Added setting to enable/disable Authorized-Fetch (#1017)

* Added setting to enable/disable Authorized-Fetch

Fixes #726

* update changelog

* follow the spec

https://keepachangelog.com/en/1.1.0/

* hide if const is set

props @obenland

* Update templates/settings.php

Co-authored-by: Konstantin Obenland <[email protected]>

* Update templates/settings.php

Co-authored-by: Konstantin Obenland <[email protected]>

---------

Co-authored-by: Konstantin Obenland <[email protected]>

Author: pfefferle

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+* Setting to enable/disable Authorized-Fetch
+
 ### Improved
 
 * Added screen reader text to the "Follow Me" block for improved accessibility

includes/class-activitypub.php

@@ -119,7 +119,7 @@ public static function render_activitypub_template( $template ) {
 		 * @see https://www.w3.org/wiki/SocialCG/ActivityPub/Primer/Authentication_Authorization#Authorized_fetch
 		 * @see https://swicg.github.io/activitypub-http-signature/#authorized-fetch
 		 */
-		if ( $activitypub_template && ACTIVITYPUB_AUTHORIZED_FETCH ) {
+		if ( $activitypub_template && use_authorized_fetch() ) {
 			$verification = Signature::verify_http_signature( $_SERVER );
 			if ( \is_wp_error( $verification ) ) {
 				header( 'HTTP/1.1 401 Unauthorized' );

includes/class-admin.php

@@ -301,6 +301,16 @@ public static function register_settings() {
 			)
 		);
 
+		\register_setting(
+			'activitypub',
+			'activitypub_authorized_fetch',
+			array(
+				'type'        => 'boolean',
+				'description' => \__( 'Require HTTP signature authentication.', 'activitypub' ),
+				'default'     => false,
+			)
+		);
+
 		// Blog-User Settings.
 		\register_setting(
 			'activitypub_blog',

includes/constants.php

@@ -16,7 +16,6 @@
 \defined( 'ACTIVITYPUB_USERNAME_REGEXP' ) || \define( 'ACTIVITYPUB_USERNAME_REGEXP', '(?:([A-Za-z0-9\._-]+)@((?:[A-Za-z0-9_-]+\.)+[A-Za-z]+))' );
 \defined( 'ACTIVITYPUB_URL_REGEXP' ) || \define( 'ACTIVITYPUB_URL_REGEXP', '(https?:|www\.)\S+[\w\/]' );
 \defined( 'ACTIVITYPUB_CUSTOM_POST_CONTENT' ) || \define( 'ACTIVITYPUB_CUSTOM_POST_CONTENT', "[ap_title type=\"html\"]\n\n[ap_content]\n\n[ap_hashtags]" );
-\defined( 'ACTIVITYPUB_AUTHORIZED_FETCH' ) || \define( 'ACTIVITYPUB_AUTHORIZED_FETCH', false );
 \defined( 'ACTIVITYPUB_DISABLE_REWRITES' ) || \define( 'ACTIVITYPUB_DISABLE_REWRITES', false );
 \defined( 'ACTIVITYPUB_DISABLE_INCOMING_INTERACTIONS' ) || \define( 'ACTIVITYPUB_DISABLE_INCOMING_INTERACTIONS', false );
 // Disable reactions like `Like` and `Announce` by default.

includes/functions.php

@@ -1503,6 +1503,31 @@ function get_upload_baseurl() {
 	return apply_filters( 'activitypub_get_upload_baseurl', $upload_dir['baseurl'] );
 }
 
+/**
+ * Check if Authorized-Fetch is enabled.
+ *
+ * @see https://docs.joinmastodon.org/admin/config/#authorized_fetch
+ *
+ * @return boolean True if Authorized-Fetch is enabled, false otherwise.
+ */
+function use_authorized_fetch() {
+	$use = false;
+
+	// Prefer the constant over the option.
+	if ( \defined( 'ACTIVITYPUB_AUTHORIZED_FETCH' ) ) {
+		$use = ACTIVITYPUB_AUTHORIZED_FETCH;
+	} else {
+		$use = (bool) \get_option( 'activitypub_authorized_fetch', '0' );
+	}
+
+	/**
+	 * Filters whether to use Authorized-Fetch.
+	 *
+	 * @param boolean $use_authorized_fetch True if Authorized-Fetch is enabled, false otherwise.
+	 */
+	return apply_filters( 'activitypub_use_authorized_fetch', $use );
+}
+
 /**
  * Check if an ID is from the same domain as the site.
  *

includes/rest/class-server.php

@@ -13,6 +13,8 @@
 use Activitypub\Signature;
 use Activitypub\Model\Application;
 
