Merge pull request #550 from nextcloud/enhancement/noid/fediverse-right-access

limit request to fediverse

appinfo/info.xml

@@ -48,6 +48,7 @@
 	<commands>
 		<command>OCA\Social\Command\CacheRefresh</command>
 		<command>OCA\Social\Command\CheckInstall</command>
+		<command>OCA\Social\Command\Fediverse</command>
 		<command>OCA\Social\Command\NoteCreate</command>
 		<command>OCA\Social\Command\NoteBoost</command>
 		<command>OCA\Social\Command\Reset</command>

lib/Command/Fediverse.php

@@ -0,0 +1,232 @@
+<?php
+declare(strict_types=1);
+
+
+/**
+ * Nextcloud - Social Support
+ *
+ * This file is licensed under the Affero General Public License version 3 or
+ * later. See the COPYING file.
+ *
+ * @author Maxence Lange <maxence@artificial-owl.com>
+ * @copyright 2018, Maxence Lange <maxence@artificial-owl.com>
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+namespace OCA\Social\Command;
+
+
+use Exception;
+use OC\Core\Command\Base;
+use OCA\Social\Exceptions\UnauthorizedFediverseException;
+use OCA\Social\Service\ConfigService;
+use OCA\Social\Service\FediverseService;
+use OCA\Social\Service\MiscService;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+
+/**
+ * Class Fediverse
+ *
+ * @package OCA\Social\Command
+ */
+class Fediverse extends Base {
+
+
+	/** @var FediverseService */
+	private $fediverseService;
+
+	/** @var ConfigService */
+	private $configService;
+
+	/** @var MiscService */
+	private $miscService;
+
+
+	/** @var OutputInterface */
+	private $output;
+
+
+	/**
+	 * CacheUpdate constructor.
+	 *
+	 * @param FediverseService $fediverseService
+	 * @param ConfigService $configService
+	 * @param MiscService $miscService
+	 */
+	public function __construct(
+		FediverseService $fediverseService, ConfigService $configService,
+		MiscService $miscService
+	) {
+		parent::__construct();
+
+		$this->fediverseService = $fediverseService;
+		$this->configService = $configService;
+		$this->miscService = $miscService;
+	}
+
+
+	/**
+	 *
+	 */
+	protected function configure() {
+		parent::configure();
+		$this->setName('social:fediverse')
+			 ->addOption(
+				 'type', 't', InputArgument::OPTIONAL,
+				 'Change the type of access management', ''
+			 )
+			 ->addArgument('action', InputArgument::OPTIONAL, 'add/remove/test address', '')
+			 ->addArgument('address', InputArgument::OPTIONAL, 'address/host', '')
+			 ->setDescription('Allow or deny access to the fediverse');
+	}
+
+
+	/**
+	 * @param InputInterface $input
+	 * @param OutputInterface $output
+	 *
+	 * @throws Exception
+	 */
+	protected function execute(InputInterface $input, OutputInterface $output) {
+		$this->output = $output;
+
+		if ($this->typeAccess($input->getOption('type'))) {
+			return;
+		}
+
+		$this->output->writeln(
+			'Current access type: <info>' . $this->fediverseService->getAccessType() . '</info>'
+		);
+
+		switch ($input->getArgument('action')) {
+			case '':
+				$this->listAddresses(false);
+				break;
+
+			case 'list':
+				$this->listAddresses(true);
+				break;
+
+			case 'add':
+				$this->addAddress($input->getArgument('address'));
+				break;
+
+			case 'remove':
+				$this->removeAddress($input->getArgument('address'));
+				break;
+
+			case 'test':
+				$this->testAddress($input->getArgument('address'));
+				break;
+
+			case 'reset':
+				$this->resetAddresses();
+				break;
+
+			default:
+				throw new Exception('specify action: add, remove, list, reset');
+		}
+	}
+
+
+	/**
+	 * @param string $type
+	 *
+	 * @return bool
+	 * @throws Exception
+	 */
+	private function typeAccess(string $type) {
+		if ($type === '') {
+			return false;
+		}
+
+		$this->fediverseService->setAccessType($type);
+
+		return true;
+	}
+
+
+	/**
+	 * @param bool $allKnownAddress
+	 */
+	private function listAddresses(bool $allKnownAddress = false) {
+
+		if ($allKnownAddress) {
+			$this->output->writeln('- Known address:');
+			foreach ($this->fediverseService->getKnownAddresses() as $address) {
+				$this->output->writeln('  <info>' . $address . '</info>');
+			}
+		}
+
+		$this->output->writeln('- List:');
+		foreach ($this->fediverseService->getListedAddresses() as $address) {
+			$this->output->writeln('  <info>' . $address . '</info>');
+		}
+
+	}
+
+
+	/**
+	 * @param string $address
+	 *
+	 * @throws Exception
+	 */
+	private function addAddress(string $address) {
+		$this->fediverseService->addAddress($address);
+		$this->output->writeln('<info>' . $address . '</info> added to the list');
+	}
+
+
+	/**
+	 * @param string $address
+	 *
+	 * @throws Exception
+	 */
+	private function removeAddress(string $address) {
+		$this->fediverseService->removeAddress($address);
+		$this->output->writeln('<info>' . $address . '</info> removed from the list');
+	}
+
+
+	/**
+	 * @param string $address
+	 */
+	private function testAddress(string $address) {
+		try {
+			$this->fediverseService->authorized($address);
+			$this->output->writeln('<info>Authorized</info>');
+		} catch (UnauthorizedFediverseException $e) {
+			$this->output->writeln('<comment>Unauthorized</comment>');
+		}
+	}
+
+
+	/**
+	 *
+	 */
+	private function resetAddresses() {
+		$this->fediverseService->resetAddresses();
+		$this->output->writeln('list is now empty');
+	}
+
+
+}
+

