Merge 5641b0b3ad into b8ae7edcec

fix(gh): add minimumReleaseAge settings to renovate [ci skip]
fix: Refetch user keys when HTTP Signature validation fails
2025-09-28 18:32:22 +09:00 · 2025-09-28 18:28:37 +09:00 · 2023-10-17 15:00:26 +02:00
3 changed files with 26 additions and 1 deletions
--- a/packages/backend/src/core/activitypub/ApDbResolverService.ts
+++ b/packages/backend/src/core/activitypub/ApDbResolverService.ts
@ -173,6 +173,19 @@ export class ApDbResolverService implements OnApplicationShutdown {
 		};
 	}

+	/**
+	 * Miskey User -> Refetched Key
+	 */
+	@bindThis
+	public async refetchPublicKeyForApId(user: MiRemoteUser): Promise<MiUserPublickey | null> {
+		await this.apPersonService.updatePerson(user.uri!);
+		const key = this.userPublickeysRepository.findOneBy({ userId: user.id });
+		if (key != null) {
+			await this.publicKeyByUserIdCache.set(user.id, key);
+		}
+		return key;
+	}
+
 	@bindThis
 	public dispose(): void {
 		this.publicKeyCache.dispose();
--- a/packages/backend/src/queue/processors/InboxProcessorService.ts
+++ b/packages/backend/src/queue/processors/InboxProcessorService.ts
@ -116,7 +116,18 @@ export class InboxProcessorService implements OnApplicationShutdown {
 		}

 		// HTTP-Signatureの検証
-		const httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
+		let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
+
+		// If signature validation failed, try refetching the actor
+		if (!httpSignatureValidated) {
+			authUser.key = await this.apDbResolverService.refetchPublicKeyForApId(authUser.user);
+
+			if (authUser.key == null) {
+				throw new Bull.UnrecoverableError('skip: failed to re-resolve user publicKey');
+			}
+
+			httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
+		}

 		// また、signatureのsignerは、activity.actorと一致する必要がある
 		if (!httpSignatureValidated || authUser.user.uri !== activity.actor) {
--- a/renovate.json5
+++ b/renovate.json5
@ -15,6 +15,7 @@
 	dependencyDashboardAutoclose: true,
 	osvVulnerabilityAlerts: true,
 	dependencyDashboardOSVVulnerabilitySummary: 'unresolved',
+	minimumReleaseAge: '7 days',
 	ignoreDeps: [
 		// https://github.com/misskey-dev/misskey/pull/15489#issuecomment-2660717458
 		'@typescript/lib-webworker',