From 8e5e208607a625a751f151613ae040f71d94c0a4 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 16 Apr 2026 14:22:17 -0400
Subject: [PATCH] feat: add domain blocklist check in activitypub middleware
---
 src/middleware/activitypub.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/middleware/activitypub.js b/src/middleware/activitypub.js
index 0a8a89324d..86d316d7d7 100644
--- a/src/middleware/activitypub.js
+++ b/src/middleware/activitypub.js
@@ -76,6 +76,14 @@ middleware.assertPayload = helpers.try(async function (req, res, next) {
 return res.sendStatus(403);
 }

+ // Domain check against blocklists
+ const { hostname } = new URL(req.body.actor);
+ const isAllowed = await activitypub.blocklists.check(hostname);
+ if (!isAllowed) {
+ activitypub.helpers.log(`[middleware/activitypub] Blocked incoming activity from ${hostname} due to blocklist.`);
+ return res.sendStatus(403);
+ }
+
 // Sanity-check payload schema
 const required = ['id', 'type', 'actor', 'object'];
 if (!required.every(prop => req.body.hasOwnProperty(prop))) {
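Review bot: `new URL(req.body.actor)` runs before the schema check below it has confirmed that `actor` is present, so a body whose `actor` is missing, not a string, or not an absolute URL makes the constructor throw instead of being rejected cleanly; what `helpers.try` does with that exception is not visible in this hunk. Moving the blocklist block below the `required` check covers the missing case, and a guard covers the rest, e.g. `let hostname; try { ({ hostname } = new URL(req.body.actor)); } catch (err) { return res.sendStatus(400); }`. The check also relies on the hostname the sender wrote into the payload, so it enforces the blocklist only if an earlier step has already tied `actor` to the verified signature; that is worth confirming and stating in the comment above the check. assertPayload begins before this hunk and continues past it, so the earlier checks could not be reviewed here.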