misskey/packages/backend/src/server/api/endpoints/ap, branch master

enable and fix no-unused-vars and no-async-promise-executor (#17070)

2026-01-08T02:49:12Z

* dev: set --no-bail for lint task * lint: enable no-async-promise-executor lint and fix them * lint: enable no-unused-vars with allowing _ prefix * lint: fix semi

refactor: use TRANSIENT scope to avoid service bucket relay (#16985)

2025-12-22T08:01:10Z

* refactor: use TRANSIENT scope to avoid service bucket relay * lint: fix lints * refactor: use transient for apResolver * Update packages/backend/src/core/activitypub/models/ApImageService.ts * fix

feat(frontend): 自分のプロフィールページの二次元コード(QRコード)を表示し、他の人のコードを読み取りするページを追加 (#16456)

2025-09-19T12:02:30Z

* wip (qr.show.vue) * added to navbar * qr.show.vue * fix * added to navbar * fix size * :art: * :art: * fix div warn * fix * use * 0.25 * fix?? * fix lint * clean up * ??? * ? * fix * :art: * :art: * refactor * :art: * :art: * :ar:t * :art: * iphone flip * no lazy import * :art: * :art: * :art: * ユーザー全部flipでいいや * :v: * fix * fix * fix lint * :art: * fix type * fix: local user profile url cannot be resolved with ap/show * fix: local user url with hostname could not be resolved * chore: use common utility for checking self host * wip * :art: * :art: * fix imports * fix * fix * fix * :art: * fix... * set spacer-w * :v: * 全画面でQRを読むように * fix * :art: * modify navbar.ts * start/stop on vue activation * display raw content read from qr * 端末のQRをスキャンするボタンを追加 * chore * やっぱりmfmを先に表示する * :art: * fix 18n * QRの内容は/users/:userIdにする * add spdx * use cqh * `defineProps` is a compiler macro and no longer needs to be imported. * use MkUserName * 🎨 * 🎨 * refactor * clean up * refactor * 🎨 * Update qr.show.vue * Misskeyロゴにdrop-shadowを追加 * clean up: do not use empty css * fix os.select usage * Update qr.vue * Update qr.show.vue * Update qr.show.vue * Update get-user-menu.ts * ✌️ * Update show.ts * Update ja-JP.yml * watermark * Update CHANGELOG.md * Update qr.read.vue * Update qr.read.vue * wip * Update MkWatermarkEditorDialog.Layer.vue --------- Co-authored-by: anatawa12 Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>

Merge commit from fork

2025-02-23T10:21:34Z

* fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. [GHSA-6w2c-vf6f-xf26](https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26) Signed-off-by: eternal-flame-AD * Enhance: Add configuration option to disable all external redirects when responding to an ActivityPub lookup (config.disallowExternalApRedirect) Signed-off-by: eternal-flame-AD * fixup! fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. * docs & one edge case Signed-off-by: eternal-flame-AD * apply suggestions Signed-off-by: eternal-flame-AD * remove stale frontend reference to _responseInvalidIdHostNotMatch Signed-off-by: eternal-flame-AD * apply suggestions Signed-off-by: eternal-flame-AD --------- Signed-off-by: eternal-flame-AD

enhance(frontend): 照会の際にエラーを表示するように (#15147)

2024-12-19T07:05:33Z

* enhance: 照会の失敗理由を表示するように * Update Changelog * fix * fix test * lookupErrors-> remoteLookupErrors

fix(backend): fix apResolver (#15010)

2024-11-21T05:36:24Z

* fix(backend): fix apResolver * fix * add comments * tweak comment

fix(backend): fix security patches (#15008)

2024-11-21T01:30:30Z

fix ap/show

2024-11-21T00:25:18Z

Merge commit from fork

2024-11-20T23:20:09Z

* enhance: Add a few validation fixes from Sharkey See the original MR on the GitLab instance: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484 Co-Authored-By: Dakkar * fix: primitive 2: acceptance of cross-origin alternate Co-Authored-By: Laura Hausmann * fix: primitive 3: validation of non-final url * fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities * fix: primitives 5 & 8: reject activities with non string identifiers Co-Authored-By: Laura Hausmann * fix: primitive 6: reject anonymous objects that were fetched by their id * fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name Co-Authored-By: Laura Hausmann * fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections * fix: code style for primitive 14 * fix: primitive 15: improper same-origin validation for note uri and url Co-Authored-By: Laura Hausmann * fix: primitive 16: improper same-origin validation for user uri and url * fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array * fix: code style for primitive 17 * fix: check attribution against actor in notes While this isn't strictly required to fix the exploits at hand, this mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a preemptive countermeasure. * fix: primitive 18: `ap/get` bypasses access checks One might argue that we could make this one actually preform access checks against the returned activity object, but I feel like that's a lot more work than just restricting it to administrators, since, to me at least, it seems more like a debugging tool than anything else. * fix: primitive 19 & 20: respect blocks and hide more Ideally, the user property should also be hidden (as leaving it in leaks information slightly), but given the schema of the note endpoint, I don't think that would be possible without introducing some kind of "ghost" user, who is attributed for posts by users who have you blocked. * fix: primitives 21, 22, and 23: reuse resolver This also increases the default `recursionLimit` for `Resolver`, as it theoretically will go higher that it previously would and could possibly fail on non-malicious collection activities. * fix: primitives 25-33: proper local instance checks * revert: fix: primitive 19 & 20 This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c. --------- Co-authored-by: Dakkar Co-authored-by: Laura Hausmann Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>

wip (#14643)

2024-09-28T09:15:32Z