Validate quote request responses

dahlia · dahlia · commit 3183bef73d27 · 2026-04-28T17:01:56.000+09:00
Accept and Reject responses for quote requests now require the responder to match the quoted post author before mutating quote state. Responses that use the stored QuoteRequest IRI form are also resolved from the local pending quote, so peers do not have to embed the QuoteRequest object. Fixes #457 (comment) Fixes #457 (comment) Assisted-by: Codex:gpt-5.5
diff --git a/src/federation/inbox.test.ts b/src/federation/inbox.test.ts
@@ -251,6 +251,62 @@ describe("quote request lifecycle", () => {
     expect(quoted?.quotesCount).toBe(1);
   });
 
+  it("marks a pending quote accepted from Accept<QuoteRequest IRI>", async () => {
+    expect.assertions(3);
+
+    const seeded = await seedPendingQuote();
+    const authorizationIri = `${seeded.quotedPostIri}/quote_authorizations/${seeded.quotePostId}`;
+    const accept = new Accept({
+      actor: new URL("https://hollo.test/@quote-author"),
+      object: new URL(`${seeded.quotePostIri}#quote-request`),
+      result: new URL(authorizationIri),
+    });
+
+    await onQuoteRequestAccepted(ctx, accept);
+
+    const quote = await db.query.posts.findFirst({
+      where: eq(posts.id, seeded.quotePostId),
+    });
+    const quoted = await db.query.posts.findFirst({
+      where: eq(posts.id, seeded.quotedPostId),
+    });
+    expect(quote?.quoteState).toBe("accepted");
+    expect(quote?.quoteAuthorizationIri).toBe(authorizationIri);
+    expect(quoted?.quotesCount).toBe(1);
+  });
+
+  it("ignores quote request responses from another actor", async () => {
+    expect.assertions(3);
+
+    const seeded = await seedPendingQuote();
+    const authorizationIri = `${seeded.quotedPostIri}/quote_authorizations/${seeded.quotePostId}`;
+    const accept = new Accept({
+      actor: new URL("https://hollo.test/@quote-quoter"),
+      object: new QuoteRequest({
+        object: new URL(seeded.quotedPostIri),
+        instrument: new URL(seeded.quotePostIri),
+      }),
+      result: new URL(authorizationIri),
+    });
+    const reject = new Reject({
+      actor: new URL("https://hollo.test/@quote-quoter"),
+      object: new URL(`${seeded.quotePostIri}#quote-request`),
+    });
+
+    await onQuoteRequestAccepted(ctx, accept);
+    await onQuoteRequestRejected(ctx, reject);
+
+    const quote = await db.query.posts.findFirst({
+      where: eq(posts.id, seeded.quotePostId),
+    });
+    const quoted = await db.query.posts.findFirst({
+      where: eq(posts.id, seeded.quotedPostId),
+    });
+    expect(quote?.quoteState).toBe("pending");
+    expect(quote?.quoteAuthorizationIri).toBeNull();
+    expect(quoted?.quotesCount).toBe(0);
+  });
+
   it("marks a pending quote rejected from Reject<QuoteRequest>", async () => {
     expect.assertions(2);
 
@@ -275,6 +331,27 @@ describe("quote request lifecycle", () => {
     expect(quoted?.quotesCount).toBe(0);
   });
 
+  it("marks a pending quote rejected from Reject<QuoteRequest IRI>", async () => {
+    expect.assertions(2);
+
+    const seeded = await seedPendingQuote();
+    const reject = new Reject({
+      actor: new URL("https://hollo.test/@quote-author"),
+      object: new URL(`${seeded.quotePostIri}#quote-request`),
+    });
+
+    await onQuoteRequestRejected(ctx, reject);
+
+    const quote = await db.query.posts.findFirst({
+      where: eq(posts.id, seeded.quotePostId),
+    });
+    const quoted = await db.query.posts.findFirst({
+      where: eq(posts.id, seeded.quotedPostId),
+    });
+    expect(quote?.quoteState).toBe("rejected");
+    expect(quoted?.quotesCount).toBe(0);
+  });
+
   it("marks an accepted quote revoked when its authorization is deleted", async () => {
     expect.assertions(2);
 
diff --git a/src/federation/inbox.ts b/src/federation/inbox.ts
@@ -380,39 +380,74 @@ export async function onFollowRejected(
   }
 }
 
