feat: restrict loopback calls

2025-11-03 04:25:55 +01:00 · 2024-02-26 16:12:40 -05:00
parent 5f85e70006
commit 77a3efb43c
4 changed files with 51 additions and 9 deletions
--- a/install/data/defaults.json
+++ b/install/data/defaults.json
@@ -189,5 +189,7 @@
    "composer:allowPluginHelp": 1,
    "maxReconnectionAttempts": 5,
    "reconnectionDelay": 1500,
-    "disableCustomUserSkins": 0
+    "disableCustomUserSkins": 0,
+    "activitypubEnabled": 1,
+    "activitypubAllowLoopback": 0
 }
--- a/public/language/en-GB/admin/settings/activitypub.json
+++ b/public/language/en-GB/admin/settings/activitypub.json
@@ -1,6 +1,14 @@
 {
-	"acp.intro-lead": "What is Federation?",
-	"acp.intro-body": "NodeBB is able to communicate with other NodeBB instances that support it. This is achieved through a protocol called <a href=\"https://activitypub.rocks/\">ActivityPub</a>. If enabled, NodeBB will also be able to communicate with other apps and websites that use ActivityPub (e.g. Mastodon, Peertube, etc.)",
-	"acp.general": "General",
-	"acp.enabled": "Enable Federation"
+	"intro-lead": "What is Federation?",
+	"intro-body": "NodeBB is able to communicate with other NodeBB instances that support it. This is achieved through a protocol called <a href=\"https://activitypub.rocks/\">ActivityPub</a>. If enabled, NodeBB will also be able to communicate with other apps and websites that use ActivityPub (e.g. Mastodon, Peertube, etc.)",
+	"general": "General",
+	"enabled": "Enable Federation",
+	"enabled-help": "If enabled, will allow this NodeBB will be able to communicate with all Activitypub-enabled clients on the wider fediverse.",
+	"allowLoopback": "Allow loopback processing",
+	"allowLoopback-help": "Useful for debugging purposes only. You should probably leave this disabled.",
+
+	"servers": "Servers",
+	"count": "This NodeBB is currently aware of <strong>%1</strong> server(s)",
+	"server.filter-help": "Specify servers you would like to bar from federating with your NodeBB. Alternatively, you may opt to selectively <em>allow</em> federation with specific servers, instead. Both options are supported, although they are mutually exclusive.",
+	"server.filter-allow-list": "Use this as an Allow List instead"
 }
--- a/src/activitypub/index.js
+++ b/src/activitypub/index.js
@@ -6,6 +6,7 @@ const { createHash, createSign, createVerify } = require('crypto');

 const request = require('../request');
 const db = require('../database');
+const meta = require('../meta');
 const user = require('../user');
 const utils = require('../utils');
 const ttl = require('../cache/ttl');
@@ -45,6 +46,13 @@ ActivityPub.resolveId = async (uid, id) => {
 ActivityPub.resolveInboxes = async (ids) => {
 	const inboxes = new Set();

+	if (!meta.config.activitypubAllowLoopback) {
+		ids = ids.filter((id) => {
+			const { hostname } = new URL(id);
+			return hostname !== nconf.get('url_parsed').hostname;
+		});
+	}
+
 	await ActivityPub.actors.assert(ids);
 	await Promise.all(ids.map(async (id) => {
 		const { inbox, sharedInbox } = await user.getUserFields(id, ['inbox', 'sharedInbox']);
--- a/src/views/admin/settings/activitypub.tpl
+++ b/src/views/admin/settings/activitypub.tpl
@@ -1,18 +1,42 @@
 <div class="acp-page-container">
 	<!-- IMPORT admin/partials/settings/header.tpl -->

-	<p class="lead">[[admin/settings/activitypub:acp.intro-lead]]</p>
-	<p>[[admin/settings/activitypub:acp.intro-body]]</p>
+	<p class="lead">[[admin/settings/activitypub:intro-lead]]</p>
+	<p>[[admin/settings/activitypub:intro-body]]</p>

 	<hr />

 	<div class="row settings m-0">
-		<div class="col-sm-2 col-12 settings-header">[[admin/settings/activitypub:acp.general]]</div>
+		<div class="col-sm-2 col-12 settings-header">[[admin/settings/activitypub:general]]</div>
 		<div class="col-sm-10 col-12">
 			<form>
 				<div class="form-check form-switch mb-3">
 					<input class="form-check-input" type="checkbox" data-field="activitypubEnabled">
-					<label class="form-check-label">[[admin/settings/activitypub:acp.enabled]]</label>
+					<label class="form-check-label">[[admin/settings/activitypub:enabled]]</label>
+					<p class="form-text">[[admin/settings/activitypub:enabled-help]]</p>
+				</div>
+				<div class="form-check form-switch mb-3">
+					<input class="form-check-input" type="checkbox" data-field="activitypubAllowLoopback">
+					<label class="form-check-label">[[admin/settings/activitypub:allowLoopback]]</label>
+					<p class="form-text">[[admin/settings/activitypub:allowLoopback-help]]</p>
+				</div>
+			</form>
+		</div>
+	</div>
+
+	<div class="row settings m-0">
+		<div class="col-sm-2 col-12 settings-header">[[admin/settings/activitypub:servers]]</div>
+		<div class="col-sm-10 col-12">
+			<form>
+				<div class="mb-3">
+					<p>[[admin/settings/activitypub:server.filter-help]]</p>
+					<p>[[admin/settings/activitypub:count, 0]]</p>
+					<label for="activitypubFilterList" class="form-label">Filtering list</label>
+					<textarea class="form-control" id="activitypubFilterList" rows="10" disabled="disabled"></textarea>
+				</div>
+				<div class="form-check form-switch mb-3">
+					<input class="form-check-input" type="checkbox" data-field="activitypubFilter" disabled="disabled" />
+					<label class="form-check-label">[[admin/settings/activitypub:server.filter-allow-list]]</label>
 				</div>
 			</form>
 		</div>