Detect posting request in our own inbox

1 files changed, 10 insertions, 1 deletions

diff --git a/server/middlewares/validators/activitypub/activity.ts b/server/middlewares/validators/activitypub/activity.ts
index 208e23f86..15e8bb079 100644
--- a/server/middlewares/validators/activitypub/activity.ts
+++ b/server/middlewares/validators/activitypub/activity.ts
@@ -2,16 +2,25 @@ import * as express from 'express'
 import { body } from 'express-validator/check'
 import { isRootActivityValid } from '../../../helpers/custom-validators/activitypub/activity'
 import { logger } from '../../../helpers/logger'
+import { getServerActor } from '../../../helpers/utils'
+import { ActorModel } from '../../../models/activitypub/actor'
 import { areValidationErrors } from '../utils'
 
 const activityPubValidator = [
   body('').custom((value, { req }) => isRootActivityValid(req.body)),
 
-  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     logger.debug('Checking activity pub parameters')
 
     if (areValidationErrors(req, res)) return
 
+    const serverActor = await getServerActor()
+    const remoteActor = res.locals.signature.actor as ActorModel
+    if (serverActor.id === remoteActor.id) {
+      logger.error('Receiving request in INBOX by ourselves!', req.body)
+      return res.sendStatus(409)
+    }
+
     return next()
   }
 ]