Return 401s when logged out of more activitypub api endpoints#750
Merged
slothful-vassal merged 7 commits intoopen-wanderer:mainfrom Jan 31, 2026
Merged
Return 401s when logged out of more activitypub api endpoints#750slothful-vassal merged 7 commits intoopen-wanderer:mainfrom
slothful-vassal merged 7 commits intoopen-wanderer:mainfrom
Conversation
Contributor
|
Hi, Many thanks for this PR 👍 I have centralised the actor get call and reintroduced a more robust origin check for the handler. I hope this is OK with everyone. |
Contributor
Author
|
Thanks @slothful-vassal, looks good :) |
Contributor
Author
|
This is what I've been running on my server for a few days, and is behaving as I'd expect. |
cugu
approved these changes
Jan 31, 2026
Contributor
Author
|
Thanks for the review :). Anyone got merge perms? |
Merged
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR updates a few more of the activitypub endpoints to return a 401 when requesting external users when the client is not logged in to Wanderer.
The reason for this is because lots of web crawlers are hitting my instance, causing it to constantly pull more external users into PocketBase, eventually slowing down the system significantly.
Some more testing of this by other people would be appreciated. Locally this seems to work fine, returning a 401 when logged out, and working as expected when logged in. However when I run this image on my production instance, I seem to get a 400 error when trying to visit external user pages when I'm logged in.