lib/Controller/ActivityPubController.php

@@ -40,6 +40,7 @@ use OCA\Social\Exceptions\SignatureIsGoneException;
 use OCA\Social\Exceptions\ItemUnknownException;
 use OCA\Social\Exceptions\UrlCloudException;
 use OCA\Social\Service\CacheActorService;
+use OCA\Social\Service\FediverseService;
 use OCA\Social\Service\FollowService;
 use OCA\Social\Service\ImportService;
 use OCA\Social\Service\MiscService;
@@ -61,6 +62,9 @@ class ActivityPubController extends Controller {
 	/** @var SocialPubController */
 	private $socialPubController;
 
+	/** @var FediverseService */
+	private $fediverseService;
+
 	/** @var CacheActorService */
 	private $cacheActorService;
 
@@ -85,6 +89,7 @@ class ActivityPubController extends Controller {
 	 *
 	 * @param IRequest $request
 	 * @param SocialPubController $socialPubController
+	 * @param FediverseService $fediverseService
 	 * @param CacheActorService $cacheActorService
 	 * @param SignatureService $signatureService
 	 * @param StreamQueueService $streamQueueService
@@ -94,13 +99,14 @@ class ActivityPubController extends Controller {
 	 */
 	public function __construct(
 		IRequest $request, SocialPubController $socialPubController,
-		CacheActorService $cacheActorService, SignatureService $signatureService,
-		StreamQueueService $streamQueueService, ImportService $importService,
-		FollowService $followService, MiscService $miscService
+		FediverseService $fediverseService, CacheActorService $cacheActorService,
+		SignatureService $signatureService, StreamQueueService $streamQueueService,
+		ImportService $importService, FollowService $followService, MiscService $miscService
 	) {
 		parent::__construct(Application::APP_NAME, $request);
 
 		$this->socialPubController = $socialPubController;
+		$this->fediverseService = $fediverseService;
 		$this->cacheActorService = $cacheActorService;
 		$this->signatureService = $signatureService;
 		$this->streamQueueService = $streamQueueService;
@@ -178,6 +184,7 @@ class ActivityPubController extends Controller {
 
 			$requestTime = 0;
 			$origin = $this->signatureService->checkRequest($this->request, $requestTime);
+			$this->fediverseService->authorized($origin);
 
 			$activity = $this->importService->importFromJson($body);
 			if (!$this->signatureService->checkObject($activity)) {
@@ -221,6 +228,7 @@ class ActivityPubController extends Controller {
 
 			$requestTime = 0;
 			$origin = $this->signatureService->checkRequest($this->request, $requestTime);
+			$this->fediverseService->authorized($origin);
 
