feat: temporarily deny handling non-public notes

public/language/en-GB/error.json

@@ -283,5 +283,6 @@
 	"activitypub.get-failed": "Unable to retrieve the specified resource.",
 	"activitypub.pubKey-not-found": "Unable to resolve public key, so payload verification cannot take place.",
 	"activitypub.origin-mismatch": "The received object's origin does not match the sender's origin",
-	"activitypub.actor-mismatch": "The received activity is being carried out by an actor that is different from expected."
+	"activitypub.actor-mismatch": "The received activity is being carried out by an actor that is different from expected.",
+	"activitypub.not-implemented": "The request was denied because it or an aspect of it is not implemented by the recipient server"
 }

src/activitypub/inbox.js

@@ -19,6 +19,11 @@ inbox.create = async (req) => {
 	const { object } = req.body;
 	const postData = await activitypub.mocks.post(object);
 
+	// Temporary, reject non-public notes.
+	if (![...postData._activitypub.to, ...postData._activitypub.cc].includes(activitypub._constants.publicAddress)) {
+		throw new Error('[[error:activitypub.not-implemented]]');
+	}
+
 	if (postData) {
 		await activitypub.notes.assert(0, [postData]);
 		const tid = await activitypub.notes.assertTopic(0, postData.pid);

src/controllers/activitypub/index.js

@@ -4,6 +4,7 @@ const nconf = require('nconf');
 
 const user = require('../../user');
 const activitypub = require('../../activitypub');
+const helpers = require('../helpers');
 
 const Controller = module.exports;
 
@@ -117,6 +118,10 @@ Controller.postInbox = async (req, res) => {
 		return res.sendStatus(501);
 	}
 
-	await activitypub.inbox[method](req);
-	res.sendStatus(200);
+	try {
+		await activitypub.inbox[method](req);
+		helpers.formatApiResponse(200, res);
+	} catch (e) {
+		helpers.formatApiResponse(500, res, e);
+	}
 };