From bb3d7109271a678487208df1cff3a11e28ceedbc Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Sun, 16 Mar 2025 10:49:16 -0400 Subject: allow unsigned fetch for all system users --- packages/backend/src/core/CreateSystemUserService.ts | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'packages/backend/src/core/CreateSystemUserService.ts') diff --git a/packages/backend/src/core/CreateSystemUserService.ts b/packages/backend/src/core/CreateSystemUserService.ts index d198707a42..a0aa6bad06 100644 --- a/packages/backend/src/core/CreateSystemUserService.ts +++ b/packages/backend/src/core/CreateSystemUserService.ts @@ -29,7 +29,7 @@ export class CreateSystemUserService { } @bindThis - public async createSystemUser(username: string, data?: Partial): Promise { + public async createSystemUser(username: string): Promise { const password = randomUUID(); // Generate hash of password @@ -63,7 +63,13 @@ export class CreateSystemUserService { isExplorable: false, approved: true, isBot: true, - ...(data ?? {}), + /* we always allow requests about our instance actor, because when + a remote instance needs to check our signature on a request we + sent, it will need to fetch information about the user that + signed it (which is our instance actor), and if we try to check + their signature on *that* request, we'll fetch *their* instance + actor... leading to an infinite recursion */ + allowUnsignedFetch: 'always', }).then(x => transactionalEntityManager.findOneByOrFail(MiUser, x.identifiers[0])); await transactionalEntityManager.insert(MiUserKeypair, { -- cgit v1.2.3-freya