fix: check origin only if object is a string

src/activitypub/notes.js

@@ -21,15 +21,16 @@ Notes.assert = async (uid, input, options = {}) => {
 	const actors = new Set();
 
 	await Promise.all(input.map(async (item) => {
-		let id = activitypub.helpers.isUri(item) ? item : item.pid;
+		// Dereference only if a url is received
-		if (activitypub.helpers.isUri(id)) {
+		if (activitypub.helpers.isUri(item)) {
-			id = await activitypub.resolveId(uid, id);
+			item = await activitypub.resolveId(uid, item);
-			if (!id) {
+			if (!item) {
-				winston.warn(`[activitypub/notes.assert] Not asserting ${id}`);
+				winston.warn(`[activitypub/notes.assert] Not asserting ${item}`);
 				return;
 			}
 		}
 
+		const id = activitypub.helpers.isUri(item) ? item : item.pid;
 		const key = `post:${id}`;
 		const exists = await db.exists(key);
 		winston.verbose(`[activitypub/notes.assert] Asserting note id ${id}`);

src/middleware/activitypub.js

@@ -48,10 +48,12 @@ middleware.validate = async function (req, res, next) {
 	const { actor, object } = req.body;
 
 	// Origin checking
-	const actorHostname = new URL(actor).hostname;
+	if (typeof object !== 'string') {
-	const objectHostname = new URL(typeof object === 'string' ? object : object.id).hostname;
+		const actorHostname = new URL(actor).hostname;
-	if (actorHostname !== objectHostname) {
+		const objectHostname = new URL(object.id).hostname;
-		return res.sendStatus(403);
+		if (actorHostname !== objectHostname) {
+			return res.sendStatus(403);
+		}
 	}
 
 	// Cross-check key ownership against received actor