From 16989e3063d8450d435c2af168c4cfd0c33dbd85 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 13 Jan 2021 20:47:16 -0700 Subject: [PATCH 1/3] Add database migrations --- ..._12_14_103423_create_login_links_table.php | 40 +++++++++++++++++++ ...021_01_14_034521_add_cache_locks_table.php | 32 +++++++++++++++ 2 files changed, 72 insertions(+) create mode 100644 database/migrations/2020_12_14_103423_create_login_links_table.php create mode 100644 database/migrations/2021_01_14_034521_add_cache_locks_table.php diff --git a/database/migrations/2020_12_14_103423_create_login_links_table.php b/database/migrations/2020_12_14_103423_create_login_links_table.php new file mode 100644 index 00000000..404fac5d --- /dev/null +++ b/database/migrations/2020_12_14_103423_create_login_links_table.php @@ -0,0 +1,40 @@ +id(); + $table->string('key')->index(); + $table->string('secret')->index(); + $table->unsignedInteger('user_id')->index(); + $table->string('ip')->nullable(); + $table->string('user_agent')->nullable(); + $table->json('meta')->nullable(); + $table->timestamp('revoked_at')->nullable()->index(); + $table->timestamp('resent_at')->nullable()->index(); + $table->timestamp('used_at')->nullable()->index(); + $table->timestamps(); + }); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + Schema::dropIfExists('login_links'); + } +} diff --git a/database/migrations/2021_01_14_034521_add_cache_locks_table.php b/database/migrations/2021_01_14_034521_add_cache_locks_table.php new file mode 100644 index 00000000..121c69a3 --- /dev/null +++ b/database/migrations/2021_01_14_034521_add_cache_locks_table.php @@ -0,0 +1,32 @@ +string('key')->primary(); + $table->string('owner'); + $table->integer('expiration'); + }); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + Schema::dropTable('cache_locks'); + } +} From 4a4d8f0069d9289afe22b5b0ca24fda83a30b4e0 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 13 Jan 2021 21:38:22 -0700 Subject: [PATCH 2/3] Update InboxWorker, fix race condition in account deletes --- app/Jobs/InboxPipeline/InboxValidator.php | 52 +++++++++++++++++++++ app/Jobs/InboxPipeline/InboxWorker.php | 55 +++++++++++++++++++++-- 2 files changed, 104 insertions(+), 3 deletions(-) diff --git a/app/Jobs/InboxPipeline/InboxValidator.php b/app/Jobs/InboxPipeline/InboxValidator.php index 732ad082..64015f88 100644 --- a/app/Jobs/InboxPipeline/InboxValidator.php +++ b/app/Jobs/InboxPipeline/InboxValidator.php @@ -14,6 +14,7 @@ use Illuminate\Foundation\Bus\Dispatchable; use Illuminate\Queue\InteractsWithQueue; use Illuminate\Queue\SerializesModels; use Zttp\Zttp; +use App\Jobs\DeletePipeline\DeleteRemoteProfilePipeline; class InboxValidator implements ShouldQueue { @@ -59,6 +60,57 @@ class InboxValidator implements ShouldQueue return; } + if( $payload['type'] === 'Delete' && + ( ( is_string($payload['object']) && + $payload['object'] === $payload['actor'] ) || + ( is_array($payload['object']) && + isset($payload['object']['id'], $payload['object']['type']) && + $payload['object']['type'] === 'Person' && + $payload['actor'] === $payload['object']['id'] + )) + ) { + $actor = $payload['actor']; + $hash = strlen($actor) <= 48 ? + 'b:' . base64_encode($actor) : + 'h:' . hash('sha256', $actor); + + $lockKey = 'ap:inbox:actor-delete-exists:lock:' . $hash; + Cache::lock($lockKey, 10)->block(5, function () use( + $headers, + $payload, + $actor, + $hash + ) { + $key = 'ap:inbox:actor-delete-exists:' . $hash; + $actorDelete = Cache::remember($key, now()->addMinutes(15), function() use($actor) { + return Profile::whereRemoteUrl($actor) + ->whereNotNull('domain') + ->exists(); + }); + if($actorDelete) { + if($this->verifySignature($headers, $payload) == true) { + Cache::set($key, false); + $profile = Profile::whereNotNull('domain') + ->whereNull('status') + ->whereRemoteUrl($actor) + ->first(); + if($profile) { + DeleteRemoteProfilePipeline::dispatchNow($profile); + } + return; + } else { + // Signature verification failed, exit. + return; + } + } else { + // Remote user doesn't exist, exit early. + return; + } + }); + + return; + } + if($profile->status != null) { return; } diff --git a/app/Jobs/InboxPipeline/InboxWorker.php b/app/Jobs/InboxPipeline/InboxWorker.php index c4ddab6e..efb2c62e 100644 --- a/app/Jobs/InboxPipeline/InboxWorker.php +++ b/app/Jobs/InboxPipeline/InboxWorker.php @@ -14,13 +14,13 @@ use Illuminate\Foundation\Bus\Dispatchable; use Illuminate\Queue\InteractsWithQueue; use Illuminate\Queue\SerializesModels; use Zttp\Zttp; +use App\Jobs\DeletePipeline\DeleteRemoteProfilePipeline; class InboxWorker implements ShouldQueue { use Dispatchable, InteractsWithQueue, Queueable, SerializesModels; protected $headers; - protected $profile; protected $payload; public $timeout = 60; @@ -56,6 +56,57 @@ class InboxWorker implements ShouldQueue return; } + if( $payload['type'] === 'Delete' && + ( ( is_string($payload['object']) && + $payload['object'] === $payload['actor'] ) || + ( is_array($payload['object']) && + isset($payload['object']['id'], $payload['object']['type']) && + $payload['object']['type'] === 'Person' && + $payload['actor'] === $payload['object']['id'] + )) + ) { + $actor = $payload['actor']; + $hash = strlen($actor) <= 48 ? + 'b:' . base64_encode($actor) : + 'h:' . hash('sha256', $actor); + + $lockKey = 'ap:inbox:actor-delete-exists:lock:' . $hash; + Cache::lock($lockKey, 10)->block(5, function () use( + $headers, + $payload, + $actor, + $hash + ) { + $key = 'ap:inbox:actor-delete-exists:' . $hash; + $actorDelete = Cache::remember($key, now()->addMinutes(15), function() use($actor) { + return Profile::whereRemoteUrl($actor) + ->whereNotNull('domain') + ->exists(); + }); + if($actorDelete) { + if($this->verifySignature($headers, $payload) == true) { + Cache::set($key, false); + $profile = Profile::whereNotNull('domain') + ->whereNull('status') + ->whereRemoteUrl($actor) + ->first(); + if($profile) { + DeleteRemoteProfilePipeline::dispatchNow($profile); + } + return; + } else { + // Signature verification failed, exit. + return; + } + } else { + // Remote user doesn't exist, exit early. + return; + } + }); + + return; + } + if($this->verifySignature($headers, $payload) == true) { (new Inbox($headers, $profile, $payload))->handle(); return; @@ -95,12 +146,10 @@ class InboxWorker implements ShouldQueue ) { if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $keyDomain) { return; - abort(400, 'Invalid request'); } } if(!$keyDomain || !$idDomain || $keyDomain !== $idDomain) { return; - abort(400, 'Invalid request'); } $actor = Profile::whereKeyId($keyId)->first(); if(!$actor) { From e5970fd6650eb0db0167ddf566daedda5114c6ce Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 13 Jan 2021 21:39:04 -0700 Subject: [PATCH 3/3] Update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 064ddd2f..67f5fff8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -155,6 +155,7 @@ - Updated AP helpers, fixed federation bug. ([a52564f3](https://github.com/pixelfed/pixelfed/commit/a52564f3)) - Updated Helpers, cache profiles. ([1f672ecf](https://github.com/pixelfed/pixelfed/commit/1f672ecf)) - Updated DiscoverController, improve trending api performance. ([d8d3331f](https://github.com/pixelfed/pixelfed/commit/d8d3331f)) +- Update InboxWorker, fix race condition in account deletes. ([4a4d8f00](https://github.com/pixelfed/pixelfed/commit/4a4d8f00)) ## [v0.10.9 (2020-04-17)](https://github.com/pixelfed/pixelfed/compare/v0.10.8...v0.10.9) ### Added