 			// TODO - check the recipient <-> username
 //			$actor = $this->actorService->getActor($username);

lib/Exceptions/UnauthorizedFediverseException.php

@@ -0,0 +1,40 @@
+<?php
+declare(strict_types=1);
+
+
+/**
+ * Nextcloud - Social Support
+ *
+ * This file is licensed under the Affero General Public License version 3 or
+ * later. See the COPYING file.
+ *
+ * @author Maxence Lange <maxence@artificial-owl.com>
+ * @copyright 2018, Maxence Lange <maxence@artificial-owl.com>
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+namespace OCA\Social\Exceptions;
+
+
+use Exception;
+
+
+class UnauthorizedFediverseException extends Exception {
+
+}
+

lib/Service/ActivityService.php

@@ -48,6 +48,7 @@ use OCA\Social\Exceptions\RequestResultNotJsonException;
 use OCA\Social\Exceptions\RequestResultSizeException;
 use OCA\Social\Exceptions\RequestServerException;
 use OCA\Social\Exceptions\SocialAppConfigException;
+use OCA\Social\Exceptions\UnauthorizedFediverseException;
 use OCA\Social\Model\ActivityPub\ACore;
 use OCA\Social\Model\ActivityPub\Activity\Create;
 use OCA\Social\Model\ActivityPub\Activity\Delete;
@@ -284,6 +285,8 @@ class ActivityService {
 			$this->signatureService->signRequest($request, $queue);
 			$this->curlService->request($request);
 			$this->requestQueueService->endRequest($queue, true);
+		} catch (UnauthorizedFediverseException $e) {
+			$this->requestQueueService->endRequest($queue, true);
 		} catch (RequestResultNotJsonException $e) {
 			$this->requestQueueService->endRequest($queue, true);
 		} catch (ActorDoesNotExistException $e) {

lib/Service/CacheActorService.php

@@ -47,6 +47,7 @@ use OCA\Social\Exceptions\RequestResultSizeException;
 use OCA\Social\Exceptions\RequestServerException;
 use OCA\Social\Exceptions\SocialAppConfigException;
 use OCA\Social\Exceptions\ItemUnknownException;
+use OCA\Social\Exceptions\UnauthorizedFediverseException;
 use OCA\Social\Model\ActivityPub\Actor\Person;
 
 
@@ -118,6 +119,7 @@ class CacheActorService {
 	 * @throws SocialAppConfigException
 	 * @throws ItemUnknownException
 	 * @throws RequestResultNotJsonException
+	 * @throws UnauthorizedFediverseException
 	 */
 	public function getFromId(string $id, bool $refresh = false): Person {
 

lib/Service/CacheDocumentService.php

@@ -43,6 +43,8 @@ use OCA\Social\Exceptions\RequestNetworkException;
 use OCA\Social\Exceptions\RequestResultNotJsonException;
 use OCA\Social\Exceptions\RequestResultSizeException;
 use OCA\Social\Exceptions\RequestServerException;
+use OCA\Social\Exceptions\SocialAppConfigException;
+use OCA\Social\Exceptions\UnauthorizedFediverseException;
 use OCP\Files\IAppData;
 use OCP\Files\NotFoundException;
 use OCP\Files\NotPermittedException;
@@ -96,13 +98,15 @@ class CacheDocumentService {
 	 * @return string
 	 * @throws CacheContentMimeTypeException
 	 * @throws MalformedArrayException
+	 * @throws NotFoundException
 	 * @throws NotPermittedException
 	 * @throws RequestContentException
 	 * @throws RequestNetworkException
-	 * @throws RequestServerException
-	 * @throws RequestResultSizeException
 	 * @throws RequestResultNotJsonException
-	 * @throws NotFoundException
+	 * @throws RequestResultSizeException
+	 * @throws RequestServerException
+	 * @throws SocialAppConfigException
+	 * @throws UnauthorizedFediverseException
 	 */
 	public function saveRemoteFileToCache(string $url, &$mime = '') {
 
