From 2572cbf5d5395079a7a78ac056fbb0c6ef6d0d30 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Tue, 29 Apr 2025 11:18:24 -0400
Subject: [PATCH] fix: #13352, also do the webfinger backreference check when
 calling assertGroup

---
 src/activitypub/actors.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/activitypub/actors.js b/src/activitypub/actors.js
index 989656970c..fdaed03c2c 100644
--- a/src/activitypub/actors.js
+++ b/src/activitypub/actors.js
@@ -305,6 +305,13 @@ Actors.assertGroup = async (ids, options = {}) => {
 			activitypub.helpers.log(`[activitypub/actors] Processing group ${id}`);
 			const actor = (typeof id === 'object' && id.hasOwnProperty('id')) ? id : await activitypub.get('uid', 0, id, { cache: process.env.CI === 'true' });
 
+			// webfinger backreference check
+			const { hostname: domain } = new URL(id);
+			const { actorUri: canonicalId } = await activitypub.helpers.query(`${actor.preferredUsername}@${domain}`);
+			if (id !== canonicalId) {
+				return null;
+			}
+
 			const typeOk = Array.isArray(actor.type) ?
 				actor.type.some(type => activitypub._constants.acceptableGroupTypes.has(type)) :
 				activitypub._constants.acceptableGroupTypes.has(actor.type);