+use function Activitypub\use_authorized_fetch;
+
 /**
  * ActivityPub Server REST-Class.
  *
@@ -128,7 +130,7 @@ public static function authorize_activitypub_requests( $response, $handler, $req
 			// POST-Requests are always signed.
 			'GET' !== $request->get_method() ||
 			// GET-Requests only require a signature in secure mode.
-			( 'GET' === $request->get_method() && ACTIVITYPUB_AUTHORIZED_FETCH )
+			( 'GET' === $request->get_method() && use_authorized_fetch() )
 		) {
 			$verified_request = Signature::verify_http_signature( $request );
 			if ( \is_wp_error( $verified_request ) ) {

readme.txt

@@ -107,7 +107,7 @@ The plugin uses PHP Constants to enable, disable or change its default behaviour
 * `ACTIVITYPUB_USERNAME_REGEXP` - Change the default regex to detect @-replies in a text. Default: `(?:([A-Za-z0-9\._-]+)@((?:[A-Za-z0-9_-]+\.)+[A-Za-z]+))`.
 * `ACTIVITYPUB_URL_REGEXP` - Change the default regex to detect urls in a text. Default: `(www.|http:|https:)+[^\s]+[\w\/]`.
 * `ACTIVITYPUB_CUSTOM_POST_CONTENT` - Change the default template for Activities. Default: `<strong>[ap_title]</strong>\n\n[ap_content]\n\n[ap_hashtags]\n\n[ap_shortlink]`.
-* `ACTIVITYPUB_AUTHORIZED_FETCH` - Enable AUTHORIZED_FETCH. Default: `false`.
+* `ACTIVITYPUB_AUTHORIZED_FETCH` - Enable AUTHORIZED_FETCH.
 * `ACTIVITYPUB_DISABLE_REWRITES` - Disable auto generation of `mod_rewrite` rules. Default: `false`.
 * `ACTIVITYPUB_DISABLE_INCOMING_INTERACTIONS` - Block incoming replies/comments/likes. Default: `false`.
 * `ACTIVITYPUB_DISABLE_OUTGOING_INTERACTIONS` - Disable outgoing replies/comments/likes. Default: `false`.
@@ -134,6 +134,7 @@ For reasons of data protection, it is not possible to see the followers of other
 
 = Unreleased =
 
+* Added: Setting to enable/disable Authorized-Fetch
 * Improved: Added screen reader text for the "Follow Me" block for improved accessibility
 * Improved: Added `media_type` support to Activity-Object-Transformers
 * Improved: Clarified settings page text around which users get Activitypub profiles

templates/settings.php

@@ -237,6 +237,35 @@
 			<?php \do_settings_fields( 'activitypub', 'general' ); ?>
 			<?php \do_settings_fields( 'activitypub', 'server' ); ?>
 		</div>
+		<div class="box">
+			<h3><?php \esc_html_e( 'Security', 'activitypub' ); ?></h3>
+			<table class="form-table">
+				<tbody>
+					<?php if ( ! defined( 'ACTIVITYPUB_AUTHORIZED_FETCH' ) ) : ?>
+					<tr>
+						<th scope="row">
+							<?php \esc_html_e( 'Authorized-Fetch', 'activitypub' ); ?>
+						</th>
+						<td>
+							<p>
+								<label>
+									<input type="checkbox" name="activitypub_authorized_fetch" id="activitypub_authorized_fetch" value="1" <?php \checked( '1', \get_option( 'activitypub_authorized_fetch', '0' ) ); ?> />
+									<?php \esc_html_e( 'Require HTTP signature authentication on ActivityPub representations of public posts and profiles.', 'activitypub' ); ?>
+								</label>
+							</p>
+							<p class="description">
+								<?php \esc_html_e( '⚠ Secure mode has its limitations, which is why it is not enabled by default. It is not fully supported by all software in the fediverse, and some features may break, especially when interacting with Mastodon servers older than version 3.0. Additionally, since it requires authentication for public content, caching is not possible, leading to higher computational costs.', 'activitypub' ); ?>
+							</p>
+							<p class="description">
+								<?php \esc_html_e( '⚠ Secure mode does not hide the HTML representations of public posts and profiles. While HTML is a less consistant format (that potentially changes often) compared to first-class ActivityPub representations or the REST API, it still poses a potential risk for content scraping.', 'activitypub' ); ?>
+							</p>
+						</td>
+					</tr>
+					<?php endif; ?>
+				</tbody>
+			</table>
+			<?php \do_settings_fields( 'activitypub', 'security' ); ?>
+		</div>
 		<?php \do_settings_sections( 'activitypub' ); ?>
 
 		<?php \submit_button(); ?>