logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma
commit: 4a3a46074d924f6cd61d06995298caa00184ff18
parent: b638cc50b67de8b74a490285aa8504a35e87b646
Author: kaniini <nenolod@gmail.com>
Date:   Sun,  7 Oct 2018 01:16:05 +0000

Merge branch 'security/follow-always-async' into 'develop'

AP follows must be always async (closes #306)

Closes #306

See merge request pleroma/pleroma!368

Diffstat:

Mconfig/config.exs3++-
Mlib/pleroma/user.ex51+++++++++++++++++++++++++--------------------------
Mlib/pleroma/web/activity_pub/transmogrifier.ex2++
Mlib/pleroma/web/activity_pub/utils.ex4++--
Mlib/pleroma/web/mastodon_api/mastodon_api_controller.ex7++++++-
Mlib/pleroma/web/mastodon_api/views/account_view.ex11++++++++++-
Mlib/pleroma/web/twitter_api/twitter_api.ex7++++++-
7 files changed, 53 insertions(+), 32 deletions(-)

diff --git a/config/config.exs b/config/config.exs @@ -109,7 +109,8 @@ config :pleroma, :fe, config :pleroma, :activitypub, accept_blocks: true, unfollow_blocked: true, - outgoing_blocks: true + outgoing_blocks: true, + follow_handshake_timeout: 500 config :pleroma, :user, deny_follow_blocked: true diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex @@ -185,32 +185,7 @@ defmodule Pleroma.User do def needs_update?(_), do: true def maybe_direct_follow(%User{} = follower, %User{info: info} = followed) do - user_config = Application.get_env(:pleroma, :user) - deny_follow_blocked = Keyword.get(user_config, :deny_follow_blocked) - - user_info = user_info(followed) - - should_direct_follow = - cond do - # if the account is locked, don't pre-create the relationship - user_info[:locked] == true -> - false - - # if the users are blocking each other, we shouldn't even be here, but check for it anyway - deny_follow_blocked and - (User.blocks?(follower, followed) or User.blocks?(followed, follower)) -> - false - - # if OStatus, then there is no three-way handshake to follow - User.ap_enabled?(followed) != true -> - true - - # if there are no other reasons not to, just pre-create the relationship - true -> - true - end - - if should_direct_follow do + if !User.ap_enabled?(followed) do follow(follower, followed) else {:ok, follower} @@ -763,4 +738,28 @@ defmodule Pleroma.User do get_or_fetch_by_nickname(uri_or_nickname) end end + + # wait a period of time and return newest version of the User structs + # this is because we have synchronous follow APIs and need to simulate them + # with an async handshake + def wait_and_refresh(_, %User{local: true} = a, %User{local: true} = b) do + with %User{} = a <- Repo.get(User, a.id), + %User{} = b <- Repo.get(User, b.id) do + {:ok, a, b} + else + _e -> + :error + end + end + + def wait_and_refresh(timeout, %User{} = a, %User{} = b) do + with :ok <- :timer.sleep(timeout), + %User{} = a <- Repo.get(User, a.id), + %User{} = b <- Repo.get(User, b.id) do + {:ok, a, b} + else + _e -> + :error + end + end end diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex @@ -326,6 +326,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do with actor <- get_actor(data), %User{} = followed <- User.get_or_fetch_by_ap_id(actor), {:ok, follow_activity} <- get_follow_activity(follow_object, followed), + {:ok, follow_activity} <- Utils.update_follow_state(follow_activity, "accept"), %User{local: true} = follower <- User.get_cached_by_ap_id(follow_activity.data["actor"]), {:ok, activity} <- ActivityPub.accept(%{ @@ -351,6 +352,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do with actor <- get_actor(data), %User{} = followed <- User.get_or_fetch_by_ap_id(actor), {:ok, follow_activity} <- get_follow_activity(follow_object, followed), + {:ok, follow_activity} <- Utils.update_follow_state(follow_activity, "reject"), %User{local: true} = follower <- User.get_cached_by_ap_id(follow_activity.data["actor"]), {:ok, activity} <- ActivityPub.accept(%{ diff --git a/lib/pleroma/web/activity_pub/utils.ex b/lib/pleroma/web/activity_pub/utils.ex @@ -247,11 +247,11 @@ defmodule Pleroma.Web.ActivityPub.Utils do "actor" => follower_id, "to" => [followed_id], "cc" => ["https://www.w3.org/ns/activitystreams#Public"], - "object" => followed_id + "object" => followed_id, + "state" => "pending" } data = if activity_id, do: Map.put(data, "id", activity_id), else: data - data = if User.locked?(followed), do: Map.put(data, "state", "pending"), else: data data end diff --git a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex @@ -571,10 +571,15 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do end end + @activitypub Application.get_env(:pleroma, :activitypub) + @follow_handshake_timeout Keyword.get(@activitypub, :follow_handshake_timeout) + def follow(%{assigns: %{user: follower}} = conn, %{"id" => id}) do with %User{} = followed <- Repo.get(User, id), {:ok, follower} <- User.maybe_direct_follow(follower, followed), - {:ok, _activity} <- ActivityPub.follow(follower, followed) do + {:ok, _activity} <- ActivityPub.follow(follower, followed), + {:ok, follower, followed} <- + User.wait_and_refresh(@follow_handshake_timeout, follower, followed) do render(conn, AccountView, "relationship.json", %{user: follower, target: followed}) else {:error, message} -> diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex @@ -72,6 +72,15 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do end def render("relationship.json", %{user: user, target: target}) do + follow_activity = Pleroma.Web.ActivityPub.Utils.fetch_latest_follow(user, target) + + requested = + if follow_activity do + follow_activity.data["state"] == "pending" + else + false + end + %{ id: to_string(target.id), following: User.following?(user, target), @@ -79,7 +88,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do blocking: User.blocks?(user, target), muting: false, muting_notifications: false, - requested: false, + requested: requested, domain_blocking: false, showing_reblogs: false, endorsed: false diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex @@ -20,10 +20,15 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do end end + @activitypub Application.get_env(:pleroma, :activitypub) + @follow_handshake_timeout Keyword.get(@activitypub, :follow_handshake_timeout) + def follow(%User{} = follower, params) do with {:ok, %User{} = followed} <- get_user(params), {:ok, follower} <- User.maybe_direct_follow(follower, followed), - {:ok, activity} <- ActivityPub.follow(follower, followed) do + {:ok, activity} <- ActivityPub.follow(follower, followed), + {:ok, follower, followed} <- + User.wait_and_refresh(@follow_handshake_timeout, follower, followed) do {:ok, follower, followed, activity} else err -> err