[chore] No sigs for retrieving instance actor

As a possible path towards resolving #1186, this removes the signature check on the instance actor. Also adds a test to check authentication for a user other than the instance actor to ensure we don't poke a big hole into that check.
2025-10-29 06:32:26 -05:00 · 2025-06-03 19:11:07 +02:00 · 2025-06-03 19:11:07 +02:00 · e65bda768c
commit e65bda768c
parent be6d80c020
6 changed files with 120 additions and 4 deletions
--- a/internal/api/activitypub.go
+++ b/internal/api/activitypub.go
@ -21,6 +21,7 @@ import (
 	"code.superseriousbusiness.org/gotosocial/internal/api/activitypub/emoji"
 	"code.superseriousbusiness.org/gotosocial/internal/api/activitypub/publickey"
 	"code.superseriousbusiness.org/gotosocial/internal/api/activitypub/users"
+	"code.superseriousbusiness.org/gotosocial/internal/config"
 	"code.superseriousbusiness.org/gotosocial/internal/db"
 	"code.superseriousbusiness.org/gotosocial/internal/middleware"
 	"code.superseriousbusiness.org/gotosocial/internal/processing"
@ -40,14 +41,22 @@ func (a *ActivityPub) Route(r *router.Router, m ...gin.HandlerFunc) {
 	emojiGroup := r.AttachGroup("emoji")
 	usersGroup := r.AttachGroup("users")

+	emojiGroup.Use(m...)
+	usersGroup.Use(m...)
+
 	// attach shared, non-global middlewares to both of these groups
 	ccMiddleware := middleware.CacheControl(middleware.CacheControlConfig{
 		Directives: []string{"no-store"},
 	})
-	emojiGroup.Use(m...)
-	usersGroup.Use(m...)
-	emojiGroup.Use(a.signatureCheckMiddleware, ccMiddleware)
-	usersGroup.Use(a.signatureCheckMiddleware, ccMiddleware)
+
+	emojiGroup.Use(ccMiddleware, a.signatureCheckMiddleware)
+	usersGroup.Use(ccMiddleware)
+
+	// hook the instance actor route first so we don't require auth
+	usersGroup.GET(config.InstanceActor(), a.users.InstanceActorGETHandler)
+
+	// add signature checking to any other users routes
+	usersGroup.Use(a.signatureCheckMiddleware)

 	a.emoji.Route(emojiGroup.Handle)
 	a.users.Route(usersGroup.Handle)