From 3780fdc6ff9fb23048266b43ceae86646fb795cc Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 27 Nov 2024 12:47:24 -0500
Subject: [PATCH] fix: regression on remote deletes, received object is not always a simple id
---
 src/activitypub/inbox.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/activitypub/inbox.js b/src/activitypub/inbox.js
index eddc8026bd..2aaa8350db 100644
--- a/src/activitypub/inbox.js
+++ b/src/activitypub/inbox.js
@@ -203,9 +203,15 @@ inbox.delete = async (req) => {
 // probably 410/404
 }
- // Origin checking
+ // Deletions must be made by an actor of the same origin
 const actorHostname = new URL(actor).hostname;
- const objectHostname = new URL(object).hostname;
+ if (typeof object !== 'string') {
+ const { id } = object;
+ if (!id) {
+ throw new Error('[[error:activitypub.origin-mismatch]]');
+ }
+ }
+ const objectHostname = new URL(object.id || object).hostname;
 if (actorHostname !== objectHostname) {
 throw new Error('[[error:activitypub.origin-mismatch]]');
 }
@@ -229,7 +235,7 @@ inbox.delete = async (req) => {
 // }
 default: {
- activitypub.helpers.log(`[activitypub/inbox.delete] Object (${object}) does not exist locally. Doing nothing.`);
+ activitypub.helpers.log(`[activitypub/inbox.delete] Object (${object.id || object}) does not exist locally. Doing nothing.`);
 break;
 }
 }
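Review bot: The new guard in the first hunk only checks that `object.id` is truthy, so a `null` object (whose `typeof` is also `'object'`) throws a bare TypeError on the destructure, and a non-string `id` such as an array or number is coerced to a string by `new URL()` before the hostname comparison. Because this comparison decides whether a remote actor may delete content, I would normalise once with `const objectId = typeof object === 'string' ? object : object?.id;` and reject anything else with `if (typeof objectId !== 'string') { throw new Error('[[error:activitypub.origin-mismatch]]'); }`, then pass `objectId` to `new URL(...)`. The same `object.id || object` expression is repeated in the log line of the second hunk and presumably in the lookups outside these hunks; reusing the validated `objectId` there keeps the value that was origin-checked identical to the value that is acted on. The new comment says "same origin", but the check compares `hostname` only, which ignores scheme and port; either compare `new URL(...).origin` or word the comment as "same hostname". The body of `inbox.delete` starts and ends outside both hunks, so earlier validation of `object` may exist that is not visible here.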