From 0a9e7d4712663cb2b03c6bdb7d151f6695989c99 Mon Sep 17 00:00:00 2001
From: Oneric
Date: Sun, 8 Jun 2025 14:01:27 +0200
Subject: [PATCH] federation/in: improve reply on requests from blocked domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously all such requests led to '401 Unauthorized' whih might have triggered retries. Now, to not leak any MRF info, we just indicate an accept for POST requests without actually processing the object and indiscriminately return "not found" for GET requests. Notably this change also now causes all signed fetch requests from blocked domains to be rejected even if authorized_fetch isn’t enabled.

Fixes: https://akkoma.dev/AkkomaGang/akkoma/issues/929
---
 lib/pleroma/web/plugs/http_signature_plug.ex | 14 ++++++++
 .../web/plugs/http_signature_plug_test.exs | 34 ++++++++++++-------
 2 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/lib/pleroma/web/plugs/http_signature_plug.ex b/lib/pleroma/web/plugs/http_signature_plug.ex
index b489a91eb..1b72a1d3a 100644
--- a/lib/pleroma/web/plugs/http_signature_plug.ex
+++ b/lib/pleroma/web/plugs/http_signature_plug.ex
@@ -95,6 +95,20 @@ defp maybe_halt(conn, :gone) do
 end
 end

+ defp maybe_halt(conn, {:reject, _}) do
+ cond do
+ conn.method == "POST" ->
+ conn
+ |> resp(202, "Accepted")
+ |> halt()
+
+ true ->
+ conn
+ |> resp(404, "Not found")
+ |> halt()
+ end
+ end
+
 defp maybe_halt(conn, _), do: conn

 defp assign_valid_signature(%{assigns: %{valid_signature: true}} = conn, _),
diff --git a/test/pleroma/web/plugs/http_signature_plug_test.exs b/test/pleroma/web/plugs/http_signature_plug_test.exs
index 722a52a22..681bea10b 100644
--- a/test/pleroma/web/plugs/http_signature_plug_test.exs
+++ b/test/pleroma/web/plugs/http_signature_plug_test.exs
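Review bot: The decoy replies in the new `maybe_halt(conn, {:reject, _})` clause of `lib/pleroma/web/plugs/http_signature_plug.ex` only hide the block if they match what an unblocked peer receives. The hunk does not show that `resp(202, "Accepted")` and `resp(404, "Not found")` share status, body and content type with the real inbox success reply and the application's regular 404. If the real handlers answer differently (the inbox controller is outside this diff), the replies remain distinguishable, which is the MRF leak the commit sets out to close. Consider reusing the response helpers of the real paths or pinning the equivalence in a test, and add a comment above the clause such as `# Mimic the normal replies so a blocked peer cannot infer MRF policy`. A debug-level log line or counter here would also keep silently dropped deliveries visible to the operator.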
@@ -163,19 +163,27 @@ test "fails on gone key for non-Delete" do
 assert conn.assigns.signature_user == nil
 end

- test "fails on rejected keys", %{user: user} do
- conn =
- build_conn(:post, "/inbox", %{"type" => "Note"})
- |> put_format("activity+json")
- |> assign(:rejected_key_id, true)
- |> put_req_header(
- "signature",
- "keyId=\"#{user.signing_key.key_id}\""
- )
- |> HTTPSignaturePlug.call(%{})
+ test "fakes accept for POST on rejected keys", %{user: user} do
+ build_conn(:post, "/inbox", %{"type" => "Note"})
+ |> put_format("activity+json")
+ |> assign(:rejected_key_id, true)
+ |> put_req_header(
+ "signature",
+ "keyId=\"#{user.signing_key.key_id}\""
+ )
+ |> HTTPSignaturePlug.call(%{})
+ |> response(202)
+ end

- refute conn.halted
- assert conn.assigns.valid_signature == false
- assert conn.assigns.signature_user == nil
+ test "fakes not found for GET on rejected keys", %{user: user} do
+ build_conn(:get, "/doesntmattter", %{"user" => user.ap_id})
+ |> put_format("activity+json")
+ |> assign(:rejected_key_id, true)
+ |> put_req_header(
+ "signature",
+ "keyId=\"#{user.signing_key.key_id}\""
+ )
+ |> HTTPSignaturePlug.call(%{})
+ |> response(404)
 end
 end
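Review bot: Both new tests assert only the status code, so they would likely still pass if `halt()` were dropped from the `{:reject, _}` clause and the request carried on down the pipeline. The change is meant to acknowledge the object without handling it, so the halted state is the property worth pinning. Bind the result with `conn = ... |> HTTPSignaturePlug.call(%{})`, then `assert conn.halted` and `assert response(conn, 202)` (likewise `404` for the GET case). The enclosing block that the final `end` closes starts outside this hunk.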