@@ -190,9 +194,11 @@ class CacheDocumentService {
 	 * @throws MalformedArrayException
 	 * @throws RequestContentException
 	 * @throws RequestNetworkException
-	 * @throws RequestServerException
-	 * @throws RequestResultSizeException
 	 * @throws RequestResultNotJsonException
+	 * @throws RequestResultSizeException
+	 * @throws RequestServerException
+	 * @throws SocialAppConfigException
+	 * @throws UnauthorizedFediverseException
 	 */
 	public function retrieveContent(string $url) {
 		$url = parse_url($url);

lib/Service/ConfigService.php

@@ -54,6 +54,8 @@ class ConfigService {
 	const SOCIAL_ADDRESS = 'address';
 	const SOCIAL_SERVICE = 'service';
 	const SOCIAL_MAX_SIZE = 'max_size';
+	const SOCIAL_ACCESS_TYPE = 'access_type';
+	const SOCIAL_ACCESS_LIST = 'access_list';
 
 	const BACKGROUND_CRON = 1;
 	const BACKGROUND_ASYNC = 2;
@@ -62,11 +64,20 @@ class ConfigService {
 
 	/** @var array */
 	public $defaults = [
-		self::SOCIAL_ADDRESS  => '',
-		self::SOCIAL_SERVICE  => 1,
-		self::SOCIAL_MAX_SIZE => 10
+		self::SOCIAL_ADDRESS     => '',
+		self::SOCIAL_SERVICE     => 1,
+		self::SOCIAL_MAX_SIZE    => 10,
+		self::SOCIAL_ACCESS_TYPE => 'all_but',
+		self::SOCIAL_ACCESS_LIST => '[]'
 	];
 
+	/** @var array */
+	public $accessTypeList = [
+		'BLACKLIST' => 'all_but',
+		'WHITELIST' => 'none_but'
+	];
+
+
 	/** @var string */
 	private $userId;
 

lib/Service/CurlService.php

@@ -48,6 +48,7 @@ use OCA\Social\Exceptions\RequestResultSizeException;
 use OCA\Social\Exceptions\RequestServerException;
 use OCA\Social\Exceptions\SocialAppConfigException;
 use OCA\Social\Exceptions\ItemUnknownException;
+use OCA\Social\Exceptions\UnauthorizedFediverseException;
 use OCA\Social\Model\ActivityPub\Actor\Person;
 
 class CurlService {
@@ -64,6 +65,9 @@ class CurlService {
 	/** @var ConfigService */
 	private $configService;
 
+	/** @var FediverseService */
+	private $fediverseService;
+
 	/** @var MiscService */
 	private $miscService;
 
@@ -79,10 +83,14 @@ class CurlService {
 	 * CurlService constructor.
 	 *
 	 * @param ConfigService $configService
+	 * @param FediverseService $fediverseService
 	 * @param MiscService $miscService
 	 */
-	public function __construct(ConfigService $configService, MiscService $miscService) {
+	public function __construct(
+		ConfigService $configService, FediverseService $fediverseService, MiscService $miscService
+	) {
 		$this->configService = $configService;
+		$this->fediverseService = $fediverseService;
 		$this->miscService = $miscService;
 	}
 
@@ -94,9 +102,11 @@ class CurlService {
 	 * @throws InvalidResourceException
 	 * @throws RequestContentException
 	 * @throws RequestNetworkException
+	 * @throws RequestResultNotJsonException
 	 * @throws RequestResultSizeException
 	 * @throws RequestServerException
-	 * @throws RequestResultNotJsonException
+	 * @throws SocialAppConfigException
+	 * @throws UnauthorizedFediverseException
 	 */
 	public function webfingerAccount(string $account): array {
 		$account = $this->withoutBeginAt($account);
@@ -144,6 +154,7 @@ class CurlService {
 	 * @throws SocialAppConfigException
 	 * @throws ItemUnknownException
 	 * @throws RequestResultNotJsonException
+	 * @throws UnauthorizedFediverseException
 	 */
 	public function retrieveAccount(string $account): Person {
 		$result = $this->webfingerAccount($account);
@@ -178,9 +189,11 @@ class CurlService {
 	 * @throws MalformedArrayException
 	 * @throws RequestContentException
 	 * @throws RequestNetworkException
-	 * @throws RequestServerException
-	 * @throws RequestResultSizeException
 	 * @throws RequestResultNotJsonException
+	 * @throws RequestResultSizeException
+	 * @throws RequestServerException
+	 * @throws SocialAppConfigException
+	 * @throws UnauthorizedFediverseException
 	 */
 	public function retrieveObject($id): array {
 
