Ignore actor delete messages for unknown actors (#124)

2022-12-06 00:23:35 -05:00 · 2022-12-06 00:23:35 -05:00 · 42c7b629cf
parent b8460b0acd
commit 42c7b629cf
3 changed files with 38 additions and 0 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -92,6 +92,7 @@ def identity(user, domain) -> Identity:
    """
    identity = Identity.objects.create(
        actor_uri="https://example.com/@test@example.com/",
+        inbox_uri="https://example.com/@test@example.com/inbox/",
        username="test",
        domain=domain,
        name="Test User",
@ -125,6 +126,7 @@ def other_identity(user, domain) -> Identity:
    """
    identity = Identity.objects.create(
        actor_uri="https://example.com/@other@example.com/",
+        inbox_uri="https://example.com/@other@example.com/inbox/",
        username="other",
        domain=domain,
        name="Other User",
@ -143,6 +145,7 @@ def remote_identity() -> Identity:
    domain = Domain.objects.create(domain="remote.test", local=False)
    return Identity.objects.create(
        actor_uri="https://remote.test/test-actor/",
+        inbox_uri="https://remote.test/@test/inbox/",
        profile_uri="https://remote.test/@test/",
        username="test",
        domain=domain,
--- a/tests/users/views/test_activitypub.py
+++ b/tests/users/views/test_activitypub.py
@ -31,3 +31,25 @@ def test_webfinger_system_actor(client):
    data = client.get("/actor/", HTTP_ACCEPT="application/ld+json").json()
    assert data["id"] == "https://example.com/actor/"
    assert data["inbox"] == "https://example.com/actor/inbox/"
+
+
+@pytest.mark.django_db
+def test_delete_actor(client, identity):
+    data = {
+        "@context": "https://www.w3.org/ns/activitystreams",
+        "actor": "https://mastodon.social/users/fakec8b6984105c8f15070a2",
+        "id": "https://mastodon.social/users/fakec8b6984105c8f15070a2#delete",
+        "object": "https://mastodon.social/users/fakec8b6984105c8f15070a2",
+        "signature": {
+            "created": "2022-12-06T03:54:28Z",
+            "creator": "https://mastodon.social/users/fakec8b6984105c8f15070a2#main-key",
+            "signatureValue": "This value doesn't matter",
+            "type": "RsaSignature2017",
+        },
+        "to": ["https://www.w3.org/ns/activitystreams#Public"],
+        "type": "Delete",
+    }
+    resp = client.post(
+        identity.inbox_uri, data=data, content_type="application/activity+json"
+    )
+    assert resp.status_code == 202
--- a/users/views/activitypub.py
+++ b/users/views/activitypub.py
@ -145,9 +145,21 @@ class Inbox(View):
        # This ensures that the signature used for the headers matches the actor
        # described in the payload.
        identity = Identity.by_actor_uri(document["actor"], create=True, transient=True)
+        if (
+            document["type"] == "Delete"
+            and document["actor"] == document["object"]
+            and not identity.pk
+        ):
+            # We don't have an Identity record for the user. No-op
+            exceptions.capture_message(
+                f"Inbox: Discarded delete message for unknown actor {document['actor']}"
+            )
+            return HttpResponse(status=202)
+
        if not identity.public_key:
            # See if we can fetch it right now
            async_to_sync(identity.fetch_actor)()
+
        if not identity.public_key:
            exceptions.capture_message(
                f"Inbox error: cannot fetch actor {document['actor']}"
@ -160,6 +172,7 @@ class Inbox(View):
                f"Inbox: Discarded message from {identity.domain}"
            )
            return HttpResponse(status=202)
+
        # If there's a "signature" payload, verify against that
        if "signature" in document:
            try: