feat(activitiypub): enable HTTP signatures on all ActivityPub endpoints (#7035)

- Set the right keyID and use the right signing keys for outgoing requests. - Verify the HTTP signature of all incoming requests, except for the server actor. - Caches keys of incoming requests for users and servers actors. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7035 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: famfo <famfo@famfo.xyz> Co-committed-by: famfo <famfo@famfo.xyz>
2025-05-31 20:02:09 +00:00 · 2025-04-03 15:24:15 +00:00 · 2025-04-03 15:24:15 +00:00 · 77b0275572
commit 77b0275572
parent ba5b157f7e
22 changed files with 681 additions and 122 deletions
--- a/models/user/user_system.go
+++ b/models/user/user_system.go
@ -73,30 +73,30 @@ func (u *User) IsActions() bool {
 }

 const (
-	APActorUserID   = -3
-	APActorUserName = "actor"
-	APActorEmail    = "noreply@forgejo.org"
+	APServerActorUserID   = -3
+	APServerActorUserName = "actor"
+	APServerActorEmail    = "noreply@forgejo.org"
 )

-func NewAPActorUser() *User {
+func NewAPServerActor() *User {
 	return &User{
-		ID:               APActorUserID,
-		Name:             APActorUserName,
-		LowerName:        APActorUserName,
+		ID:               APServerActorUserID,
+		Name:             APServerActorUserName,
+		LowerName:        APServerActorUserName,
 		IsActive:         true,
-		Email:            APActorEmail,
+		Email:            APServerActorEmail,
 		KeepEmailPrivate: true,
-		LoginName:        APActorUserName,
+		LoginName:        APServerActorUserName,
 		Type:             UserTypeIndividual,
 		Visibility:       structs.VisibleTypePublic,
 	}
 }

-func APActorUserAPActorID() string {
+func APServerActorID() string {
 	path, _ := url.JoinPath(setting.AppURL, "/api/v1/activitypub/actor")
 	return path
 }

-func (u *User) IsAPActor() bool {
-	return u != nil && u.ID == APActorUserID
+func (u *User) IsAPServerActor() bool {
+	return u != nil && u.ID == APServerActorUserID
 }