@@ -205,11 +218,14 @@ class CurlService {
 	 * @return mixed
 	 * @throws RequestContentException
 	 * @throws RequestNetworkException
+	 * @throws RequestResultNotJsonException
 	 * @throws RequestResultSizeException
 	 * @throws RequestServerException
-	 * @throws RequestResultNotJsonException
+	 * @throws SocialAppConfigException
+	 * @throws UnauthorizedFediverseException
 	 */
 	public function request(Request $request) {
+		$this->fediverseService->authorized($request->getAddress());
 
 		$this->maxDownloadSizeReached = false;
 		$curl = $this->initRequest($request);

lib/Service/DocumentService.php

@@ -46,6 +46,7 @@ use OCA\Social\Exceptions\RequestResultNotJsonException;
 use OCA\Social\Exceptions\RequestResultSizeException;
 use OCA\Social\Exceptions\RequestServerException;
 use OCA\Social\Exceptions\SocialAppConfigException;
+use OCA\Social\Exceptions\UnauthorizedFediverseException;
 use OCA\Social\Exceptions\UrlCloudException;
 use OCA\Social\Model\ActivityPub\Actor\Person;
 use OCA\Social\Model\ActivityPub\Object\Document;
@@ -117,6 +118,7 @@ class DocumentService {
 	 * @throws CacheDocumentDoesNotExistException
 	 * @throws MalformedArrayException
 	 * @throws RequestResultNotJsonException
+	 * @throws SocialAppConfigException
 	 */
 	public function cacheRemoteDocument(string $id, bool $public = false) {
 		$document = $this->cacheDocumentsRequest->getById($id, $public);
@@ -169,6 +171,8 @@ class DocumentService {
 			$this->cacheDocumentsRequest->endCaching($document);
 		} catch (RequestContentException $e) {
 			$this->cacheDocumentsRequest->deleteById($id);
+		} catch (UnauthorizedFediverseException $e) {
+			$this->cacheDocumentsRequest->deleteById($id);
 		} catch (RequestNetworkException $e) {
 			$this->cacheDocumentsRequest->endCaching($document);
 		} catch (RequestServerException $e) {
@@ -189,6 +193,7 @@ class DocumentService {
 	 * @throws CacheDocumentDoesNotExistException
 	 * @throws MalformedArrayException
 	 * @throws RequestResultNotJsonException
+	 * @throws SocialAppConfigException
 	 */
 	public function getFromCache(string $id, bool $public = false) {
 		$document = $this->cacheRemoteDocument($id, $public);

