Do not host remote AP objects

diff --git a/server/controllers/activitypub/client.ts b/server/controllers/activitypub/client.ts
index ffbf1ba196d84737b53d9e45aaf2ed3dae93bcfc..a342a48d4084e143fe775007a86d9aae0d3cce2f 100644 (file)
--- a/server/controllers/activitypub/client.ts
+++ b/server/controllers/activitypub/client.ts
@@ -39,6 +39,7 @@ import {
 import { VideoCaptionModel } from '../../models/video/video-caption'
 import { videoRedundancyGetValidator } from '../../middlewares/validators/redundancy'
 import { getServerActor } from '../../helpers/utils'
+import { VideoRedundancyModel } from '../../models/redundancy/video-redundancy'
 
 const activityPubClientRouter = express.Router()
 
@@ -164,6 +165,8 @@ function getAccountVideoRate (rateType: VideoRateType) {
 async function videoController (req: express.Request, res: express.Response, next: express.NextFunction) {
   const video: VideoModel = res.locals.video
 
+  if (video.isOwned() === false) return res.redirect(video.url)
+
   // We need captions to render AP object
   video.VideoCaptions = await VideoCaptionModel.listVideoCaptions(video.id)
 
@@ -180,6 +183,9 @@ async function videoController (req: express.Request, res: express.Response, nex
 
 async function videoAnnounceController (req: express.Request, res: express.Response, next: express.NextFunction) {
   const share = res.locals.videoShare as VideoShareModel
+
+  if (share.Actor.isOwned() === false) return res.redirect(share.url)
+
   const { activity } = await buildAnnounceWithVideoAudience(share.Actor, share, res.locals.video, undefined)
 
   return activityPubResponse(activityPubContextify(activity), res)
@@ -252,6 +258,8 @@ async function videoChannelFollowingController (req: express.Request, res: expre
 async function videoCommentController (req: express.Request, res: express.Response, next: express.NextFunction) {
   const videoComment: VideoCommentModel = res.locals.videoComment
 
+  if (videoComment.isOwned() === false) return res.redirect(videoComment.url)
+
   const threadParentComments = await VideoCommentModel.listThreadParentComments(videoComment, undefined)
   const isPublic = true // Comments are always public
   const audience = getAudience(videoComment.Account.Actor, isPublic)
@@ -267,7 +275,9 @@ async function videoCommentController (req: express.Request, res: express.Respon
 }
 
 async function videoRedundancyController (req: express.Request, res: express.Response) {
-  const videoRedundancy = res.locals.videoRedundancy
+  const videoRedundancy: VideoRedundancyModel = res.locals.videoRedundancy
+  if (videoRedundancy.isOwned() === false) return res.redirect(videoRedundancy.url)
+
   const serverActor = await getServerActor()
 
   const audience = getAudience(serverActor)

diff --git a/server/middlewares/cache.ts b/server/middlewares/cache.ts
index 1e00fc7316aaa674c93b251302e3038de45090dd..8ffe7570098100b25df2a9393b8e78020885f082 100644 (file)
--- a/server/middlewares/cache.ts
+++ b/server/middlewares/cache.ts
@@ -19,6 +19,7 @@ function cacheRoute (lifetimeArg: string | number) {
           logger.debug('No cached results for route %s.', req.originalUrl)
 
           const sendSave = res.send.bind(res)
+          const redirectSave = res.redirect.bind(res)
 
           res.send = (body) => {
             if (res.statusCode >= 200 && res.statusCode < 400) {
@@ -38,6 +39,12 @@ function cacheRoute (lifetimeArg: string | number) {
             return sendSave(body)
           }
 
+          res.redirect = url => {
+            done()
+
+            return redirectSave(url)
+          }
+
           return next()
         }
 

diff --git a/server/models/redundancy/video-redundancy.ts b/server/models/redundancy/video-redundancy.ts
index 35e0cd3b1b2427892852abff453abd49e4500bc7..9de4356b408c45961ea52e7087969c984f1dca3a 100644 (file)
--- a/server/models/redundancy/video-redundancy.ts
+++ b/server/models/redundancy/video-redundancy.ts
@@ -117,8 +117,7 @@ export class VideoRedundancyModel extends Model<VideoRedundancyModel> {
 
   @BeforeDestroy
   static async removeFile (instance: VideoRedundancyModel) {
-    // Not us
-    if (!instance.strategy) return
+    if (!instance.isOwned()) return
 
     const videoFile = await VideoFileModel.loadWithVideo(instance.videoFileId)
 
@@ -404,6 +403,10 @@ export class VideoRedundancyModel extends Model<VideoRedundancyModel> {
       }))
   }
 
+  isOwned () {
+    return !!this.strategy
+  }
+
   toActivityPubObject (): CacheFileObject {
     return {
       id: this.url,

diff --git a/server/tests/api/check-params/user-subscriptions.ts b/server/tests/api/check-params/user-subscriptions.ts
index 9fba99ac8f92d7e2283396c39e776f9bef989432..6af7ed43b1fd3552f8e9fc17b766e5361d1912a2 100644 (file)
--- a/server/tests/api/check-params/user-subscriptions.ts
+++ b/server/tests/api/check-params/user-subscriptions.ts
@@ -15,6 +15,7 @@ import {
   userLogin
 } from '../../utils'
 import { checkBadCountPagination, checkBadSortPagination, checkBadStartPagination } from '../../utils/requests/check-api-params'
+import { waitJobs } from '../../utils/server/jobs'
 
 describe('Test user subscriptions API validators', function () {
   const path = '/api/v1/users/me/subscriptions'
@@ -141,6 +142,8 @@ describe('Test user subscriptions API validators', function () {
     })
 
     it('Should succeed with the correct parameters', async function () {
+      this.timeout(20000)
+
       await makePostBodyRequest({
         url: server.url,
         path,
@@ -148,6 +151,8 @@ describe('Test user subscriptions API validators', function () {
         fields: { uri: 'user1_channel@localhost:9001' },
         statusCodeExpected: 204
       })
+
+      await waitJobs([ server ])
     })
   })