-async function getQuoteRequestFromActivity(
+type QuoteRequestReference = {
+  quoteIri: string;
+  targetIri: string | null;
+};
+
+function getQuoteIriFromQuoteRequestId(requestId: URL): string {
+  const quoteIri = new URL(requestId.href);
+  if (quoteIri.hash === "#quote-request") quoteIri.hash = "";
+  return quoteIri.href;
+}
+
+async function getQuoteRequestReferenceFromActivity(
   activity: Accept | Reject,
-): Promise<QuoteRequest | null> {
-  const object = await activity.getObject({ crossOrigin: "trust" });
-  return object instanceof QuoteRequest ? object : null;
+): Promise<QuoteRequestReference | null> {
+  const object = await activity.getObject({
+    crossOrigin: "trust",
+    suppressError: true,
+  });
+  if (object instanceof QuoteRequest) {
+    const quoteIri = object.instrumentId?.href;
+    if (quoteIri == null) return null;
+    return {
+      quoteIri,
+      targetIri: object.objectId?.href ?? null,
+    };
+  }
+  if (activity.objectId == null) return null;
+  return {
+    quoteIri: getQuoteIriFromQuoteRequestId(activity.objectId),
+    targetIri: null,
+  };
 }
 
 async function updateQuoteRequestState(
-  request: QuoteRequest,
+  request: QuoteRequestReference,
+  responderIri: string | null,
   state: "accepted" | "rejected",
   quoteAuthorizationIri: string | null,
-): Promise<void> {
-  const quoteIri = request.instrumentId?.href;
-  if (quoteIri == null) return;
+): Promise<boolean> {
   const quote = await db.query.posts.findFirst({
-    where: eq(posts.iri, quoteIri),
+    where: eq(posts.iri, request.quoteIri),
+    with: { quoteTarget: { with: { account: true } } },
   });
-  if (quote == null) return;
+  if (quote == null) return false;
+  if (quote.quoteState !== "pending") return false;
   const target =
-    request.objectId == null
-      ? null
+    request.targetIri == null
+      ? quote.quoteTarget
       : await db.query.posts.findFirst({
-          where: eq(posts.iri, request.objectId.href),
+          where: eq(posts.iri, request.targetIri),
+          with: { account: true },
         });
+  if (target == null) return false;
+  if (responderIri == null || responderIri !== target.account.iri) {
+    return false;
+  }
+  if (quote.quoteTargetIri == null) return false;
+  if (request.targetIri != null && quote.quoteTargetIri !== request.targetIri) {
+    return false;
+  }
   await db.transaction(async (tx) => {
     await tx
       .update(posts)
       .set({
         quoteState: state,
         quoteAuthorizationIri,
-        quoteTargetId: target?.id ?? quote.quoteTargetId,
-        quoteTargetIri:
-          request.objectId?.href ?? quote.quoteTargetIri ?? target?.iri ?? null,
+        quoteTargetId: target.id,
+        quoteTargetIri: request.targetIri ?? quote.quoteTargetIri ?? target.iri,
         updated: new Date(),
       })
       .where(eq(posts.id, quote.id));
@@ -427,16 +462,18 @@ async function updateQuoteRequestState(
         .where(eq(posts.id, target.id));
     }
   });
+  return true;
 }
 
 export async function onQuoteRequestAccepted(
   _ctx: InboxContext<void>,
   accept: Accept,
-): Promise<void> {
-  const request = await getQuoteRequestFromActivity(accept);
-  if (request == null) return;
-  await updateQuoteRequestState(
+): Promise<boolean> {
+  const request = await getQuoteRequestReferenceFromActivity(accept);
+  if (request == null) return false;
+  return await updateQuoteRequestState(
     request,
+    accept.actorId?.href ?? null,
     "accepted",
     accept.resultId?.href ?? null,
   );
@@ -445,10 +482,15 @@ export async function onQuoteRequestAccepted(
 export async function onQuoteRequestRejected(
   _ctx: InboxContext<void>,
   reject: Reject,
-): Promise<void> {
-  const request = await getQuoteRequestFromActivity(reject);
-  if (request == null) return;
-  await updateQuoteRequestState(request, "rejected", null);
+): Promise<boolean> {
+  const request = await getQuoteRequestReferenceFromActivity(reject);
+  if (request == null) return false;
+  return await updateQuoteRequestState(
+    request,
+    reject.actorId?.href ?? null,
+    "rejected",
+    null,
+  );
 }
 
 export async function onQuoteAuthorizationDeleted(
diff --git a/src/federation/index.ts b/src/federation/index.ts
@@ -87,20 +87,12 @@ federation
   })
   .on(Follow, onFollowed)
   .on(Accept, async (ctx, accept) => {
-    const object = await accept.getObject({ crossOrigin: "trust" });
-    if (object instanceof QuoteRequest) {
-      await onQuoteRequestAccepted(ctx, accept);
-    } else {
-      await onFollowAccepted(ctx, accept);
-    }
+    if (await onQuoteRequestAccepted(ctx, accept)) return;
+    await onFollowAccepted(ctx, accept);
   })
   .on(Reject, async (ctx, reject) => {
-    const object = await reject.getObject({ crossOrigin: "trust" });
-    if (object instanceof QuoteRequest) {
-      await onQuoteRequestRejected(ctx, reject);
-    } else {
-      await onFollowRejected(ctx, reject);
-    }
+    if (await onQuoteRequestRejected(ctx, reject)) return;
+    await onFollowRejected(ctx, reject);
   })
   .on(QuoteRequest, onQuoteRequested)
   .on(Create, async (ctx, create) => {
