feat(activitiypub): enable HTTP signatures on all ActivityPub endpoints (#7035)

- Set the right keyID and use the right signing keys for outgoing requests. - Verify the HTTP signature of all incoming requests, except for the server actor. - Caches keys of incoming requests for users and servers actors. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7035 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: famfo <famfo@famfo.xyz> Co-committed-by: famfo <famfo@famfo.xyz>
2025-05-31 20:02:09 +00:00 · 2025-04-03 15:24:15 +00:00 · 2025-04-03 15:24:15 +00:00 · 77b0275572
commit 77b0275572
parent ba5b157f7e
22 changed files with 681 additions and 122 deletions
--- a/models/forgejo_migrations/v29.go
+++ b/models/forgejo_migrations/v29.go
@ -0,0 +1,29 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package forgejo_migrations //nolint:revive
+
+import (
+	"database/sql"
+
+	"xorm.io/xorm"
+)
+
+func AddPublicKeyInformationForFederation(x *xorm.Engine) error {
+	type FederationHost struct {
+		KeyID     sql.NullString         `xorm:"key_id UNIQUE"`
+		PublicKey sql.Null[sql.RawBytes] `xorm:"BLOB"`
+	}
+
+	err := x.Sync(&FederationHost{})
+	if err != nil {
+		return err
+	}
+
+	type FederatedUser struct {
+		KeyID     sql.NullString         `xorm:"key_id UNIQUE"`
+		PublicKey sql.Null[sql.RawBytes] `xorm:"BLOB"`
+	}
+
+	return x.Sync(&FederatedUser{})
+}