🐛 Fixed private mentions being treated as public

ref https://linear.app/ghost/issue/BER-2987

- we currently don't support private mentions or DMs, and they were wrongly been treated as public content
- added an extra check when handling Create activity, to ignore non-public content

Author: sagzy

features/handle-mention.feature

@@ -1,7 +1,11 @@
 Feature: Incoming mentions
 
-    Scenario: We receive a Create(Note) with a mention
+    Scenario: We receive a public mention from someone
         Given an Actor "Person(Alice)"
-        And a "Create(Note)" Activity "Note" by "Alice" with content "Hello @index@site.com" that mentions "Us"
-        When "Alice" sends "Note" to the Inbox
-        Then the request is accepted
+        When "Alice" sends us a public mention
+        And the mention is in our notifications
+
+    Scenario: We receive a private mention from someone
+        Given an Actor "Person(Alice)"
+        When "Alice" sends us a private mention
+        And the mention is not in our notifications

features/step_definitions/activitypub_steps.js

@@ -67,46 +67,6 @@ async function activityCreatedByWithContent(
     }
 }
 
-async function activityCreatedByWithMention(
-    activityDef,
-    name,
-    actorName,
-    content,
-    mentionedActorName,
-) {
-    const { activity: activityType, object: objectName } =
-        parseActivityString(activityDef);
-    if (!activityType) {
-        throw new Error(`could not match ${activityDef} to an activity`);
-    }
-
-    const actor = this.actors[actorName];
-    const mentionedActor = this.actors[mentionedActorName];
-    const tags = [
-        {
-            type: 'Mention',
-            name: `@${mentionedActor.username}@${mentionedActor.domain}`,
-            href: mentionedActor.apId,
-        },
-    ];
-    const object =
-        this.actors[objectName] ??
-        this.activities[objectName] ??
-        this.objects[objectName] ??
-        (await createObject(objectName, actor, content, tags));
-
-    const activity = await createActivity(activityType, object, actor);
-
-    const parsed = parseActivityString(name);
-    if (parsed.activity === null || parsed.object === null) {
-        this.activities[name] = activity;
-        this.objects[name] = object;
-    } else {
-        this.activities[parsed.activity] = activity;
-        this.objects[parsed.object] = object;
-    }
-}
-
 Given('a {string} Activity {string} by {string}', activityCreatedBy);
 
 Given(
@@ -119,11 +79,6 @@ Given(
     activityCreatedBy,
 );
 
-Given(
-    'a {string} Activity {string} by {string} with content {string} that mentions {string}',
-    activityCreatedByWithMention,
-);
-
 Given('an Actor {string}', async function (actorDef) {
     const { type, name } = parseActorString(actorDef);
 

features/step_definitions/mention_steps.js

@@ -0,0 +1,123 @@
+import { Then, When } from '@cucumber/cucumber';
+
+import assert from 'node:assert';
+
+import { createActivity, createObject } from '../support/fixtures.js';
+import { waitForItemInNotifications } from '../support/notifications.js';
+import { fetchActivityPub } from '../support/request.js';
+
+When('{string} sends us a public mention', async function (actorName) {
+    const actor = this.actors[actorName];
+    if (!actor) {
+        throw new Error(
+            `Actor ${actorName} not found - did you forget a step?`,
+        );
+    }
+
+    // Use the existing local actor (Us) from the test context
+    const localActor = this.actors.Us;
+    if (!localActor) {
+        throw new Error('Local actor (Us) not found in test context');
+    }
+
+    const mention = `@${localActor.preferredUsername}@self.test`;
+    const tags = [
+        {
+            type: 'Mention',
+            name: mention,
+            href: localActor.id,
+        },
+    ];
+
+    // Create a public Note with the mention (uses defaults: to='as:Public')
+    const object = await createObject('Note', actor, `Hello ${mention}`, tags);
+    const activity = await createActivity('Create', object, actor);
+
+    await fetchActivityPub('https://self.test/.ghost/activitypub/inbox/index', {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/ld+json',
+        },
+        body: JSON.stringify(activity),
+    });
+
+    this.mentionId = object.id;
+    this.activities['Create(Note)'] = activity;
+    this.objects.Note = object;
+});
+
+When('{string} sends us a private mention', async function (actorName) {
+    const actor = this.actors[actorName];
+    if (!actor) {
+        throw new Error(
+            `Actor ${actorName} not found - did you forget a step?`,
+        );
+    }
+
+    // Use the existing local actor (Us) from the test context
+    const localActor = this.actors.Us;
+    if (!localActor) {
+        throw new Error('Local actor (Us) not found in test context');
+    }
+
+    const mention = `@${localActor.preferredUsername}@self.test`;
+    const tags = [
+        {
+            type: 'Mention',
+            name: mention,
+            href: localActor.id,
+        },
+    ];
+
+    // Create a Note with the mention
+    const object = await createObject('Note', actor, `Hello ${mention}`, tags);
+
+    // Make it private by addressing it only to the mentioned user
+    object.to = localActor.id;
+    object.cc = [];
+
+    const activity = await createActivity('Create', object, actor);
+    activity.to = localActor.id;
+    activity.cc = [];
+
+    await fetchActivityPub('https://self.test/.ghost/activitypub/inbox/index', {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/ld+json',
+        },
+        body: JSON.stringify(activity),
+    });
+
+    this.mentionId = object.id;
+    this.activities['Create(Note)'] = activity;
+    this.objects.Note = object;
+});
+
+Then('the mention is in our notifications', async function () {
+    if (!this.mentionId) {
+        throw new Error(
+            'You need to call a step which creates a mention before this',
+        );
+    }
+
+    const found = await waitForItemInNotifications(this.mentionId);
+    assert(found, `Expected mention ${this.mentionId} to be in notifications`);
+});
+
+Then('the mention is not in our notifications', async function () {
+    if (!this.mentionId) {
+        throw new Error(
+            'You need to call a step which creates a mention before this',
+        );
+    }
+
+    try {
+        await waitForItemInNotifications(this.mentionId);
+        assert.fail(`Expected mention ${this.mentionId} to not be in notifications`);
+    } catch (error) {
+        assert.equal(
+            error.message,
+            `Max retries reached when waiting on item in notifications`,
+        );
+    }
+});

features/support/notifications.js

@@ -39,7 +39,7 @@ export async function waitForItemInNotifications(
 
     if (options.retryCount === MAX_RETRIES) {
         throw new Error(
-            `Max retries reached (${MAX_RETRIES}) when waiting on item in notifications`,
+            `Max retries reached when waiting on item in notifications`,
         );
     }
 

src/activity-handlers/create.handler.ts

@@ -1,4 +1,4 @@
-import type { Context, Create } from '@fedify/fedify';
+import { type Context, type Create, PUBLIC_COLLECTION } from '@fedify/fedify';
 
 import type { ContextData } from '@/app';
 import { exhaustiveCheck, getError, isError } from '@/core/result';
@@ -21,6 +21,16 @@ export class CreateHandler {
             return;
         }
 
+        const recipients = [...create.toIds, ...create.ccIds].map(
+            (id) => id.href,
+        );
+        const isPublic = recipients.includes(PUBLIC_COLLECTION.href);
+
+        if (!isPublic) {
+            ctx.data.logger.info('Create activity is not public - exit');
+            return;
+        }
+
         // This handles storing the posts in the posts table
         const postResult = await this.postService.getByApId(create.objectId);