lib/Service/FediverseService.php

@@ -0,0 +1,281 @@
+<?php
+declare(strict_types=1);
+
+
+/**
+ * Nextcloud - Social Support
+ *
+ * This file is licensed under the Affero General Public License version 3 or
+ * later. See the COPYING file.
+ *
+ * @author Maxence Lange <maxence@artificial-owl.com>
+ * @copyright 2018, Maxence Lange <maxence@artificial-owl.com>
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+namespace OCA\Social\Service;
+
+use Exception;
+use OCA\Social\Exceptions\SocialAppConfigException;
+use OCA\Social\Exceptions\UnauthorizedFediverseException;
+
+
+/**
+ * Class FediverseService
+ *
+ * @package OCA\Social\Service
+ */
+class FediverseService {
+
+
+	/** @var ConfigService */
+	private $configService;
+
+	/** @var MiscService */
+	private $miscService;
+
+
+	/**
+	 * FediverseService constructor.
+	 *
+	 * @param ConfigService $configService
+	 * @param MiscService $miscService
+	 */
+	public function __construct(
+		ConfigService $configService, MiscService $miscService
+	) {
+		$this->configService = $configService;
+		$this->miscService = $miscService;
+	}
+
+
+	/**
+	 * @param string $address
+	 *
+	 * @return bool
+	 * @throws UnauthorizedFediverseException
+	 * @throws SocialAppConfigException
+	 */
+	public function authorized(string $address): bool {
+		if ($this->getAccessType() ===
+			$this->configService->accessTypeList['BLACKLIST']
+			&& !$this->isListed($address)) {
+			return true;
+		}
+
+		if ($this->getAccessType() ===
+			$this->configService->accessTypeList['WHITELIST']
+			&& ($this->isListed($address) || $this->isLocal($address))) {
+			return true;
+		}
+
+		throw new UnauthorizedFediverseException('Unauthorized Fediverse');
+	}
+
+
+	/**
+	 * @throws UnauthorizedFediverseException
+	 */
+	public function jailed() {
+		if ($this->getAccessType() !== $this->configService->accessTypeList['WHITELIST']
+			|| !empty($this->getListedAddresses())) {
+			return;
+		}
+
+		throw new UnauthorizedFediverseException('Jailed Fediverse');
+	}
+
+
+	/**
+	 * @return string
+	 */
+	public function getAccessType(): string {
+		return $this->configService->getAppValue(ConfigService::SOCIAL_ACCESS_TYPE);
+	}
+
+
+	/**
+	 * @param string $type
+	 *
+	 * @throws Exception
+	 */
+	public function setAccessType(string $type) {
+		$accepted = array_values($this->configService->accessTypeList);
+		if (!in_array($type, $accepted)) {
+			throw new Exception('invalid type: ' . json_encode($accepted));
+		}
+
+		$this->configService->setAppValue(ConfigService::SOCIAL_ACCESS_TYPE, $type);
+	}
+
+
+	/**
+	 * @param string $address
+	 *
+	 * @return bool
+	 * @throws SocialAppConfigException
+	 */
+	public function isLocal(string $address): bool {
+		$local = $this->configService->getCloudAddress(true);
+
+		return ($local === $address);
+	}
+
+
+	/**
+	 * @return array
+	 */
+	public function getKnownAddresses(): array {
+		return [];
+	}
+
+
+	/**
+	 * @return array
+	 */
+	public function getListedAddresses(): array {
+		return json_decode($this->configService->getAppValue(ConfigService::SOCIAL_ACCESS_LIST));
+	}
+
+	/**
+	 * @param string $address
+	 *
+	 * @return bool
+	 */
+	public function isListed(string $address): bool {
+		$list = $this->getListedAddresses();
+
+		return (in_array($address, $list));
+	}
+
+	/**
+	 *
+	 */
+	public function resetAddresses() {
+		$this->configService->setAppValue(ConfigService::SOCIAL_ACCESS_LIST, '[]');
+	}
+
+	/**
+	 * @param string $address
+	 */
+	public function addAddress(string $address) {
+		if ($this->isListed($address)) {
+			return;
+		}
+
+		$list = $this->getListedAddresses();
+		array_push($list, $address);
+
+		$this->configService->setAppValue(ConfigService::SOCIAL_ACCESS_LIST, json_encode($list));
+	}
+
+	/**
+	 * @param string $address
+	 *
+	 * @return void
+	 * @throws Exception
+	 */
+	public function removeAddress(string $address) {
+		$list = $this->getListedAddresses();
+		$list = array_diff($list, [$address]);
+		$this->configService->setAppValue(ConfigService::SOCIAL_ACCESS_LIST, json_encode($list));
+	}
+
+
+//
+//	/**
+//	 * @param string $address
+//	 *
+//	 * @throws Exception
+//	 */
+//	public function blockAddress(string $address) {
+//		if ($this->isBlocked($address)) {
+//			return;
+//		}
+//
+//		if ($this->isAllowed($address)) {
+//			throw new Exception($address . ' is already in the whitelist');
+//		}
+//
+//		$blackList = $this->getBlockedAddresses();
+//		array_push($blackList, $address);
+//
+//		$this->configService->setAppValue(ConfigService::SOCIAL_BLACKLIST, json_encode($blackList));
+//	}
+//
+//	/**
+//	 * @return array
+//	 */
+//	public function getBlockedAddresses(): array {
+//		return json_decode($this->configService->getAppValue(ConfigService::SOCIAL_BLACKLIST));
+//	}
+//
+//	/**
+//	 * @param string $address
+//	 *
+//	 * @return bool
+//	 */
+//	public function isBlocked(string $address): bool {
+//		return (in_array('ALL', $this->getBlockedAddresses())
+//				|| in_array($address, $this->getBlockedAddresses()));
+//	}
+//
+//
+//	/**
+//	 * @param string $address
+//	 *
+//	 * @return void
+//	 * @throws Exception
+//	 */
+//	public function allowAddress(string $address) {
+//		if ($this->isAllowed($address)) {
+//			return;
+//		}
+//
+//		if ($this->isBlocked($address)) {
+//			throw new Exception($address . ' is already in the blacklist');
+//		}
+//
+//		$whiteList = $this->getAllowedAddresses();
+//		array_push($whiteList, $address);
+//
+//		$this->configService->setAppValue(ConfigService::SOCIAL_WHITELIST, json_encode($whiteList));
+//	}
+//
+//	/**
+//	 * @return array
+//	 */
+//	public function getAllowedAddresses(): array {
+//		return json_decode($this->configService->getAppValue(ConfigService::SOCIAL_WHITELIST));
+//
+//	}
+//
+//	/**
+//	 * @param string $address
+//	 *
+//	 * @return bool
+//	 */
+//	public function isAllowed(string $address): bool {
+//		return (in_array('ALL', $this->getAllowedAddresses())
+//				|| in_array($address, $this->getAllowedAddresses()));
+//	}
+//
+//
+
+}
+

