feat(activitiypub): enable HTTP signatures on all ActivityPub endpoints (#7035)

- Set the right keyID and use the right signing keys for outgoing requests. - Verify the HTTP signature of all incoming requests, except for the server actor. - Caches keys of incoming requests for users and servers actors. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7035 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: famfo <famfo@famfo.xyz> Co-committed-by: famfo <famfo@famfo.xyz>
2025-06-01 04:12:10 +00:00 · 2025-04-03 15:24:15 +00:00 · 2025-04-03 15:24:15 +00:00 · 77b0275572
commit 77b0275572
parent ba5b157f7e
22 changed files with 681 additions and 122 deletions
--- a/models/user/activitypub.go
+++ b/models/user/activitypub.go
@ -0,0 +1,44 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package user
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	"forgejo.org/models/db"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/validation"
+)
+
+// APActorID returns the IRI to the api endpoint of the user
+func (u *User) APActorID() string {
+	if u.IsAPServerActor() {
+		return fmt.Sprintf("%sapi/v1/activitypub/actor", setting.AppURL)
+	}
+
+	return fmt.Sprintf("%sapi/v1/activitypub/user-id/%s", setting.AppURL, url.PathEscape(fmt.Sprintf("%d", u.ID)))
+}
+
+// APActorKeyID returns the ID of the user's public key
+func (u *User) APActorKeyID() string {
+	return u.APActorID() + "#main-key"
+}
+
+func GetUserByFederatedURI(ctx context.Context, federatedURI string) (*User, error) {
+	user := new(User)
+	has, err := db.GetEngine(ctx).Where("normalized_federated_uri=?", federatedURI).Get(user)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, nil
+	}
+
+	if res, err := validation.IsValid(*user); !res {
+		return nil, err
+	}
+
+	return user, nil
+}