receive: drop activity if protocol doesn't own actor

it's probably from a bridged user, and we only want to handle original activities, not bridged ones. fixes https://console.cloud.google.com/errors/detail/CM6i4sH4176iaQ;time=P30D?project=bridgy-federated
2024-04-24 15:57:00 -07:00 · 2024-04-24 15:57:00 -07:00 · 06bf3bf534
commit 06bf3bf534
--- a/protocol.py
+++ b/protocol.py
@ -707,6 +707,8 @@ class Protocol:
        actor = as1.get_owner(obj.as1)
        if not actor:
            error('Activity missing actor or author', status=400)
+        elif from_cls.owns_id(actor) is False:
+            error(f"{from_cls.LABEL} doesn't own actor {actor}, this is probably a bridged activity. Skipping.", status=204)

        if authed_as:
            assert isinstance(authed_as, str)
--- a/tests/test_activitypub.py
+++ b/tests/test_activitypub.py
@ -962,11 +962,12 @@ class ActivityPubTest(TestCase):
        self.assert_user(ActivityPub, 'https://mas.to/actor', obj_as2=LIKE_ACTOR)

    def test_inbox_like_no_object_error(self, *_):
-        Fake.fetchable = {'fake:user': {'id': 'fake:user'}}
+        swentel = self.make_user('https://inst/user', cls=ActivityPub)
+
        got = self.post('/inbox', json={
-            'id': 'fake:like',
+            'id': 'https://inst/like',
            'type': 'Like',
-            'actor': 'fake:user',
+            'actor': 'https://inst/user',
            'object': None,
        })
        self.assertEqual(400, got.status_code)
--- a/tests/test_protocol.py
+++ b/tests/test_protocol.py
@ -1649,6 +1649,27 @@ class ProtocolReceiveTest(TestCase):
        self.assertEqual(1, len(followers))
        self.assertEqual(self.alice.key, followers[0].to)

+    def test_skip_bridged_user(self):
+        """If the actor isn't from the source protocol, skip the activity.
+
+        (It's probably from a bridged user, and we only want to handle source
+        activities, not bridged activities.)
+        """
+        self.user.copies = [Target(uri='other:user', protocol='other')]
+        self.user.put()
+
+        with self.assertRaises(NoContent):
+            OtherFake.receive_as1({
+                'id': 'other:follow',
+                'objectType': 'activity',
+                'verb': 'follow',
+                'actor': 'fake:user',
+                'object': 'fake:alice',
+            })
+        self.assertEqual(0, len(OtherFake.sent))
+        self.assertEqual(0, len(Fake.sent))
+        self.assertIsNone(Object.get_by_id('other:follow'))
+
    @patch('requests.post')
    @patch('requests.get')
    def test_skip_web_same_domain(self, mock_get, mock_post):