From 0ad8ed9d4eb5c1ffc3099f4b1bc9cf4990605426 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Mon, 30 Dec 2024 17:06:08 -0500
Subject: [PATCH] fix: #13014, possible fix for peertube incompatibility: strip
 hash value from key IDs during check

---
 src/middleware/activitypub.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/middleware/activitypub.js b/src/middleware/activitypub.js
index 10ab302369..30b40e1c7d 100644
--- a/src/middleware/activitypub.js
+++ b/src/middleware/activitypub.js
@@ -107,13 +107,13 @@ middleware.assertPayload = async function (req, res, next) {
 
 	// Cross-check key ownership against received actor
 	await activitypub.actors.assert(actor);
-	const compare = await db.getObjectField(`userRemote:${actor}:keys`, 'id');
+	const compare = (await db.getObjectField(`userRemote:${actor}:keys`, 'id')).replace(/#[\w-]+$/, '');
 	const { signature } = req.headers;
 	const keyId = new Map(signature.split(',').filter(Boolean).map((v) => {
 		const index = v.indexOf('=');
 		return [v.substring(0, index), v.slice(index + 1)];
-	})).get('keyId');
-	if (`"${compare}"` !== keyId) {
+	})).get('keyId').slice(1, -1).replace(/#[\w-]+$/, '');
+	if (compare !== keyId) {
 		activitypub.helpers.log('[middleware/activitypub] Key ownership cross-check failed.');
 		return res.sendStatus(403);
 	}