lib/Service/StreamQueueService.php

@@ -48,6 +48,7 @@ use OCA\Social\Exceptions\RequestResultNotJsonException;
 use OCA\Social\Exceptions\RequestResultSizeException;
 use OCA\Social\Exceptions\RequestServerException;
 use OCA\Social\Exceptions\SocialAppConfigException;
+use OCA\Social\Exceptions\UnauthorizedFediverseException;
 use OCA\Social\Model\ActivityPub\Object\Note;
 use OCA\Social\Model\ActivityPub\Stream;
 use OCA\Social\Model\StreamQueue;
@@ -259,6 +260,12 @@ class StreamQueueService {
 					. $e->getMessage(), 1
 				);
 				$cache->removeItem($item->getUrl());
+			} catch (UnauthorizedFediverseException $e) {
+				$this->miscService->log(
+					'Error caching stream: ' . json_encode($item) . ' ' . get_class($e) . ' '
+					. $e->getMessage(), 1
+				);
+				$cache->removeItem($item->getUrl());
 			} catch (RequestNetworkException $e) {
 				$this->miscService->log(
 					'Error caching stream: ' . json_encode($item) . ' ' . get_class($e) . ' '
@@ -299,6 +306,7 @@ class StreamQueueService {
 	 * @throws RequestResultSizeException
 	 * @throws RequestServerException
 	 * @throws SocialAppConfigException
+	 * @throws UnauthorizedFediverseException
 	 */
 	private function cacheItem(CacheItem &$item) {
 

lib/webfinger.php

@@ -33,6 +33,7 @@ use Exception;
 use OC;
 use OCA\Social\Service\CacheActorService;
 use OCA\Social\Service\ConfigService;
+use OCA\Social\Service\FediverseService;
 
 require_once(__DIR__ . '/../appinfo/autoload.php');
 
@@ -56,15 +57,21 @@ if ($type !== 'acct') {
 list($username, $instance) = explode('@', $account);
 try {
 	$cacheActorService = OC::$server->query(CacheActorService::class);
+	$fediverseService = OC::$server->query(FediverseService::class);
 	$configService = OC::$server->query(ConfigService::class);
 
+	$fediverseService->jailed();
+
 	if ($configService->getCloudAddress(true) !== $instance) {
-		throw new Exception('instance is ' . $instance . ', expected ' . $configService->getCloudAddress(true));
+		throw new Exception(
+			'instance is ' . $instance . ', expected ' . $configService->getCloudAddress(true)
+		);
 	}
 
 	$cacheActorService->getFromLocalAccount($username);
 } catch (Exception $e) {
-	OC::$server->getLogger()->log(1, 'Exception on webfinger - ' . $e->getMessage());
+	OC::$server->getLogger()
+			   ->log(1, 'Exception on webfinger - ' . $e->getMessage());
 	http_response_code(404);
 	exit;
 }
@@ -81,14 +88,17 @@ $finger = [
 	'subject' => $subject,
 	'links'   => [
 		[
-			'rel' => 'self',
+			'rel'  => 'self',
 			'type' => 'application/activity+json',
 			'href' => $href
 		],
 		[
 			'rel'      => 'http://ostatus.org/schema/1.0/subscribe',
 			'template' => urldecode(
-				$href = $urlGenerator->linkToRouteAbsolute('social.OStatus.subscribe', ['uri' => '{uri}']))
+				$href = $urlGenerator->linkToRouteAbsolute(
+					'social.OStatus.subscribe', ['uri' => '{uri}']
+				)
+			)
 		]
 	]
 ];