fixup inboxFilter and bump apex

CHANGELOG.md

@@ -1,3 +1,9 @@
+## Unreleased
+
+### Fixed
+* Fix irrelevant activities filter and allow deletes and updates through
+* Fixed unverifiable delete detection for duplicate deliveries
+
 ## v1.5.1 (2023-06-23)
 Efficiency and compatibility updates
 ### Fixed

index.js

@@ -92,16 +92,31 @@ async function actorOnDemand (req, res, next) {
   } catch (err) { return next(err) }
   next()
 }
-// Lots of servers are delivering inappropriate activities to Guppe, move the filtering up earlier in the process to save work
-apex.net.inbox.post.slice(
+const acceptablePublicActivities = ['delete', 'update']
+apex.net.inbox.post.splice(
   // just after standardizing the jsonld
   apex.net.inbox.post.indexOf(apex.net.validators.jsonld) + 1,
   0,
-  function (req, res, next) {
+  function inboxLogger (req, res, next) {
     try {
-      const groupIRI = apex.utils.usernameToIRI(apex.actorParam)
-      if (!apex.audienceFromActivity(req.body).includes(groupIRI) && !req.body.object?.[0] === groupIRI) {
-        console.log('Ignoring irrelevant activity', req.body)
+      console.log('%s from %s to %s', req.body.type, req.body.actor?.[0], req.params[apex.actorParam])
+    } finally {
+      next()
+    }
+  },
+  // Lots of servers are delivering inappropriate activities to Guppe, move the filtering up earlier in the process to save work
+  function inboxFilter (req, res, next) {
+    try {
+      const groupIRI = apex.utils.usernameToIRI(req.params[apex.actorParam])
+      const activityAudience = apex.audienceFromActivity(req.body)
+      const activityType = req.body.type?.toLowerCase()
+      const activityObject = req.body.object?.[0]
+      if (
+        !activityAudience.includes(groupIRI) &&
+        activityObject !== groupIRI &&
+        !acceptablePublicActivities.includes(activityType)
+      ) {
+        console.log('Ignoring irrelevant activity sent to %s: %j', groupIRI, req.body)
         return res.status(202).send('Irrelevant activity ignored')
       }
     } catch (err) {

package-lock.json

@@ -10,7 +10,7 @@
       "license": "AGPL-3.0-or-later",
       "dependencies": {
         "@small-tech/auto-encrypt": "^3.1.0",
-        "activitypub-express": "^4.4.0",
+        "activitypub-express": "^4.4.1",
         "connect-history-api-fallback": "^2.0.0",
         "cors": "^2.8.4",
         "dotenv": "^16.0.3",
@@ -1450,9 +1450,9 @@
       }
     },
     "node_modules/activitypub-express": {
-      "version": "4.4.0",
-      "resolved": "https://registry.npmjs.org/activitypub-express/-/activitypub-express-4.4.0.tgz",
-      "integrity": "sha512-viVA1g8FIEKM+f8nN5ow7MFJsevlu2j3HvCV91oDWWlLGR0JdW6uX30q46eZFiycJzAH3oMrTqPZTBjkjMfMbQ==",
+      "version": "4.4.1",
+      "resolved": "https://registry.npmjs.org/activitypub-express/-/activitypub-express-4.4.1.tgz",
+      "integrity": "sha512-pMh3ylzYFn/psSojmCCcpwV9Tqu2JIPGAVJu6o2M4nGyA1OXpSsaF67EVn2+r4tU1mqGsQWHWTWSqCn1KuzLkg==",
       "dependencies": {
         "deepmerge": "^4.2.2",
         "express": "^4.18.0",
@@ -7084,9 +7084,9 @@
       "requires": {}
     },
     "activitypub-express": {
-      "version": "4.4.0",
-      "resolved": "https://registry.npmjs.org/activitypub-express/-/activitypub-express-4.4.0.tgz",
-      "integrity": "sha512-viVA1g8FIEKM+f8nN5ow7MFJsevlu2j3HvCV91oDWWlLGR0JdW6uX30q46eZFiycJzAH3oMrTqPZTBjkjMfMbQ==",
+      "version": "4.4.1",
+      "resolved": "https://registry.npmjs.org/activitypub-express/-/activitypub-express-4.4.1.tgz",
+      "integrity": "sha512-pMh3ylzYFn/psSojmCCcpwV9Tqu2JIPGAVJu6o2M4nGyA1OXpSsaF67EVn2+r4tU1mqGsQWHWTWSqCn1KuzLkg==",
       "requires": {
         "deepmerge": "^4.2.2",
         "express": "^4.18.0",

package.json

@@ -5,7 +5,7 @@
   "main": "index.js",
   "dependencies": {
     "@small-tech/auto-encrypt": "^3.1.0",
-    "activitypub-express": "^4.4.0",
+    "activitypub-express": "^4.4.1",
     "connect-history-api-fallback": "^2.0.0",
     "cors": "^2.8.4",
     "dotenv": "^16.0.3",