activitypub: Sign the Host header too

Mastodon with `AUTHORIZED_FETCH` enabled requires the `Host` header to be signed too, add it to the default for `setting.Federation.GetHeaders` and `setting.Federation.PostHeaders`. For this to work, we need to sign the request later: not immediately after `NewRequest`, but just before sending them out with `client.Do`. Doing so also lets us use `setting.Federation.GetHeaders` (we were using `.PostHeaders` even for GET requests before). Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2025-05-31 11:52:10 +00:00 · 2024-08-04 15:34:31 +02:00 · 2024-08-04 15:34:31 +02:00 · cd17eb0fa7
commit cd17eb0fa7
parent c031881a20
2 changed files with 30 additions and 13 deletions
--- a/modules/setting/federation.go
+++ b/modules/setting/federation.go
@ -25,8 +25,8 @@ var (
 		MaxSize:             4,
 		Algorithms:          []string{"rsa-sha256", "rsa-sha512", "ed25519"},
 		DigestAlgorithm:     "SHA-256",
-		GetHeaders:          []string{"(request-target)", "Date"},
-		PostHeaders:         []string{"(request-target)", "Date", "Digest"},
+		GetHeaders:          []string{"(request-target)", "Date", "Host"},
+		PostHeaders:         []string{"(request-target)", "Date", "Host", "Digest"},
 	}
 )