diff --git a/.config/cypress-devcontainer.yml b/.config/cypress-devcontainer.yml index 8b11c8413c..9dbe429a3c 100644 --- a/.config/cypress-devcontainer.yml +++ b/.config/cypress-devcontainer.yml @@ -183,16 +183,17 @@ id: 'aidx' #clusterLimit: 1 # Job concurrency per worker -# deliverJobConcurrency: 128 -# inboxJobConcurrency: 16 +#deliverJobConcurrency: 16 +#inboxJobConcurrency: 4 +#relationshipJobConcurrency: 16 # Job rate limiter -# deliverJobPerSec: 128 -# inboxJobPerSec: 32 +#deliverJobPerSec: 1024 +#inboxJobPerSec: 64 # Job attempts -# deliverJobMaxAttempts: 12 -# inboxJobMaxAttempts: 8 +#deliverJobMaxAttempts: 12 +#inboxJobMaxAttempts: 8 # IP address family used for outgoing request (ipv4, ipv6 or dual) #outgoingAddressFamily: ipv4 diff --git a/.config/docker_example.yml b/.config/docker_example.yml index dc354324dc..ce2d68b658 100644 --- a/.config/docker_example.yml +++ b/.config/docker_example.yml @@ -195,16 +195,17 @@ id: 'aidx' #clusterLimit: 1 # Job concurrency per worker -# deliverJobConcurrency: 128 -# inboxJobConcurrency: 16 +#deliverJobConcurrency: 16 +#inboxJobConcurrency: 4 +#relationshipJobConcurrency: 16 # Job rate limiter -# deliverJobPerSec: 128 -# inboxJobPerSec: 32 +#deliverJobPerSec: 1024 +#inboxJobPerSec: 64 # Job attempts -# deliverJobMaxAttempts: 12 -# inboxJobMaxAttempts: 8 +#deliverJobMaxAttempts: 12 +#inboxJobMaxAttempts: 8 # IP address family used for outgoing request (ipv4, ipv6 or dual) #outgoingAddressFamily: ipv4 diff --git a/.config/example.yml b/.config/example.yml index 489cceec34..7e12b279e3 100644 --- a/.config/example.yml +++ b/.config/example.yml 
@@ -287,15 +287,15 @@ id: 'aidx' #clusterLimit: 1 # Job concurrency per worker -#deliverJobConcurrency: 128 -#inboxJobConcurrency: 16 +#deliverJobConcurrency: 16 +#inboxJobConcurrency: 4 #relationshipJobConcurrency: 16 # What's relationshipJob?: # Follow, unfollow, block and unblock(ings) while following-imports, etc. or account migrations. # Job rate limiter -#deliverJobPerSec: 128 -#inboxJobPerSec: 32 +#deliverJobPerSec: 1024 +#inboxJobPerSec: 64 #relationshipJobPerSec: 64 # Job attempts diff --git a/.devcontainer/devcontainer.yml b/.devcontainer/devcontainer.yml index fb0d25c214..aa95127aa5 100644 --- a/.devcontainer/devcontainer.yml +++ b/.devcontainer/devcontainer.yml @@ -170,16 +170,17 @@ id: 'aidx' #clusterLimit: 1 # Job concurrency per worker -# deliverJobConcurrency: 128 -# inboxJobConcurrency: 16 +#deliverJobConcurrency: 16 +#inboxJobConcurrency: 4 +#relationshipJobConcurrency: 16 # Job rate limiter -# deliverJobPerSec: 128 -# inboxJobPerSec: 32 +#deliverJobPerSec: 1024 +#inboxJobPerSec: 64 # Job attempts -# deliverJobMaxAttempts: 12 -# inboxJobMaxAttempts: 8 +#deliverJobMaxAttempts: 12 +#inboxJobMaxAttempts: 8 # IP address family used for outgoing request (ipv4, ipv6 or dual) #outgoingAddressFamily: ipv4 diff --git a/.github/workflows/test-federation.yml b/.github/workflows/test-federation.yml index 873396f622..4a6d370414 100644 --- a/.github/workflows/test-federation.yml +++ b/.github/workflows/test-federation.yml 
@@ -99,11 +99,51 @@ jobs: run: | cd packages/backend/test-federation docker compose run --no-deps tester - - name: Log + - name: 'Redis Log' if: always() run: | cd packages/backend/test-federation - docker compose logs + docker compose logs -t redis.test + - name: 'Setup Log' + if: always() + run: | + cd packages/backend/test-federation + docker compose logs -t setup + - name: 'DB A Log' + if: always() + run: | + cd packages/backend/test-federation + docker compose logs -t db.a.test + - name: 'DB B Log' + if: always() + run: | + cd packages/backend/test-federation + docker compose logs -t db.b.test + - name: 'Daemon Log' + if: always() + run: | + cd packages/backend/test-federation + docker compose logs -t daemon + - name: 'Misskey A Log' + if: always() + run: | + cd packages/backend/test-federation + docker compose logs -t misskey.a.test + - name: 'Misskey B Log' + if: always() + run: | + cd packages/backend/test-federation + docker compose logs -t misskey.b.test + - name: 'Nginx A Log' + if: always() + run: | + cd packages/backend/test-federation + docker compose logs -t a.test + - name: 'Nginx B Log' + if: always() + run: | + cd packages/backend/test-federation + docker compose logs -t b.test - name: Stop servers if: always() run: | diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 95e6077d93..e69b3fb3be 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -246,7 +246,7 @@ See [`/packages/backend/test-federation/README.md`](/packages/backend/test-feder ## Environment Variable - `MISSKEY_CONFIG_YML`: Specify the file path of config.yml instead of default.yml (e.g. `2nd.yml`). -- `MISSKEY_WEBFINGER_USE_HTTP`: If it's set true, WebFinger requests will be http instead of https, useful for testing federation between servers in localhost. NEVER USE IN PRODUCTION. +- `MISSKEY_USE_HTTP`: If it's set true, federation requests (like nodeinfo and webfinger) will be http instead of https, useful for testing federation between servers in localhost. NEVER USE IN PRODUCTION. (was `MISSKEY_WEBFINGER_USE_HTTP`) ## Continuous integration Misskey uses GitHub Actions for executing automated tests. diff --git a/chart/files/default.yml b/chart/files/default.yml index 8fa0b39eff..001d97b9a1 100644 --- a/chart/files/default.yml +++ b/chart/files/default.yml @@ -191,16 +191,17 @@ id: "aidx" #clusterLimit: 1 # Job concurrency per worker -# deliverJobConcurrency: 128 -# inboxJobConcurrency: 16 +#deliverJobConcurrency: 16 +#inboxJobConcurrency: 4 +#relationshipJobConcurrency: 16 # Job rate limiter -# deliverJobPerSec: 128 -# inboxJobPerSec: 32 +#deliverJobPerSec: 1024 +#inboxJobPerSec: 64 # Job attempts -# deliverJobMaxAttempts: 12 -# inboxJobMaxAttempts: 8 +#deliverJobMaxAttempts: 12 +#inboxJobMaxAttempts: 8 # IP address family used for outgoing request (ipv4, ipv6 or dual) #outgoingAddressFamily: ipv4 diff --git a/packages/backend/migration/1708980134301-APMultipleKeys.js b/packages/backend/migration/1708980134301-APMultipleKeys.js new file mode 100644 index 0000000000..ca55526c6e --- /dev/null +++ b/packages/backend/migration/1708980134301-APMultipleKeys.js 
@@ -0,0 +1,39 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class APMultipleKeys1708980134301 {
+ name = 'APMultipleKeys1708980134301'
+
+ async up(queryRunner) {
+ await queryRunner.query(`DROP INDEX "public"."IDX_171e64971c780ebd23fae140bb"`);
+ await queryRunner.query(`ALTER TABLE "user_keypair" ADD "ed25519PublicKey" character varying(128)`);
+ await queryRunner.query(`ALTER TABLE "user_keypair" ADD "ed25519PrivateKey" character varying(128)`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "FK_10c146e4b39b443ede016f6736d"`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "PK_10c146e4b39b443ede016f6736d"`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "PK_0db6a5fdb992323449edc8ee421" PRIMARY KEY ("userId", "keyId")`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "PK_0db6a5fdb992323449edc8ee421"`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "PK_171e64971c780ebd23fae140bba" PRIMARY KEY ("keyId")`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "UQ_10c146e4b39b443ede016f6736d" UNIQUE ("userId")`);
+ await queryRunner.query(`CREATE INDEX "IDX_10c146e4b39b443ede016f6736" ON "user_publickey" ("userId") `);
+ await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "FK_10c146e4b39b443ede016f6736d" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE NO ACTION`);
+ }
+
+ async down(queryRunner) {
+ await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "FK_10c146e4b39b443ede016f6736d"`);
+ await queryRunner.query(`DROP INDEX "public"."IDX_10c146e4b39b443ede016f6736"`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "UQ_10c146e4b39b443ede016f6736d"`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "PK_171e64971c780ebd23fae140bba"`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "PK_0db6a5fdb992323449edc8ee421" PRIMARY KEY ("userId", "keyId")`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "PK_0db6a5fdb992323449edc8ee421"`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "PK_10c146e4b39b443ede016f6736d" PRIMARY KEY ("userId")`);
+ await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "FK_10c146e4b39b443ede016f6736d" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE NO ACTION`);
+ await queryRunner.query(`ALTER TABLE "user_profile" ALTER COLUMN "followersVisibility" DROP DEFAULT`);
+ await queryRunner.query(`ALTER TABLE "user_profile" ALTER COLUMN "followersVisibility" TYPE "public"."user_profile_followersVisibility_enum_old" USING "followersVisibility"::"text"::"public"."user_profile_followersVisibility_enum_old"`);
+ await queryRunner.query(`ALTER TABLE "user_profile" ALTER COLUMN "followersVisibility" SET DEFAULT 'public'`);
+ await queryRunner.query(`ALTER TABLE "user_keypair" DROP COLUMN "ed25519PrivateKey"`);
+ await queryRunner.query(`ALTER TABLE "user_keypair" DROP COLUMN "ed25519PublicKey"`);
+ await queryRunner.query(`CREATE UNIQUE INDEX "IDX_171e64971c780ebd23fae140bb" ON "user_publickey" ("keyId") `);
+ }
+}
diff --git a/packages/backend/migration/1709242519122-HttpSignImplLv.js b/packages/backend/migration/1709242519122-HttpSignImplLv.js
new file mode 100644
index 0000000000..7748bae006
--- /dev/null
+++ b/packages/backend/migration/1709242519122-HttpSignImplLv.js
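Review bot: `down()` in `APMultipleKeys1708980134301` carries three `ALTER TABLE "user_profile" ... "followersVisibility"` statements that have no counterpart in `up()` and cast to `"public"."user_profile_followersVisibility_enum_old"`, a type this migration never creates. They look like leftovers from schema auto-generation and would presumably make a rollback fail or touch an unrelated column, so they should be dropped from this file. `up()` also adds `PK_0db6a5fdb992323449edc8ee421` and drops it in the very next statement (`down()` repeats the pair), which is a no-op that can go. Since `ed25519PrivateKey` is a nullable `character varying(128)`, a short comment stating the expected encoding of the stored key would help whoever audits how private keys are kept at rest.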
@@ -0,0 +1,16 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class HttpSignImplLv1709242519122 {
+ name = 'HttpSignImplLv1709242519122'
+
+ async up(queryRunner) {
+ await queryRunner.query(`ALTER TABLE "instance" ADD "httpMessageSignaturesImplementationLevel" character varying(16) NOT NULL DEFAULT '00'`);
+ }
+
+ async down(queryRunner) {
+ await queryRunner.query(`ALTER TABLE "instance" DROP COLUMN "httpMessageSignaturesImplementationLevel"`);
+ }
+}
diff --git a/packages/backend/migration/1709269211718-APMultipleKeysFix1.js b/packages/backend/migration/1709269211718-APMultipleKeysFix1.js
new file mode 100644
index 0000000000..d2011802f2
--- /dev/null
+++ b/packages/backend/migration/1709269211718-APMultipleKeysFix1.js
@@ -0,0 +1,16 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class APMultipleKeys1709269211718 {
+ name = 'APMultipleKeys1709269211718'
+
+ async up(queryRunner) {
+ await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "UQ_10c146e4b39b443ede016f6736d"`);
+ }
+
+ async down(queryRunner) {
+ await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "UQ_10c146e4b39b443ede016f6736d" UNIQUE ("userId")`);
+ }
+}
diff --git a/packages/backend/migration/1751848750315-RemoteSuspend.js b/packages/backend/migration/1751848750315-RemoteSuspend.js
new file mode 100644
index 0000000000..efa7b83026
--- /dev/null
+++ b/packages/backend/migration/1751848750315-RemoteSuspend.js
@@ -0,0 +1,19 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+export class RemoteSuspend1751848750315 {
+ name = 'RemoteSuspend1751848750315'
+
+ async up(queryRunner) {
+ await queryRunner.query(`ALTER TABLE "user" ADD "isRemoteSuspended" boolean NOT NULL DEFAULT false`);
+ await queryRunner.query(`COMMENT ON COLUMN "user"."isSuspended" IS 'Whether the User is suspended by the local moderators.'`);
+ await queryRunner.query(`COMMENT ON COLUMN "user"."isRemoteSuspended" IS 'Whether the User is suspended by the remote moderators.'`);
+ }
+
+ async down(queryRunner) {
+ await queryRunner.query(`COMMENT ON COLUMN "user"."isRemoteSuspended" IS 'Whether the User is suspended by the remote moderators.'`);
+ await queryRunner.query(`COMMENT ON COLUMN "user"."isSuspended" IS 'Whether the User is suspended.'`);
+ await queryRunner.query(`ALTER TABLE "user" DROP COLUMN "isRemoteSuspended"`);
+ }
+}
diff --git a/packages/backend/migration/1752410859370-FollowingIsFollowerSuspended.js b/packages/backend/migration/1752410859370-FollowingIsFollowerSuspended.js
new file mode 100644
index 0000000000..ce63c16fb7
--- /dev/null
+++ b/packages/backend/migration/1752410859370-FollowingIsFollowerSuspended.js
@@ -0,0 +1,22 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class FollowingIsFollowerSuspended1752410859370 {
+ name = 'FollowingIsFollowerSuspended1752410859370'
+
+ async up(queryRunner) {
+ await queryRunner.query(`DROP INDEX "public"."IDX_ce62b50d882d4e9dee10ad0d2f"`);
+ await queryRunner.query(`ALTER TABLE "following" ADD "isFollowerSuspended" boolean NOT NULL DEFAULT false`);
+ await queryRunner.query(`CREATE INDEX "IDX_1896254b78a41a50e0396fdabd" ON "following" ("followeeId", "followerHost", "isFollowerSuspended", "isFollowerHibernated") `);
+ await queryRunner.query(`CREATE INDEX "IDX_d2b8dbf0b772042f4fe241a29d" ON "following" ("followerId", "followeeId", "isFollowerSuspended") `);
+ }
+
+ async down(queryRunner) {
+ await queryRunner.query(`DROP INDEX "public"."IDX_d2b8dbf0b772042f4fe241a29d"`);
+ await queryRunner.query(`DROP INDEX "public"."IDX_1896254b78a41a50e0396fdabd"`);
+ await queryRunner.query(`ALTER TABLE "following" DROP COLUMN "isFollowerSuspended"`);
+ await queryRunner.query(`CREATE INDEX "IDX_ce62b50d882d4e9dee10ad0d2f" ON "following" ("followeeId", "followerHost", "isFollowerHibernated") `);
+ }
+}
diff --git a/packages/backend/migration/1752410900000-FollowingIsFollowerSuspendedCopySuspendedState.js b/packages/backend/migration/1752410900000-FollowingIsFollowerSuspendedCopySuspendedState.js
new file mode 100644
index 0000000000..185d8cbe1a
--- /dev/null
+++ b/packages/backend/migration/1752410900000-FollowingIsFollowerSuspendedCopySuspendedState.js
@@ -0,0 +1,21 @@ +/* + * SPDX-FileCopyrightText: syuilo and misskey-project + * SPDX-License-Identifier: AGPL-3.0-only + */ + +export class FollowingIsFollowerSuspendedCopySuspendedState1752410900000 { + name = 'FollowingIsFollowerSuspendedCopySuspendedState1752410900000' + + async up(queryRunner) { + // Update existing records based on user suspension status + await queryRunner.query(` + UPDATE "following" + SET "isFollowerSuspended" = "user"."isSuspended" + FROM "user" + WHERE "following"."followerId" = "user"."id" + `); + } + + async down(queryRunner) { + } +} diff --git a/packages/backend/package.json b/packages/backend/package.json index 5114912769..9a80e5249f 100644 --- a/packages/backend/package.json +++ b/packages/backend/package.json @@ -80,13 +80,13 @@ "@fastify/multipart": "9.2.1", "@fastify/static": "8.2.0", "@fastify/view": "10.0.2", + "@misskey-dev/node-http-message-signatures": "0.0.10", "@misskey-dev/sharp-read-bmp": "1.2.0", "@misskey-dev/summaly": "5.2.3", "@napi-rs/canvas": "0.1.79", "@nestjs/common": "11.1.6", "@nestjs/core": "11.1.6", "@nestjs/testing": "11.1.6", - "@peertube/http-signature": "1.7.0", "@sentry/node": "8.55.0", "@sentry/profiling-node": "8.55.0", "@simplewebauthn/server": "12.0.0", diff --git a/packages/backend/src/@types/http-signature.d.ts b/packages/backend/src/@types/http-signature.d.ts deleted file mode 100644 index 75b62e55f0..0000000000 --- a/packages/backend/src/@types/http-signature.d.ts +++ /dev/null 
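Review bot: The backfill in `FollowingIsFollowerSuspendedCopySuspendedState1752410900000.up()` rewrites every row of `following`, although the column was just created with `DEFAULT false` and only rows whose follower is suspended need a change. Adding `AND "user"."isSuspended" = true` to the `WHERE` clause keeps the update and its lock time small on large instances. The empty `down()` would read better with a comment saying it is intentionally a no-op, e.g. `// nothing to revert: the column is dropped by FollowingIsFollowerSuspended1752410859370.down()`.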
@@ -1,82 +0,0 @@ -/* - * SPDX-FileCopyrightText: syuilo and misskey-project - * SPDX-License-Identifier: AGPL-3.0-only - */ - -declare module '@peertube/http-signature' { - import type { IncomingMessage, ClientRequest } from 'node:http'; - - interface ISignature { - keyId: string; - algorithm: string; - headers: string[]; - signature: string; - } - - interface IOptions { - headers?: string[]; - algorithm?: string; - strict?: boolean; - authorizationHeaderName?: string; - } - - interface IParseRequestOptions extends IOptions { - clockSkew?: number; - } - - interface IParsedSignature { - scheme: string; - params: ISignature; - signingString: string; - algorithm: string; - keyId: string; - } - - type RequestSignerConstructorOptions = - IRequestSignerConstructorOptionsFromProperties | - IRequestSignerConstructorOptionsFromFunction; - - interface IRequestSignerConstructorOptionsFromProperties { - keyId: string; - key: string | Buffer; - algorithm?: string; - } - - interface IRequestSignerConstructorOptionsFromFunction { - sign?: (data: string, cb: (err: any, sig: ISignature) => void) => void; - } - - class RequestSigner { - constructor(options: RequestSignerConstructorOptions); - - public writeHeader(header: string, value: string): string; - - public writeDateHeader(): string; - - public writeTarget(method: string, path: string): void; - - public sign(cb: (err: any, authz: string) => void): void; - } - - interface ISignRequestOptions extends IOptions { - keyId: string; - key: string; - httpVersion?: string; - } - - export function parse(request: IncomingMessage, options?: IParseRequestOptions): IParsedSignature; - export function parseRequest(request: IncomingMessage, options?: IParseRequestOptions): IParsedSignature; - - export function sign(request: ClientRequest, options: ISignRequestOptions): boolean; - export function signRequest(request: ClientRequest, options: ISignRequestOptions): boolean; - export function createSigner(): RequestSigner; - export function 
isSigner(obj: any): obj is RequestSigner; - - export function sshKeyToPEM(key: string): string; - export function sshKeyFingerprint(key: string): string; - export function pemToRsaSSHKey(pem: string, comment: string): string; - - export function verify(parsedSignature: IParsedSignature, pubkey: string | Buffer): boolean; - export function verifySignature(parsedSignature: IParsedSignature, pubkey: string | Buffer): boolean; - export function verifyHMAC(parsedSignature: IParsedSignature, secret: string): boolean; -} diff --git a/packages/backend/src/const.ts b/packages/backend/src/const.ts index 1ca0397206..5eabe52a20 100644 --- a/packages/backend/src/const.ts +++ b/packages/backend/src/const.ts @@ -8,6 +8,11 @@ export const MAX_NOTE_TEXT_LENGTH = 3000; export const USER_ONLINE_THRESHOLD = 1000 * 60 * 10; // 10min export const USER_ACTIVE_THRESHOLD = 1000 * 60 * 60 * 24 * 3; // 3days +export const REMOTE_USER_CACHE_TTL = 1000 * 60 * 60 * 3; // 3hours +export const REMOTE_USER_MOVE_COOLDOWN = 1000 * 60 * 60 * 24 * 14; // 14days + +export const REMOTE_SERVER_CACHE_TTL = 1000 * 60 * 60 * 3; // 3hours + export const PER_NOTE_REACTION_USER_PAIR_CACHE_MAX = 16; //#region hard limits diff --git a/packages/backend/src/core/AccountUpdateService.ts b/packages/backend/src/core/AccountUpdateService.ts index 69a57b4854..363a149316 100644 --- a/packages/backend/src/core/AccountUpdateService.ts +++ b/packages/backend/src/core/AccountUpdateService.ts 
@@ -3,39 +3,85 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { Inject, Injectable } from '@nestjs/common'; +import { Inject, Injectable, OnModuleInit } from '@nestjs/common'; +import { ModuleRef } from '@nestjs/core'; import { DI } from '@/di-symbols.js'; import type { UsersRepository } from '@/models/_.js'; -import type { MiUser } from '@/models/User.js'; +import type { MiLocalUser, MiUser } from '@/models/User.js'; import { ApRendererService } from '@/core/activitypub/ApRendererService.js'; import { RelayService } from '@/core/RelayService.js'; import { ApDeliverManagerService } from '@/core/activitypub/ApDeliverManagerService.js'; import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { bindThis } from '@/decorators.js'; +import type { PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; @Injectable() -export class AccountUpdateService { +export class AccountUpdateService implements OnModuleInit { + private apDeliverManagerService: ApDeliverManagerService; constructor( + private moduleRef: ModuleRef, + @Inject(DI.usersRepository) private usersRepository: UsersRepository, private userEntityService: UserEntityService, private apRendererService: ApRendererService, - private apDeliverManagerService: ApDeliverManagerService, private relayService: RelayService, ) { } - @bindThis - public async publishToFollowers(userId: MiUser['id']) { - const user = await this.usersRepository.findOneBy({ id: userId }); - if (user == null) throw new Error('user not found'); + async onModuleInit() { + this.apDeliverManagerService = this.moduleRef.get(ApDeliverManagerService.name); + } - // フォロワーがリモートユーザーかつ投稿者がローカルユーザーならUpdateを配信 + private async createUpdatePersonActivity(user: MiLocalUser) { + return this.apRendererService.addContext( + this.apRendererService.renderUpdate( + await this.apRendererService.renderPerson(user), user + ) + ); + } + + @bindThis + /** + * Deliver account update to followers + * @param userId user id + * 
@param deliverKey optional. Private key to sign the deliver. + */ + public async publishToFollowers(userId: MiUser['id'], deliverKey?: PrivateKeyWithPem) { + const user = await this.usersRepository.findOneBy({ id: userId }); + if (user == null || user.isDeleted) { + // ユーザーが存在しない、または削除されている場合は何もしない + return; + } + + // ローカルユーザーならUpdateを配信 if (this.userEntityService.isLocalUser(user)) { - const content = this.apRendererService.addContext(this.apRendererService.renderUpdate(await this.apRendererService.renderPerson(user), user)); - this.apDeliverManagerService.deliverToFollowers(user, content); - this.relayService.deliverToRelays(user, content); + const content = await this.createUpdatePersonActivity(user); + this.apDeliverManagerService.deliverToFollowers(user, content, deliverKey); + this.relayService.deliverToRelays(user, content, deliverKey); + } + } + + @bindThis + async publishToFollowersAndSharedInboxAndRelays(userId: MiUser['id']) { + const user = await this.usersRepository.findOneBy({ id: userId }); + if (user == null || user.isDeleted) { + // ユーザーが存在しない、または削除されている場合は何もしない + return; + } + + // ローカルユーザーならUpdateを配信 + if (this.userEntityService.isLocalUser(user)) { + const content = await this.createUpdatePersonActivity(user); + const manager = this.apDeliverManagerService.createDeliverManager(user, content); + manager.addAllKnowingSharedInboxRecipe(); + manager.addFollowersRecipe(); + + await Promise.allSettled([ + manager.execute(), + this.relayService.deliverToRelays(user, content), + ]); } } } diff --git a/packages/backend/src/core/FanoutTimelineEndpointService.ts b/packages/backend/src/core/FanoutTimelineEndpointService.ts index 94c5691bf4..69f9634e07 100644 --- a/packages/backend/src/core/FanoutTimelineEndpointService.ts +++ b/packages/backend/src/core/FanoutTimelineEndpointService.ts 
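Review bot: `publishToFollowersAndSharedInboxAndRelays` awaits `Promise.allSettled([...])` and discards the result, so a rejected `manager.execute()` or `deliverToRelays()` disappears without a log line or an error to the caller. Either use `Promise.all` so the rejection propagates, or inspect each result and report those with `status === 'rejected'`. `publishToFollowers` likewise now returns silently where it used to throw `'user not found'`, which callers relying on that error will no longer see. The lookup `this.moduleRef.get(ApDeliverManagerService.name)` resolves the provider by its class-name string; a one-line comment on why the service is resolved lazily in `onModuleInit` (presumably to break a circular dependency) would help, and the `@bindThis` decorator should sit below the JSDoc block rather than above it.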
@@ -149,6 +149,7 @@ export class FanoutTimelineEndpointService { filter = (note) => { if (!ps.ignoreAuthorFromUserSuspension) { if (note.user!.isSuspended) return false; + if (note.user!.isRemoteSuspended) return false; } if (note.userId !== note.renoteUserId && note.renote?.user?.isSuspended) return false; if (note.userId !== note.replyUserId && note.reply?.user?.isSuspended) return false; diff --git a/packages/backend/src/core/FetchInstanceMetadataService.ts b/packages/backend/src/core/FetchInstanceMetadataService.ts index ce3af7c774..5cb3c50b56 100644 --- a/packages/backend/src/core/FetchInstanceMetadataService.ts +++ b/packages/backend/src/core/FetchInstanceMetadataService.ts @@ -15,6 +15,7 @@ import { LoggerService } from '@/core/LoggerService.js'; import { HttpRequestService } from '@/core/HttpRequestService.js'; import { bindThis } from '@/decorators.js'; import { FederatedInstanceService } from '@/core/FederatedInstanceService.js'; +import { REMOTE_SERVER_CACHE_TTL } from '@/const.js'; import type { DOMWindow } from 'jsdom'; type NodeInfo = { @@ -24,6 +25,7 @@ type NodeInfo = { version?: unknown; }; metadata?: { + httpMessageSignaturesImplementationLevel?: unknown, name?: unknown; nodeName?: unknown; nodeDescription?: unknown; @@ -39,6 +41,7 @@ type NodeInfo = { @Injectable() export class FetchInstanceMetadataService { private logger: Logger; + private httpColon = 'https://'; constructor( private httpRequestService: HttpRequestService, @@ -48,6 +51,7 @@ export class FetchInstanceMetadataService { private redisClient: Redis.Redis, ) { this.logger = this.loggerService.getLogger('metadata', 'cyan'); + this.httpColon = process.env.MISSKEY_USE_HTTP?.toLowerCase() === 'true' ? 'http://' : 'https://'; } @bindThis 
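Review bot: The new `isRemoteSuspended` check covers only the note author; the two lines directly below still test only `isSuspended` for `note.renote?.user` and `note.reply?.user`, so a renote of, or reply to, a remotely suspended user still passes the filter. If that is not intended, extend them the same way, e.g. `if (note.userId !== note.renoteUserId && (note.renote?.user?.isSuspended || note.renote?.user?.isRemoteSuspended)) return false;`. The filter closure starts and ends outside this hunk.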
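Review bot: `MISSKEY_USE_HTTP` is read once in the `FetchInstanceMetadataService` constructor with no guard or warning, so a stray environment variable silently downgrades every nodeinfo, HTML, manifest and icon fetch to plain HTTP (the `this.httpColon + instance.host` replacements in the later hunks of this file). Because the nodeinfo response also feeds `httpMessageSignaturesImplementationLevel`, that data should not be fetched over an unauthenticated channel outside tests. Consider logging at startup when the flag is active, e.g. `if (this.httpColon === 'http://') this.logger.warn('MISSKEY_USE_HTTP is set: federation metadata is fetched over plain HTTP');`, or refusing it in production builds. The field initialiser `private httpColon = 'https://'` is redundant with the constructor assignment, and a name such as `urlScheme` would describe the value better.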
@@ -59,7 +63,7 @@ export class FetchInstanceMetadataService { return await this.redisClient.set( `fetchInstanceMetadata:mutex:v2:${host}`, '1', 'EX', 30, // 30秒したら自動でロック解除 https://github.com/misskey-dev/misskey/issues/13506#issuecomment-1975375395 - 'GET' // 古い値を返す(なかったらnull) + 'GET', // 古い値を返す(なかったらnull) ); } @@ -73,23 +77,24 @@ export class FetchInstanceMetadataService { public async fetchInstanceMetadata(instance: MiInstance, force = false): Promise { const host = instance.host; - // finallyでunlockされてしまうのでtry内でロックチェックをしない - // (returnであってもfinallyは実行される) - if (!force && await this.tryLock(host) === '1') { - // 1が返ってきていたらロックされているという意味なので、何もしない - return; + if (!force) { + // キャッシュ有効チェックはロック取得前に行う + const _instance = await this.federatedInstanceService.fetchOrRegister(host); + const now = Date.now(); + if (_instance && _instance.infoUpdatedAt != null && (now - _instance.infoUpdatedAt.getTime() < REMOTE_SERVER_CACHE_TTL)) { + this.logger.debug(`Skip because updated recently ${_instance.infoUpdatedAt.toJSON()}`); + return; + } + + // finallyでunlockされてしまうのでtry内でロックチェックをしない + // (returnであってもfinallyは実行される) + if (await this.tryLock(host) === '1') { + // 1が返ってきていたら他にロックされているという意味なので、何もしない + return; + } } try { - if (!force) { - const _instance = await this.federatedInstanceService.fetchOrRegister(host); - const now = Date.now(); - if (_instance && _instance.infoUpdatedAt && (now - _instance.infoUpdatedAt.getTime() < 1000 * 60 * 60 * 24)) { - // unlock at the finally caluse - return; - } - } - this.logger.info(`Fetching metadata of ${instance.host} ...`); const [info, dom, manifest] = await Promise.all([ 
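Review bot: When `force` is true the rewritten block in `fetchInstanceMetadata` never calls `tryLock`, yet the `try … finally` that follows still unlocks (per the comment kept here; the `finally` body is outside this hunk), so a forced refresh appears to release a mutex held by another worker. Tracking whether this call actually took the lock and unlocking only in that case would avoid two concurrent fetches for the same host. The freshness window also changes from the inline 24 hours to `REMOTE_SERVER_CACHE_TTL` (3 hours per `const.ts`), which multiplies outbound metadata requests; that deserves a line in the commit description if it is deliberate.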
@@ -118,6 +123,14 @@ export class FetchInstanceMetadataService { updates.openRegistrations = info.openRegistrations; updates.maintainerName = info.metadata ? info.metadata.maintainer ? (info.metadata.maintainer.name ?? null) : null : null; updates.maintainerEmail = info.metadata ? info.metadata.maintainer ? (info.metadata.maintainer.email ?? null) : null : null; + if (info.metadata && info.metadata.httpMessageSignaturesImplementationLevel && ( + info.metadata.httpMessageSignaturesImplementationLevel === '01' || + info.metadata.httpMessageSignaturesImplementationLevel === '11' + )) { + updates.httpMessageSignaturesImplementationLevel = info.metadata.httpMessageSignaturesImplementationLevel; + } else { + updates.httpMessageSignaturesImplementationLevel = '00'; + } } if (name) updates.name = name; @@ -129,6 +142,12 @@ export class FetchInstanceMetadataService { await this.federatedInstanceService.update(instance.id, updates); this.logger.succ(`Successfuly updated metadata of ${instance.host}`); + this.logger.debug('Updated metadata:', { + info: !!info, + dom: !!dom, + manifest: !!manifest, + updates, + }); } catch (e) { this.logger.error(`Failed to update metadata of ${instance.host}: ${e}`); } finally { @@ -141,7 +160,7 @@ export class FetchInstanceMetadataService { this.logger.info(`Fetching nodeinfo of ${instance.host} ...`); try { - const wellknown = await this.httpRequestService.getJson('https://' + instance.host + '/.well-known/nodeinfo') + const wellknown = await this.httpRequestService.getJson(this.httpColon + instance.host + '/.well-known/nodeinfo') .catch(err => { if (err.statusCode === 404) { throw new Error('No nodeinfo provided'); @@ -184,7 +203,7 @@ export class FetchInstanceMetadataService { private async fetchDom(instance: MiInstance): Promise { this.logger.info(`Fetching HTML of ${instance.host} ...`); - const url = 'https://' + instance.host; + const url = this.httpColon + instance.host; const html = await this.httpRequestService.getHtml(url); 
@@ -196,7 +215,7 @@ export class FetchInstanceMetadataService { @bindThis private async fetchManifest(instance: MiInstance): Promise | null> { - const url = 'https://' + instance.host; + const url = this.httpColon + instance.host; const manifestUrl = url + '/manifest.json'; @@ -207,7 +226,7 @@ export class FetchInstanceMetadataService { @bindThis private async fetchFaviconUrl(instance: MiInstance, doc: Document | null): Promise { - const url = 'https://' + instance.host; + const url = this.httpColon + instance.host; if (doc) { // https://github.com/misskey-dev/misskey/pull/8220#issuecomment-1025104043 @@ -234,12 +253,12 @@ export class FetchInstanceMetadataService { @bindThis private async fetchIconUrl(instance: MiInstance, doc: Document | null, manifest: Record | null): Promise { if (manifest && manifest.icons && manifest.icons.length > 0 && manifest.icons[0].src) { - const url = 'https://' + instance.host; + const url = this.httpColon + instance.host; return (new URL(manifest.icons[0].src, url)).href; } if (doc) { - const url = 'https://' + instance.host; + const url = this.httpColon + instance.host; // https://github.com/misskey-dev/misskey/pull/8220#issuecomment-1025104043 const links = Array.from(doc.getElementsByTagName('link')).reverse(); diff --git a/packages/backend/src/core/GlobalEventService.ts b/packages/backend/src/core/GlobalEventService.ts index 3215b41c8d..9e16d59157 100644 --- a/packages/backend/src/core/GlobalEventService.ts +++ b/packages/backend/src/core/GlobalEventService.ts 
@@ -225,7 +225,7 @@ type UndefinedAsNullAll = { }; export interface InternalEventTypes { - userChangeSuspendedState: { id: MiUser['id']; isSuspended: MiUser['isSuspended']; }; + userChangeSuspendedState: { id: MiUser['id']; isSuspended: MiUser['isSuspended']; } | { id: MiUser['id']; isRemoteSuspended: MiUser['isRemoteSuspended']; }; userChangeDeletedState: { id: MiUser['id']; isDeleted: MiUser['isDeleted']; }; userTokenRegenerated: { id: MiUser['id']; oldToken: string; newToken: string; }; remoteUserUpdated: { id: MiUser['id']; }; @@ -260,6 +260,7 @@ export interface InternalEventTypes { unmute: { muterId: MiUser['id']; muteeId: MiUser['id']; }; userListMemberAdded: { userListId: MiUserList['id']; memberId: MiUser['id']; }; userListMemberRemoved: { userListId: MiUserList['id']; memberId: MiUser['id']; }; + userKeypairUpdated: { userId: MiUser['id']; }; } type EventTypesToEventPayload = EventUnionFromDictionary>>; diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts index f7973cbb66..5a24430258 100644 --- a/packages/backend/src/core/HttpRequestService.ts +++ b/packages/backend/src/core/HttpRequestService.ts @@ -162,7 +162,7 @@ export class HttpRequestService { this.https = new HttpsRequestServiceAgent(config, agentOption); - const maxSockets = Math.max(256, config.deliverJobConcurrency ?? 128); + const maxSockets = Math.max(256, config.deliverJobConcurrency ?? 16); this.httpAgent = config.proxy ? new HttpProxyAgent({ diff --git a/packages/backend/src/core/NoteCreateService.ts b/packages/backend/src/core/NoteCreateService.ts index 1eefcfa054..e397821bd4 100644 --- a/packages/backend/src/core/NoteCreateService.ts +++ b/packages/backend/src/core/NoteCreateService.ts 
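Review bot: `userChangeSuspendedState` becomes a union of two payload shapes with no discriminant field, so every subscriber has to narrow with `'isSuspended' in body` before it can tell a local suspension from a remote one. Subscribers are not visible in this hunk; any that updates a cached user from this event should be checked so that one flag is not overwritten or left stale by the other variant. A separate event key for the remote case, or an explicit `kind` field on both variants, would make the handling harder to get wrong.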
@@ -549,6 +549,7 @@ export class NoteCreateService implements OnApplicationShutdown { // TODO: キャッシュ this.followingsRepository.findBy({ followeeId: user.id, + isFollowerSuspended: false, notify: 'normal', }).then(async followings => { if (note.visibility !== 'specified') { @@ -854,6 +855,7 @@ export class NoteCreateService implements OnApplicationShutdown { where: { followeeId: user.id, followerHost: IsNull(), + isFollowerSuspended: false, isFollowerHibernated: false, }, select: ['followerId', 'withReplies'], diff --git a/packages/backend/src/core/QueueService.ts b/packages/backend/src/core/QueueService.ts index 2d0e7b5d83..ab0717a8a2 100644 --- a/packages/backend/src/core/QueueService.ts +++ b/packages/backend/src/core/QueueService.ts @@ -15,7 +15,6 @@ import type { Config } from '@/config.js'; import { DI } from '@/di-symbols.js'; import { bindThis } from '@/decorators.js'; import type { Antenna } from '@/server/api/endpoints/i/import-antennas.js'; -import { ApRequestCreator } from '@/core/activitypub/ApRequestService.js'; import { type SystemWebhookPayload } from '@/core/SystemWebhookService.js'; import type { Packed } from '@/misc/json-schema.js'; import { type UserWebhookPayload } from './UserWebhookService.js'; @@ -38,7 +37,7 @@ import type { SystemWebhookDeliverQueue, UserWebhookDeliverQueue, } from './QueueModule.js'; -import type httpSignature from '@peertube/http-signature'; +import { genRFC3230DigestHeader, type PrivateKeyWithPem, type ParsedSignature } from '@misskey-dev/node-http-message-signatures'; import type * as Bull from 'bullmq'; export const QUEUE_TYPES = [ 
@@ -129,21 +128,21 @@ export class QueueService { } @bindThis - public deliver(user: ThinUser, content: IActivity | null, to: string | null, isSharedInbox: boolean) { + public async deliver(user: ThinUser, content: IActivity | null, to: string | null, isSharedInbox: boolean, privateKey?: PrivateKeyWithPem) { if (content == null) return null; if (to == null) return null; const contentBody = JSON.stringify(content); - const digest = ApRequestCreator.createDigest(contentBody); const data: DeliverJobData = { user: { id: user.id, }, content: contentBody, - digest, + digest: await genRFC3230DigestHeader(contentBody, 'SHA-256'), to, isSharedInbox, + privateKey, }; const label = to.replace('https://', '').replace('/inbox', ''); @@ -169,13 +168,16 @@ export class QueueService { * @param user `{ id: string; }` この関数ではThinUserに変換しないので前もって変換してください * @param content IActivity | null * @param inboxes `Map` / key: to (inbox url), value: isSharedInbox (whether it is sharedInbox) + * @param forceMainKey boolean | undefined, force to use main (rsa) key * @returns void */ @bindThis - public async deliverMany(user: ThinUser, content: IActivity | null, inboxes: Map) { + public async deliverMany(user: ThinUser, content: IActivity | null, inboxes: Map, privateKey?: PrivateKeyWithPem) { if (content == null) return null; + inboxes.delete(null as unknown as string); // remove null inboxes + if (inboxes.size === 0) return null; + const contentBody = JSON.stringify(content); - const digest = ApRequestCreator.createDigest(contentBody); const opts = { attempts: this.config.deliverJobMaxAttempts ?? 12, @@ -197,9 +199,9 @@ export class QueueService { data: { user, content: contentBody, - digest, to: d[0], isSharedInbox: d[1], + privateKey, } as DeliverJobData, opts, }))); 
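Review bot: `privateKey` is copied into `DeliverJobData` in `deliver`, and again in the `deliverMany` job payload at `@@ -197,9 +199,9 @@`, so the signing key PEM is serialized into every queued delivery job. Job payloads sit in the queue's backing store and can remain there in retained completed or failed jobs, and they are visible to anything that can inspect the queue, which widens where private key material is readable. Consider queuing only the `keyId` and resolving the key in the deliver processor through `UserKeypairService.getLocalUserPrivateKey`, or confirm that job retention and queue access are restricted to match. The body of `deliver` continues outside the hunk.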
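Review bot: The JSDoc line added at `@@ -169,13 +168,16 @@` documents `@param forceMainKey boolean | undefined`, but the parameter actually added to `deliverMany` is `privateKey?: PrivateKeyWithPem`; the tag should read `@param privateKey PrivateKeyWithPem | undefined, key to sign the delivery with`. `inboxes.delete(null as unknown as string)` mutates the Map owned by the caller, so filtering into a local copy would avoid that side effect. Unlike `deliver`, this path no longer puts `digest` into the job data, so the deliver processor has to compute it for these jobs; that code is not in this file section and is worth confirming.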
@@ -208,7 +210,7 @@ export class QueueService { } @bindThis - public inbox(activity: IActivity, signature: httpSignature.IParsedSignature) { + public inbox(activity: IActivity, signature: ParsedSignature | null) { const data = { activity: activity, signature, diff --git a/packages/backend/src/core/RelayService.ts b/packages/backend/src/core/RelayService.ts index 9120de1f9f..d53a7cf77b 100644 --- a/packages/backend/src/core/RelayService.ts +++ b/packages/backend/src/core/RelayService.ts @@ -15,6 +15,8 @@ import { DI } from '@/di-symbols.js'; import { deepClone } from '@/misc/clone.js'; import { bindThis } from '@/decorators.js'; import { SystemAccountService } from '@/core/SystemAccountService.js'; +import { UserKeypairService } from './UserKeypairService.js'; +import type { PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; @Injectable() export class RelayService { @@ -28,6 +30,7 @@ export class RelayService { private queueService: QueueService, private systemAccountService: SystemAccountService, private apRendererService: ApRendererService, + private userKeypairService: UserKeypairService, ) { this.relaysCache = new MemorySingleCache(1000 * 60 * 10); // 10m } @@ -92,7 +95,7 @@ export class RelayService { } @bindThis - public async deliverToRelays(user: { id: MiUser['id']; host: null; }, activity: any): Promise { + public async deliverToRelays(user: { id: MiUser['id']; host: null; }, activity: any, privateKey?: PrivateKeyWithPem): Promise { if (activity == null) return; const relays = await this.relaysCache.fetch(() => this.relaysRepository.findBy({ 
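Review bot: `inbox` now accepts `signature: ParsedSignature | null`, so a job can be queued for an activity that has no parsed HTTP signature attached. The inbox processor is outside this hunk; it has to treat `null` as unauthenticated and must not reach the code path meant for verified signatures. A comment on the parameter would make the contract explicit, for example `// null: no parsed HTTP signature; the processor must authenticate the activity another way or drop it`, presuming that is the intended meaning of `null` here.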
@@ -102,11 +105,9 @@ export class RelayService { const copy = deepClone(activity); if (!copy.to) copy.to = ['https://www.w3.org/ns/activitystreams#Public']; + privateKey = privateKey ?? await this.userKeypairService.getLocalUserPrivateKeyPem(user.id); + const signed = await this.apRendererService.attachLdSignature(copy, privateKey); - const signed = await this.apRendererService.attachLdSignature(copy, user); - - for (const relay of relays) { - this.queueService.deliver(user, signed, relay.inbox, false); - } + this.queueService.deliverMany(user, signed, new Map(relays.map(({ inbox }) => [inbox, false])), privateKey); } } diff --git a/packages/backend/src/core/RoleService.ts b/packages/backend/src/core/RoleService.ts index 9e1d9cc370..11a5d7a7dc 100644 --- a/packages/backend/src/core/RoleService.ts +++ b/packages/backend/src/core/RoleService.ts @@ -260,7 +260,7 @@ export class RoleService implements OnApplicationShutdown, OnModuleInit { } // サスペンド済みユーザである case 'isSuspended': { - return user.isSuspended; + return this.userEntityService.isSuspendedEither(user); } // 鍵アカウントユーザである case 'isLocked': { diff --git a/packages/backend/src/core/SignupService.ts b/packages/backend/src/core/SignupService.ts index a85da62b86..be852cd3ab 100644 --- a/packages/backend/src/core/SignupService.ts +++ b/packages/backend/src/core/SignupService.ts @@ -3,7 +3,6 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { generateKeyPair } from 'node:crypto'; import { Inject, Injectable } from '@nestjs/common'; import bcrypt from 'bcryptjs'; import { DataSource, IsNull } from 'typeorm'; 
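Review bot: `this.queueService.deliverMany(...)` at the end of `deliverToRelays` is not awaited, so a rejection from the queue becomes an unhandled rejection and the method resolves before anything is enqueued; `await this.queueService.deliverMany(user, signed, new Map(relays.map(({ inbox }) => [inbox, false])), privateKey);` keeps the error with the caller. The same `privateKey` is passed to `attachLdSignature`, whose body is not shown here. If that signer only supports RSA, a caller passing an Ed25519 key would produce a signature that receivers cannot verify, so the parameter should be documented as the main key or checked for key type.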
@@ -19,6 +18,7 @@ import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { bindThis } from '@/decorators.js'; import UsersChart from '@/core/chart/charts/users.js'; import { UtilityService } from '@/core/UtilityService.js'; +import { genRSAAndEd25519KeyPair } from '@/misc/gen-key-pair.js'; import { UserService } from '@/core/UserService.js'; import { SystemAccountService } from '@/core/SystemAccountService.js'; import { MetaService } from '@/core/MetaService.js'; @@ -100,22 +100,7 @@ export class SignupService { } } - const keyPair = await new Promise((res, rej) => - generateKeyPair('rsa', { - modulusLength: 2048, - publicKeyEncoding: { - type: 'spki', - format: 'pem', - }, - privateKeyEncoding: { - type: 'pkcs8', - format: 'pem', - cipher: undefined, - passphrase: undefined, - }, - }, (err, publicKey, privateKey) => - err ? rej(err) : res([publicKey, privateKey]), - )); + const keyPair = await genRSAAndEd25519KeyPair(); let account!: MiUser; @@ -137,9 +122,8 @@ export class SignupService { })); await transactionalEntityManager.save(new MiUserKeypair({ - publicKey: keyPair[0], - privateKey: keyPair[1], userId: account.id, + ...keyPair, })); await transactionalEntityManager.save(new MiUserProfile({ diff --git a/packages/backend/src/core/SystemAccountService.ts b/packages/backend/src/core/SystemAccountService.ts index 53c047dd74..92748c28d5 100644 --- a/packages/backend/src/core/SystemAccountService.ts +++ b/packages/backend/src/core/SystemAccountService.ts @@ -18,7 +18,7 @@ import { DI } from '@/di-symbols.js'; import { bindThis } from '@/decorators.js'; import { generateNativeUserToken } from '@/misc/token.js'; import { IdService } from '@/core/IdService.js'; -import { genRsaKeyPair } from '@/misc/gen-key-pair.js'; +import { genRSAAndEd25519KeyPair } from '@/misc/gen-key-pair.js'; export const SYSTEM_ACCOUNT_TYPES = ['actor', 'relay', 'proxy'] as const; 
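Review bot: `...keyPair` in the `MiUserKeypair` save at `@@ -137,9 +122,8 @@` (and the same pattern in `SystemAccountService` at `@@ -148,9 +148,8 @@`) persists whatever properties `genRSAAndEd25519KeyPair()` returns. Spread properties bypass TypeScript's excess-property check, and because the spread follows `userId`, a same-named property on the helper's result would override it. Naming the fields keeps the stored key material explicit, e.g. `publicKey: keyPair.publicKey, privateKey: keyPair.privateKey, ed25519PublicKey: keyPair.ed25519PublicKey, ed25519PrivateKey: keyPair.ed25519PrivateKey`, assuming those are the helper's property names, which this section does not show. The RSA parameters that were pinned inline here (2048-bit modulus, `spki`/`pkcs8` PEM) now live in `@/misc/gen-key-pair.js` and should be confirmed there.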
@@ -119,7 +119,7 @@ export class SystemAccountService implements OnApplicationShutdown { // Generate secret const secret = generateNativeUserToken(); - const keyPair = await genRsaKeyPair(); + const keyPair = await genRSAAndEd25519KeyPair(); let account!: MiUser; @@ -148,9 +148,8 @@ export class SystemAccountService implements OnApplicationShutdown { }).then(x => transactionalEntityManager.findOneByOrFail(MiUser, x.identifiers[0])); await transactionalEntityManager.insert(MiUserKeypair, { - publicKey: keyPair.publicKey, - privateKey: keyPair.privateKey, userId: account.id, + ...keyPair, }); await transactionalEntityManager.insert(MiUserProfile, { diff --git a/packages/backend/src/core/UserFollowingService.ts b/packages/backend/src/core/UserFollowingService.ts index e7a6be99fb..f5d8222a8e 100644 --- a/packages/backend/src/core/UserFollowingService.ts +++ b/packages/backend/src/core/UserFollowingService.ts @@ -229,9 +229,7 @@ export class UserFollowingService implements OnModuleInit { followee: { id: MiUser['id']; host: MiUser['host']; uri: MiUser['host']; inbox: MiUser['inbox']; sharedInbox: MiUser['sharedInbox'] }, - follower: { - id: MiUser['id']; host: MiUser['host']; uri: MiUser['host']; inbox: MiUser['inbox']; sharedInbox: MiUser['sharedInbox'] - }, + follower: MiUser, silent = false, withReplies?: boolean, ): Promise { @@ -244,6 +242,7 @@ export class UserFollowingService implements OnModuleInit { followerId: follower.id, followeeId: followee.id, withReplies: withReplies, + isFollowerSuspended: follower.isSuspended, // 非正規化 followerHost: follower.host, @@ -734,6 +733,7 @@ export class UserFollowingService implements OnModuleInit { return this.followingsRepository.createQueryBuilder('following') .select('following.followeeId') .where('following.followerId = :followerId', { followerId: userId }) + .andWhere('following.isFollowerSuspended = false') .getMany(); } 
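Review bot: `isFollowerSuspended: follower.isSuspended` at `@@ -244,6 +242,7 @@` copies only the local suspension flag, while the rest of this commit treats a user as suspended when either `isSuspended` or `isRemoteSuspended` is set (`isSuspendedEither` in `RoleService` and in `restoreFollowings`). A following row created for a remotely suspended follower would therefore start with `isFollowerSuspended: false` and pass the new `isFollowerSuspended` filters. `isFollowerSuspended: follower.isSuspended || follower.isRemoteSuspended,` keeps the row consistent with that definition. The enclosing method starts and ends outside the hunk.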
@@ -743,6 +743,7 @@ export class UserFollowingService implements OnModuleInit { where: { followerId, followeeId, + isFollowerSuspended: false, }, }); } diff --git a/packages/backend/src/core/UserKeypairService.ts b/packages/backend/src/core/UserKeypairService.ts index 92d61cd103..fac0e19b3f 100644 --- a/packages/backend/src/core/UserKeypairService.ts +++ b/packages/backend/src/core/UserKeypairService.ts 
@@ -5,41 +5,184 @@ import { Inject, Injectable, OnApplicationShutdown } from '@nestjs/common'; import * as Redis from 'ioredis'; +import { genEd25519KeyPair, importPrivateKey, PrivateKey, PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; import type { MiUser } from '@/models/User.js'; import type { UserKeypairsRepository } from '@/models/_.js'; -import { RedisKVCache } from '@/misc/cache.js'; +import { RedisKVCache, MemoryKVCache } from '@/misc/cache.js'; import type { MiUserKeypair } from '@/models/UserKeypair.js'; import { DI } from '@/di-symbols.js'; import { bindThis } from '@/decorators.js'; +import { GlobalEventService, GlobalEvents } from '@/core/GlobalEventService.js'; +import { UserEntityService } from '@/core/entities/UserEntityService.js'; +import type { webcrypto } from 'node:crypto'; @Injectable() export class UserKeypairService implements OnApplicationShutdown { - private cache: RedisKVCache; + private keypairEntityCache: RedisKVCache; + private privateKeyObjectCache: MemoryKVCache; constructor( @Inject(DI.redis) private redisClient: Redis.Redis, - + @Inject(DI.redisForSub) + private redisForSub: Redis.Redis, @Inject(DI.userKeypairsRepository) private userKeypairsRepository: UserKeypairsRepository, + + private globalEventService: GlobalEventService, + private userEntityService: UserEntityService, ) { - this.cache = new RedisKVCache(this.redisClient, 'userKeypair', { + this.keypairEntityCache = new RedisKVCache(this.redisClient, 'userKeypair', { lifetime: 1000 * 60 * 60 * 24, // 24h memoryCacheLifetime: 1000 * 60 * 60, // 1h fetcher: (key) => this.userKeypairsRepository.findOneByOrFail({ userId: key }), toRedisConverter: (value) => JSON.stringify(value), fromRedisConverter: (value) => JSON.parse(value), }); + this.privateKeyObjectCache = new MemoryKVCache(1000 * 60 * 60 * 1); + + this.redisForSub.on('message', this.onMessage); } @bindThis public async getUserKeypair(userId: MiUser['id']): Promise { - return await 
this.cache.fetch(userId); + return await this.keypairEntityCache.fetch(userId); + } + + /** + * Get private key [Only PrivateKeyWithPem for queue data etc.] + * @param userIdOrHint user id or MiUserKeypair + * @param preferType + * If ed25519-like(`ed25519`, `01`, `11`) is specified, ed25519 keypair will be returned if exists. + * Otherwise, main keypair will be returned. + * @returns + */ + @bindThis + public async getLocalUserPrivateKeyPem( + userIdOrHint: MiUser['id'] | MiUserKeypair, + preferType?: string, + ): Promise { + const keypair = typeof userIdOrHint === 'string' ? await this.getUserKeypair(userIdOrHint) : userIdOrHint; + if ( + preferType && ['01', '11', 'ed25519'].includes(preferType.toLowerCase()) && + keypair.ed25519PublicKey != null && keypair.ed25519PrivateKey != null + ) { + return { + keyId: `${this.userEntityService.genLocalUserUri(keypair.userId)}#ed25519-key`, + privateKeyPem: keypair.ed25519PrivateKey, + }; + } + return { + keyId: `${this.userEntityService.genLocalUserUri(keypair.userId)}#main-key`, + privateKeyPem: keypair.privateKey, + }; + } + + /** + * Get private key [Only PrivateKey for ap request] + * Using cache due to performance reasons of `crypto.subtle.importKey` + * @param userIdOrHint user id, MiUserKeypair, or PrivateKeyWithPem + * @param preferType + * If ed25519-like(`ed25519`, `01`, `11`) is specified, ed25519 keypair will be returned if exists. + * Otherwise, main keypair will be returned. 
(ignored if userIdOrHint is PrivateKeyWithPem) + * @returns + */ + @bindThis + public async getLocalUserPrivateKey( + userIdOrHint: MiUser['id'] | MiUserKeypair | PrivateKeyWithPem, + preferType?: string, + ): Promise { + if (typeof userIdOrHint === 'object' && 'privateKeyPem' in userIdOrHint) { + // userIdOrHint is PrivateKeyWithPem + return { + keyId: userIdOrHint.keyId, + privateKey: await this.privateKeyObjectCache.fetch(userIdOrHint.keyId, async () => { + return await importPrivateKey(userIdOrHint.privateKeyPem); + }), + }; + } + + const userId = typeof userIdOrHint === 'string' ? userIdOrHint : userIdOrHint.userId; + const getKeypair = () => typeof userIdOrHint === 'string' ? this.getUserKeypair(userId) : userIdOrHint; + + if (preferType && ['01', '11', 'ed25519'].includes(preferType.toLowerCase())) { + const keyId = `${this.userEntityService.genLocalUserUri(userId)}#ed25519-key`; + const fetched = await this.privateKeyObjectCache.fetchMaybe(keyId, async () => { + const keypair = await getKeypair(); + if (keypair.ed25519PublicKey != null && keypair.ed25519PrivateKey != null) { + return await importPrivateKey(keypair.ed25519PrivateKey); + } + return; + }); + if (fetched) { + return { + keyId, + privateKey: fetched, + }; + } + } + + const keyId = `${this.userEntityService.genLocalUserUri(userId)}#main-key`; + return { + keyId, + privateKey: await this.privateKeyObjectCache.fetch(keyId, async () => { + const keypair = await getKeypair(); + return await importPrivateKey(keypair.privateKey); + }), + }; } + @bindThis + public async refresh(userId: MiUser['id']): Promise { + return await this.keypairEntityCache.refresh(userId); + } + + /** + * If DB has ed25519 keypair, refresh cache and return it. + * If not, create, save and return ed25519 keypair. 
+ * @param userId user id + * @returns MiUserKeypair if keypair is created, void if keypair is already exists + */ + @bindThis + public async refreshAndPrepareEd25519KeyPair(userId: MiUser['id']): Promise { + await this.refresh(userId); + const keypair = await this.keypairEntityCache.fetch(userId); + if (keypair.ed25519PublicKey != null) { + return; + } + + const ed25519 = await genEd25519KeyPair(); + await this.userKeypairsRepository.update({ userId }, { + ed25519PublicKey: ed25519.publicKey, + ed25519PrivateKey: ed25519.privateKey, + }); + this.globalEventService.publishInternalEvent('userKeypairUpdated', { userId }); + const result = { + ...keypair, + ed25519PublicKey: ed25519.publicKey, + ed25519PrivateKey: ed25519.privateKey, + }; + this.keypairEntityCache.set(userId, result); + return result; + } + + @bindThis + private async onMessage(_: string, data: string): Promise { + const obj = JSON.parse(data); + + if (obj.channel === 'internal') { + const { type, body } = obj.message as GlobalEvents['internal']['payload']; + switch (type) { + case 'userKeypairUpdated': { + this.refresh(body.userId); + break; + } + } + } + } @bindThis public dispose(): void { - this.cache.dispose(); + this.keypairEntityCache.dispose(); } @bindThis diff --git a/packages/backend/src/core/UserSearchService.ts b/packages/backend/src/core/UserSearchService.ts index 4be7bd9bdb..8c243a5368 100644 --- a/packages/backend/src/core/UserSearchService.ts +++ b/packages/backend/src/core/UserSearchService.ts @@ -207,7 +207,7 @@ export class UserSearchService { } } - userQuery.andWhere('user.isSuspended = FALSE'); + userQuery.andWhere('user.isSuspended = FALSE').andWhere('user.isRemoteSuspended = FALSE'); return userQuery; } 
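Review bot: `refreshAndPrepareEd25519KeyPair` checks `keypair.ed25519PublicKey != null` and then updates unconditionally, so two concurrent calls for the same user can each generate a key pair; the later `update` overwrites the earlier one after the first caller has already returned and cached its own copy. Making the write conditional, e.g. `update({ userId, ed25519PublicKey: IsNull() }, { ... })` with `IsNull` from `typeorm` and a re-read when no row was affected, keeps one key pair per user. `dispose()` leaves the `redisForSub` `'message'` listener registered and does not dispose `privateKeyObjectCache`, which holds imported private keys; `ApDbResolverService.dispose()` in this commit calls `this.redisForSub.off('message', this.onMessage)`, and the same line plus `this.privateKeyObjectCache.dispose();` belongs here. In `onMessage`, `this.refresh(body.userId)` is not awaited, so if `refresh` runs the `findOneByOrFail` fetcher, a missing row surfaces as an unhandled rejection.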
@@ -243,7 +243,8 @@ export class UserSearchService { .where('user.updatedAt IS NULL') .orWhere('user.updatedAt > :activeThreshold', { activeThreshold: activeThreshold }); })) - .andWhere('user.isSuspended = FALSE'); + .andWhere('user.isSuspended = FALSE') + .andWhere('user.isRemoteSuspended = FALSE'); if (mutingQuery) { nameQuery.andWhere(`user.id NOT IN (${mutingQuery.getQuery()})`); @@ -286,6 +287,7 @@ export class UserSearchService { .orWhere('user.updatedAt > :activeThreshold', { activeThreshold: activeThreshold }); })) .andWhere('user.isSuspended = FALSE') + .andWhere('user.isRemoteSuspended = FALSE') .setParameters(profQuery.getParameters()); users = users.concat(await userQuery diff --git a/packages/backend/src/core/UserSuspendService.ts b/packages/backend/src/core/UserSuspendService.ts index 7920e58e36..3d109e0a40 100644 --- a/packages/backend/src/core/UserSuspendService.ts +++ b/packages/backend/src/core/UserSuspendService.ts @@ -4,17 +4,14 @@ */ import { Inject, Injectable } from '@nestjs/common'; -import { Not, IsNull } from 'typeorm'; import type { FollowingsRepository, FollowRequestsRepository, UsersRepository } from '@/models/_.js'; -import type { MiUser } from '@/models/User.js'; -import { QueueService } from '@/core/QueueService.js'; +import type { MiRemoteUser, MiUser } from '@/models/User.js'; import { GlobalEventService } from '@/core/GlobalEventService.js'; import { DI } from '@/di-symbols.js'; -import { ApRendererService } from '@/core/activitypub/ApRendererService.js'; import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { bindThis } from '@/decorators.js'; -import { RelationshipJobData } from '@/queue/types.js'; import { ModerationLogService } from '@/core/ModerationLogService.js'; +import { AccountUpdateService } from '@/core/AccountUpdateService.js'; @Injectable() export class UserSuspendService { 
@@ -29,9 +26,8 @@ export class UserSuspendService { private followRequestsRepository: FollowRequestsRepository, private userEntityService: UserEntityService, - private queueService: QueueService, private globalEventService: GlobalEventService, - private apRendererService: ApRendererService, + private accountUpdateService: AccountUpdateService, private moderationLogService: ModerationLogService, ) { } @@ -49,8 +45,20 @@ export class UserSuspendService { }); (async () => { - await this.postSuspend(user).catch(e => {}); - await this.unFollowAll(user).catch(e => {}); + await this.postSuspend(user, false).catch((e: any) => { }); + await this.suspendFollowings(user).catch((e: any) => { }); + })(); + } + + @bindThis + public async suspendFromRemote(user: { id: MiRemoteUser['id']; host: MiRemoteUser['host'] }): Promise { + await this.usersRepository.update(user.id, { + isRemoteSuspended: true, + }); + + (async () => { + await this.postSuspend(user, true).catch((e: any) => { }); + await this.suspendFollowings(user).catch((e: any) => { }); })(); } 
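Review bot: Both follow-up steps in `suspend` and the new `suspendFromRemote` end in `.catch((e: any) => { })`, so a failed `suspendFollowings` leaves the user's following rows at `isFollowerSuspended: false` without any trace; the `unsuspend` / `unsuspendFromRemote` hunk at `@@ -67,13 +75,29 @@` has the same pattern around `restoreFollowings`. The queries added elsewhere in this commit filter on `isFollowerSuspended`, so that flag is what keeps a suspended follower out of them, and a silent failure is an enforcement gap. No logger is visible in this service; if one is injected, a handler such as `.catch(e => this.logger.warn('suspendFollowings failed: ' + e))` would at least record it.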
@@ -67,13 +75,29 @@ export class UserSuspendService { }); (async () => { - await this.postUnsuspend(user).catch(e => {}); + await this.postUnsuspend(user, false).catch((e: any) => { }); + await this.restoreFollowings(user).catch((e: any) => { }); })(); } @bindThis - private async postSuspend(user: { id: MiUser['id']; host: MiUser['host'] }): Promise { - this.globalEventService.publishInternalEvent('userChangeSuspendedState', { id: user.id, isSuspended: true }); + public async unsuspendFromRemote(user: { id: MiRemoteUser['id']; host: MiRemoteUser['host'] }): Promise { + await this.usersRepository.update(user.id, { + isRemoteSuspended: false, + }); + + (async () => { + await this.postUnsuspend(user, true).catch((e: any) => { }); + await this.restoreFollowings(user).catch((e: any) => { }); + })(); + } + + @bindThis + private async postSuspend(user: { id: MiUser['id']; host: MiUser['host'] }, isFromRemote: boolean): Promise { + this.globalEventService.publishInternalEvent( + 'userChangeSuspendedState', + isFromRemote ? { id: user.id, isRemoteSuspended: true } : { id: user.id, isSuspended: true } + ); this.followRequestsRepository.delete({ followeeId: user.id, 
@@ -83,80 +107,55 @@ export class UserSuspendService { }); if (this.userEntityService.isLocalUser(user)) { - // 知り得る全SharedInboxにDelete配信 - const content = this.apRendererService.addContext(this.apRendererService.renderDelete(this.userEntityService.genLocalUserUri(user.id), user)); - - const queue: string[] = []; - - const followings = await this.followingsRepository.find({ - where: [ - { followerSharedInbox: Not(IsNull()) }, - { followeeSharedInbox: Not(IsNull()) }, - ], - select: ['followerSharedInbox', 'followeeSharedInbox'], - }); - - const inboxes = followings.map(x => x.followerSharedInbox ?? x.followeeSharedInbox); - - for (const inbox of inboxes) { - if (inbox != null && !queue.includes(inbox)) queue.push(inbox); - } - - for (const inbox of queue) { - this.queueService.deliver(user, content, inbox, true); - } + this.accountUpdateService.publishToFollowersAndSharedInboxAndRelays(user.id); } } @bindThis - private async postUnsuspend(user: MiUser): Promise { - this.globalEventService.publishInternalEvent('userChangeSuspendedState', { id: user.id, isSuspended: false }); + private async postUnsuspend(user: { id: MiUser['id']; host: MiUser['host'] }, isFromRemote: boolean): Promise { + this.globalEventService.publishInternalEvent( + 'userChangeSuspendedState', + isFromRemote ? { id: user.id, isRemoteSuspended: false } : { id: user.id, isSuspended: false } + ); if (this.userEntityService.isLocalUser(user)) { - // 知り得る全SharedInboxにUndo Delete配信 - const content = this.apRendererService.addContext(this.apRendererService.renderUndo(this.apRendererService.renderDelete(this.userEntityService.genLocalUserUri(user.id), user), user)); - - const queue: string[] = []; - - const followings = await this.followingsRepository.find({ - where: [ - { followerSharedInbox: Not(IsNull()) }, - { followeeSharedInbox: Not(IsNull()) }, - ], - select: ['followerSharedInbox', 'followeeSharedInbox'], - }); - - const inboxes = followings.map(x => x.followerSharedInbox ?? 
x.followeeSharedInbox); - - for (const inbox of inboxes) { - if (inbox != null && !queue.includes(inbox)) queue.push(inbox); - } - - for (const inbox of queue) { - this.queueService.deliver(user as any, content, inbox, true); - } + this.accountUpdateService.publishToFollowersAndSharedInboxAndRelays(user.id); } } @bindThis - private async unFollowAll(follower: MiUser) { - const followings = await this.followingsRepository.find({ - where: { + private async suspendFollowings(follower: { id: MiUser['id'] }) { + await this.followingsRepository.update( + { followerId: follower.id, - followeeId: Not(IsNull()), }, - }); - - const jobs: RelationshipJobData[] = []; - for (const following of followings) { - if (following.followeeId && following.followerId) { - jobs.push({ - from: { id: following.followerId }, - to: { id: following.followeeId }, - silent: true, - }); + { + isFollowerSuspended: true, } + ); + } + + @bindThis + private async restoreFollowings(_follower: { id: MiUser['id'] }) { + // 最新の情報を取得 + const follower = await this.usersRepository.findOneBy({ id: _follower.id }); + if (follower == null) { + // ユーザーが削除されている場合は何もしないでおく + return; } - this.queueService.createUnfollowJob(jobs); + if (this.userEntityService.isSuspendedEither(follower)) { + // フォロー関係を復元しない + return; + } + + // フォロー関係を復元(isFollowerSuspended: false)に変更 + await this.followingsRepository.update( + { + followerId: follower.id, + }, + { + isFollowerSuspended: false, + } + ); } } diff --git a/packages/backend/src/core/WebfingerService.ts b/packages/backend/src/core/WebfingerService.ts index 374536a741..aa1144778c 100644 --- a/packages/backend/src/core/WebfingerService.ts +++ b/packages/backend/src/core/WebfingerService.ts 
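Review bot: `this.accountUpdateService.publishToFollowersAndSharedInboxAndRelays(user.id)` is called without `await` in both `postSuspend` and `postUnsuspend`. If it returns a promise (its definition is not in this hunk), a delivery failure never reaches the caller's `.catch` and the method resolves before the update is queued; `await this.accountUpdateService.publishToFollowersAndSharedInboxAndRelays(user.id);` in both places would fix that. `suspendFollowings` flags only rows where the user is the follower, and the earlier unfollow jobs are removed, so a short comment on the method stating whether rows with the user as followee are meant to stay untouched would help the next reader.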
@@ -46,7 +46,7 @@ export class WebfingerService { const m = query.match(mRegex); if (m) { const hostname = m[2]; - const useHttp = process.env.MISSKEY_WEBFINGER_USE_HTTP && process.env.MISSKEY_WEBFINGER_USE_HTTP.toLowerCase() === 'true'; + const useHttp = process.env.MISSKEY_USE_HTTP && process.env.MISSKEY_USE_HTTP.toLowerCase() === 'true'; return `http${useHttp ? '' : 's'}://${hostname}/.well-known/webfinger?${urlQuery({ resource: `acct:${query}` })}`; } diff --git a/packages/backend/src/core/WebhookTestService.ts b/packages/backend/src/core/WebhookTestService.ts index 6714bda9a9..1f73e5151b 100644 --- a/packages/backend/src/core/WebhookTestService.ts +++ b/packages/backend/src/core/WebhookTestService.ts @@ -44,6 +44,7 @@ function generateDummyUser(override?: Partial): MiUser { avatarDecorations: [], tags: [], isSuspended: false, + isRemoteSuspended: false, isLocked: false, isBot: false, isCat: true, diff --git a/packages/backend/src/core/activitypub/ApDbResolverService.ts b/packages/backend/src/core/activitypub/ApDbResolverService.ts index 5c16744a77..2f1f4e69ff 100644 --- a/packages/backend/src/core/activitypub/ApDbResolverService.ts +++ b/packages/backend/src/core/activitypub/ApDbResolverService.ts @@ -4,8 +4,9 @@ */ import { Inject, Injectable, OnApplicationShutdown } from '@nestjs/common'; +import * as Redis from 'ioredis'; import { DI } from '@/di-symbols.js'; -import type { NotesRepository, UserPublickeysRepository, UsersRepository } from '@/models/_.js'; +import type { MiUser, NotesRepository, UserPublickeysRepository, UsersRepository } from '@/models/_.js'; import type { Config } from '@/config.js'; import { MemoryKVCache } from '@/misc/cache.js'; import type { MiUserPublickey } from '@/models/UserPublickey.js'; 
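Review bot: `MISSKEY_USE_HTTP` switches the WebFinger URL built at `@@ -46,7 +46,7 @@` to plain `http://`, and the rename from `MISSKEY_WEBFINGER_USE_HTTP` gives the flag a name that reads like a general setting. WebFinger responses decide which actor URI an `acct:` handle resolves to, so a cleartext lookup can be altered in transit; the flag appears to exist for the federation test setup and should not take effect in production. Something like `const useHttp = process.env.NODE_ENV !== 'production' && process.env.MISSKEY_USE_HTTP?.toLowerCase() === 'true';` with a comment saying so would contain it. Deployments that set the old variable name now silently fall back to `https`, which belongs in the changelog.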
@@ -14,9 +15,12 @@ import { UtilityService } from '@/core/UtilityService.js'; import type { MiNote } from '@/models/Note.js'; import { bindThis } from '@/decorators.js'; import { MiLocalUser, MiRemoteUser } from '@/models/User.js'; +import Logger from '@/logger.js'; import { getApId } from './type.js'; import { ApPersonService } from './models/ApPersonService.js'; +import { ApLoggerService } from './ApLoggerService.js'; import type { IObject } from './type.js'; +import { GlobalEvents } from '@/core/GlobalEventService.js'; export type UriParseResult = { /** wether the URI was generated by us */ @@ -36,8 +40,8 @@ export type UriParseResult = { @Injectable() export class ApDbResolverService implements OnApplicationShutdown { - private publicKeyCache: MemoryKVCache; - private publicKeyByUserIdCache: MemoryKVCache; + private publicKeyByUserIdCache: MemoryKVCache; + private logger: Logger; constructor( @Inject(DI.config) @@ -52,12 +56,17 @@ export class ApDbResolverService implements OnApplicationShutdown { @Inject(DI.userPublickeysRepository) private userPublickeysRepository: UserPublickeysRepository, + @Inject(DI.redisForSub) + private redisForSub: Redis.Redis, + private cacheService: CacheService, private apPersonService: ApPersonService, + private apLoggerService: ApLoggerService, private utilityService: UtilityService, ) { - this.publicKeyCache = new MemoryKVCache(1000 * 60 * 60 * 12); // 12h - this.publicKeyByUserIdCache = new MemoryKVCache(1000 * 60 * 60 * 12); // 12h + this.publicKeyByUserIdCache = new MemoryKVCache(1000 * 60 * 60 * 12); // 12h + this.logger = this.apLoggerService.logger.createSubLogger('db-resolver'); + this.redisForSub.on('message', this.onMessage); } @bindThis 
@@ -120,63 +129,180 @@ export class ApDbResolverService implements OnApplicationShutdown { } } - /** - * AP KeyId => Misskey User and Key - */ @bindThis - public async getAuthUserFromKeyId(keyId: string): Promise<{ - user: MiRemoteUser; - key: MiUserPublickey; - } | null> { - const key = await this.publicKeyCache.fetch(keyId, async () => { - const key = await this.userPublickeysRepository.findOneBy({ - keyId, - }); - - if (key == null) return null; - - return key; - }, key => key != null); - - if (key == null) return null; - - const user = await this.cacheService.findUserById(key.userId).catch(() => null) as MiRemoteUser | null; - if (user == null) return null; - if (user.isDeleted) return null; - - return { - user, - key, - }; + private async refreshAndFindKey(userId: MiUser['id'], keyId: string): Promise { + this.refreshCacheByUserId(userId); + const keys = await this.getPublicKeyByUserId(userId); + if (keys == null || !Array.isArray(keys) || keys.length === 0) { + this.logger.warn(`No key found (refreshAndFindKey) userId=${userId} keyId=${keyId} keys=${JSON.stringify(keys)}`); + return null; + } + const exactKey = keys.find(x => x.keyId === keyId); + if (exactKey) return exactKey; + this.logger.warn(`No exact key found (refreshAndFindKey) userId=${userId} keyId=${keyId} keys=${JSON.stringify(keys)}`); + return null; } /** * AP Actor id => Misskey User and Key + * @param uri AP Actor id + * @param keyId Key id to find. If not specified, main key will be selected. + * @returns + * 1. `null` if the user and key host do not match + * 2. `{ user: null, key: null }` if the user is not found + * 3. `{ user: MiRemoteUser, key: null }` if key is not found + * 4. 
`{ user: MiRemoteUser, key: MiUserPublickey }` if both are found */ @bindThis - public async getAuthUserFromApId(uri: string): Promise<{ + public async getAuthUserFromApId(uri: string, keyId?: string): Promise<{ user: MiRemoteUser; key: MiUserPublickey | null; - } | null> { - const user = await this.apPersonService.resolvePerson(uri) as MiRemoteUser; - if (user.isDeleted) return null; + } | { + user: null; + key: null; + } | + null> { + if (keyId) { + if (this.utilityService.punyHost(uri) !== this.utilityService.punyHost(keyId)) { + /** + * keyIdはURL形式かつkeyIdのホストはuriのホストと一致するはず + * (ApPersonService.validateActorに由来) + * + * ただ、Mastodonはリプライ関連で他人のトゥートをHTTP Signature署名して送ってくることがある + * そのような署名は有効性に疑問があるので無視することにする + * ここではuriとkeyIdのホストが一致しない場合は無視する + * ハッシュをなくしたkeyIdとuriの同一性を比べてみてもいいが、`uri#*-key`というkeyIdを設定するのが + * 決まりごとというわけでもないため幅を持たせることにする + * + * + * The keyId should be in URL format and its host should match the host of the uri + * (derived from ApPersonService.validateActor) + * + * However, Mastodon sometimes sends toots from other users with HTTP Signature signing for reply-related purposes + * Such signatures are of questionable validity, so we choose to ignore them + * Here, we ignore cases where the hosts of uri and keyId do not match + * We could also compare the equality of keyId without the hash and uri, but since setting a keyId like `uri#*-key` + * is not a strict rule, we decide to allow for some flexibility + */ + this.logger.warn(`getAuthUserFromApId: actor uri and keyId are not matched uri=${uri} keyId=${keyId}`); + return null; + } + } - const key = await this.publicKeyByUserIdCache.fetch( - user.id, - () => this.userPublickeysRepository.findOneBy({ userId: user.id }), + const user = await this.apPersonService.resolvePerson(uri, undefined, true) as MiRemoteUser; + this.logger.debug(`getAuthUserFromApId: User resolved uri=${uri} userId=${user.id} keyId=${keyId}`); + + if (user.isDeleted) { + this.logger.warn(`getAuthUserFromApId: User is deleted 
uri=${uri} userId=${user.id} keyId=${keyId}`); + return { user: null, key: null }; + } + + const keys = await this.getPublicKeyByUserId(user.id); + + if (keys == null || !Array.isArray(keys) || keys.length === 0) { + this.logger.warn(`getAuthUserFromApId: No key found uri=${uri} userId=${user.id} keys=${JSON.stringify(keys)}`); + return { user, key: null }; + } + + if (!keyId) { + // Choose the main-like + const mainKey = keys.find(x => { + try { + const url = new URL(x.keyId); + const path = url.pathname.split('/').pop()?.toLowerCase(); + if (url.hash) { + if (url.hash.toLowerCase().includes('main')) { + return true; + } + } else if (path?.includes('main') || path === 'publickey') { + return true; + } + } catch { /* noop */ } + + return false; + }); + if (mainKey) { + this.logger.debug(`getAuthUserFromApId: keyId not specified, use main key uri=${uri} userId=${user.id} keyId=${mainKey.keyId}`); + return { user, key: mainKey }; + } + this.logger.warn(`getAuthUserFromApId: keyId not specified, No main key found, use the first key of ${keys.length} key(s) uri=${uri} userId=${user.id} key=${keys[0].keyId}`); + return { user, key: keys[0] }; + } + + const exactKey = keys.find(x => x.keyId === keyId); + if (exactKey) { + this.logger.debug(`getAuthUserFromApId: key found uri=${uri} userId=${user.id} keyId=${keyId}`); + return { user, key: exactKey }; + } + + /** + * keyIdで見つからない場合、まずはキャッシュを更新して再取得 + * If not found with keyId, update cache and reacquire + */ + this.logger.debug(`getAuthUserFromApId: key not found, refreshing cache uri=${uri} userId=${user.id} keyId=${keyId}`); + const cacheRaw = this.publicKeyByUserIdCache.getRaw(user.id); + if (cacheRaw && Date.now() - cacheRaw.date > 1000 * 60 * 5) { + this.logger.debug(`getAuthUserFromApId: Cache is old, refreshing user public keys uri=${uri} userId=${user.id} keyId=${keyId}`); + const exactKey = await this.refreshAndFindKey(user.id, keyId); + if (exactKey) return { user, key: exactKey }; + } + + /** + * 
lastFetchedAtでの更新制限を弱めて再取得 + * Reacquisition with weakened update limit at lastFetchedAt + */ + if (user.lastFetchedAt == null || Date.now() - user.lastFetchedAt.getTime() > 1000 * 60 * 5) { + this.logger.info(`getAuthUserFromApId: Renewing remote user uri=${uri} userId=${user.id} keyId=${keyId}`); + const renewed = await this.apPersonService.fetchPersonWithRenewal(uri, 0); + if (renewed == null) { + this.logger.warn(`getAuthUserFromApId: User not found uri=${uri} userId=${user.id} keyId=${keyId}`); + return null; + } else if (renewed.isDeleted) { + this.logger.warn(`getAuthUserFromApId: User is deleted uri=${uri} userId=${user.id} keyId=${keyId}`); + return null; + } + + return { user, key: await this.refreshAndFindKey(user.id, keyId) }; + } + + this.logger.warn(`getAuthUserFromApId: No key found uri=${uri} userId=${user.id} keyId=${keyId}`); + return { user, key: null }; + } + + @bindThis + public async getPublicKeyByUserId(userId: MiUser['id']): Promise { + return await this.publicKeyByUserIdCache.fetch( + userId, + () => this.userPublickeysRepository.find({ where: { userId } }), v => v != null, ); + } - return { - user, - key, - }; + @bindThis + public refreshCacheByUserId(userId: MiUser['id']): void { + this.publicKeyByUserIdCache.delete(userId); + } + + @bindThis + private async onMessage(_: string, data: string): Promise { + const obj = JSON.parse(data); + if (obj.channel === 'internal') { + const { type, body } = obj.message as GlobalEvents['internal']['payload']; + switch (type) { + case 'remoteUserUpdated': { + this.refreshCacheByUserId(body.id); + break; + } + default: + break; + } + } } @bindThis public dispose(): void { - this.publicKeyCache.dispose(); this.publicKeyByUserIdCache.dispose(); + this.redisForSub.off('message', this.onMessage); } @bindThis diff --git a/packages/backend/src/core/activitypub/ApDeliverManagerService.ts b/packages/backend/src/core/activitypub/ApDeliverManagerService.ts index 0140ce9fd6..9a6e7e73ef 100644 
--- a/packages/backend/src/core/activitypub/ApDeliverManagerService.ts +++ b/packages/backend/src/core/activitypub/ApDeliverManagerService.ts @@ -3,16 +3,21 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { Inject, Injectable } from '@nestjs/common'; +import { Inject, Injectable, OnModuleInit } from '@nestjs/common'; import { IsNull, Not } from 'typeorm'; import { DI } from '@/di-symbols.js'; import type { FollowingsRepository } from '@/models/_.js'; import type { MiLocalUser, MiRemoteUser, MiUser } from '@/models/User.js'; import { QueueService } from '@/core/QueueService.js'; -import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { bindThis } from '@/decorators.js'; import type { IActivity } from '@/core/activitypub/type.js'; import { ThinUser } from '@/queue/types.js'; +import { AccountUpdateService } from '@/core/AccountUpdateService.js'; +import type Logger from '@/logger.js'; +import { UserKeypairService } from '../UserKeypairService.js'; +import { ApLoggerService } from './ApLoggerService.js'; +import type { PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; +import { ModuleRef } from '@nestjs/core'; interface IRecipe { type: string; @@ -27,12 +32,19 @@ interface IDirectRecipe extends IRecipe { to: MiRemoteUser; } +interface IAllKnowingSharedInboxRecipe extends IRecipe { + type: 'AllKnowingSharedInbox'; +} + const isFollowers = (recipe: IRecipe): recipe is IFollowersRecipe => recipe.type === 'Followers'; const isDirect = (recipe: IRecipe): recipe is IDirectRecipe => recipe.type === 'Direct'; +const isAllKnowingSharedInbox = (recipe: IRecipe): recipe is IAllKnowingSharedInboxRecipe => + recipe.type === 'AllKnowingSharedInbox'; + class DeliverManager { private actor: ThinUser; private activity: IActivity | null; 
@@ -40,16 +52,18 @@ class DeliverManager { /** * Constructor - * @param userEntityService + * @param userKeypairService * @param followingsRepository * @param queueService * @param actor Actor * @param activity Activity to deliver */ constructor( - private userEntityService: UserEntityService, + private userKeypairService: UserKeypairService, private followingsRepository: FollowingsRepository, private queueService: QueueService, + private accountUpdateService: AccountUpdateService, + private logger: Logger, actor: { id: MiUser['id']; host: null; }, activity: IActivity | null, @@ -91,6 +105,18 @@ class DeliverManager { this.addRecipe(recipe); } + /** + * Add recipe for all-knowing shared inbox deliver + */ + @bindThis + public addAllKnowingSharedInboxRecipe(): void { + const deliver: IAllKnowingSharedInboxRecipe = { + type: 'AllKnowingSharedInbox', + }; + + this.addRecipe(deliver); + } + /** * Add recipe * @param recipe Recipe 
@@ -104,11 +130,46 @@ class DeliverManager { * Execute delivers */ @bindThis - public async execute(): Promise { + public async execute(opts: { privateKey?: PrivateKeyWithPem; ignoreSuspend?: boolean } = {}): Promise { + //#region MIGRATION + if (!opts?.privateKey) { + /** + * ed25519の署名がなければ追加する + */ + const created = await this.userKeypairService.refreshAndPrepareEd25519KeyPair(this.actor.id); + if (created) { + // createdが存在するということは新規作成されたということなので、フォロワーに配信する + this.logger.info(`ed25519 key pair created for user ${this.actor.id} and publishing to followers`); + // リモートに配信 + const keyPair = await this.userKeypairService.getLocalUserPrivateKeyPem(created, 'main'); + await this.accountUpdateService.publishToFollowers(this.actor.id, keyPair); + } + } + //#endregion + + //#region collect inboxes by recipes // The value flags whether it is shared or not. // key: inbox URL, value: whether it is sharedInbox const inboxes = new Map(); + if (this.recipes.some(r => isAllKnowingSharedInbox(r))) { + // all-knowing shared inbox + const followings = await this.followingsRepository.createQueryBuilder('f') + .select([ + 'f.followerSharedInbox', + 'f.followeeSharedInbox', + ]) + .where('f.followerSharedInbox IS NOT NULL') + .orWhere('f.followeeSharedInbox IS NOT NULL') + .distinct() + .getRawMany<{ f_followerSharedInbox: string | null; f_followeeSharedInbox: string | null; }>(); + + for (const following of followings) { + if (following.f_followeeSharedInbox) inboxes.set(following.f_followeeSharedInbox, true); + if (following.f_followerSharedInbox) inboxes.set(following.f_followerSharedInbox, true); + } + } + // build inbox list // Process follower recipes first to avoid duplication when processing direct recipes later. if (this.recipes.some(r => isFollowers(r))) { @@ -119,6 +180,7 @@ class DeliverManager { where: { followeeId: this.actor.id, followerHost: Not(IsNull()), + isFollowerSuspended: opts.ignoreSuspend ? undefined : false, }, select: { followerSharedInbox: true, 
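Review bot: The `//#region MIGRATION` block in `execute()` awaits `refreshAndPrepareEd25519KeyPair` and, when a key was created, `publishToFollowers` before any inbox is collected, so a rejection from either call propagates out of `execute()` and the activity this manager was built for is never queued. If key migration is meant to be best-effort, wrap the block in try/catch and log the failure, as sketched below. The comments inside the block are Japanese only; an English line such as `// Create the ed25519 key pair if the user does not have one yet` would help. `execute()` continues past this hunk.

```typescript
// … unchanged: execute() signature …
if (!opts?.privateKey) {
	try {
		const created = await this.userKeypairService.refreshAndPrepareEd25519KeyPair(this.actor.id);
		if (created) {
			// … unchanged: log, load the main key, publishToFollowers …
		}
	} catch (err) {
		// Key migration is best-effort; the activity itself is still delivered below.
		this.logger.error(`ed25519 key pair migration failed for user ${this.actor.id}`, { err });
	}
}
```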
@@ -142,39 +204,55 @@ class DeliverManager { inboxes.set(recipe.to.inbox, false); } + //#endregion // deliver - await this.queueService.deliverMany(this.actor, this.activity, inboxes); + await this.queueService.deliverMany(this.actor, this.activity, inboxes, opts?.privateKey); + this.logger.info(`Deliver queues dispatched: inboxes=${inboxes.size} actorId=${this.actor.id} activityId=${this.activity?.id}`); } } @Injectable() -export class ApDeliverManagerService { +export class ApDeliverManagerService implements OnModuleInit { + private logger: Logger; + private accountUpdateService: AccountUpdateService; + constructor( + private moduleRef: ModuleRef, + @Inject(DI.followingsRepository) private followingsRepository: FollowingsRepository, - private userEntityService: UserEntityService, + private userKeypairService: UserKeypairService, private queueService: QueueService, + private apLoggerService: ApLoggerService, ) { + this.logger = this.apLoggerService.logger.createSubLogger('deliver-manager'); + } + + async onModuleInit() { + this.accountUpdateService = this.moduleRef.get(AccountUpdateService.name); } /** * Deliver activity to followers * @param actor * @param activity Activity + * @param forceMainKey Force to use main (rsa) key */ @bindThis - public async deliverToFollowers(actor: { id: MiLocalUser['id']; host: null; }, activity: IActivity): Promise { + public async deliverToFollowers(actor: { id: MiLocalUser['id']; host: null; }, activity: IActivity, privateKey?: PrivateKeyWithPem): Promise { const manager = new DeliverManager( - this.userEntityService, + this.userKeypairService, this.followingsRepository, this.queueService, + this.accountUpdateService, + this.logger, actor, activity, ); manager.addFollowersRecipe(); - await manager.execute(); + await manager.execute({ privateKey }); } /** 
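Review bot: The JSDoc added to `deliverToFollowers` documents `@param forceMainKey Force to use main (rsa) key`, but the signature takes `privateKey?: PrivateKeyWithPem` and passes it on as `manager.execute({ privateKey })`. Rename the tag to match, for example `@param privateKey Key to sign the deliveries with; when omitted, execute() runs its key-migration step and no key is passed to deliverMany`. Separately, `accountUpdateService` is assigned in `onModuleInit` rather than in the constructor, so a `DeliverManager` built before module init would receive `undefined`; a short comment on the field saying why it is resolved through `ModuleRef` would document that constraint.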
@@ -186,9 +264,11 @@ export class ApDeliverManagerService { @bindThis public async deliverToUser(actor: { id: MiLocalUser['id']; host: null; }, activity: IActivity, to: MiRemoteUser): Promise { const manager = new DeliverManager( - this.userEntityService, + this.userKeypairService, this.followingsRepository, this.queueService, + this.accountUpdateService, + this.logger, actor, activity, ); @@ -205,9 +285,11 @@ export class ApDeliverManagerService { @bindThis public async deliverToUsers(actor: { id: MiLocalUser['id']; host: null; }, activity: IActivity, targets: MiRemoteUser[]): Promise { const manager = new DeliverManager( - this.userEntityService, + this.userKeypairService, this.followingsRepository, this.queueService, + this.accountUpdateService, + this.logger, actor, activity, ); @@ -218,10 +300,11 @@ export class ApDeliverManagerService { @bindThis public createDeliverManager(actor: { id: MiUser['id']; host: null; }, activity: IActivity | null): DeliverManager { return new DeliverManager( - this.userEntityService, + this.userKeypairService, this.followingsRepository, this.queueService, - + this.accountUpdateService, + this.logger, actor, activity, ); diff --git a/packages/backend/src/core/activitypub/ApInboxService.ts b/packages/backend/src/core/activitypub/ApInboxService.ts index e88f60b806..207e911a62 100644 --- a/packages/backend/src/core/activitypub/ApInboxService.ts +++ b/packages/backend/src/core/activitypub/ApInboxService.ts 
@@ -127,21 +127,13 @@ export class ApInboxService { result = await this.performOneActivity(actor, activity, resolver); } - // ついでにリモートユーザーの情報が古かったら更新しておく - if (actor.uri) { - if (actor.lastFetchedAt == null || Date.now() - actor.lastFetchedAt.getTime() > 1000 * 60 * 60 * 24) { - setImmediate(() => { - // 同一ユーザーの情報を再度処理するので、使用済みのresolverを再利用してはいけない - this.apPersonService.updatePerson(actor.uri); - }); - } - } - return result; + // ついでにリモートユーザーの情報が古かったら更新しておく? + // → No, この関数が呼び出される前に署名検証で更新されているはず } @bindThis public async performOneActivity(actor: MiRemoteUser, activity: IObject, resolver?: Resolver): Promise { - if (actor.isSuspended) return; + // ここでは凍結されているかどうかはチェックせず、各処理で判断する if (isCreate(activity)) { return await this.create(actor, activity, resolver); diff --git a/packages/backend/src/core/activitypub/ApRendererService.ts b/packages/backend/src/core/activitypub/ApRendererService.ts index 55521d6e3a..7bbb044193 100644 --- a/packages/backend/src/core/activitypub/ApRendererService.ts +++ b/packages/backend/src/core/activitypub/ApRendererService.ts @@ -32,6 +32,7 @@ import { JsonLdService } from './JsonLdService.js'; import { ApMfmService } from './ApMfmService.js'; import { CONTEXT } from './misc/contexts.js'; import type { IAccept, IActivity, IAdd, IAnnounce, IApDocument, IApEmoji, IApHashtag, IApImage, IApMention, IBlock, ICreate, IDelete, IFlag, IFollow, IKey, ILike, IMove, IObject, IPost, IQuestion, IReject, IRemove, ITombstone, IUndo, IUpdate } from './type.js'; +import type { PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; @Injectable() export class ApRendererService { 
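Review bot: `performOneActivity` no longer starts with `if (actor.isSuspended) return;`, and the replacement comment says each handler decides, but none of those handlers is in this hunk, so any activity type whose handler lacks its own check is now processed for a suspended actor. Before merging, confirm that every branch (`create` and the others dispatched below) tests `actor.isSuspended`, or keep the early return and exempt only the types that must get through. The comment left after `return result;` in the preceding method sits in an unreachable position and is Japanese only; `// The actor is expected to have been refreshed during signature verification before this is called`, placed above the `return`, would read better. Both method bodies continue outside the hunk.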
@@ -291,15 +292,15 @@ export class ApRendererService { } @bindThis - public renderKey(user: MiLocalUser, key: MiUserKeypair, postfix?: string): IKey { + public renderKey(user: MiLocalUser, publicKey: string, postfix?: string): IKey { return { - id: `${this.config.url}/users/${user.id}${postfix ?? '/publickey'}`, + id: `${this.userEntityService.genLocalUserUri(user.id)}${postfix ?? '/publickey'}`, type: 'Key', owner: this.userEntityService.genLocalUserUri(user.id), - publicKeyPem: createPublicKey(key.publicKey).export({ + publicKeyPem: createPublicKey(publicKey).export({ type: 'spki', format: 'pem', - }), + }) as string, }; } @@ -574,9 +575,13 @@ export class ApRendererService { tag, manuallyApprovesFollowers: user.isLocked, discoverable: user.isExplorable, - publicKey: this.renderKey(user, keypair, '#main-key'), + publicKey: this.renderKey(user, keypair.publicKey, '#main-key'), + additionalPublicKeys: [ + ...(keypair.ed25519PublicKey ? [this.renderKey(user, keypair.ed25519PublicKey, '#ed25519-key')] : []), + ], isCat: user.isCat, attachment: attachment.length ? attachment : undefined, + suspended: user.isSuspended, }; if (user.movedToUri) { @@ -697,12 +702,10 @@ export class ApRendererService { } @bindThis - public async attachLdSignature(activity: any, user: { id: MiUser['id']; host: null; }): Promise { - const keypair = await this.userKeypairService.getUserKeypair(user.id); - + public async attachLdSignature(activity: any, key: PrivateKeyWithPem): Promise { const jsonLd = this.jsonLdService.use(); jsonLd.debug = false; - activity = await jsonLd.signRsaSignature2017(activity, keypair.privateKey, `${this.config.url}/users/${user.id}#main-key`); + activity = await jsonLd.signRsaSignature2017(activity, key.privateKeyPem, key.keyId); return activity; } diff --git a/packages/backend/src/core/activitypub/ApRequestService.ts b/packages/backend/src/core/activitypub/ApRequestService.ts index 61d328ccac..9cdc017365 100644 
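Review bot: `attachLdSignature` now accepts any `PrivateKeyWithPem` but still calls `jsonLd.signRsaSignature2017(activity, key.privateKeyPem, key.keyId)`, so nothing here stops a caller from handing it the `#ed25519-key` that the same commit starts publishing in `additionalPublicKeys`. State the contract in a doc comment, e.g. `/** Signs with RsaSignature2017; key must be the actor's RSA main key. */`, or reject a non-RSA key before signing if `PrivateKeyWithPem` exposes the key type (not visible in this hunk).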
--- a/packages/backend/src/core/activitypub/ApRequestService.ts +++ b/packages/backend/src/core/activitypub/ApRequestService.ts @@ -3,9 +3,9 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import * as crypto from 'node:crypto'; import { URL } from 'node:url'; import { Inject, Injectable } from '@nestjs/common'; +import { genRFC3230DigestHeader, signAsDraftToRequest } from '@misskey-dev/node-http-message-signatures'; import { Window } from 'happy-dom'; import { DI } from '@/di-symbols.js'; import type { Config } from '@/config.js'; 
@@ -17,124 +17,63 @@ import { LoggerService } from '@/core/LoggerService.js'; import { bindThis } from '@/decorators.js'; import type Logger from '@/logger.js'; import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js'; -import { assertActivityMatchesUrl, FetchAllowSoftFailMask as FetchAllowSoftFailMask } from '@/core/activitypub/misc/check-against-url.js'; +import { assertActivityMatchesUrl, FetchAllowSoftFailMask } from '@/core/activitypub/misc/check-against-url.js'; import type { IObject } from './type.js'; +import type { PrivateKeyWithPem, PrivateKey } from '@misskey-dev/node-http-message-signatures'; -type Request = { - url: string; - method: string; - headers: Record; -}; +export async function createSignedPost(args: { level: string; key: PrivateKey; url: string; body: string; digest?: string, additionalHeaders: Record }) { + const u = new URL(args.url); + const request = { + url: u.href, + method: 'POST', + headers: { + 'Date': new Date().toUTCString(), + 'Host': u.host, + 'Content-Type': 'application/activity+json', + ...args.additionalHeaders, + } as Record, + }; -type Signed = { - request: Request; - signingString: string; - signature: string; - signatureHeader: string; -}; + // TODO: httpMessageSignaturesImplementationLevelによって新規格で通信をするようにする + const digestHeader = args.digest ?? await genRFC3230DigestHeader(args.body, 'SHA-256'); + request.headers['Digest'] = digestHeader; -type PrivateKey = { - privateKeyPem: string; - keyId: string; -}; + const result = await signAsDraftToRequest( + request, + args.key, + ['(request-target)', 'date', 'host', 'digest'], + ); -export class ApRequestCreator { - static createSignedPost(args: { key: PrivateKey, url: string, body: string, digest?: string, additionalHeaders: Record }): Signed { - const u = new URL(args.url); - const digestHeader = args.digest ?? 
this.createDigest(args.body); + return { + request, + ...result, + }; +} - const request: Request = { - url: u.href, - method: 'POST', - headers: this.#objectAssignWithLcKey({ - 'Date': new Date().toUTCString(), - 'Host': u.host, - 'Content-Type': 'application/activity+json', - 'Digest': digestHeader, - }, args.additionalHeaders), - }; +export async function createSignedGet(args: { level: string; key: PrivateKey; url: string; additionalHeaders: Record }) { + const u = new URL(args.url); + const request = { + url: u.href, + method: 'GET', + headers: { + 'Accept': 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"', + 'Date': new Date().toUTCString(), + 'Host': new URL(args.url).host, + ...args.additionalHeaders, + } as Record, + }; - const result = this.#signToRequest(request, args.key, ['(request-target)', 'date', 'host', 'digest']); + // TODO: httpMessageSignaturesImplementationLevelによって新規格で通信をするようにする + const result = await signAsDraftToRequest( + request, + args.key, + ['(request-target)', 'date', 'host', 'accept'], + ); - return { - request, - signingString: result.signingString, - signature: result.signature, - signatureHeader: result.signatureHeader, - }; - } - - static createDigest(body: string) { - return `SHA-256=${crypto.createHash('sha256').update(body).digest('base64')}`; - } - - static createSignedGet(args: { key: PrivateKey, url: string, additionalHeaders: Record }): Signed { - const u = new URL(args.url); - - const request: Request = { - url: u.href, - method: 'GET', - headers: this.#objectAssignWithLcKey({ - 'Accept': 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"', - 'Date': new Date().toUTCString(), - 'Host': new URL(args.url).host, - }, args.additionalHeaders), - }; - - const result = this.#signToRequest(request, args.key, ['(request-target)', 'date', 'host', 'accept']); - - return { - request, - signingString: result.signingString, - signature: 
result.signature, - signatureHeader: result.signatureHeader, - }; - } - - static #signToRequest(request: Request, key: PrivateKey, includeHeaders: string[]): Signed { - const signingString = this.#genSigningString(request, includeHeaders); - const signature = crypto.sign('sha256', Buffer.from(signingString), key.privateKeyPem).toString('base64'); - const signatureHeader = `keyId="${key.keyId}",algorithm="rsa-sha256",headers="${includeHeaders.join(' ')}",signature="${signature}"`; - - request.headers = this.#objectAssignWithLcKey(request.headers, { - Signature: signatureHeader, - }); - // node-fetch will generate this for us. if we keep 'Host', it won't change with redirects! - delete request.headers['host']; - - return { - request, - signingString, - signature, - signatureHeader, - }; - } - - static #genSigningString(request: Request, includeHeaders: string[]): string { - request.headers = this.#lcObjectKey(request.headers); - - const results: string[] = []; - - for (const key of includeHeaders.map(x => x.toLowerCase())) { - if (key === '(request-target)') { - results.push(`(request-target): ${request.method.toLowerCase()} ${new URL(request.url).pathname}`); - } else { - results.push(`${key}: ${request.headers[key]}`); - } - } - - return results.join('\n'); - } - - static #lcObjectKey(src: Record): Record { - const dst: Record = {}; - for (const key of Object.keys(src).filter(x => x !== '__proto__' && typeof src[x] === 'string')) dst[key.toLowerCase()] = src[key]; - return dst; - } - - static #objectAssignWithLcKey(a: Record, b: Record): Record { - return Object.assign(this.#lcObjectKey(a), this.#lcObjectKey(b)); - } + return { + request, + ...result, + }; } @Injectable() 
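Review bot: `createSignedPost` and `createSignedGet` spread `args.additionalHeaders` into the header object as given, whereas the removed `#objectAssignWithLcKey` lower-cased every name and dropped `__proto__` and non-string values first. A caller that passes `host`, `date` or `digest` in a different case would now leave two entries for one header, and which of them `signAsDraftToRequest` signs and which is sent is not visible here. Either document that `additionalHeaders` must not contain the signed headers, or normalise the names before the spread. The `level` argument is accepted by both functions but unused until the TODO is resolved, which is worth saying next to the Japanese-only TODO: `// TODO: pick the new signature standard according to httpMessageSignaturesImplementationLevel; always draft for now`.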
@@ -155,21 +94,28 @@ export class ApRequestService { } @bindThis - public async signedPost(user: { id: MiUser['id'] }, url: string, object: unknown, digest?: string): Promise { + public async signedPost(user: { id: MiUser['id'] }, url: string, object: unknown, level: string, digest?: string, key?: PrivateKeyWithPem): Promise { const body = typeof object === 'string' ? object : JSON.stringify(object); - - const keypair = await this.userKeypairService.getUserKeypair(user.id); - - const req = ApRequestCreator.createSignedPost({ - key: { - privateKeyPem: keypair.privateKey, - keyId: `${this.config.url}/users/${user.id}#main-key`, - }, + const keyFetched = await this.userKeypairService.getLocalUserPrivateKey(key ?? user.id, level); + const req = await createSignedPost({ + level, + key: keyFetched, url, body, - digest, additionalHeaders: { + 'User-Agent': this.config.userAgent, }, + digest, + }); + + // node-fetch will generate this for us. if we keep 'Host', it won't change with redirects! + delete req.request.headers['Host']; + + this.logger.debug('create signed post', { + version: 'draft', + level, + url, + keyId: keyFetched.keyId, }); await this.httpRequestService.send(url, { 
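Review bot: `signedPost` inserts the required `level: string` ahead of the existing optional `digest?: string`, and because both are strings a call site still written as `signedPost(user, url, object, digest)` with a plain string digest type-checks and silently passes the digest as the level. Callers are outside this hunk, so check each one, or append new parameters after `digest`, or take an options object. `signedGet` in the next hunk has the related wart of a required `level` following the defaulted `allowSoftfail`, which forces every caller to spell out `allowSoftfail`.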
@@ -185,20 +131,29 @@ export class ApRequestService { * @param url URL to fetch */ @bindThis - public async signedGet(url: string, user: { id: MiUser['id'] }, allowSoftfail: FetchAllowSoftFailMask = FetchAllowSoftFailMask.Strict, followAlternate?: boolean): Promise { + public async signedGet(url: string, user: { id: MiUser['id'] }, allowSoftfail: FetchAllowSoftFailMask = FetchAllowSoftFailMask.Strict, level: string, followAlternate?: boolean): Promise { const _followAlternate = followAlternate ?? true; - const keypair = await this.userKeypairService.getUserKeypair(user.id); - const req = ApRequestCreator.createSignedGet({ - key: { - privateKeyPem: keypair.privateKey, - keyId: `${this.config.url}/users/${user.id}#main-key`, - }, + const key = await this.userKeypairService.getLocalUserPrivateKey(user.id, level); + const req = await createSignedGet({ + level, + key, url, additionalHeaders: { + 'User-Agent': this.config.userAgent, }, }); + // node-fetch will generate this for us. if we keep 'Host', it won't change with redirects! + delete req.request.headers['Host']; + + this.logger.debug('create signed get', { + version: 'draft', + level, + url, + keyId: key.keyId, + }); + const res = await this.httpRequestService.send(url, { method: req.request.method, headers: req.request.headers, @@ -243,7 +198,7 @@ export class ApRequestService { if (alternate) { const href = alternate.getAttribute('href'); if (href && this.utilityService.punyHost(url) === this.utilityService.punyHost(href)) { - return await this.signedGet(href, user, allowSoftfail, false); + return await this.signedGet(href, user, allowSoftfail, level, false); } } } catch (e) { diff --git a/packages/backend/src/core/activitypub/ApResolverService.ts b/packages/backend/src/core/activitypub/ApResolverService.ts index 646150455b..37162d71ff 100644 --- a/packages/backend/src/core/activitypub/ApResolverService.ts +++ b/packages/backend/src/core/activitypub/ApResolverService.ts 
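Review bot: `delete req.request.headers['Host']` only removes the header if the key is still spelled `Host` after `signAsDraftToRequest` has run; the removed `#signToRequest` lower-cased all names and deleted `host`. Whether the library rewrites header names is not visible in this diff, so confirm it, since a leftover Host header stays fixed across redirects, as the retained comment warns. The same line in `signedPost` (previous hunk) needs the same check.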
@@ -16,6 +16,7 @@ import { LoggerService } from '@/core/LoggerService.js'; import type Logger from '@/logger.js'; import { SystemAccountService } from '@/core/SystemAccountService.js'; import { IdentifiableError } from '@/misc/identifiable-error.js'; +import { FederatedInstanceService } from '@/core/FederatedInstanceService.js'; import { isCollectionOrOrderedCollection } from './type.js'; import { ApDbResolverService } from './ApDbResolverService.js'; import { ApRendererService } from './ApRendererService.js'; @@ -42,6 +43,7 @@ export class Resolver { private httpRequestService: HttpRequestService, private apRendererService: ApRendererService, private apDbResolverService: ApDbResolverService, + private federatedInstanceService: FederatedInstanceService, private loggerService: LoggerService, private recursionLimit = 256, ) { @@ -108,8 +110,10 @@ export class Resolver { this.user = await this.systemAccountService.fetch('actor'); } + const server = await this.federatedInstanceService.fetch(host); + const object = (this.user - ? await this.apRequestService.signedGet(value, this.user, allowSoftfail) as IObject + ? await this.apRequestService.signedGet(value, this.user, allowSoftfail, server?.httpMessageSignaturesImplementationLevel ?? '00') as IObject : await this.httpRequestService.getActivityJson(value, undefined, allowSoftfail)) as IObject; if ( @@ -207,6 +211,7 @@ export class ApResolverService { private httpRequestService: HttpRequestService, private apRendererService: ApRendererService, private apDbResolverService: ApDbResolverService, + private federatedInstanceService: FederatedInstanceService, private loggerService: LoggerService, ) { } @@ -227,6 +232,7 @@ export class ApResolverService { this.httpRequestService, this.apRendererService, this.apDbResolverService, + this.federatedInstanceService, this.loggerService, ); } 
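Review bot: `federatedInstanceService.fetch(host)` is awaited before the `this.user ? … : …` choice, so the unsigned `getActivityJson` branch pays for an instance lookup whose result it never uses; moving the lookup into the signed branch avoids that. The fallback `'00'` is a bare literal whose meaning is not explained here; a named constant or a comment such as `// '00': peer has not advertised a newer HTTP Message Signatures level, sign with draft` would help, if that is what it means. The enclosing method starts and ends outside this hunk.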
diff --git a/packages/backend/src/core/activitypub/misc/contexts.ts b/packages/backend/src/core/activitypub/misc/contexts.ts index 6611e4b7f9..13996e2cc2 100644 --- a/packages/backend/src/core/activitypub/misc/contexts.ts +++ b/packages/backend/src/core/activitypub/misc/contexts.ts @@ -134,6 +134,7 @@ const security_v1 = { 'privateKey': { '@id': 'sec:privateKey', '@type': '@id' }, 'privateKeyPem': 'sec:privateKeyPem', 'publicKey': { '@id': 'sec:publicKey', '@type': '@id' }, + 'additionalPublicKeys': { '@id': 'sec:publicKey', '@type': '@id' }, 'publicKeyBase58': 'sec:publicKeyBase58', 'publicKeyPem': 'sec:publicKeyPem', 'publicKeyWif': 'sec:publicKeyWif', @@ -543,6 +544,7 @@ const extension_context_definition = { Emoji: 'toot:Emoji', featured: 'toot:featured', discoverable: 'toot:discoverable', + suspended: 'toot:suspended', // schema schema: 'http://schema.org#', PropertyValue: 'schema:PropertyValue', diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts index e52078ed0f..77d62dc54f 100644 --- a/packages/backend/src/core/activitypub/models/ApPersonService.ts +++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts @@ -3,9 +3,10 @@ * SPDX-License-Identifier: AGPL-3.0-only */ +import { verify } from 'crypto'; import { Inject, Injectable } from '@nestjs/common'; import promiseLimit from 'promise-limit'; -import { DataSource } from 'typeorm'; +import { DataSource, In, Not } from 'typeorm'; import { ModuleRef } from '@nestjs/core'; import { DI } from '@/di-symbols.js'; import type { FollowingsRepository, InstancesRepository, MiMeta, UserProfilesRepository, UserPublickeysRepository, UsersRepository } from '@/models/_.js'; 
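Review bot: `additionalPublicKeys` is added to `security_v1` with `'@id': 'sec:publicKey'`, the same IRI as `publicKey`, so after JSON-LD expansion the two terms are indistinguishable. If `security_v1` is the local copy of the published security context used for `signRsaSignature2017` canonicalisation, a peer using the unmodified context will expand the same document differently and the linked-data signature may not verify on objects that carry the new property. Consider defining the term in `extension_context_definition` (where `suspended` is added in the next hunk) under its own IRI and leaving `security_v1` untouched.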
@@ -38,6 +39,8 @@ import { RoleService } from '@/core/RoleService.js'; import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.js'; import type { AccountMoveService } from '@/core/AccountMoveService.js'; import { checkHttps } from '@/misc/check-https.js'; +import { REMOTE_USER_CACHE_TTL, REMOTE_USER_MOVE_COOLDOWN } from '@/const.js'; +import { UserSuspendService } from '@/core/UserSuspendService.js'; import { getApId, getApType, getOneApHrefNullable, isActor, isCollection, isCollectionOrOrderedCollection, isPropertyValue } from '../type.js'; import { extractApHashtags } from './tag.js'; import type { OnModuleInit } from '@nestjs/common'; @@ -47,7 +50,7 @@ import type { ApResolverService, Resolver } from '../ApResolverService.js'; import type { ApLoggerService } from '../ApLoggerService.js'; import type { ApImageService } from './ApImageService.js'; -import type { IActor, ICollection, IObject, IOrderedCollection } from '../type.js'; +import type { IActor, IKey, IObject, ICollection, IOrderedCollection } from '../type.js'; const nameLength = 128; const summaryLength = 2048; @@ -74,6 +77,7 @@ export class ApPersonService implements OnModuleInit { private instanceChart: InstanceChart; private apLoggerService: ApLoggerService; private accountMoveService: AccountMoveService; + private userSuspendService: UserSuspendService; private logger: Logger; constructor( @@ -126,6 +130,7 @@ export class ApPersonService implements OnModuleInit { this.instanceChart = this.moduleRef.get('InstanceChart'); this.apLoggerService = this.moduleRef.get('ApLoggerService'); this.accountMoveService = this.moduleRef.get('AccountMoveService'); + this.userSuspendService = this.moduleRef.get('UserSuspendService'); this.logger = this.apLoggerService.logger; } 
@@ -209,13 +214,38 @@ export class ApPersonService implements OnModuleInit { } if (x.publicKey) { - if (typeof x.publicKey.id !== 'string') { - throw new Error('invalid Actor: publicKey.id is not a string'); + const publicKeys = Array.isArray(x.publicKey) ? x.publicKey : [x.publicKey]; + + for (const publicKey of publicKeys) { + if (typeof publicKey.id !== 'string') { + throw new Error('invalid Actor: publicKey.id is not a string'); + } + + const publicKeyIdHost = this.utilityService.punyHost(publicKey.id); + if (publicKeyIdHost !== expectHost) { + throw new Error('invalid Actor: publicKey.id has different host'); + } + } + } + + if (x.additionalPublicKeys) { + if (!x.publicKey) { + throw new Error('invalid Actor: additionalPublicKeys is set but publicKey is not'); } - const publicKeyIdHost = this.utilityService.punyHost(x.publicKey.id); - if (publicKeyIdHost !== expectHost) { - throw new Error('invalid Actor: publicKey.id has different host'); + if (!Array.isArray(x.additionalPublicKeys)) { + throw new Error('invalid Actor: additionalPublicKeys is not an array'); + } + + for (const key of x.additionalPublicKeys) { + if (typeof key.id !== 'string') { + throw new Error('invalid Actor: additionalPublicKeys.id is not a string'); + } + + const keyIdHost = this.utilityService.punyHost(key.id); + if (keyIdHost !== expectHost) { + throw new Error('invalid Actor: additionalPublicKeys.id has different host'); + } } } 
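Review bot: The new loops in `validateActor` check only that each key's `id` is a string on the expected host; `publicKeyPem` is never type-checked and `owner` is not compared with the actor, yet later hunks persist `key.publicKeyPem` for every entry. A key id that belongs to a different actor on the same host therefore passes, and `additionalPublicKeys` has no upper bound, so one actor document can create an arbitrary number of key rows. Add `if (typeof key.publicKeyPem !== 'string') throw new Error('invalid Actor: additionalPublicKeys.publicKeyPem is not a string');` (and the equivalent for `publicKey`), and consider a length cap and an `owner` check. `validateActor` starts and ends outside the hunk.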
@@ -252,6 +282,33 @@ export class ApPersonService implements OnModuleInit { return null; } + /** + * uriからUser(Person)をフェッチします。 + * + * Misskeyに対象のPersonが登録されていればそれを返し、登録がなければnullを返します。 + * また、TTLが0でない場合、TTLを過ぎていた場合はupdatePersonを実行します。 + */ + @bindThis + async fetchPersonWithRenewal(uri: string, TTL = REMOTE_USER_CACHE_TTL): Promise { + const exist = await this.fetchPerson(uri); + if (exist == null) return null; + + if (this.userEntityService.isRemoteUser(exist)) { + if (TTL === 0 || exist.lastFetchedAt == null || Date.now() - exist.lastFetchedAt.getTime() > TTL) { + this.logger.debug('fetchPersonWithRenewal: renew', { uri, TTL, lastFetchedAt: exist.lastFetchedAt }); + try { + await this.updatePerson(exist.uri); + return await this.fetchPerson(uri); + } catch (err) { + this.logger.error('error occurred while renewing user', { err }); + } + } + this.logger.debug('fetchPersonWithRenewal: use cache', { uri, TTL, lastFetchedAt: exist.lastFetchedAt }); + } + + return exist; + } + private async resolveAvatarAndBanner(user: MiRemoteUser, icon: any, image: any): Promise>> { if (user == null) throw new Error('failed to create user: user is null'); @@ -333,7 +390,7 @@ export class ApPersonService implements OnModuleInit { .then(isPublic => isPublic ? 'public' : 'private') .catch(err => { if (!(err instanceof StatusError) || err.isRetryable) { - this.logger.error('error occurred while fetching following/followers collection', { stack: err }); + this.logger.error('Create the Person: error occurred while fetching following/followers collection', { stack: err }); } return 'private'; }), 
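Review bot: The doc comment on `fetchPersonWithRenewal` does not say that `TTL === 0` forces a renewal on every call, nor that a failed `updatePerson` is swallowed and the stale record is returned. Both matter to the signature-verification caller that passes `0` to pick up rotated keys, because it cannot tell a refreshed actor from a stale one. Document it in English, e.g. `TTL = 0 always renews; on renewal failure the error is logged and the cached user is returned`, and move the `use cache` debug log into an `else` so it is not emitted right after a failed renewal.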
@@ -359,7 +416,7 @@ export class ApPersonService implements OnModuleInit { const emojis = await this.apNoteService.extractEmojis(person.tag ?? [], host) .then(_emojis => _emojis.map(emoji => emoji.name)) .catch(err => { - this.logger.error('error occurred while fetching user emojis', { stack: err }); + this.logger.error('Create the Person: error occurred while fetching user emojis', { stack: err }); return []; }); //#endregion @@ -393,6 +450,7 @@ export class ApPersonService implements OnModuleInit { makeNotesFollowersOnlyBefore: (person as any).makeNotesFollowersOnlyBefore ?? null, makeNotesHiddenBefore: (person as any).makeNotesHiddenBefore ?? null, emojis, + isRemoteSuspended: person.suspended === true, })) as MiRemoteUser; let _description: string | null = null; @@ -417,11 +475,16 @@ export class ApPersonService implements OnModuleInit { })); if (person.publicKey) { - await transactionalEntityManager.save(new MiUserPublickey({ - userId: user.id, - keyId: person.publicKey.id, - keyPem: person.publicKey.publicKeyPem, - })); + const publicKeys = new Map(); + (person.additionalPublicKeys ?? []).forEach(key => publicKeys.set(key.id, key)); + (Array.isArray(person.publicKey) ? person.publicKey : [person.publicKey]).forEach(key => publicKeys.set(key.id, key)); + + this.logger.debug(`Create the Person: Saving public keys for user ${user.id}`, { keyIds: Array.from(publicKeys.keys()) }); + await transactionalEntityManager.save(Array.from(publicKeys.values(), key => new MiUserPublickey({ + keyId: key.id, + userId: user!.id, + keyPem: key.publicKeyPem, + }))); } }); } catch (e) { 
@@ -429,7 +492,10 @@ export class ApPersonService implements OnModuleInit { if (isDuplicateKeyValueError(e)) { // /users/@a => /users/:id のように入力がaliasなときにエラーになることがあるのを対応 const u = await this.usersRepository.findOneBy({ uri: person.id }); - if (u == null) throw new Error('already registered'); + if (u == null) { + this.logger.error('Create the Person: duplicate key error', { stack: e }); + throw new Error('already registered'); + } user = u as MiRemoteUser; } else { @@ -570,6 +636,7 @@ export class ApPersonService implements OnModuleInit { movedToUri: person.movedTo ?? null, alsoKnownAs: person.alsoKnownAs ?? null, isExplorable: person.discoverable, + isRemoteSuspended: person.suspended === true, ...(await this.resolveAvatarAndBanner(exist, person.icon, person.image).catch(() => ({}))), } as Partial & Pick; 
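Review bot: `isRemoteSuspended: person.suspended === true` stores `false` whenever the actor document omits `suspended`, but the unsuspend branch added in the `-598` hunk runs only for `person.suspended === false`. If a remote server simply drops the property once the account is reinstated, the column goes back to `false` without `unsuspendFromRemote` ever being called, so whatever that call reverses (not visible here) stays in the suspended state. Writing the unsuspend condition as `exist.isRemoteSuspended === true && person.suspended !== true` keeps the stored flag and the side effect in step. The object literal this line belongs to starts outside the hunk.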
@@ -598,11 +665,42 @@ export class ApPersonService implements OnModuleInit { return 'skip'; } - if (person.publicKey) { - await this.userPublickeysRepository.update({ userId: exist.id }, { - keyId: person.publicKey.id, - keyPem: person.publicKey.publicKeyPem, + //#region suspend + if (exist.isRemoteSuspended === false && person.suspended === true) { + // リモートサーバーでアカウントが凍結された + this.logger.info(`Remote User Suspended: acct=${exist.username}@${exist.host} id=${exist.id} uri=${exist.uri}`); + this.userSuspendService.suspendFromRemote({ id: exist.id, host: exist.host }); + } + if (exist.isRemoteSuspended === true && person.suspended === false) { + // リモートサーバーでアカウントが解凍された + this.logger.info(`Remote User Unsuspended: acct=${exist.username}@${exist.host} id=${exist.id} uri=${exist.uri}`); + this.userSuspendService.unsuspendFromRemote({ id: exist.id, host: exist.host }); + } + //#endregion + + try { + // Deleteアクティビティ受信時にもここが走ってsaveがuserforeign key制約エラーを吐くことがある + // とりあえずtry-catchで囲っておく + const publicKeys = new Map(); + if (person.publicKey) { + (person.additionalPublicKeys ?? []).forEach(key => publicKeys.set(key.id, key)); + (Array.isArray(person.publicKey) ? person.publicKey : [person.publicKey]).forEach(key => publicKeys.set(key.id, key)); + + await this.userPublickeysRepository.save(Array.from(publicKeys.values(), key => ({ + keyId: key.id, + userId: exist.id, + keyPem: key.publicKeyPem, + }))); + } + + this.userPublickeysRepository.delete({ + keyId: Not(In(Array.from(publicKeys.keys()))), + userId: exist.id, + }).catch(err => { + this.logger.error('something happened while deleting remote user public keys:', { userId: exist.id, err }); }); + } catch (err) { + this.logger.error('something happened while updating remote user public keys:', { userId: exist.id, err }); } let _description: string | null = null; 
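Review bot: The `userPublickeysRepository.delete(...)` that removes keys the actor no longer lists is not awaited and its failure is only logged, and the surrounding `try`/`catch` also swallows a failed `save`, so the update continues with whatever keys were stored before. A key the remote server has withdrawn can therefore remain in `user_publickey` after an update that reported no error to its caller. Consider `await`ing the delete, running it with the save in one transaction, and narrowing the `catch` to the foreign-key error the comment describes. The two `userSuspendService` calls above are not awaited either; if they return promises, a rejection there goes unhandled.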
@@ -647,7 +745,7 @@ export class ApPersonService implements OnModuleInit { exist.movedAt == null || // 以前のmovingから14日以上経過した場合のみ移行処理を許可 // (Mastodonのクールダウン期間は30日だが若干緩めに設定しておく) - exist.movedAt.getTime() + 1000 * 60 * 60 * 24 * 14 < updated.movedAt.getTime() + exist.movedAt.getTime() + REMOTE_USER_MOVE_COOLDOWN < updated.movedAt.getTime() )) { this.logger.info(`Start to process Move of @${updated.username}@${updated.host} (${uri})`); return this.processRemoteMove(updated, movePreventUris) @@ -670,9 +768,9 @@ export class ApPersonService implements OnModuleInit { * リモートサーバーからフェッチしてMisskeyに登録しそれを返します。 */ @bindThis - public async resolvePerson(uri: string, resolver?: Resolver): Promise { + public async resolvePerson(uri: string, resolver?: Resolver, withRenewal = false): Promise { //#region このサーバーに既に登録されていたらそれを返す - const exist = await this.fetchPerson(uri); + const exist = withRenewal ? await this.fetchPersonWithRenewal(uri) : await this.fetchPerson(uri); if (exist) return exist; //#endregion diff --git a/packages/backend/src/core/activitypub/type.ts b/packages/backend/src/core/activitypub/type.ts index 72732b01df..b6df4d1d4d 100644 --- a/packages/backend/src/core/activitypub/type.ts +++ b/packages/backend/src/core/activitypub/type.ts @@ -59,7 +59,7 @@ export function getOneApId(value: ApObject): string { export function getApId(value: string | IObject): string { if (typeof value === 'string') return value; if (typeof value.id === 'string') return value.id; - throw new Error('cannot detemine id'); + throw new Error('cannot determine id'); } /** @@ -182,10 +182,8 @@ export interface IActor extends IObject { discoverable?: boolean; inbox: string; sharedInbox?: string; // 後方互換性のため - publicKey?: { - id: string; - publicKeyPem: string; - }; + publicKey?: IKey | IKey[]; + additionalPublicKeys?: IKey[]; followers?: string | ICollection | IOrderedCollection; following?: string | ICollection | IOrderedCollection; featured?: string | IOrderedCollection; 
@@ -195,6 +193,7 @@ export interface IActor extends IObject { }; 'vcard:bday'?: string; 'vcard:Address'?: string; + suspended?: boolean; } export const isCollection = (object: IObject): object is ICollection => @@ -254,8 +253,9 @@ export const isEmoji = (object: IObject): object is IApEmoji => export interface IKey extends IObject { type: 'Key'; + id: string; owner: string; - publicKeyPem: string | Buffer; + publicKeyPem: string; } export const validDocumentTypes = ['Audio', 'Document', 'Image', 'Page', 'Video']; diff --git a/packages/backend/src/core/entities/InstanceEntityService.ts b/packages/backend/src/core/entities/InstanceEntityService.ts index 3688cfb363..346c24191f 100644 --- a/packages/backend/src/core/entities/InstanceEntityService.ts +++ b/packages/backend/src/core/entities/InstanceEntityService.ts @@ -60,6 +60,7 @@ export class InstanceEntityService { infoUpdatedAt: instance.infoUpdatedAt ? instance.infoUpdatedAt.toISOString() : null, latestRequestReceivedAt: instance.latestRequestReceivedAt ? instance.latestRequestReceivedAt.toISOString() : null, moderationNote: iAmModerator ? instance.moderationNote : null, + httpMessageSignaturesImplementationLevel: instance.httpMessageSignaturesImplementationLevel, }; } diff --git a/packages/backend/src/core/entities/NotificationEntityService.ts b/packages/backend/src/core/entities/NotificationEntityService.ts index e91fb9eb51..199bb9bf25 100644 --- a/packages/backend/src/core/entities/NotificationEntityService.ts +++ b/packages/backend/src/core/entities/NotificationEntityService.ts @@ -290,7 +290,7 @@ export class NotificationEntityService implements OnModuleInit { if (notifier == null) return false; if (notifier.host && userMutedInstances.has(notifier.host)) return false; - if (notifier.isSuspended) return false; + if (this.userEntityService.isSuspendedEither(notifier)) return false; return true; } 
diff --git a/packages/backend/src/core/entities/UserEntityService.ts b/packages/backend/src/core/entities/UserEntityService.ts index 47021359e1..7aa7e54a97 100644 --- a/packages/backend/src/core/entities/UserEntityService.ts +++ b/packages/backend/src/core/entities/UserEntityService.ts @@ -69,6 +69,10 @@ function isRemoteUser(user: MiUser | { host: MiUser['host'] }): boolean { return !isLocalUser(user); } +function isSuspendedEither(user: MiUser): boolean { + return user.isSuspended || user.isRemoteSuspended; +} + export type UserRelation = { id: MiUser['id'] following: MiFollowing | null, @@ -163,6 +167,7 @@ export class UserEntityService implements OnModuleInit { public isLocalUser = isLocalUser; public isRemoteUser = isRemoteUser; + public isSuspendedEither = isSuspendedEither; @bindThis public async getRelation(me: MiUser['id'], target: MiUser['id']): Promise { @@ -538,7 +543,7 @@ export class UserEntityService implements OnModuleInit { bannerBlurhash: user.bannerId == null ? null : user.bannerBlurhash, isLocked: user.isLocked, isSilenced: this.roleService.getUserPolicies(user.id).then(r => !r.canPublicNote), - isSuspended: user.isSuspended, + isSuspended: this.isSuspendedEither(user), description: profile!.description, location: profile!.location, birthday: profile!.birthday, diff --git a/packages/backend/src/misc/cache.ts b/packages/backend/src/misc/cache.ts index f9692ce5d5..42a00654ef 100644 --- a/packages/backend/src/misc/cache.ts +++ b/packages/backend/src/misc/cache.ts @@ -237,6 +237,11 @@ export class MemoryKVCache { return cached.value; } + @bindThis + public getRaw(key: string): { date: number; value: T; } | undefined { + return this.cache.get(key); + } + @bindThis public delete(key: string): void { this.cache.delete(key); diff --git a/packages/backend/src/misc/gen-key-pair.ts b/packages/backend/src/misc/gen-key-pair.ts index 02a303dc0a..0b033ec33e 100644 --- a/packages/backend/src/misc/gen-key-pair.ts +++ b/packages/backend/src/misc/gen-key-pair.ts 
@@ -3,39 +3,14 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import * as crypto from 'node:crypto'; -import * as util from 'node:util'; +import { genEd25519KeyPair, genRsaKeyPair } from '@misskey-dev/node-http-message-signatures'; -const generateKeyPair = util.promisify(crypto.generateKeyPair); - -export async function genRsaKeyPair(modulusLength = 2048) { - return await generateKeyPair('rsa', { - modulusLength, - publicKeyEncoding: { - type: 'spki', - format: 'pem', - }, - privateKeyEncoding: { - type: 'pkcs8', - format: 'pem', - cipher: undefined, - passphrase: undefined, - }, - }); -} - -export async function genEcKeyPair(namedCurve: 'prime256v1' | 'secp384r1' | 'secp521r1' | 'curve25519' = 'prime256v1') { - return await generateKeyPair('ec', { - namedCurve, - publicKeyEncoding: { - type: 'spki', - format: 'pem', - }, - privateKeyEncoding: { - type: 'pkcs8', - format: 'pem', - cipher: undefined, - passphrase: undefined, - }, - }); +export async function genRSAAndEd25519KeyPair(rsaModulusLength = 4096) { + const [rsa, ed25519] = await Promise.all([genRsaKeyPair(rsaModulusLength), genEd25519KeyPair()]); + return { + publicKey: rsa.publicKey, + privateKey: rsa.privateKey, + ed25519PublicKey: ed25519.publicKey, + ed25519PrivateKey: ed25519.privateKey, + }; } diff --git a/packages/backend/src/models/Following.ts b/packages/backend/src/models/Following.ts index 62cbc29f26..b9ac2e5005 100644 --- a/packages/backend/src/models/Following.ts +++ b/packages/backend/src/models/Following.ts @@ -9,7 +9,8 @@ import { MiUser } from './User.js'; @Entity('following') @Index(['followerId', 'followeeId'], { unique: true }) -@Index(['followeeId', 'followerHost', 'isFollowerHibernated']) +@Index(['followerId', 'followeeId', 'isFollowerSuspended']) +@Index(['followeeId', 'followerHost', 'isFollowerSuspended', 'isFollowerHibernated']) export class MiFollowing { @PrimaryColumn(id()) public id: string; 
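Review bot: `genRSAAndEd25519KeyPair` has no doc comment, and its return value mixes an unprefixed RSA pair (`publicKey`, `privateKey`) with prefixed Ed25519 fields, which is easy to misread at call sites. A one-line docblock would settle it, e.g. `/** Generates an RSA and an Ed25519 key pair in parallel; publicKey/privateKey are the RSA pair. */`. The default modulus length also changes from 2048 to 4096 here, which deserves a mention in the same comment.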
@@ -45,6 +46,11 @@ export class MiFollowing { }) public isFollowerHibernated: boolean; + @Column('boolean', { + default: false, + }) + public isFollowerSuspended: boolean; + // タイムラインにその人のリプライまで含めるかどうか @Column('boolean', { default: false, diff --git a/packages/backend/src/models/Instance.ts b/packages/backend/src/models/Instance.ts index 17cd5c6665..f2f2831cf1 100644 --- a/packages/backend/src/models/Instance.ts +++ b/packages/backend/src/models/Instance.ts @@ -158,4 +158,9 @@ export class MiInstance { length: 16384, default: '', }) public moderationNote: string; + + @Column('varchar', { + length: 16, default: '00', nullable: false, + }) + public httpMessageSignaturesImplementationLevel: string; } diff --git a/packages/backend/src/models/User.ts b/packages/backend/src/models/User.ts index a6e9edcf5f..33cd01dfe3 100644 --- a/packages/backend/src/models/User.ts +++ b/packages/backend/src/models/User.ts @@ -166,10 +166,16 @@ export class MiUser { @Column('boolean', { default: false, - comment: 'Whether the User is suspended.', + comment: 'Whether the User is suspended by the local moderators.', }) public isSuspended: boolean; + @Column('boolean', { + default: false, + comment: 'Whether the User is suspended by the remote moderators.', + }) + public isRemoteSuspended: boolean; + @Column('boolean', { default: false, comment: 'Whether the User is locked.', diff --git a/packages/backend/src/models/UserKeypair.ts b/packages/backend/src/models/UserKeypair.ts index f5252d126c..afa74ef11a 100644 --- a/packages/backend/src/models/UserKeypair.ts +++ b/packages/backend/src/models/UserKeypair.ts @@ -3,7 +3,7 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { PrimaryColumn, Entity, JoinColumn, Column, OneToOne } from 'typeorm'; +import { PrimaryColumn, Entity, JoinColumn, Column, ManyToOne } from 'typeorm'; import { id } from './util/id.js'; import { MiUser } from './User.js'; 
@@ -12,22 +12,42 @@ export class MiUserKeypair { @PrimaryColumn(id()) public userId: MiUser['id']; - @OneToOne(type => MiUser, { + @ManyToOne(type => MiUser, { onDelete: 'CASCADE', }) @JoinColumn() public user: MiUser | null; + /** + * RSA public key + */ @Column('varchar', { length: 4096, }) public publicKey: string; + /** + * RSA private key + */ @Column('varchar', { length: 4096, }) public privateKey: string; + @Column('varchar', { + length: 128, + nullable: true, + default: null, + }) + public ed25519PublicKey: string | null; + + @Column('varchar', { + length: 128, + nullable: true, + default: null, + }) + public ed25519PrivateKey: string | null; + constructor(data: Partial) { if (data == null) return; diff --git a/packages/backend/src/models/UserPublickey.ts b/packages/backend/src/models/UserPublickey.ts index 6bcd785304..7dc8aee5d7 100644 --- a/packages/backend/src/models/UserPublickey.ts +++ b/packages/backend/src/models/UserPublickey.ts @@ -3,27 +3,27 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { PrimaryColumn, Entity, Index, JoinColumn, Column, OneToOne } from 'typeorm'; +import { PrimaryColumn, Entity, Index, JoinColumn, Column, ManyToOne } from 'typeorm'; import { id } from './util/id.js'; import { MiUser } from './User.js'; @Entity('user_publickey') export class MiUserPublickey { - @PrimaryColumn(id()) + @PrimaryColumn('varchar', { + length: 256, + }) + public keyId: string; + + @Index() + @Column(id()) public userId: MiUser['id']; - @OneToOne(type => MiUser, { + @ManyToOne(type => MiUser, { onDelete: 'CASCADE', }) @JoinColumn() public user: MiUser | null; - @Index({ unique: true }) - @Column('varchar', { - length: 256, - }) - public keyId: string; - @Column('varchar', { length: 4096, }) diff --git a/packages/backend/src/models/json-schema/federation-instance.ts b/packages/backend/src/models/json-schema/federation-instance.ts index 85f84952f1..bdad52683c 100644 --- a/packages/backend/src/models/json-schema/federation-instance.ts 
+++ b/packages/backend/src/models/json-schema/federation-instance.ts @@ -120,5 +120,9 @@ export const packedFederationInstanceSchema = { type: 'string', optional: true, nullable: true, }, + httpMessageSignaturesImplementationLevel: { + type: 'string', + optional: false, nullable: false, + }, }, } as const; diff --git a/packages/backend/src/queue/QueueProcessorService.ts b/packages/backend/src/queue/QueueProcessorService.ts index 7b64182754..cf793683be 100644 --- a/packages/backend/src/queue/QueueProcessorService.ts +++ b/packages/backend/src/queue/QueueProcessorService.ts @@ -269,9 +269,9 @@ export class QueueProcessorService implements OnApplicationShutdown { }, { ...baseWorkerOptions(this.config, QUEUE.DELIVER), autorun: false, - concurrency: this.config.deliverJobConcurrency ?? 128, + concurrency: this.config.deliverJobConcurrency ?? 16, limiter: { - max: this.config.deliverJobPerSec ?? 128, + max: this.config.deliverJobPerSec ?? 1024, duration: 1000, }, settings: { @@ -309,9 +309,9 @@ export class QueueProcessorService implements OnApplicationShutdown { }, { ...baseWorkerOptions(this.config, QUEUE.INBOX), autorun: false, - concurrency: this.config.inboxJobConcurrency ?? 16, + concurrency: this.config.inboxJobConcurrency ?? 4, limiter: { - max: this.config.inboxJobPerSec ?? 32, + max: this.config.inboxJobPerSec ?? 64, duration: 1000, }, settings: { diff --git a/packages/backend/src/queue/processors/DeliverProcessorService.ts b/packages/backend/src/queue/processors/DeliverProcessorService.ts index 391ccdac05..38047deef0 100644 --- a/packages/backend/src/queue/processors/DeliverProcessorService.ts +++ b/packages/backend/src/queue/processors/DeliverProcessorService.ts 
@@ -81,30 +81,35 @@ export class DeliverProcessorService { } try { - await this.apRequestService.signedPost(job.data.user, job.data.to, job.data.content, job.data.digest); + const server = await (this.meta.enableStatsForFederatedInstances + ? this.federatedInstanceService.fetchOrRegister(host) + : this.federatedInstanceService.fetch(host)); + await this.apRequestService.signedPost( + job.data.user, + job.data.to, + job.data.content, + server?.httpMessageSignaturesImplementationLevel ?? '00', + job.data.digest, + job.data.privateKey, + ); + + // Update stats this.apRequestChart.deliverSucc(); this.federationChart.deliverd(host, true); - // Update instance stats - process.nextTick(async () => { - if (i == null) return; + if (server == null) return 'Success'; - if (i.isNotResponding) { - this.federatedInstanceService.update(i.id, { - isNotResponding: false, - notRespondingSince: null, - }); - } + if (server.isNotResponding) { + this.federatedInstanceService.update(server.id, { + isNotResponding: false, + notRespondingSince: null, + }); + } - if (this.meta.enableStatsForFederatedInstances) { - this.fetchInstanceMetadataService.fetchInstanceMetadata(i); - } - - if (this.meta.enableChartsForFederatedInstances) { - this.instanceChart.requestSent(i.host, true); - } - }); + if (this.meta.enableChartsForFederatedInstances) { + this.instanceChart.requestSent(server.host, true); + } return 'Success'; } catch (res) { @@ -139,6 +144,11 @@ export class DeliverProcessorService { }); if (res instanceof StatusError) { + if (res.statusCode === 401) { + // 401 Unauthorized: this may be caused by a time difference between the server and the target server. + // Let the job be retried. + throw new Error(`${res.statusCode} ${res.statusMessage}\n* 401 may be caused by a time difference between the server and the target server.`); + } // 4xx if (!res.isRetryable) { // 相手が閉鎖していることを明示しているため、配送停止する 
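Review bot: `job.data.privateKey` is read from the queued job and passed to `signedPost`, so signing key material travels inside the delivery job payload (the field is declared as `privateKey?: PrivateKeyWithPem` on `DeliverJobData` in `queue/types.ts`). Assuming that type carries the PEM, as its name suggests, the key is persisted wherever jobs are stored and appears in anything that dumps job data. Passing a key identifier or a "use main key" flag and loading the key inside the processor would keep it out of the queue. The enclosing method starts outside the hunk.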
diff --git a/packages/backend/src/queue/processors/InboxProcessorService.ts b/packages/backend/src/queue/processors/InboxProcessorService.ts index 079e014da8..bd9c335393 100644 --- a/packages/backend/src/queue/processors/InboxProcessorService.ts +++ b/packages/backend/src/queue/processors/InboxProcessorService.ts @@ -5,8 +5,8 @@ import { URL } from 'node:url'; import { Inject, Injectable, OnApplicationShutdown } from '@nestjs/common'; -import httpSignature from '@peertube/http-signature'; import * as Bull from 'bullmq'; +import { verifyDraftSignature } from '@misskey-dev/node-http-message-signatures'; import type Logger from '@/logger.js'; import { FederatedInstanceService } from '@/core/FederatedInstanceService.js'; import { FetchInstanceMetadataService } from '@/core/FetchInstanceMetadataService.js'; @@ -15,12 +15,10 @@ import ApRequestChart from '@/core/chart/charts/ap-request.js'; import FederationChart from '@/core/chart/charts/federation.js'; import { getApId } from '@/core/activitypub/type.js'; import type { IActivity } from '@/core/activitypub/type.js'; -import type { MiRemoteUser } from '@/models/User.js'; -import type { MiUserPublickey } from '@/models/UserPublickey.js'; import { ApDbResolverService } from '@/core/activitypub/ApDbResolverService.js'; import { StatusError } from '@/misc/status-error.js'; +import * as Acct from '@/misc/acct.js'; import { UtilityService } from '@/core/UtilityService.js'; -import { ApPersonService } from '@/core/activitypub/models/ApPersonService.js'; import { JsonLdService } from '@/core/activitypub/JsonLdService.js'; import { ApInboxService } from '@/core/activitypub/ApInboxService.js'; import { bindThis } from '@/decorators.js'; 
@@ -51,7 +49,6 @@ export class InboxProcessorService implements OnApplicationShutdown { private federatedInstanceService: FederatedInstanceService, private fetchInstanceMetadataService: FetchInstanceMetadataService, private jsonLdService: JsonLdService, - private apPersonService: ApPersonService, private apDbResolverService: ApDbResolverService, private instanceChart: InstanceChart, private apRequestChart: ApRequestChart, @@ -64,8 +61,15 @@ export class InboxProcessorService implements OnApplicationShutdown { @bindThis public async process(job: Bull.Job): Promise { - const signature = job.data.signature; // HTTP-signature + const signature = job.data.signature ? + 'version' in job.data.signature ? job.data.signature.value : job.data.signature + : null; + if (Array.isArray(signature)) { + // RFC 9401はsignatureが配列になるが、とりあえずエラーにする + throw new Error('signature is array'); + } let activity = job.data.activity; + let actorUri = getApId(activity.actor); //#region Log const info = Object.assign({}, activity); 
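Review bot: `throw new Error('signature is array')` raises a plain error, which the queue retries, yet a job whose stored signature is an array will fail identically on every attempt. `throw new Bull.UnrecoverableError('skip: signature is array');` would match how the other permanent failures in `process` are reported. The comment above it cites RFC 9401, while the nodeinfo comment added in this same commit names RFC 9421; the two references should agree. `process` continues past the end of the hunk.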
@@ -73,75 +77,82 @@ export class InboxProcessorService implements OnApplicationShutdown { this.logger.debug(JSON.stringify(info, null, 2)); //#endregion - const host = this.utilityService.toPuny(new URL(signature.keyId).hostname); + const host = this.utilityService.toPuny(new URL(actorUri).hostname); if (!this.utilityService.isFederationAllowedHost(host)) { return `Blocked request: ${host}`; } - const keyIdLower = signature.keyId.toLowerCase(); - if (keyIdLower.startsWith('acct:')) { - return `Old keyId is no longer supported. ${keyIdLower}`; - } - // HTTP-Signature keyIdを元にDBから取得 - let authUser: { - user: MiRemoteUser; - key: MiUserPublickey | null; - } | null = await this.apDbResolverService.getAuthUserFromKeyId(signature.keyId); + let authUser: Awaited> = null; + let httpSignatureIsValid = null as boolean | null; - // keyIdでわからなければ、activity.actorを元にDBから取得 || activity.actorを元にリモートから取得 - if (authUser == null) { - try { - authUser = await this.apDbResolverService.getAuthUserFromApId(getApId(activity.actor)); - } catch (err) { - // 対象が4xxならスキップ - if (err instanceof StatusError) { - if (!err.isRetryable) { - throw new Bull.UnrecoverableError(`skip: Ignored deleted actors on both ends ${activity.actor} - ${err.statusCode}`); - } - throw new Error(`Error in actor ${activity.actor} - ${err.statusCode}`); + try { + authUser = await this.apDbResolverService.getAuthUserFromApId(actorUri, signature?.keyId); + } catch (err) { + // 対象が4xxならスキップ + if (err instanceof StatusError) { + if (!err.isRetryable) { + throw new Bull.UnrecoverableError(`skip: Ignored deleted actors on both ends ${activity.actor} - ${err.statusCode}`); } + throw new Error(`Error in actor ${activity.actor} - ${err.statusCode}`); } } - // それでもわからなければ終了 - if (authUser == null) { + // authUser.userがnullならスキップ + if (authUser != null && authUser.user == null) { throw new Bull.UnrecoverableError(`skip: failed to resolve user ${getApId(activity.actor)}`); } - // publicKey がなくても終了 - if (authUser.key == null) { - 
throw new Bull.UnrecoverableError(`skip: failed to resolve user publicKey ${getApId(activity.actor)}`); + if (signature != null && authUser != null) { + if (signature.keyId.toLowerCase().startsWith('acct:')) { + this.logger.warn(`Old keyId is no longer supported. lowerKeyId=${signature.keyId.toLowerCase()}`); + } else if (authUser.key != null) { + // keyがなかったらLD Signatureで検証するべき + // HTTP-Signatureの検証 + const errorLogger = (ms: any) => this.logger.error(ms); + httpSignatureIsValid = await verifyDraftSignature(signature, authUser.key.keyPem, errorLogger); + this.logger.debug('Inbox message validation: ', { + userId: authUser.user.id, + userAcct: Acct.toString(authUser.user), + parsedKeyId: signature.keyId, + foundKeyId: authUser.key.keyId, + httpSignatureValid: httpSignatureIsValid, + }); + } } - // HTTP-Signatureの検証 - const httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem); - - // また、signatureのsignerは、activity.actorと一致する必要がある - if (!httpSignatureValidated || authUser.user.uri !== activity.actor) { + if ( + authUser == null || + httpSignatureIsValid !== true || + authUser.user.uri !== actorUri // 一応チェック + ) { // 一致しなくても、でもLD-Signatureがありそうならそっちも見る const ldSignature = activity.signature; - if (ldSignature) { + + if (ldSignature && ldSignature.creator) { if (ldSignature.type !== 'RsaSignature2017') { throw new Bull.UnrecoverableError(`skip: unsupported LD-signature type ${ldSignature.type}`); } - // ldSignature.creator: https://example.oom/users/user#main-key - // みたいになっててUserを引っ張れば公開キーも入ることを期待する - if (ldSignature.creator) { - const candicate = ldSignature.creator.replace(/#.*/, ''); - await this.apPersonService.resolvePerson(candicate).catch(() => null); + if (ldSignature.creator.toLowerCase().startsWith('acct:')) { + throw new Bull.UnrecoverableError(`old key not supported ${ldSignature.creator}`); } - // keyIdからLD-Signatureのユーザーを取得 - authUser = await this.apDbResolverService.getAuthUserFromKeyId(ldSignature.creator); + authUser 
= await this.apDbResolverService.getAuthUserFromApId(actorUri, ldSignature.creator); + if (authUser == null) { - throw new Bull.UnrecoverableError('skip: LD-Signatureのユーザーが取得できませんでした'); + throw new Bull.UnrecoverableError(`skip: LD-Signatureのactorとcreatorが一致しませんでした uri=${actorUri} creator=${ldSignature.creator}`); + } + if (authUser.user == null) { + throw new Bull.UnrecoverableError(`skip: LD-Signatureのユーザーが取得できませんでした uri=${actorUri} creator=${ldSignature.creator}`); + } + // 一応actorチェック + if (authUser.user.uri !== actorUri) { + throw new Bull.UnrecoverableError(`skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${actorUri})`); } - if (authUser.key == null) { - throw new Bull.UnrecoverableError('skip: LD-SignatureのユーザーはpublicKeyを持っていませんでした'); + throw new Bull.UnrecoverableError(`skip: LD-SignatureのユーザーはpublicKeyを持っていませんでした uri=${actorUri} creator=${ldSignature.creator}`); } const jsonLd = this.jsonLdService.use(); @@ -152,13 +163,27 @@ export class InboxProcessorService implements OnApplicationShutdown { throw new Bull.UnrecoverableError('skip: LD-Signatureの検証に失敗しました'); } + // ブロックしてたら中断 + const ldHost = this.utilityService.extractDbHost(authUser.user.uri); + if (this.utilityService.isFederationAllowedHost(ldHost)) { + throw new Bull.UnrecoverableError(`Blocked request: ${ldHost}`); + } + // アクティビティを正規化 + // GHSA-2vxv-pv3m-3wvj delete activity.signature; try { activity = await jsonLd.compact(activity) as IActivity; } catch (e) { throw new Bull.UnrecoverableError(`skip: failed to compact activity: ${e}`); } + + // actorが正規化前後で一致しているか確認 + actorUri = getApId(activity.actor); + if (authUser.user.uri !== actorUri) { + throw new Bull.UnrecoverableError(`skip: LD-Signature user(${authUser.user.uri}) !== activity(after normalization).actor(${actorUri})`); + } + // TODO: 元のアクティビティと非互換な形に正規化される場合は転送をスキップする // https://github.com/mastodon/mastodon/blob/664b0ca/app/services/activitypub/process_collection_service.rb#L24-L29 activity.signature = ldSignature; 
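Review bot: The `catch` around `getAuthUserFromApId(actorUri, signature?.keyId)` handles only `StatusError`; any other exception is dropped with no log line and no rethrow. `authUser` then stays `null`, and the job either moves on to the LD-Signature path or fails later with the generic "http-signature verification failed and no LD-Signature" message, which hides the real cause of the lookup failure. Adding `throw err;` after the `if (err instanceof StatusError) { ... }` block lets an unexpected failure surface and be retried as itself. `process` starts before this hunk and continues after it.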
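Review bot: The added host check is inverted: `if (this.utilityService.isFederationAllowedHost(ldHost))` throws `Blocked request` when the host is allowed and lets a host that is not allowed continue. Both the check on `host` near the top of `process` and the block this one replaces (removed in the `-168` hunk) negate the call. It should read `if (!this.utilityService.isFederationAllowedHost(ldHost)) {`. As written, every activity verified through the LD-Signature path from a permitted server is rejected as unrecoverable, and the federation block list is not applied on that path.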
@@ -168,18 +193,8 @@ export class InboxProcessorService implements OnApplicationShutdown { delete compactedInfo['@context']; this.logger.debug(`compacted: ${JSON.stringify(compactedInfo, null, 2)}`); //#endregion - - // もう一度actorチェック - if (authUser.user.uri !== activity.actor) { - throw new Bull.UnrecoverableError(`skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${activity.actor})`); - } - - const ldHost = this.utilityService.extractDbHost(authUser.user.uri); - if (!this.utilityService.isFederationAllowedHost(ldHost)) { - throw new Bull.UnrecoverableError(`Blocked request: ${ldHost}`); - } } else { - throw new Bull.UnrecoverableError(`skip: http-signature verification failed and no LD-Signature. keyId=${signature.keyId}`); + throw new Error(`http-signature verification failed and no LD-Signature. http_signature_keyId=${signature?.keyId}`); } } @@ -219,6 +234,7 @@ export class InboxProcessorService implements OnApplicationShutdown { // アクティビティを処理 try { + this.logger.debug('performing activity', { activityId: activity.id, actorUri: authUser.user.uri, actorId: authUser.user.id, actorAcct: Acct.toString(authUser.user), activity }); const result = await this.apInboxService.performActivity(authUser.user, activity); if (result && !result.startsWith('ok')) { this.logger.warn(`inbox activity ignored (maybe): id=${activity.id} reason=${result}`); diff --git a/packages/backend/src/queue/types.ts b/packages/backend/src/queue/types.ts index 757daea88b..4fab5bb21b 100644 --- a/packages/backend/src/queue/types.ts +++ b/packages/backend/src/queue/types.ts 
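Review bot: The final `else` now throws a plain `Error` where it used to throw `Bull.UnrecoverableError`, so an activity with neither a valid HTTP signature nor an LD-Signature is retried up to the queue's attempt limit, and each retry repeats the actor lookup. Because the HTTP handler in this commit also enqueues bodies with a `null` signature, that retry cost can be triggered by unauthenticated input. If the intent is to ride out a key rotation or a temporary fetch failure, say so in a comment and restrict the retryable case, e.g. `if (signature == null) throw new Bull.UnrecoverableError(...)` before the `throw new Error(...)`.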
@@ -12,7 +12,24 @@ import type { MiWebhook, WebhookEventTypes } from '@/models/Webhook.js'; import type { IActivity } from '@/core/activitypub/type.js'; import type { SystemWebhookPayload } from '@/core/SystemWebhookService.js'; import type { UserWebhookPayload } from '@/core/UserWebhookService.js'; -import type httpSignature from '@peertube/http-signature'; +import type { ParsedSignature, PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; + +/** + * @peertube/http-signature 時代の古いデータにも対応しておく + * TODO: 2026年ぐらいには消す + */ +export interface OldParsedSignature { + scheme: 'Signature'; + params: { + keyId: string; + algorithm: string; + headers: string[]; + signature: string; + }; + signingString: string; + algorithm: string; + keyId: string; +} export type DeliverJobData = { /** Actor */ @@ -25,11 +42,13 @@ export type DeliverJobData = { to: string; /** whether it is sharedInbox */ isSharedInbox: boolean; + /** force to use main (rsa) key */ + privateKey?: PrivateKeyWithPem; }; export type InboxJobData = { activity: IActivity; - signature: httpSignature.IParsedSignature; + signature: ParsedSignature | OldParsedSignature | null; }; export type RelationshipJobData = { diff --git a/packages/backend/src/server/ActivityPubServerService.ts b/packages/backend/src/server/ActivityPubServerService.ts index a5fb5b82e3..f8b598a92b 100644 --- a/packages/backend/src/server/ActivityPubServerService.ts +++ b/packages/backend/src/server/ActivityPubServerService.ts 
@@ -3,11 +3,10 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import * as crypto from 'node:crypto'; import { IncomingMessage } from 'node:http'; import { Inject, Injectable } from '@nestjs/common'; import fastifyAccepts from '@fastify/accepts'; -import httpSignature from '@peertube/http-signature'; +import { verifyDigestHeader, parseRequestSignature } from '@misskey-dev/node-http-message-signatures'; import { Brackets, In, IsNull, LessThan, Not } from 'typeorm'; import accepts from 'accepts'; import vary from 'vary'; @@ -29,6 +28,8 @@ import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { bindThis } from '@/decorators.js'; import { IActivity } from '@/core/activitypub/type.js'; import { isQuote, isRenote } from '@/misc/is-renote.js'; +import { LoggerService } from '@/core/LoggerService.js'; +import Logger from '@/logger.js'; import * as Acct from '@/misc/acct.js'; import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOptions, FastifyBodyParser } from 'fastify'; import type { FindOptionsWhere } from 'typeorm'; @@ -39,6 +40,9 @@ const LD_JSON = 'application/ld+json; profile="https://www.w3.org/ns/activitystr @Injectable() export class ActivityPubServerService { + private logger: Logger; + private inboxLogger: Logger; + constructor( @Inject(DI.config) private config: Config, @@ -77,8 +81,11 @@ export class ActivityPubServerService { private userKeypairService: UserKeypairService, private queryService: QueryService, private fanoutTimelineEndpointService: FanoutTimelineEndpointService, + private loggerService: LoggerService, ) { //this.createServer = this.createServer.bind(this); + this.logger = this.loggerService.getLogger('server-ap', 'gray'); + this.inboxLogger = this.logger.createSubLogger('inbox', 'gray'); } @bindThis 
@@ -106,75 +113,59 @@ export class ActivityPubServerService { } @bindThis - private inbox(request: FastifyRequest, reply: FastifyReply) { + private async inbox(request: FastifyRequest, reply: FastifyReply) { if (this.meta.federation === 'none') { + this.inboxLogger.debug('federation is disabled'); reply.code(403); return; } - let signature; + if (request.body == null) { + this.inboxLogger.warn('request body is empty'); + reply.code(400); + return; + } + + let signature: ReturnType; + + const verifyDigest = await verifyDigestHeader( + request.raw, + typeof request.rawBody === 'string' ? request.rawBody : (request.rawBody ? request.rawBody.toString('utf8') : ''), + true + ); + if (verifyDigest !== true) { + this.inboxLogger.warn('digest verification failed'); + reply.code(401); + return; + } try { - signature = httpSignature.parseRequest(request.raw, { 'headers': ['(request-target)', 'host', 'date'], authorizationHeaderName: 'signature' }); - } catch (e) { + signature = parseRequestSignature(request.raw, { + requiredInputs: { + draft: ['(request-target)', 'digest', 'host', 'date'], + }, + clockSkew: { + forward: 300_000, + delay: 300_000, + }, + }); + + this.inboxLogger.debug('signature header parsed', { signature, body: request.body }); + } catch (err) { + if (typeof request.body === 'object' && 'signature' in request.body) { + // LD SignatureがあればOK + this.queueService.inbox(request.body as IActivity, null); + this.inboxLogger.debug('LD Signature found in request body', { err, body: request.body }); + reply.code(202); + return; + } + + this.inboxLogger.warn('signature header parsing failed and LD signature not found', { err }); reply.code(401); return; } - if (signature.params.headers.indexOf('host') === -1 - || request.headers.host !== this.config.host) { - // Host not specified or not match. - reply.code(401); - return; - } - - if (signature.params.headers.indexOf('digest') === -1) { - // Digest not found. 
- reply.code(401); - } else { - const digest = request.headers.digest; - - if (typeof digest !== 'string') { - // Huh? - reply.code(401); - return; - } - - const re = /^([a-zA-Z0-9\-]+)=(.+)$/; - const match = digest.match(re); - - if (match == null) { - // Invalid digest - reply.code(401); - return; - } - - const algo = match[1].toUpperCase(); - const digestValue = match[2]; - - if (algo !== 'SHA-256') { - // Unsupported digest algorithm - reply.code(401); - return; - } - - if (request.rawBody == null) { - // Bad request - reply.code(400); - return; - } - - const hash = crypto.createHash('sha256').update(request.rawBody).digest('base64'); - - if (hash !== digestValue) { - // Invalid digest - reply.code(401); - return; - } - } - this.queueService.inbox(request.body as IActivity, signature); - reply.code(202); } @@ -742,7 +733,7 @@ export class ActivityPubServerService { if (this.userEntityService.isLocalUser(user)) { reply.header('Cache-Control', 'public, max-age=180'); this.setResponseType(request, reply); - return (this.apRendererService.addContext(this.apRendererService.renderKey(user, keypair))); + return (this.apRendererService.addContext(this.apRendererService.renderKey(user, keypair.publicKey))); } else { reply.code(400); return; diff --git a/packages/backend/src/server/NodeinfoServerService.ts b/packages/backend/src/server/NodeinfoServerService.ts index 239ef82dec..7723432176 100644 --- a/packages/backend/src/server/NodeinfoServerService.ts +++ b/packages/backend/src/server/NodeinfoServerService.ts @@ -94,6 +94,13 @@ export class NodeinfoServerService { localComments: 0, }, metadata: { + /** + * '00': Draft, RSA only + * '01': Draft, Ed25519 suported + * '11': RFC 9421, Ed25519 supported + */ + httpMessageSignaturesImplementationLevel: '01', + nodeName: meta.name, nodeDescription: meta.description, nodeAdmins: [{ diff --git a/packages/backend/src/server/ServerService.ts b/packages/backend/src/server/ServerService.ts index 1286b4dad6..b043e71c53 100644 
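Review bot: The rewritten `inbox` handler (hunk `@@ -106,75 +113,59 @@`) no longer compares `request.headers.host` with `this.config.host`; the old check is removed and the new `requiredInputs.draft` list only requires that `host` be among the signed headers. Unless `parseRequestSignature` or the inbox queue processor checks the value elsewhere (not visible in this hunk), a request signed for a different host with the same request target would pass this stage, so I would keep `if (request.headers.host !== this.config.host) { reply.code(401); return; }` after the parse. The `catch` branch also queues the activity with a `null` signature whenever the body merely contains a `signature` property, so the consumer has to treat `null` as unauthenticated until the LD signature is actually verified. Finally, both debug calls log the whole `request.body`, which may hold non-public note content; logging the activity `id` and `type` would be enough.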
--- a/packages/backend/src/server/ServerService.ts +++ b/packages/backend/src/server/ServerService.ts @@ -215,6 +215,7 @@ export class ServerService implements OnApplicationShutdown { usernameLower: username.toLowerCase(), host: (host == null) || (host === this.config.host) ? IsNull() : host, isSuspended: false, + isRemoteSuspended: false, }, }); diff --git a/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts b/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts index e7589cba81..6af77694cf 100644 --- a/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts +++ b/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts @@ -55,7 +55,8 @@ export default class extends Endpoint { // eslint- const res = [] as [string, number][]; for (const job of jobs) { - const host = new URL(job.data.signature.keyId).host; + const signature = job.data.signature ? 'version' in job.data.signature ? job.data.signature.value : job.data.signature : null; + const host = signature ? Array.isArray(signature) ? 'TODO' : new URL(signature.keyId).host : new URL(job.data.activity.actor).host; if (res.find(x => x[0] === host)) { res.find(x => x[0] === host)![1]++; } else { diff --git a/packages/backend/src/server/api/endpoints/admin/show-user.ts b/packages/backend/src/server/api/endpoints/admin/show-user.ts index 1ba6853dbe..fa99336ea3 100644 --- a/packages/backend/src/server/api/endpoints/admin/show-user.ts +++ b/packages/backend/src/server/api/endpoints/admin/show-user.ts 
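Review bot: In the `inbox-delayed.ts` hunk the host is now derived with `new URL(job.data.activity.actor).host` when the job has no signature, and with the literal `'TODO'` when the signature value is an array. `actor` comes from the request body and may not be a well-formed URL string (the `IActivity` type is not visible here), so one malformed queued job can make `new URL` throw and fail the whole admin listing. I would wrap the derivation in `try`/`catch` and count failures under a fixed label such as `'(unknown)'` instead of `'TODO'`. The nested ternaries would also read better as a small helper with early returns; the loop body continues outside the hunk.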
@@ -11,6 +11,9 @@ import { RoleService } from '@/core/RoleService.js'; import { RoleEntityService } from '@/core/entities/RoleEntityService.js'; import { IdService } from '@/core/IdService.js'; import { notificationRecieveConfig } from '@/models/json-schema/user.js'; +import { ApDbResolverService } from '@/core/activitypub/ApDbResolverService.js'; +import { UserEntityService } from '@/core/entities/UserEntityService.js'; +import { UserKeypairService } from '@/core/UserKeypairService.js'; export const meta = { tags: ['admin'], @@ -124,6 +127,10 @@ export const meta = { type: 'boolean', optional: false, nullable: false, }, + isRemoteSuspended: { + type: 'boolean', + optional: false, nullable: false, + }, isHibernated: { type: 'boolean', optional: false, nullable: false, @@ -177,6 +184,53 @@ export const meta = { }, }, }, + publicKeys: { + type: 'array', + optional: false, nullable: true, + items: { + type: 'object', + properties: { + userId: { + type: 'string', + optional: false, nullable: false, + }, + keyId: { + type: 'string', + optional: false, nullable: false, + }, + keyPem: { + type: 'string', + optional: false, nullable: false, + }, + }, + }, + }, + keyPairs: { + type: 'object', + optional: false, nullable: true, + properties: { + userId: { + type: 'string', + optional: false, nullable: false, + }, + publicKey: { + type: 'string', + optional: false, nullable: false, + }, + privateKey: { + type: 'string', + optional: false, nullable: false, + }, + ed25519PublicKey: { + type: 'string', + optional: false, nullable: true, + }, + ed25519PrivateKey: { + type: 'string', + optional: false, nullable: true, + }, + }, + }, }, }, } as const; 
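Review bot: The `keyPairs` response schema added in hunk `@@ -177,6 +184,53 @@` declares `privateKey` and `ed25519PrivateKey`, and the later `@@ -257,6 +315,8 @@` hunk of this file fills it with the result of `this.userKeypairService.getUserKeypair(user.id)` for local users. That sends users' signing private keys over the admin API to whoever may call `admin/show-user`, and from there into browser memory, proxies and any response logging; whoever holds the key can sign federation requests as that user. I would drop both private fields from the schema and return only the public halves, e.g. an object built as `{ userId, publicKey, ed25519PublicKey }` from the keypair. If operators need to confirm a key exists, a boolean or a fingerprint of the public key is sufficient.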
@@ -204,6 +258,9 @@ export default class extends Endpoint { // eslint- private roleService: RoleService, private roleEntityService: RoleEntityService, private idService: IdService, + private apDbResolverService: ApDbResolverService, + private userEntityService: UserEntityService, + private userKeypairService: UserKeypairService, ) { super(meta, paramDef, async (ps, me) => { const [user, profile] = await Promise.all([ @@ -246,6 +303,7 @@ export default class extends Endpoint { // eslint- isModerator: isModerator, isSilenced: isSilenced, isSuspended: user.isSuspended, + isRemoteSuspended: user.isRemoteSuspended, isHibernated: user.isHibernated, lastActiveDate: user.lastActiveDate ? user.lastActiveDate.toISOString() : null, moderationNote: profile.moderationNote ?? '', @@ -257,6 +315,8 @@ export default class extends Endpoint { // eslint- expiresAt: a.expiresAt ? a.expiresAt.toISOString() : null, roleId: a.roleId, })), + publicKeys: this.userEntityService.isRemoteUser(user) ? await this.apDbResolverService.getPublicKeyByUserId(user.id) : null, + keyPairs: this.userEntityService.isLocalUser(user) ? await this.userKeypairService.getUserKeypair(user.id) : null, }; }); } diff --git a/packages/backend/src/server/api/endpoints/admin/show-users.ts b/packages/backend/src/server/api/endpoints/admin/show-users.ts index 2b2c8c60ab..d8e4a636c4 100644 --- a/packages/backend/src/server/api/endpoints/admin/show-users.ts +++ b/packages/backend/src/server/api/endpoints/admin/show-users.ts 
@@ -61,7 +61,7 @@ export default class extends Endpoint { // eslint- const query = this.usersRepository.createQueryBuilder('user'); switch (ps.state) { - case 'available': query.where('user.isSuspended = FALSE'); break; + case 'available': query.where('user.isSuspended = FALSE').andWhere('user.isRemoteSuspended = FALSE'); break; case 'alive': query.where('user.updatedAt > :date', { date: new Date(Date.now() - 1000 * 60 * 60 * 24 * 5) }); break; case 'suspended': query.where('user.isSuspended = TRUE'); break; case 'admin': { diff --git a/packages/backend/src/server/api/endpoints/federation/followers.ts b/packages/backend/src/server/api/endpoints/federation/followers.ts index 296bc7c5a8..f4d4caf988 100644 --- a/packages/backend/src/server/api/endpoints/federation/followers.ts +++ b/packages/backend/src/server/api/endpoints/federation/followers.ts @@ -50,7 +50,8 @@ export default class extends Endpoint { // eslint- ) { super(meta, paramDef, async (ps, me) => { const query = this.queryService.makePaginationQuery(this.followingsRepository.createQueryBuilder('following'), ps.sinceId, ps.untilId, ps.sinceDate, ps.untilDate) - .andWhere('following.followeeHost = :host', { host: ps.host }); + .andWhere('following.followeeHost = :host', { host: ps.host }) + .andWhere('following.isFollowerSuspended = false'); const followings = await query .limit(ps.limit) diff --git a/packages/backend/src/server/api/endpoints/federation/following.ts b/packages/backend/src/server/api/endpoints/federation/following.ts index 091bf442af..fa8af37c1c 100644 --- a/packages/backend/src/server/api/endpoints/federation/following.ts +++ b/packages/backend/src/server/api/endpoints/federation/following.ts 
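Review bot: In the `show-users.ts` hunk the `'available'` filter now also excludes `user.isRemoteSuspended`, but the `'suspended'` case on the context line below still matches only `user.isSuspended = TRUE`. Remotely suspended accounts therefore appear under neither state filter, which makes them hard for moderators to find. If that is not intended, the suspended case could become `query.where('(user.isSuspended = TRUE OR user.isRemoteSuspended = TRUE)')`. The `switch` continues outside the hunk.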
@@ -50,7 +50,8 @@ export default class extends Endpoint { // eslint- ) { super(meta, paramDef, async (ps, me) => { const query = this.queryService.makePaginationQuery(this.followingsRepository.createQueryBuilder('following'), ps.sinceId, ps.untilId, ps.sinceDate, ps.untilDate) - .andWhere('following.followerHost = :host', { host: ps.host }); + .andWhere('following.followerHost = :host', { host: ps.host }) + .andWhere('following.isFollowerSuspended = false'); const followings = await query .limit(ps.limit) diff --git a/packages/backend/src/server/api/endpoints/federation/stats.ts b/packages/backend/src/server/api/endpoints/federation/stats.ts index 69900bff9a..3093aa1e86 100644 --- a/packages/backend/src/server/api/endpoints/federation/stats.ts +++ b/packages/backend/src/server/api/endpoints/federation/stats.ts @@ -94,11 +94,13 @@ export default class extends Endpoint { // eslint- this.followingsRepository.count({ where: { followeeHost: Not(IsNull()), + isFollowerSuspended: false, }, }), this.followingsRepository.count({ where: { followerHost: Not(IsNull()), + isFollowerSuspended: false, }, }), ]); diff --git a/packages/backend/src/server/api/endpoints/hashtags/users.ts b/packages/backend/src/server/api/endpoints/hashtags/users.ts index 30f0c1b0c8..d5a1ecdaed 100644 --- a/packages/backend/src/server/api/endpoints/hashtags/users.ts +++ b/packages/backend/src/server/api/endpoints/hashtags/users.ts @@ -51,7 +51,8 @@ export default class extends Endpoint { // eslint- if (!safeForSql(normalizeForSearch(ps.tag))) throw new Error('Injection'); const query = this.usersRepository.createQueryBuilder('user') .where(':tag <@ user.tags', { tag: [normalizeForSearch(ps.tag)] }) - .andWhere('user.isSuspended = FALSE'); + .andWhere('user.isSuspended = FALSE') + .andWhere('user.isRemoteSuspended = FALSE'); const recent = new Date(Date.now() - (1000 * 60 * 60 * 24 * 5)); 
diff --git a/packages/backend/src/server/api/endpoints/users/followers.ts b/packages/backend/src/server/api/endpoints/users/followers.ts index 84c4c80d01..d2dd8cd744 100644 --- a/packages/backend/src/server/api/endpoints/users/followers.ts +++ b/packages/backend/src/server/api/endpoints/users/followers.ts @@ -125,6 +125,7 @@ export default class extends Endpoint { // eslint- where: { followeeId: user.id, followerId: me.id, + isFollowerSuspended: false, }, }); if (!isFollowing) { @@ -136,12 +137,15 @@ export default class extends Endpoint { // eslint- const query = this.queryService.makePaginationQuery(this.followingsRepository.createQueryBuilder('following'), ps.sinceId, ps.untilId, ps.sinceDate, ps.untilDate) .andWhere('following.followeeId = :userId', { userId: user.id }) + .andWhere('following.isFollowerSuspended = FALSE') .innerJoinAndSelect('following.follower', 'follower'); const followings = await query .limit(ps.limit) .getMany(); + console.log(followings); + return await this.followingEntityService.packMany(followings, me, { populateFollower: true }); }); } diff --git a/packages/backend/src/server/api/endpoints/users/following.ts b/packages/backend/src/server/api/endpoints/users/following.ts index 047f9a053b..fb85106e11 100644 --- a/packages/backend/src/server/api/endpoints/users/following.ts +++ b/packages/backend/src/server/api/endpoints/users/following.ts @@ -133,6 +133,7 @@ export default class extends Endpoint { // eslint- where: { followeeId: user.id, followerId: me.id, + isFollowerSuspended: false, }, }); if (!isFollowing) { @@ -144,6 +145,7 @@ export default class extends Endpoint { // eslint- const query = this.queryService.makePaginationQuery(this.followingsRepository.createQueryBuilder('following'), ps.sinceId, ps.untilId, ps.sinceDate, ps.untilDate) .andWhere('following.followerId = :userId', { userId: user.id }) + .andWhere('following.isFollowerSuspended = false') .innerJoinAndSelect('following.followee', 'followee'); if (ps.birthday) { 
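Review bot: Hunk `@@ -136,12 +137,15 @@` of `users/followers.ts` adds `console.log(followings);`, which looks like a leftover debug statement. It writes every returned following row, including the joined `follower` entity, to stdout on each request, bypassing the project's logger and putting user records into process logs. The line should be removed before merge.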
diff --git a/packages/backend/src/server/api/endpoints/users/recommendation.ts b/packages/backend/src/server/api/endpoints/users/recommendation.ts index 769a72d7a1..3ef7848ebb 100644 --- a/packages/backend/src/server/api/endpoints/users/recommendation.ts +++ b/packages/backend/src/server/api/endpoints/users/recommendation.ts @@ -68,7 +68,8 @@ export default class extends Endpoint { // eslint- const followingQuery = this.followingsRepository.createQueryBuilder('following') .select('following.followeeId') - .where('following.followerId = :followerId', { followerId: me.id }); + .where('following.followerId = :followerId', { followerId: me.id }) + .andWhere('following.isFollowerSuspended = false'); query .andWhere(`user.id NOT IN (${ followingQuery.getQuery() })`); diff --git a/packages/backend/src/server/api/endpoints/users/show.ts b/packages/backend/src/server/api/endpoints/users/show.ts index 5ff3a63d6a..04dd3f7dd4 100644 --- a/packages/backend/src/server/api/endpoints/users/show.ts +++ b/packages/backend/src/server/api/endpoints/users/show.ts @@ -138,6 +138,7 @@ export default class extends Endpoint { // eslint- } : { id: In(ps.userIds), isSuspended: false, + isRemoteSuspended: false, }); // リクエストされた通りに並べ替え diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts index 3cd83efa1a..aedec54e9e 100644 --- a/packages/backend/src/server/web/ClientServerService.ts +++ b/packages/backend/src/server/web/ClientServerService.ts @@ -435,6 +435,7 @@ export class ClientServerService { usernameLower: username.toLowerCase(), host: host ?? IsNull(), isSuspended: false, + isRemoteSuspended: false, requireSigninToViewContents: false, }); @@ -494,6 +495,7 @@ export class ClientServerService { usernameLower: username.toLowerCase(), host: host ?? IsNull(), isSuspended: false, + isRemoteSuspended: false, }); vary(reply.raw, 'Accept'); 
@@ -543,6 +545,7 @@ export class ClientServerService { id: request.params.user, host: IsNull(), isSuspended: false, + isRemoteSuspended: false, }); if (user == null) { diff --git a/packages/backend/test-federation/test/user-suspension.test.ts b/packages/backend/test-federation/test/user-suspension.test.ts new file mode 100644 index 0000000000..a2e6fb787d --- /dev/null +++ b/packages/backend/test-federation/test/user-suspension.test.ts 
@@ -0,0 +1,95 @@ +import assert, { rejects, strictEqual } from 'node:assert'; +import * as Misskey from 'misskey-js'; +import { createAccount, deepStrictEqualWithExcludedFields, fetchAdmin, type LoginUser, resolveRemoteNote, resolveRemoteUser, sleep } from './utils.js'; + +const [aAdmin, bAdmin] = await Promise.all([ + fetchAdmin('a.test'), + fetchAdmin('b.test'), +]); + +describe('User Suspension', () => { + describe('Suspension', () => { + describe('Check suspend/unsuspend consistency', () => { + let alice: LoginUser, bob: LoginUser; + let bobInA: Misskey.entities.UserDetailedNotMe, aliceInB: Misskey.entities.UserDetailedNotMe; + + beforeAll(async () => { + [alice, bob] = await Promise.all([ + createAccount('a.test'), + createAccount('b.test'), + ]); + + [bobInA, aliceInB] = await Promise.all([ + resolveRemoteUser('b.test', bob.id, alice), + resolveRemoteUser('a.test', alice.id, bob), + ]); + }); + + test('Bob follows Alice, and Alice gets suspended, there is no following relation, and Bob fails to follow again', async () => { + await bob.client.request('following/create', { userId: aliceInB.id }); + await sleep(); + + const followers = await alice.client.request('users/followers', { userId: alice.id }); + strictEqual(followers.length, 1); // followed by Bob + + await aAdmin.client.request('admin/suspend-user', { userId: alice.id }); + await sleep(); + + const aliceInBRaw = await bAdmin.client.request('admin/show-user', { userId: aliceInB.id }); + strictEqual(aliceInBRaw.isRemoteSuspended, true); + const renewedAliceInB = await bob.client.request('users/show', { userId: aliceInB.id }); + strictEqual(renewedAliceInB.isSuspended, true); + + await rejects( + async () => await bob.client.request('following/create', { userId: aliceInB.id }), + (err: any) => { + strictEqual(err.code, 'ALREADY_FOLLOWING'); + return true; + }, + ); + }); + + test('Alice gets unsuspended, Bob succeeds in following Alice', async () => { + await aAdmin.client.request('admin/unsuspend-user', 
{ userId: alice.id }); + await sleep(); + + const aliceInBRenewed = await bAdmin.client.request('admin/show-user', { userId: aliceInB.id }); + strictEqual(aliceInBRenewed.isRemoteSuspended, false); + + await rejects( + async () => await bob.client.request('following/create', { userId: aliceInB.id }), + (err: any) => { + strictEqual(err.code, 'ALREADY_FOLLOWING'); + return true; + }, + ); + }); + + test('Alice can follow Bob', async () => { + await alice.client.request('following/create', { userId: bobInA.id }); + await sleep(); + + const bobFollowers = await bob.client.request('users/followers', { userId: bob.id }); + strictEqual(bobFollowers.length, 1); // followed by Alice + assert(bobFollowers[0].follower != null); + const renewedAliceInB = bobFollowers[0].follower; + assert(aliceInB.username === renewedAliceInB.username); + assert(aliceInB.host === renewedAliceInB.host); + assert(aliceInB.id === renewedAliceInB.id); + }); + + test('Alice follows Bob, and Alice gets suspended, the following relation hidden', async () => { + await aAdmin.client.request('admin/suspend-user', { userId: alice.id }); + await sleep(1000); + + const renewedAliceInB = await bob.client.request('users/show', { userId: aliceInB.id }); + strictEqual(renewedAliceInB.isSuspended, true); + const aliceInBRaw = await bAdmin.client.request('admin/show-user', { userId: aliceInB.id }); + strictEqual(aliceInBRaw.isRemoteSuspended, true); + + const bobFollowers = await bob.client.request('users/followers', { userId: bob.id }); + strictEqual(bobFollowers.length, 0); // Relation is hidden + }); + }); + }); +}); diff --git a/packages/backend/test-federation/test/user.test.ts b/packages/backend/test-federation/test/user.test.ts index ebbe9ff5ba..38c1251600 100644 --- a/packages/backend/test-federation/test/user.test.ts +++ b/packages/backend/test-federation/test/user.test.ts 
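Review bot: The second test in `user-suspension.test.ts` is titled `'Alice gets unsuspended, Bob succeeds in following Alice'` but asserts that `following/create` rejects with `ALREADY_FOLLOWING`, so the name contradicts the expectation; something like `'Alice gets unsuspended, Bob is still following Alice'` matches what is checked. The first test's title likewise claims "there is no following relation" while the body never queries `users/following` or `users/followers` after the suspension, so the hiding behaviour added elsewhere in this commit is only covered by the last test. The imports `deepStrictEqualWithExcludedFields` and `resolveRemoteNote` are unused in this file and can be dropped.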
@@ -452,110 +452,4 @@ describe('User', () => { }); }); }); - - describe('Suspension', () => { - describe('Check suspend/unsuspend consistency', () => { - let alice: LoginUser, bob: LoginUser; - let bobInA: Misskey.entities.UserDetailedNotMe, aliceInB: Misskey.entities.UserDetailedNotMe; - - beforeAll(async () => { - [alice, bob] = await Promise.all([ - createAccount('a.test'), - createAccount('b.test'), - ]); - - [bobInA, aliceInB] = await Promise.all([ - resolveRemoteUser('b.test', bob.id, alice), - resolveRemoteUser('a.test', alice.id, bob), - ]); - }); - - test('Bob follows Alice, and Alice gets suspended, there is no following relation, and Bob fails to follow again', async () => { - await bob.client.request('following/create', { userId: aliceInB.id }); - await sleep(); - - const followers = await alice.client.request('users/followers', { userId: alice.id }); - strictEqual(followers.length, 1); // followed by Bob - - await aAdmin.client.request('admin/suspend-user', { userId: alice.id }); - await sleep(); - - const following = await bob.client.request('users/following', { userId: bob.id }); - strictEqual(following.length, 0); // no following relation - - await rejects( - async () => await bob.client.request('following/create', { userId: aliceInB.id }), - (err: any) => { - strictEqual(err.code, 'NO_SUCH_USER'); - return true; - }, - ); - }); - - test('Alice gets unsuspended, Bob succeeds in following Alice', async () => { - await aAdmin.client.request('admin/unsuspend-user', { userId: alice.id }); - await sleep(); - - const followers = await alice.client.request('users/followers', { userId: alice.id }); - strictEqual(followers.length, 1); // FIXME: followers are not deleted?? - - /** - * FIXME: still rejected! 
- * seems to can't process Undo Delete activity because it is not implemented - * related @see https://github.com/misskey-dev/misskey/issues/13273 - */ - await rejects( - async () => await bob.client.request('following/create', { userId: aliceInB.id }), - (err: any) => { - strictEqual(err.code, 'NO_SUCH_USER'); - return true; - }, - ); - - // FIXME: resolving also fails - await rejects( - async () => await resolveRemoteUser('a.test', alice.id, bob), - (err: any) => { - strictEqual(err.code, 'INTERNAL_ERROR'); - return true; - }, - ); - }); - - /** - * instead of simple unsuspension, let's tell existence by following from Alice - */ - test('Alice can follow Bob', async () => { - await alice.client.request('following/create', { userId: bobInA.id }); - await sleep(); - - const bobFollowers = await bob.client.request('users/followers', { userId: bob.id }); - strictEqual(bobFollowers.length, 1); // followed by Alice - assert(bobFollowers[0].follower != null); - const renewedaliceInB = bobFollowers[0].follower; - assert(aliceInB.username === renewedaliceInB.username); - assert(aliceInB.host === renewedaliceInB.host); - assert(aliceInB.id !== renewedaliceInB.id); // TODO: Same username and host, but their ids are different! Is it OK? - - const following = await bob.client.request('users/following', { userId: bob.id }); - strictEqual(following.length, 0); // following are deleted - - // Bob tries to follow Alice - await bob.client.request('following/create', { userId: renewedaliceInB.id }); - await sleep(); - - const aliceFollowers = await alice.client.request('users/followers', { userId: alice.id }); - strictEqual(aliceFollowers.length, 1); - - // FIXME: but resolving still fails ... - await rejects( - async () => await resolveRemoteUser('a.test', alice.id, bob), - (err: any) => { - strictEqual(err.code, 'INTERNAL_ERROR'); - return true; - }, - ); - }); - }); - }); }); 
diff --git a/packages/backend/test/misc/mock-resolver.ts b/packages/backend/test/misc/mock-resolver.ts index 53ff4feb7e..ed255e6d39 100644 --- a/packages/backend/test/misc/mock-resolver.ts +++ b/packages/backend/test/misc/mock-resolver.ts @@ -11,6 +11,7 @@ import type { IObject } from '@/core/activitypub/type.js'; import type { HttpRequestService } from '@/core/HttpRequestService.js'; import type { LoggerService } from '@/core/LoggerService.js'; import type { UtilityService } from '@/core/UtilityService.js'; +import type { FederatedInstanceService } from '@/core/FederatedInstanceService.js'; import type { FollowRequestsRepository, MiMeta, @@ -47,6 +48,7 @@ export class MockResolver extends Resolver { {} as HttpRequestService, {} as ApRendererService, {} as ApDbResolverService, + {} as FederatedInstanceService, loggerService, ); } diff --git a/packages/backend/test/unit/ApDeliverManagerService.ts b/packages/backend/test/unit/ApDeliverManagerService.ts new file mode 100644 index 0000000000..5112989c4a --- /dev/null +++ b/packages/backend/test/unit/ApDeliverManagerService.ts 
@@ -0,0 +1,659 @@ +/* + * SPDX-FileCopyrightText: syuilo and misskey-project + * SPDX-License-Identifier: AGPL-3.0-only + */ + +process.env.NODE_ENV = 'test'; + +import { jest } from '@jest/globals'; +import { Test } from '@nestjs/testing'; +import type { TestingModule } from '@nestjs/testing'; +import type { MiLocalUser, MiRemoteUser } from '@/models/User.js'; +import type { IActivity } from '@/core/activitypub/type.js'; +import { ApDeliverManagerService } from '@/core/activitypub/ApDeliverManagerService.js'; +import { ApLoggerService } from '@/core/activitypub/ApLoggerService.js'; +import { QueueService } from '@/core/QueueService.js'; +import { FollowingsRepository, UsersRepository } from '@/models/_.js'; +import { DI } from '@/di-symbols.js'; +import { secureRndstr } from '@/misc/secure-rndstr.js'; +import { UserKeypairService } from '@/core/UserKeypairService.js'; +import { AccountUpdateService } from '@/core/AccountUpdateService.js'; + +describe('ApDeliverManagerService', () => { + let service: ApDeliverManagerService; + let followingsRepository: jest.Mocked; + let queueService: jest.Mocked; + let apLoggerService: jest.Mocked; + + const mockLocalUser: MiLocalUser = { + id: 'local-user-id', + host: null, + } as MiLocalUser; + + const mockRemoteUser1: MiRemoteUser & { inbox: string; sharedInbox: string; } = { + id: 'remote-user-1', + host: 'remote.example.com', + inbox: 'https://remote.example.com/inbox', + sharedInbox: 'https://remote.example.com/shared-inbox', + } as MiRemoteUser & { inbox: string; sharedInbox: string; }; + + const mockRemoteUser2: MiRemoteUser & { inbox: string; } = { + id: 'remote-user-2', + host: 'another.example.com', + inbox: 'https://another.example.com/inbox', + sharedInbox: null, + } as MiRemoteUser & { inbox: string; }; + + const mockActivity: IActivity = { + type: 'Create', + id: 'activity-id', + actor: 'https://local.example.com/users/local-user-id', + object: { + type: 'Note', + id: 'note-id', + content: 'Hello, world!', + }, + }; 
+ + beforeAll(async () => { + const module: TestingModule = await Test.createTestingModule({ + providers: [ + ApDeliverManagerService, + { + provide: ApDeliverManagerService.name, + useExisting: ApDeliverManagerService, + }, + { + provide: DI.followingsRepository, + useValue: { + find: jest.fn(), + createQueryBuilder: jest.fn(), + }, + }, + { + provide: QueueService, + useValue: { + deliverMany: jest.fn(), + }, + }, + { + provide: ApLoggerService, + useValue: { + logger: { + createSubLogger: jest.fn().mockReturnValue({ + info: jest.fn(), + warn: jest.fn(), + error: jest.fn(), + }), + }, + }, + }, + { + provide: UserKeypairService, + useFactory: () => ({ + refreshAndPrepareEd25519KeyPair: jest.fn(), + }), + }, + { + provide: AccountUpdateService.name, + useFactory: () => ({ + publishToFollowers: jest.fn(), + }), + }, + ], + }).compile(); + + service = module.get(ApDeliverManagerService); + followingsRepository = module.get(DI.followingsRepository); + queueService = module.get(QueueService); + apLoggerService = module.get(ApLoggerService); + + await service.onModuleInit(); + }); + + beforeEach(() => { + jest.clearAllMocks(); + }); + + describe('deliverToFollowers', () => { + it('should deliver activity to all followers', async () => { + const mockFollowings = [ + { + followerSharedInbox: 'https://remote1.example.com/shared-inbox', + followerInbox: 'https://remote1.example.com/inbox', + }, + { + followerSharedInbox: 'https://remote2.example.com/shared-inbox', + followerInbox: 'https://remote2.example.com/inbox', + }, + { + followerSharedInbox: null, + followerInbox: 'https://remote3.example.com/inbox', + }, + ]; + + followingsRepository.find.mockResolvedValue(mockFollowings as any); + + await service.deliverToFollowers(mockLocalUser, mockActivity); + + expect(followingsRepository.find).toHaveBeenCalledWith({ + where: { + followeeId: mockLocalUser.id, + followerHost: expect.anything(), // Not(IsNull()) + isFollowerSuspended: false, + }, + select: { + 
followerSharedInbox: true, + followerInbox: true, + }, + }); + + expect(queueService.deliverMany).toHaveBeenCalledWith( + { id: mockLocalUser.id }, + mockActivity, + expect.any(Map), + undefined, + ); + + // 呼び出されたinboxesを確認 + const [, , inboxes] = queueService.deliverMany.mock.calls[0]; + expect(inboxes.size).toBe(3); + expect(inboxes.has('https://remote1.example.com/shared-inbox')).toBe(true); + expect(inboxes.has('https://remote2.example.com/shared-inbox')).toBe(true); + expect(inboxes.has('https://remote3.example.com/inbox')).toBe(true); + }); + + it('should exclude suspended followers by default', async () => { + followingsRepository.find.mockResolvedValue([]); + + await service.deliverToFollowers(mockLocalUser, mockActivity); + + expect(followingsRepository.find).toHaveBeenCalledWith( + expect.objectContaining({ + where: expect.objectContaining({ + isFollowerSuspended: false, + }), + }), + ); + }); + }); + + describe('deliverToUser', () => { + it('should deliver activity to specific remote user', async () => { + await service.deliverToUser(mockLocalUser, mockActivity, mockRemoteUser1); + + expect(queueService.deliverMany).toHaveBeenCalledWith( + { id: mockLocalUser.id }, + mockActivity, + expect.any(Map), + undefined, + ); + + const [, , inboxes] = queueService.deliverMany.mock.calls[0]; + expect(inboxes.size).toBe(1); + expect(inboxes.has(mockRemoteUser1.inbox)).toBe(true); + }); + + it('should handle user without shared inbox', async () => { + await service.deliverToUser(mockLocalUser, mockActivity, mockRemoteUser2); + + const [, , inboxes] = queueService.deliverMany.mock.calls[0]; + expect(inboxes.size).toBe(1); + expect(inboxes.has(mockRemoteUser2.inbox)).toBe(true); + }); + + it('should skip user with null inbox', async () => { + const userWithoutInbox = { + ...mockRemoteUser1, + inbox: null, + } as MiRemoteUser; + + await service.deliverToUser(mockLocalUser, mockActivity, userWithoutInbox); + + const [, , inboxes] = 
queueService.deliverMany.mock.calls[0]; + expect(inboxes.size).toBe(0); + }); + }); + + describe('deliverToUsers', () => { + it('should deliver activity to multiple remote users', async () => { + await service.deliverToUsers(mockLocalUser, mockActivity, [mockRemoteUser1, mockRemoteUser2]); + + const [, , inboxes] = queueService.deliverMany.mock.calls[0]; + expect(inboxes.size).toBe(2); + expect(inboxes.has(mockRemoteUser1.inbox)).toBe(true); + expect(inboxes.has(mockRemoteUser2.inbox)).toBe(true); + }); + }); + + describe('createDeliverManager', () => { + it('should create a DeliverManager instance', () => { + const manager = service.createDeliverManager(mockLocalUser, mockActivity); + + expect(manager).toBeDefined(); + expect(typeof manager.addFollowersRecipe).toBe('function'); + expect(typeof manager.addDirectRecipe).toBe('function'); + expect(typeof manager.addAllKnowingSharedInboxRecipe).toBe('function'); + expect(typeof manager.execute).toBe('function'); + }); + + it('should allow manual recipe management', async () => { + const manager = service.createDeliverManager(mockLocalUser, mockActivity); + + followingsRepository.find.mockResolvedValue([ + { + followerSharedInbox: null, + followerInbox: 'https://follower.example.com/inbox', + }, + ] as any); + + // フォロワー配信のレシピを追加 + manager.addFollowersRecipe(); + // ダイレクト配信のレシピを追加 + manager.addDirectRecipe(mockRemoteUser1); + + await manager.execute(); + + const [, , inboxes] = queueService.deliverMany.mock.calls[0]; + expect(inboxes.size).toBe(2); + expect(inboxes.has('https://follower.example.com/inbox')).toBe(true); + expect(inboxes.has(mockRemoteUser1.inbox)).toBe(true); + }); + + it('should support ignoreSuspend option', async () => { + const manager = service.createDeliverManager(mockLocalUser, mockActivity); + + followingsRepository.find.mockResolvedValue([]); + + manager.addFollowersRecipe(); + await manager.execute({ ignoreSuspend: true }); + + expect(followingsRepository.find).toHaveBeenCalledWith( + 
expect.objectContaining({ + where: expect.objectContaining({ + isFollowerSuspended: undefined, // ignoreSuspend: true なので undefined + }), + }), + ); + }); + + it('followers and directs mixture: 先にfollowersでsharedInboxが追加されていた場合、directsでユーザーがそのsharedInboxを持っていたらinboxを追加しない', async () => { + const manager = service.createDeliverManager(mockLocalUser, mockActivity); + followingsRepository.find.mockResolvedValue([ + { + followerSharedInbox: mockRemoteUser1.sharedInbox, + followerInbox: mockRemoteUser2.inbox, + }, + ] as any); + manager.addFollowersRecipe(); + manager.addDirectRecipe(mockRemoteUser1); + await manager.execute(); + const [, , inboxes] = queueService.deliverMany.mock.calls[0]; + expect(inboxes.size).toBe(1); + expect(inboxes.has(mockRemoteUser1.sharedInbox)).toBe(true); + expect(inboxes.has(mockRemoteUser1.inbox)).toBe(false); + }); + }); + + describe('error handling', () => { + it('should throw error for non-local actor', () => { + const remoteActor = { id: 'remote-id', host: 'remote.example.com' } as any; + + expect(() => { + service.createDeliverManager(remoteActor, mockActivity); + }).toThrow('actor.host must be null'); + }); + + it('should throw error when follower has null inbox', async () => { + const mockFollowings = [ + { + followerSharedInbox: null, + followerInbox: null, // null inbox + }, + ]; + + followingsRepository.find.mockResolvedValue(mockFollowings as any); + + await expect(service.deliverToFollowers(mockLocalUser, mockActivity)).rejects.toThrow('inbox is null'); + }); + }); + + describe('AllKnowingSharedInbox recipe', () => { + it('should collect all shared inboxes when using AllKnowingSharedInbox', async () => { + const mockQueryBuilder = { + select: jest.fn().mockReturnThis(), + where: jest.fn().mockReturnThis(), + orWhere: jest.fn().mockReturnThis(), + distinct: jest.fn().mockReturnThis(), + getRawMany: jest.fn().mockResolvedValue([ + { f_followerSharedInbox: 'https://shared1.example.com/inbox' }, + { f_followeeSharedInbox: 
'https://shared2.example.com/inbox' }, + ]), + }; + + followingsRepository.createQueryBuilder.mockReturnValue(mockQueryBuilder as any); + + const manager = service.createDeliverManager(mockLocalUser, mockActivity); + manager.addAllKnowingSharedInboxRecipe(); + + await manager.execute(); + + expect(followingsRepository.createQueryBuilder).toHaveBeenCalledWith('f'); + expect(mockQueryBuilder.select).toHaveBeenCalledWith([ + 'f.followerSharedInbox', + 'f.followeeSharedInbox', + ]); + + const [, , inboxes] = queueService.deliverMany.mock.calls[0]; + expect(inboxes.size).toBe(2); + expect(inboxes.has('https://shared1.example.com/inbox')).toBe(true); + expect(inboxes.has('https://shared2.example.com/inbox')).toBe(true); + }); + }); +}); + +describe('ApDeliverManagerService (SQL)', () => { + // followerにデータを挿入して、SQLの動作を確認します + let app: TestingModule; + let service: ApDeliverManagerService; + let followingsRepository: FollowingsRepository; + let usersRepository: UsersRepository; + let queueService: jest.Mocked; + + async function createUser(data: Partial<{ id: string; username: string; host: string | null; inbox: string | null; sharedInbox: string | null; isSuspended: boolean }> = {}): Promise { + const user = { + id: secureRndstr(16), + username: secureRndstr(16), + usernameLower: (data.username ?? secureRndstr(16)).toLowerCase(), + host: data.host ?? null, + inbox: data.inbox ?? null, + sharedInbox: data.sharedInbox ?? null, + isSuspended: data.isSuspended ?? 
false, + ...data, + }; + + await usersRepository.insert(user); + return user; + } + + async function createFollowing(follower: any, followee: any, data: Partial<{ + followerInbox: string | null; + followerSharedInbox: string | null; + followeeInbox: string | null; + followeeSharedInbox: string | null; + isFollowerSuspended: boolean; + }> = {}): Promise { + const following = { + id: secureRndstr(16), + followerId: follower.id, + followeeId: followee.id, + followerHost: follower.host, + followeeHost: followee.host, + followerInbox: data.followerInbox ?? follower.inbox, + followerSharedInbox: data.followerSharedInbox ?? follower.sharedInbox, + followeeInbox: data.followeeInbox ?? null, + followeeSharedInbox: data.followeeSharedInbox ?? null, + isFollowerSuspended: data.isFollowerSuspended ?? false, + isFollowerHibernated: false, + withReplies: false, + notify: null, + }; + + await followingsRepository.insert(following); + return following; + } + + beforeEach(async () => { + const { Test } = await import('@nestjs/testing'); + const { GlobalModule } = await import('@/GlobalModule.js'); + const { DI } = await import('@/di-symbols.js'); + + app = await Test.createTestingModule({ + imports: [GlobalModule], + providers: [ + ApDeliverManagerService, + { + provide: ApDeliverManagerService.name, + useExisting: ApDeliverManagerService, + }, + { + provide: QueueService, + useFactory: () => ({ + deliverMany: jest.fn(), + }), + }, + { + provide: ApLoggerService, + useValue: { + logger: { + createSubLogger: jest.fn().mockReturnValue({ + info: jest.fn(), + warn: jest.fn(), + error: jest.fn(), + }), + }, + }, + }, + { + provide: UserKeypairService, + useFactory: () => ({ + refreshAndPrepareEd25519KeyPair: jest.fn(), + }), + }, + { + provide: AccountUpdateService.name, + useFactory: () => ({ + publishToFollowers: jest.fn(), + }), + }, + ], + }).compile(); + + app.enableShutdownHooks(); + // Reset mocks + jest.clearAllMocks(); + + service = app.get(ApDeliverManagerService); + 
followingsRepository = app.get(DI.followingsRepository); + usersRepository = app.get(DI.usersRepository); + queueService = app.get(QueueService) as jest.Mocked; + + await service.onModuleInit(); + }); + + afterEach(async () => { + await app.close(); + }); + + describe('deliverToFollowers with real data', () => { + it('should deliver to followers excluding suspended ones', async () => { + // Create local user (followee) + const localUser = await createUser({ + host: null, + username: 'localuser', + }); + + // Create remote followers + const activeFollower = await createUser({ + host: 'active.example.com', + username: 'activefollower', + inbox: 'https://active.example.com/inbox', + sharedInbox: 'https://active.example.com/shared-inbox', + isSuspended: false, + }); + + const suspendedFollower = await createUser({ + host: 'suspended.example.com', + username: 'suspendedfollower', + inbox: 'https://suspended.example.com/inbox', + sharedInbox: 'https://suspended.example.com/shared-inbox', + isSuspended: true, + }); + + const followerWithoutSharedInbox = await createUser({ + host: 'noshared.example.com', + username: 'noshared', + inbox: 'https://noshared.example.com/inbox', + sharedInbox: null, + isSuspended: false, + }); + + // Create following relationships + await createFollowing(activeFollower, localUser, { + followerInbox: activeFollower.inbox, + followerSharedInbox: activeFollower.sharedInbox, + isFollowerSuspended: false, + }); + + await createFollowing(suspendedFollower, localUser, { + followerInbox: suspendedFollower.inbox, + followerSharedInbox: suspendedFollower.sharedInbox, + isFollowerSuspended: true, // 凍結されたフォロワー + }); + + await createFollowing(followerWithoutSharedInbox, localUser, { + followerInbox: followerWithoutSharedInbox.inbox, + followerSharedInbox: null, + isFollowerSuspended: false, + }); + + const mockActivity = { + type: 'Create', + id: 'test-activity', + actor: `https://local.example.com/users/${localUser.id}`, + object: { type: 'Note', content: 
'Hello' }, + } as any; + + // Execute delivery + await service.deliverToFollowers(localUser, mockActivity); + + // Verify delivery was queued + expect(queueService.deliverMany).toHaveBeenCalledTimes(1); + const [actor, activity, inboxes] = queueService.deliverMany.mock.calls[0]; + + expect(actor.id).toBe(localUser.id); + expect(activity).toBe(mockActivity); + + // Check inboxes - should include active followers but exclude suspended ones + expect(inboxes.size).toBe(2); + expect(inboxes.has('https://active.example.com/shared-inbox')).toBe(true); + expect(inboxes.has('https://noshared.example.com/inbox')).toBe(true); + expect(inboxes.has('https://suspended.example.com/shared-inbox')).toBe(false); + }); + + it('should include suspended followers when ignoreSuspend is true', async () => { + const localUser = await createUser({ host: null }); + const suspendedFollower = await createUser({ + host: 'suspended.example.com', + inbox: 'https://suspended.example.com/inbox', + isSuspended: true, + }); + + await createFollowing(suspendedFollower, localUser, { + isFollowerSuspended: true, + }); + + const manager = service.createDeliverManager(localUser, { type: 'Test' } as any); + manager.addFollowersRecipe(); + + // Execute with ignoreSuspend: true + await manager.execute({ ignoreSuspend: true }); + + const [, , inboxes] = queueService.deliverMany.mock.calls[0]; + expect(inboxes.size).toBe(1); + expect(inboxes.has('https://suspended.example.com/inbox')).toBe(true); + }); + + it('should handle mixed follower types correctly', async () => { + const localUser = await createUser({ host: null }); + + // フォロワー1: shared inbox あり + const follower1 = await createUser({ + host: 'server1.example.com', + inbox: 'https://server1.example.com/users/user1/inbox', + sharedInbox: 'https://server1.example.com/inbox', + }); + + // フォロワー2: 同じサーバーの別ユーザー(shared inbox は同じ) + const follower2 = await createUser({ + host: 'server1.example.com', + inbox: 'https://server1.example.com/users/user2/inbox', + 
sharedInbox: 'https://server1.example.com/inbox', + }); + + // フォロワー3: 別サーバー、shared inbox なし + const follower3 = await createUser({ + host: 'server2.example.com', + inbox: 'https://server2.example.com/users/user3/inbox', + sharedInbox: null, + }); + + await createFollowing(follower1, localUser); + await createFollowing(follower2, localUser); + await createFollowing(follower3, localUser); + + await service.deliverToFollowers(localUser, { type: 'Test' } as any); + + const [, , inboxes] = queueService.deliverMany.mock.calls[0]; + + // shared inbox は重複排除されるので、2つのinboxのみ + expect(inboxes.size).toBe(2); + expect(inboxes.has('https://server1.example.com/inbox')).toBe(true); // shared inbox + expect(inboxes.has('https://server2.example.com/users/user3/inbox')).toBe(true); // individual inbox + + // individual inbox は shared inbox があるので使用されない + expect(inboxes.has('https://server1.example.com/users/user1/inbox')).toBe(false); + expect(inboxes.has('https://server1.example.com/users/user2/inbox')).toBe(false); + }); + }); + + describe('AllKnowingSharedInbox with real data', () => { + it('should collect all unique shared inboxes from database', async () => { + // Create users with various inbox configurations + const user1 = await createUser({ host: null }); + const user2 = await createUser({ host: null }); + + const remoteUser1 = await createUser({ + host: 'server1.example.com', + sharedInbox: 'https://server1.example.com/shared', + }); + + const remoteUser2 = await createUser({ + host: 'server2.example.com', + sharedInbox: 'https://server2.example.com/shared', + }); + + const remoteUser3 = await createUser({ + host: 'server1.example.com', // 同じサーバー + sharedInbox: 'https://server1.example.com/shared', // 同じ shared inbox + }); + + // Create following relationships + await createFollowing(remoteUser1, user1, { + followerSharedInbox: 'https://server1.example.com/shared', + }); + + await createFollowing(user1, remoteUser2, { + followerSharedInbox: null, + followeeSharedInbox: 
'https://server2.example.com/shared', + }); + + await createFollowing(remoteUser3, user2, { + followerSharedInbox: 'https://server1.example.com/shared', // 重複 + }); + + const manager = service.createDeliverManager(user1, { type: 'Test' } as any); + manager.addAllKnowingSharedInboxRecipe(); + + await manager.execute(); + + const [, , inboxes] = queueService.deliverMany.mock.calls[0]; + + // 重複は除去されて2つのユニークな shared inbox + expect(inboxes.size).toBe(2); + expect(inboxes.has('https://server1.example.com/shared')).toBe(true); + expect(inboxes.has('https://server2.example.com/shared')).toBe(true); + }); + }); +}); + diff --git a/packages/backend/test/unit/FetchInstanceMetadataService.ts b/packages/backend/test/unit/FetchInstanceMetadataService.ts index 1e3605aafc..3febed4101 100644 --- a/packages/backend/test/unit/FetchInstanceMetadataService.ts +++ b/packages/backend/test/unit/FetchInstanceMetadataService.ts 
@@ -75,62 +75,61 @@ describe('FetchInstanceMetadataService', () => { test('Lock and update', async () => { redisClient.set = mockRedis(); const now = Date.now(); - federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: { getTime: () => { return now - 10 * 1000 * 60 * 60 * 24; } } } as any); + federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: new Date(now - 10 * 1000 * 60 * 60 * 24) } as any); httpRequestService.getJson.mockImplementation(() => { throw Error(); }); const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock'); const unlockSpy = jest.spyOn(fetchInstanceMetadataService, 'unlock'); await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any); + expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(1); expect(tryLockSpy).toHaveBeenCalledTimes(1); expect(unlockSpy).toHaveBeenCalledTimes(1); - expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(1); expect(httpRequestService.getJson).toHaveBeenCalled(); }); - test('Lock and don\'t update', async () => { + test('Don\'t lock and update if recently updated', async () => { redisClient.set = mockRedis(); - const now = Date.now(); - federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: { getTime: () => now } } as any); + federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: new Date() } as any); httpRequestService.getJson.mockImplementation(() => { throw Error(); }); const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock'); const unlockSpy = jest.spyOn(fetchInstanceMetadataService, 'unlock'); await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any); - expect(tryLockSpy).toHaveBeenCalledTimes(1); - expect(unlockSpy).toHaveBeenCalledTimes(1); expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(1); + expect(tryLockSpy).toHaveBeenCalledTimes(0); + expect(unlockSpy).toHaveBeenCalledTimes(0); 
expect(httpRequestService.getJson).toHaveBeenCalledTimes(0); }); test('Do nothing when lock not acquired', async () => { redisClient.set = mockRedis(); const now = Date.now(); - federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: { getTime: () => now - 10 * 1000 * 60 * 60 * 24 } } as any); + federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: new Date(now - 10 * 1000 * 60 * 60 * 24) } as any); httpRequestService.getJson.mockImplementation(() => { throw Error(); }); await fetchInstanceMetadataService.tryLock('example.com'); const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock'); const unlockSpy = jest.spyOn(fetchInstanceMetadataService, 'unlock'); await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any); + expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(1); expect(tryLockSpy).toHaveBeenCalledTimes(1); expect(unlockSpy).toHaveBeenCalledTimes(0); - expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(0); expect(httpRequestService.getJson).toHaveBeenCalledTimes(0); }); - test('Do when lock not acquired but forced', async () => { + test('Do when forced', async () => { redisClient.set = mockRedis(); const now = Date.now(); - federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: { getTime: () => now - 10 * 1000 * 60 * 60 * 24 } } as any); + federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: new Date(now - 10 * 1000 * 60 * 60 * 24) } as any); httpRequestService.getJson.mockImplementation(() => { throw Error(); }); await fetchInstanceMetadataService.tryLock('example.com'); const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock'); const unlockSpy = jest.spyOn(fetchInstanceMetadataService, 'unlock'); await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any, true); + expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(0); 
 expect(tryLockSpy).toHaveBeenCalledTimes(0);
 expect(unlockSpy).toHaveBeenCalledTimes(1);
- expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(0);
 expect(httpRequestService.getJson).toHaveBeenCalled();
 });
 });
diff --git a/packages/backend/test/unit/UserSuspendService.ts b/packages/backend/test/unit/UserSuspendService.ts
new file mode 100644
index 0000000000..195c1c1e26
--- /dev/null
+++ b/packages/backend/test/unit/UserSuspendService.ts
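Review bot: The 'Do when forced' test pins that a forced fetch releases a lock it never took: the lock is pre-acquired with `tryLock('example.com')`, and the forced call is then expected to make zero `tryLock` calls and one `unlock` call. If `unlock` removes the key unconditionally (its body is not part of this diff), a forced refresh would clear the lock held by another in-flight fetch for the same host and allow a second fetch to run alongside it. I would either assert that the pre-existing lock is still held after the forced call, or document the behaviour as deliberate with a comment on the assertion such as `// forced path intentionally releases any existing lock for the host`. The renamed title also dropped "lock not acquired" although the setup still pre-acquires the lock.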
@@ -0,0 +1,503 @@ +/* + * SPDX-FileCopyrightText: syuilo and misskey-project + * SPDX-License-Identifier: AGPL-3.0-only + */ + +process.env.NODE_ENV = 'test'; + +import { jest } from '@jest/globals'; +import { Test } from '@nestjs/testing'; +import { setTimeout } from 'node:timers/promises'; +import type { TestingModule } from '@nestjs/testing'; +import { GlobalModule } from '@/GlobalModule.js'; +import { UserSuspendService } from '@/core/UserSuspendService.js'; +import { + MiFollowing, + MiUser, + FollowingsRepository, + FollowRequestsRepository, + UsersRepository, +} from '@/models/_.js'; +import { DI } from '@/di-symbols.js'; +import { UserEntityService } from '@/core/entities/UserEntityService.js'; +import { QueueService } from '@/core/QueueService.js'; +import { GlobalEventService } from '@/core/GlobalEventService.js'; +import { ApRendererService } from '@/core/activitypub/ApRendererService.js'; +import { ModerationLogService } from '@/core/ModerationLogService.js'; +import { secureRndstr } from '@/misc/secure-rndstr.js'; +import { randomString } from '../utils.js'; +import { AccountUpdateService } from '@/core/AccountUpdateService.js'; +import { ApDeliverManagerService } from '@/core/activitypub/ApDeliverManagerService.js'; +import { RelayService } from '@/core/RelayService.js'; +import { ApLoggerService } from '@/core/activitypub/ApLoggerService.js'; +import { MiRemoteUser } from '@/models/User.js'; +import { UserKeypairService } from '@/core/UserKeypairService.js'; + +function genHost() { + return randomString() + '.example.com'; +} + +describe('UserSuspendService', () => { + let app: TestingModule; + let userSuspendService: UserSuspendService; + let usersRepository: UsersRepository; + let followingsRepository: FollowingsRepository; + let followRequestsRepository: FollowRequestsRepository; + let userEntityService: jest.Mocked; + let queueService: jest.Mocked; + let globalEventService: jest.Mocked; + let apRendererService: jest.Mocked; + let 
moderationLogService: jest.Mocked; + let userKeypairService: jest.Mocked; + let accountUpdateService: AccountUpdateService; + let apDeliverManagerService: ApDeliverManagerService; + + async function createUser(data: Partial = {}): Promise { + const user = { + id: secureRndstr(16), + username: secureRndstr(16), + usernameLower: secureRndstr(16).toLowerCase(), + host: null, + isSuspended: false, + isRemoteSuspended: false, + ...data, + } as MiUser; + + await usersRepository.insert(user); + return user; + } + + async function createFollowing(follower: MiUser, followee: MiUser, data: Partial = {}): Promise { + const following = { + id: secureRndstr(16), + followerId: follower.id, + followeeId: followee.id, + isFollowerSuspended: false, + isFollowerHibernated: false, + withReplies: false, + notify: null, + followerHost: follower.host, + followerInbox: null, + followerSharedInbox: null, + followeeHost: followee.host, + followeeInbox: null, + followeeSharedInbox: null, + ...data, + } as MiFollowing; + + await followingsRepository.insert(following); + return following; + } + + beforeAll(async () => { + app = await Test.createTestingModule({ + imports: [GlobalModule], + providers: [ + UserSuspendService, + AccountUpdateService, + ApDeliverManagerService, + { + provide: AccountUpdateService.name, + useExisting: AccountUpdateService, + }, + { + provide: ApDeliverManagerService.name, + useExisting: ApDeliverManagerService, + }, + { + provide: UserEntityService, + useFactory: () => ({ + isLocalUser: jest.fn(), + genLocalUserUri: jest.fn(), + isSuspendedEither: jest.fn(), + }), + }, + { + provide: QueueService, + useFactory: () => ({ + deliverMany: jest.fn(), + deliver: jest.fn(), + }), + }, + { + provide: GlobalEventService, + useFactory: () => ({ + publishInternalEvent: jest.fn(), + }), + }, + { + provide: ModerationLogService, + useFactory: () => ({ + log: jest.fn(), + }), + }, + { + provide: RelayService, + useFactory: () => ({ + deliverToRelays: jest.fn(), + }), + }, + { + 
provide: ApRendererService, + useFactory: () => ({ + renderDelete: jest.fn(), + renderUndo: jest.fn(), + renderPerson: jest.fn(), + renderUpdate: jest.fn(), + addContext: jest.fn(), + }), + }, + { + provide: ApLoggerService, + useFactory: () => ({ + logger: { + createSubLogger: jest.fn().mockReturnValue({ + info: jest.fn(), error: jest.fn(), warn: jest.fn(), debug: jest.fn(), + }), + }, + }), + }, + { + provide: UserKeypairService, + useFactory: () => ({ + refreshAndPrepareEd25519KeyPair: jest.fn(), + }), + }, + ], + }).compile(); + + app.enableShutdownHooks(); + + userSuspendService = app.get(UserSuspendService); + usersRepository = app.get(DI.usersRepository); + followingsRepository = app.get(DI.followingsRepository); + followRequestsRepository = app.get(DI.followRequestsRepository); + userEntityService = app.get(UserEntityService) as jest.Mocked; + queueService = app.get(QueueService) as jest.Mocked; + globalEventService = app.get(GlobalEventService) as jest.Mocked; + apRendererService = app.get(ApRendererService) as jest.Mocked; + moderationLogService = app.get(ModerationLogService) as jest.Mocked; + userKeypairService = app.get(UserKeypairService) as jest.Mocked; + + apDeliverManagerService = app.get(ApDeliverManagerService); + await apDeliverManagerService.onModuleInit(); + accountUpdateService = app.get(AccountUpdateService.name); + await accountUpdateService.onModuleInit(); + }); + + beforeEach(() => { + jest.clearAllMocks(); + }); + + describe('suspend', () => { + test('should suspend user and update database', async () => { + const user = await createUser(); + const moderator = await createUser(); + + await userSuspendService.suspend(user, moderator); + + // ユーザーが凍結されているかチェック + const suspendedUser = await usersRepository.findOneBy({ id: user.id }); + expect(suspendedUser?.isSuspended).toBe(true); + + // モデレーションログが記録されているかチェック + expect(moderationLogService.log).toHaveBeenCalledWith(moderator, 'suspend', { + userId: user.id, + userUsername: user.username, + 
userHost: user.host, + }); + }); + + test('should mark follower relationships as suspended', async () => { + const user = await createUser(); + const followee1 = await createUser(); + const followee2 = await createUser(); + const moderator = await createUser(); + + // ユーザーがフォローしている関係を作成 + await createFollowing(user, followee1); + await createFollowing(user, followee2); + + await userSuspendService.suspend(user, moderator); + await setTimeout(250); + + // フォロー関係が論理削除されているかチェック + const followings = await followingsRepository.find({ + where: { followerId: user.id }, + }); + + expect(followings).toHaveLength(2); + followings.forEach(following => { + expect(following.isFollowerSuspended).toBe(true); + }); + }); + + test('should publish internal event for suspension', async () => { + const user = await createUser(); + const moderator = await createUser(); + + await userSuspendService.suspend(user, moderator); + await setTimeout(250); + + // 内部イベントが発行されているかチェック(非同期処理のため少し待つ) + await setTimeout(100); + + expect(globalEventService.publishInternalEvent).toHaveBeenCalledWith( + 'userChangeSuspendedState', + { id: user.id, isSuspended: true }, + ); + }); + }); + + describe('unsuspend', () => { + test('should unsuspend user and update database', async () => { + const user = await createUser({ isSuspended: true }); + const moderator = await createUser(); + + await userSuspendService.unsuspend(user, moderator); + await setTimeout(250); + + // ユーザーの凍結が解除されているかチェック + const unsuspendedUser = await usersRepository.findOneBy({ id: user.id }); + expect(unsuspendedUser?.isSuspended).toBe(false); + + // モデレーションログが記録されているかチェック + expect(moderationLogService.log).toHaveBeenCalledWith(moderator, 'unsuspend', { + userId: user.id, + userUsername: user.username, + userHost: user.host, + }); + }); + + test('should restore follower relationships', async () => { + userEntityService.isSuspendedEither.mockReturnValue(false); + + const user = await createUser({ isSuspended: true }); + const followee1 
= await createUser(); + const followee2 = await createUser(); + const moderator = await createUser(); + + // 凍結状態のフォロー関係を作成 + await createFollowing(user, followee1, { isFollowerSuspended: true }); + await createFollowing(user, followee2, { isFollowerSuspended: true }); + + await userSuspendService.unsuspend(user, moderator); + await setTimeout(250); + + // フォロー関係が復元されているかチェック + const followings = await followingsRepository.find({ + where: { followerId: user.id }, + }); + + expect(followings).toHaveLength(2); + followings.forEach(following => { + expect(following.isFollowerSuspended).toBe(false); + }); + }); + + test('should publish internal event for unsuspension', async () => { + const user = await createUser({ isSuspended: true }); + const moderator = await createUser(); + + await userSuspendService.unsuspend(user, moderator); + await setTimeout(250); + + // 内部イベントが発行されているかチェック(非同期処理のため少し待つ) + await setTimeout(100); + + expect(globalEventService.publishInternalEvent).toHaveBeenCalledWith( + 'userChangeSuspendedState', + { id: user.id, isSuspended: false }, + ); + }); + }); + + describe('integration test: suspend and unsuspend cycle', () => { + test('should preserve follow relationships through suspend/unsuspend cycle', async () => { + userEntityService.isSuspendedEither.mockReturnValue(false); + + const user = await createUser(); + const followee1 = await createUser(); + const followee2 = await createUser(); + const moderator = await createUser(); + + // 初期のフォロー関係を作成 + await createFollowing(user, followee1); + await createFollowing(user, followee2); + + // 初期状態の確認 + let followings = await followingsRepository.find({ + where: { followerId: user.id }, + }); + expect(followings).toHaveLength(2); + followings.forEach(following => { + expect(following.isFollowerSuspended).toBe(false); + }); + + // 凍結 + await userSuspendService.suspend(user, moderator); + await setTimeout(250); + + // 凍結後の状態確認 + followings = await followingsRepository.find({ + where: { followerId: 
user.id }, + }); + expect(followings).toHaveLength(2); + followings.forEach(following => { + expect(following.isFollowerSuspended).toBe(true); + }); + + // 凍結解除 + const suspendedUser = await usersRepository.findOneByOrFail({ id: user.id }); + await userSuspendService.unsuspend(suspendedUser, moderator); + await setTimeout(250); + + // 凍結解除後の状態確認 + followings = await followingsRepository.find({ + where: { followerId: user.id }, + }); + expect(followings).toHaveLength(2); + followings.forEach(following => { + expect(following.isFollowerSuspended).toBe(false); + }); + }); + }); + + describe('ActivityPub delivery', () => { + test('should deliver Update Person activity on suspend of local user', async () => { + const localUser = await createUser({ host: null }); + const moderator = await createUser(); + + userEntityService.isLocalUser.mockReturnValue(true); + userEntityService.genLocalUserUri.mockReturnValue(`https://example.com/users/${localUser.id}`); + apRendererService.renderUpdate.mockReturnValue({ type: 'Update' } as any); + apRendererService.renderPerson.mockReturnValue({ type: 'Person' } as any); + apRendererService.addContext.mockReturnValue({ '@context': '...', type: 'Update' } as any); + + await userSuspendService.suspend(localUser, moderator); + await setTimeout(250); + + // ActivityPub配信が呼ばれているかチェック + expect(userEntityService.isLocalUser).toHaveBeenCalledWith(localUser); + expect(apRendererService.renderUpdate).toHaveBeenCalled(); + expect(apRendererService.renderPerson).toHaveBeenCalled(); + expect(apRendererService.addContext).toHaveBeenCalled(); + expect(queueService.deliverMany).toHaveBeenCalled(); + }); + + test('should deliver Update Person activity on unsuspend of local user', async () => { + const localUser = await createUser({ host: null, isSuspended: true }); + const moderator = await createUser(); + + userEntityService.isLocalUser.mockReturnValue(true); + 
userEntityService.genLocalUserUri.mockReturnValue(`https://example.com/users/${localUser.id}`); + apRendererService.renderUpdate.mockReturnValue({ type: 'Update' } as any); + apRendererService.renderPerson.mockReturnValue({ type: 'Person' } as any); + apRendererService.addContext.mockReturnValue({ '@context': '...', type: 'Update' } as any); + + await userSuspendService.suspend(localUser, moderator); + await setTimeout(250); + + // ActivityPub配信が呼ばれているかチェック + expect(userEntityService.isLocalUser).toHaveBeenCalledWith(localUser); + expect(apRendererService.renderUpdate).toHaveBeenCalled(); + expect(apRendererService.renderPerson).toHaveBeenCalled(); + expect(apRendererService.addContext).toHaveBeenCalled(); + expect(queueService.deliverMany).toHaveBeenCalled(); + }); + + test('should not deliver any activity on suspend of remote user', async () => { + const remoteUser = await createUser({ host: 'remote.example.com' }); + const moderator = await createUser(); + + userEntityService.isLocalUser.mockReturnValue(false); + + await userSuspendService.suspend(remoteUser, moderator); + await setTimeout(250); + + // ActivityPub配信が呼ばれていないことをチェック + expect(userEntityService.isLocalUser).toHaveBeenCalledWith(remoteUser); + expect(apRendererService.renderDelete).not.toHaveBeenCalled(); + expect(queueService.deliver).not.toHaveBeenCalled(); + }); + }); + + describe('suspension for remote user', () => { + test('should suspend remote user without AP delivery', async () => { + const remoteUser = await createUser({ host: genHost() }); + const moderator = await createUser(); + + await userSuspendService.suspend(remoteUser, moderator); + await setTimeout(250); + + // ユーザーが凍結されているかチェック + const suspendedUser = await usersRepository.findOneBy({ id: remoteUser.id }); + expect(suspendedUser?.isSuspended).toBe(true); + + // モデレーションログが記録されているかチェック + expect(moderationLogService.log).toHaveBeenCalledWith(moderator, 'suspend', { + userId: remoteUser.id, + userUsername: remoteUser.username, + 
userHost: remoteUser.host, + }); + + // ActivityPub配信が呼ばれていないことを確認 + expect(queueService.deliver).not.toHaveBeenCalled(); + }); + + test('should unsuspend remote user without AP delivery', async () => { + const remoteUser = await createUser({ host: genHost(), isSuspended: true }); + const moderator = await createUser(); + + await userSuspendService.unsuspend(remoteUser, moderator); + + await setTimeout(250); + + // ユーザーの凍結が解除されているかチェック + const unsuspendedUser = await usersRepository.findOneBy({ id: remoteUser.id }); + expect(unsuspendedUser?.isSuspended).toBe(false); + + // モデレーションログが記録されているかチェック + expect(moderationLogService.log).toHaveBeenCalledWith(moderator, 'unsuspend', { + userId: remoteUser.id, + userUsername: remoteUser.username, + userHost: remoteUser.host, + }); + + // ActivityPub配信が呼ばれていないことを確認 + expect(queueService.deliver).not.toHaveBeenCalled(); + }); + }); + + describe('suspension from remote', () => { + test('should suspend remote user and post suspend event', async () => { + const remoteUser = await createUser({ host: genHost() }) as MiRemoteUser; + await userSuspendService.suspendFromRemote(remoteUser); + + // ユーザーがリモート凍結されているかチェック + const suspendedUser = await usersRepository.findOneBy({ id: remoteUser.id }); + expect(suspendedUser?.isRemoteSuspended).toBe(true); + + // イベントが発行されているかチェック + expect(globalEventService.publishInternalEvent).toHaveBeenCalledWith( + 'userChangeSuspendedState', + { id: remoteUser.id, isRemoteSuspended: true }, + ); + }); + + test('should unsuspend remote user and post unsuspend event', async () => { + const remoteUser = await createUser({ host: genHost(), isRemoteSuspended: true }) as MiRemoteUser; + await userSuspendService.unsuspendFromRemote(remoteUser); + + // ユーザーのリモート凍結が解除されているかチェック + const unsuspendedUser = await usersRepository.findOneBy({ id: remoteUser.id }); + expect(unsuspendedUser?.isRemoteSuspended).toBe(false); + + // イベントが発行されているかチェック + 
expect(globalEventService.publishInternalEvent).toHaveBeenCalledWith( + 'userChangeSuspendedState', + { id: remoteUser.id, isRemoteSuspended: false }, + ); + }); + }); +}); diff --git a/packages/backend/test/unit/ap-request.ts b/packages/backend/test/unit/ap-request.ts index f8b2a697f2..6b966f14d9 100644 --- a/packages/backend/test/unit/ap-request.ts +++ b/packages/backend/test/unit/ap-request.ts @@ -4,12 +4,11 @@ */ import * as assert from 'assert'; -import httpSignature from '@peertube/http-signature'; -import { genRsaKeyPair } from '@/misc/gen-key-pair.js'; -import { ApRequestCreator } from '@/core/activitypub/ApRequestService.js'; import { assertActivityMatchesUrl, FetchAllowSoftFailMask } from '@/core/activitypub/misc/check-against-url.js'; import { IObject } from '@/core/activitypub/type.js'; +import { verifyDraftSignature, parseRequestSignature, genRsaKeyPair, genEd25519KeyPair, importPrivateKey } from '@misskey-dev/node-http-message-signatures'; +import { createSignedGet, createSignedPost } from '@/core/activitypub/ApRequestService.js'; export const buildParsedSignature = (signingString: string, signature: string, algorithm: string) => { return { 
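Review bot: The test 'should deliver Update Person activity on unsuspend of local user' calls `userSuspendService.suspend(localUser, moderator)`, so the unsuspend delivery path is never exercised and the test only repeats the suspend case above it; the call should be `await userSuspendService.unsuspend(localUser, moderator);`. The negative checks for remote users have a related gap: they assert that `queueService.deliver` and `renderDelete` were not called, while the local-user tests show delivery going through `queueService.deliverMany` and `renderUpdate`, so a regression that federates a moderation action for a remote account would still pass. Adding `expect(queueService.deliverMany).not.toHaveBeenCalled();` to those three remote-user tests would close that. The testing module is also built in `beforeAll` with no matching `afterAll` that calls `app.close()`, unlike the ApDeliverManagerService SQL suite, which closes it in `afterEach`.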
@@ -30,41 +29,73 @@ function cartesianProduct(a: T[], b: U[]): [T, U][] { return a.flatMap(a => b.map(b => [a, b] as [T, U])); } -describe('ap-request', () => { - test('createSignedPost with verify', async () => { - const keypair = await genRsaKeyPair(); - const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey }; - const url = 'https://example.com/inbox'; - const activity = { a: 1 }; - const body = JSON.stringify(activity); - const headers = { - 'User-Agent': 'UA', - }; +async function getKeyPair(level: string) { + if (level === '00') { + return await genRsaKeyPair(); + } else if (level === '01') { + return await genEd25519KeyPair(); + } + throw new Error('Invalid level'); +} - const req = ApRequestCreator.createSignedPost({ key, url, body, additionalHeaders: headers }); +describe('ap-request post', () => { + const url = 'https://example.com/inbox'; + const activity = { a: 1 }; + const body = JSON.stringify(activity); + const headers = { + 'User-Agent': 'UA', + }; - const parsed = buildParsedSignature(req.signingString, req.signature, 'rsa-sha256'); + describe.each(['00', '01'])('createSignedPost with verify', (level) => { + test('pem', async () => { + const keypair = await getKeyPair(level); + const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey }; - const result = httpSignature.verifySignature(parsed, keypair.publicKey); - assert.deepStrictEqual(result, true); + const req = await createSignedPost({ level, key, url, body, additionalHeaders: headers }); + + const parsed = parseRequestSignature(req.request); + expect(parsed.version).toBe('draft'); + expect(Array.isArray(parsed.value)).toBe(false); + const verify = await verifyDraftSignature(parsed.value as any, keypair.publicKey); + assert.deepStrictEqual(verify, true); + }); + test('imported', async () => { + const keypair = await getKeyPair(level); + const key = { keyId: 'x', 'privateKey': await importPrivateKey(keypair.privateKey) }; + + const req = await createSignedPost({ level, key, url, body, 
additionalHeaders: headers }); + + const parsed = parseRequestSignature(req.request); + expect(parsed.version).toBe('draft'); + expect(Array.isArray(parsed.value)).toBe(false); + const verify = await verifyDraftSignature(parsed.value as any, keypair.publicKey); + assert.deepStrictEqual(verify, true); + }); }); +}); - test('createSignedGet with verify', async () => { - const keypair = await genRsaKeyPair(); - const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey }; - const url = 'https://example.com/outbox'; - const headers = { - 'User-Agent': 'UA', - }; +describe('ap-request get', () => { + describe.each(['00', '01'])('createSignedGet with verify', (level) => { + test('pass', async () => { + const keypair = await getKeyPair(level); + const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey }; + const url = 'https://example.com/outbox'; + const headers = { + 'User-Agent': 'UA', + }; - const req = ApRequestCreator.createSignedGet({ key, url, additionalHeaders: headers }); + const req = await createSignedGet({ level, key, url, additionalHeaders: headers }); - const parsed = buildParsedSignature(req.signingString, req.signature, 'rsa-sha256'); - - const result = httpSignature.verifySignature(parsed, keypair.publicKey); - assert.deepStrictEqual(result, true); + const parsed = parseRequestSignature(req.request); + expect(parsed.version).toBe('draft'); + expect(Array.isArray(parsed.value)).toBe(false); + const verify = await verifyDraftSignature(parsed.value as any, keypair.publicKey); + assert.deepStrictEqual(verify, true); + }); }); +}); +describe('assertActivityMatchesUrl', () => { test('rejects non matching domain', () => { assert.doesNotThrow(() => assertActivityMatchesUrl( 'https://alice.example.com/abc', 
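Review bot: Both new `describe.each` groups in this hunk assert only that a freshly produced signature verifies against its own public key; no case checks that `verifyDraftSignature` rejects a request signed with a different key, so a verifier that accepted any input would still pass these tests. I would add one negative case per level, sketched below for POST (the same shape applies to `createSignedGet`); whether a mismatch is reported as a non-`true` result or as a throw is not visible here, so the sketch accepts either. Separately, `parsed.value as any` discards the type returned by `parseRequestSignature` right after the `Array.isArray` check, and the 'imported' key path is exercised for POST only.

```typescript
describe.each(['00', '01'])('createSignedPost with verify', (level) => {
	// … unchanged: 'pem' and 'imported' cases …
	test('does not verify against another key', async () => {
		const keypair = await getKeyPair(level);
		const otherKeypair = await getKeyPair(level);
		const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey };

		const req = await createSignedPost({ level, key, url, body, additionalHeaders: headers });
		const parsed = parseRequestSignature(req.request);

		let verify: unknown = false;
		try {
			verify = await verifyDraftSignature(parsed.value as any, otherKeypair.publicKey);
		} catch {
			// a throw is also an acceptable way to reject the signature
		}
		assert.notStrictEqual(verify, true);
	});
});
```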
@@ -78,7 +109,7 @@ describe('ap-request', () => { 'https://alice.example.com/abc', FetchAllowSoftFailMask.Any, ), 'validation should fail no matter what if the response URL is inconsistent with the object ID'); - + assert.doesNotThrow(() => assertActivityMatchesUrl( 'https://alice.example.com/abc#test', { id: 'https://alice.example.com/abc' } as IObject, diff --git a/packages/backend/test/unit/entities/UserEntityService.ts b/packages/backend/test/unit/entities/UserEntityService.ts index ca6a639be8..f2b40e83a8 100644 --- a/packages/backend/test/unit/entities/UserEntityService.ts +++ b/packages/backend/test/unit/entities/UserEntityService.ts @@ -51,6 +51,7 @@ import { ReactionService } from '@/core/ReactionService.js'; import { NotificationService } from '@/core/NotificationService.js'; import { ReactionsBufferingService } from '@/core/ReactionsBufferingService.js'; import { ChatService } from '@/core/ChatService.js'; +import { UserSuspendService } from '@/core/UserSuspendService.js'; process.env.NODE_ENV = 'test'; @@ -170,6 +171,7 @@ describe('UserEntityService', () => { InstanceChart, ApLoggerService, AccountMoveService, + UserSuspendService, ReactionService, ReactionsBufferingService, NotificationService, diff --git a/packages/frontend/src/pages/admin-user.vue b/packages/frontend/src/pages/admin-user.vue index 24f2d0d5eb..34bcbec738 100644 --- a/packages/frontend/src/pages/admin-user.vue +++ b/packages/frontend/src/pages/admin-user.vue @@ -14,6 +14,7 @@ SPDX-License-Identifier: AGPL-3.0-only @{{ acct(user) }} Suspended + Suspended in Remote Silenced Moderator 
@@ -261,6 +262,7 @@ const ap = ref(null); const moderator = ref(info.value.isModerator); const silenced = ref(info.value.isSilenced); const suspended = ref(info.value.isSuspended); +const remoteSuspended = ref(info.value.isRemoteSuspended); const isSystem = ref(user.value.host == null && user.value.username.includes('.')); const moderationNote = ref(info.value.moderationNote); const filesPaginator = markRaw(new Paginator('admin/drive/files', { @@ -317,6 +319,7 @@ async function refreshUser() { moderator.value = info.value.isModerator; silenced.value = info.value.isSilenced; suspended.value = info.value.isSuspended; + remoteSuspended.value = info.value.isRemoteSuspended; isSystem.value = user.value.host == null && user.value.username.includes('.'); moderationNote.value = info.value.moderationNote; } diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts index 22a3733fcb..efb8cd05ca 100644 --- a/packages/misskey-js/src/autogen/types.ts +++ b/packages/misskey-js/src/autogen/types.ts @@ -5026,6 +5026,7 @@ export type components = { /** Format: date-time */ latestRequestReceivedAt: string | null; moderationNote?: string | null; + httpMessageSignaturesImplementationLevel: string; }; GalleryPost: { /** @@ -11720,6 +11721,7 @@ export interface operations { isModerator: boolean; isSilenced: boolean; isSuspended: boolean; + isRemoteSuspended: boolean; isHibernated: boolean; lastActiveDate: string | null; moderationNote: string; @@ -11731,6 +11733,18 @@ export interface operations { expiresAt: string | null; roleId: string; }[]; + publicKeys: { + userId: string; + keyId: string; + keyPem: string; + }[] | null; + keyPairs: { + userId: string; + publicKey: string; + privateKey: string; + ed25519PublicKey: string | null; + ed25519PrivateKey: string | null; + } | null; }; }; }; diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 9060fee7c9..fb97e0c4e7 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml 
@@ -128,6 +128,9 @@ importers: '@fastify/view': specifier: 10.0.2 version: 10.0.2 + '@misskey-dev/node-http-message-signatures': + specifier: 0.0.10 + version: 0.0.10 '@misskey-dev/sharp-read-bmp': specifier: 1.2.0 version: 1.2.0 @@ -146,9 +149,6 @@ importers: '@nestjs/testing': specifier: 11.1.6 version: 11.1.6(@nestjs/common@11.1.6(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.6)(@nestjs/platform-express@10.4.20) - '@peertube/http-signature': - specifier: 1.7.0 - version: 1.7.0 '@sentry/node': specifier: 8.55.0 version: 8.55.0 @@ -2798,6 +2798,11 @@ packages: '@kurkle/color@0.3.2': resolution: {integrity: sha512-fuscdXJ9G1qb7W8VdHi+IwRqij3lBkosAm4ydQtEmbY58OzHXqQhvlxqEkoz0yssNVn38bcpRWgA9PP+OGoisw==} + '@lapo/asn1js@2.0.4': + resolution: {integrity: sha512-KJD3wQAZxozcraJdWp3utDU6DEZgAVBGp9INCdptUpZaXCEYkpwNb7h7wyYh5y6DxtpvIud8k0suhWJ/z2rKvw==} + engines: {node: '>=12.20.0'} + hasBin: true + '@levischuck/tiny-cbor@0.2.2': resolution: {integrity: sha512-f5CnPw997Y2GQ8FAvtuVVC19FX8mwNNC+1XJcIi16n/LTJifKO6QBgGLgN3YEmqtGMk17SKSuoWES3imJVxAVw==} @@ -2852,6 +2857,10 @@ packages: eslint-plugin-import: '>= 2' globals: '>= 15' + '@misskey-dev/node-http-message-signatures@0.0.10': + resolution: {integrity: sha512-HiAuc//tOU077KFUJhHYLAPWku9enTpOFIqQiK6l2i2mIizRvv7HhV7Y+yuav5quDOAz+WZGK/i5C9OR5fkKIg==} + engines: {node: '>=18.4.0'} + '@misskey-dev/sharp-read-bmp@1.2.0': resolution: {integrity: sha512-er4pRakXzHYfEgOFAFfQagqDouG+wLm+kwNq1I30oSdIHDa0wM3KjFpfIGQ25Fks4GcmOl1s7Zh6xoQu5dNjTw==} 
@@ -3378,10 +3387,6 @@ packages: '@peculiar/asn1-x509@2.3.8': resolution: {integrity: sha512-voKxGfDU1c6r9mKiN5ZUsZWh3Dy1BABvTM3cimf0tztNwyMJPhiXY94eRTgsMQe6ViLfT6EoXxkWVzcm3mFAFw==} - '@peertube/http-signature@1.7.0': - resolution: {integrity: sha512-aGQIwo6/sWtyyqhVK4e1MtxYz4N1X8CNt6SOtCc+Wnczs5S5ONaLHDDR8LYaGn0MgOwvGgXyuZ5sJIfd7iyoUw==} - engines: {node: '>=0.10'} - '@pkgjs/parseargs@0.11.0': resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==} engines: {node: '>=14'} @@ -7938,10 +7943,6 @@ packages: resolution: {integrity: sha512-p/nXbhSEcu3pZRdkW1OfJhpsVtW1gd4Wa1fnQc9YLiTfAjn0312eMKimbdIQzuZl9aa9xUGaRlP9T/CJE/ditQ==} engines: {node: '>=0.10.0'} - jsprim@1.4.2: - resolution: {integrity: sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==} - engines: {node: '>=0.6.0'} - jsprim@2.0.2: resolution: {integrity: sha512-gqXddjPqQ6G40VdnI6T6yObEC+pDNvyP95wdQhkWkg7crHH3km5qP1FsOXEkzEQwnz6gz5qGTn1c2Y52wP3OyQ==} engines: {'0': node >=0.6.0} @@ -9709,6 +9710,9 @@ packages: resolution: {integrity: sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==} engines: {iojs: '>=1.0.0', node: '>=0.10.0'} + rfc4648@1.5.3: + resolution: {integrity: sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==} + rfdc@1.4.1: resolution: {integrity: sha512-q1b3N5QkRUWUl7iyylaaj3kOpIT0N2i9MqIEQXP73GVsN9cw3fdx8X63cEmWhJGi2PPCF23Ijp7ktmd39rawIA==} 
@@ -10307,6 +10311,10 @@ packages: resolution: {integrity: sha512-ERPW+XkvX9W2A+ov07iy+ZFJpVdik04GhDA4eVogiG9hpC97Kem2iucyzhFxbFRvQ5o2UckFtKZdp1hkGvnrEw==} engines: {node: '>=16'} + structured-headers@1.0.1: + resolution: {integrity: sha512-QYBxdBtA4Tl5rFPuqmbmdrS9kbtren74RTJTcs0VSQNVV5iRhJD4QlYTLD0+81SBwUQctjEQzjTRI3WG4DzICA==} + engines: {node: '>= 14', npm: '>=6'} + stylehacks@7.0.5: resolution: {integrity: sha512-5kNb7V37BNf0Q3w+1pxfa+oiNPS++/b4Jil9e/kPDgrk1zjEd6uR7SZeJiYaLYH6RRSC1XX2/37OTeU/4FvuIA==} engines: {node: ^18.12.0 || ^20.9.0 || >=22.0} @@ -13208,6 +13216,8 @@ snapshots: '@kurkle/color@0.3.2': {} + '@lapo/asn1js@2.0.4': {} + '@levischuck/tiny-cbor@0.2.2': {} '@lukeed/csprng@1.0.1': {} @@ -13289,6 +13299,12 @@ snapshots: eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.42.0(eslint@9.35.0)(typescript@5.9.2))(eslint@9.35.0) globals: 16.3.0 + '@misskey-dev/node-http-message-signatures@0.0.10': + dependencies: + '@lapo/asn1js': 2.0.4 + rfc4648: 1.5.3 + structured-headers: 1.0.1 + '@misskey-dev/sharp-read-bmp@1.2.0': dependencies: decode-bmp: 0.2.1 @@ -13854,12 +13870,6 @@ snapshots: pvtsutils: 1.3.5 tslib: 2.8.1 - '@peertube/http-signature@1.7.0': - dependencies: - assert-plus: 1.0.0 - jsprim: 1.4.2 - sshpk: 1.18.0 - '@pkgjs/parseargs@0.11.0': optional: true @@ -19412,13 +19422,6 @@ snapshots: jsonpointer@5.0.1: {} - jsprim@1.4.2: - dependencies: - assert-plus: 1.0.0 - extsprintf: 1.3.0 - json-schema: 0.4.0 - verror: 1.10.0 - jsprim@2.0.2: dependencies: assert-plus: 1.0.0 @@ -21407,6 +21410,8 @@ snapshots: reusify@1.0.4: {} + rfc4648@1.5.3: {} + rfdc@1.4.1: {} rimraf@2.7.1: @@ -22148,6 +22153,8 @@ snapshots: '@tokenizer/token': 0.3.0 peek-readable: 5.3.1 + structured-headers@1.0.1: {} + stylehacks@7.0.5(postcss@8.5.6): dependencies: browserslist: 4.25.1