fix: bug where disparate ids all claiming to be the same handle were causing duplicate remote users due to collisions, #13352

2025-10-26 16:46:12 +01:00 · 2025-04-22 15:12:56 -04:00
parent 3e508d6c65
commit c2a3ef817d
4 changed files with 39 additions and 0 deletions
--- a/src/activitypub/actors.js
+++ b/src/activitypub/actors.js
@@ -127,6 +127,13 @@ Actors.assert = async (ids, options = {}) => {
 			activitypub.helpers.log(`[activitypub/actors] Processing ${id}`);
 			const actor = (typeof id === 'object' && id.hasOwnProperty('id')) ? id : await activitypub.get('uid', 0, id, { cache: process.env.CI === 'true' });

+			// webfinger backreference check
+			const { hostname: domain } = new URL(id);
+			const { actorUri: canonicalId } = await activitypub.helpers.query(`${actor.preferredUsername}@${domain}`);
+			if (id !== canonicalId) {
+				return null;
+			}
+
 			let typeOk = false;
 			if (Array.isArray(actor.type)) {
 				typeOk = actor.type.some(type => activitypub._constants.acceptableActorTypes.has(type));
--- a/src/activitypub/helpers.js
+++ b/src/activitypub/helpers.js
@@ -28,6 +28,8 @@ const sha256 = payload => crypto.createHash('sha256').update(payload).digest('he

 const Helpers = module.exports;

+Helpers._webfingerCache = webfingerCache; // exported for tests
+
 Helpers._test = (method, args) => {
 	// because I am lazy and I probably wrote some variant of this below code 1000 times already
 	setTimeout(async () => {
--- a/test/activitypub/actors.js
+++ b/test/activitypub/actors.js
@@ -46,6 +46,7 @@ describe('Actor asserton', () => {
 					publicKeyPem: 'somekey',
 				},
 			});
+			activitypub.helpers._webfingerCache.set('example@example.org', { actorUri })
 		});

 		it('should return true if successfully asserted', async () => {
@@ -194,6 +195,25 @@ describe('Actor asserton', () => {

 				const uid = await db.getObjectField('handle:uid', `${preferredUsername.toLowerCase()}@example.org`);
 				assert.strictEqual(uid, id);
+			});
+
+			it('should fail to assert if a passed-in ID\'s webfinger query does not respond with the same ID (gh#13352)', async () => {
+				const { id } = helpers.mocks.person({
+					preferredUsername: 'foobar',
+				});
+
+				const actorUri = `https://example.org/${utils.generateUUID()}`;
+				activitypub.helpers._webfingerCache.set('foobar@example.org', {
+					username: 'foobar',
+					hostname: 'example.org',
+					actorUri,
+				});
+
+				const { actorUri: confirm } = await activitypub.helpers.query('foobar@example.org');
+				assert.strictEqual(confirm, actorUri);
+
+				const response = await activitypub.actors.assert([id]);
+				assert.deepStrictEqual(response, []);
 			})
 		});
 	});
--- a/test/activitypub/helpers.js
+++ b/test/activitypub/helpers.js
@@ -40,6 +40,11 @@ Helpers.mocks.person = (override = {}) => {
 	};

 	activitypub._cache.set(`0;${id}`, actor);
+	activitypub.helpers._webfingerCache.set(`${actor.preferredUsername}@example.org`, {
+		actorUri: id,
+		username: id,
+		hostname: 'example.org',
+	});

 	return { id, actor };
 };
@@ -51,6 +56,11 @@ Helpers.mocks.group = (override = {}) => {
 	});

 	activitypub._cache.set(`0;${id}`, actor);
+	activitypub.helpers._webfingerCache.set(`${actor.preferredUsername}@example.org`, {
+		actorUri: id,
+		username: id,
+		hostname: 'example.org',
+	});

 	return { id, actor };
 };