Ignore actor delete messages for unknown actors (#124)

tests/conftest.py

@@ -92,6 +92,7 @@ def identity(user, domain) -> Identity:
     """
     identity = Identity.objects.create(
         actor_uri="https://example.com/@test@example.com/",
+        inbox_uri="https://example.com/@test@example.com/inbox/",
         username="test",
         domain=domain,
         name="Test User",
@@ -125,6 +126,7 @@ def other_identity(user, domain) -> Identity:
     """
     identity = Identity.objects.create(
         actor_uri="https://example.com/@other@example.com/",
+        inbox_uri="https://example.com/@other@example.com/inbox/",
         username="other",
         domain=domain,
         name="Other User",
@@ -143,6 +145,7 @@ def remote_identity() -> Identity:
     domain = Domain.objects.create(domain="remote.test", local=False)
     return Identity.objects.create(
         actor_uri="https://remote.test/test-actor/",
+        inbox_uri="https://remote.test/@test/inbox/",
         profile_uri="https://remote.test/@test/",
         username="test",
         domain=domain,

tests/users/views/test_activitypub.py

@@ -31,3 +31,25 @@ def test_webfinger_system_actor(client):
     data = client.get("/actor/", HTTP_ACCEPT="application/ld+json").json()
     assert data["id"] == "https://example.com/actor/"
     assert data["inbox"] == "https://example.com/actor/inbox/"
+
+
+@pytest.mark.django_db
+def test_delete_actor(client, identity):
+    data = {
+        "@context": "https://www.w3.org/ns/activitystreams",
+        "actor": "https://mastodon.social/users/fakec8b6984105c8f15070a2",
+        "id": "https://mastodon.social/users/fakec8b6984105c8f15070a2#delete",
+        "object": "https://mastodon.social/users/fakec8b6984105c8f15070a2",
+        "signature": {
+            "created": "2022-12-06T03:54:28Z",
+            "creator": "https://mastodon.social/users/fakec8b6984105c8f15070a2#main-key",
+            "signatureValue": "This value doesn't matter",
+            "type": "RsaSignature2017",
+        },
+        "to": ["https://www.w3.org/ns/activitystreams#Public"],
+        "type": "Delete",
+    }
+    resp = client.post(
+        identity.inbox_uri, data=data, content_type="application/activity+json"
+    )
+    assert resp.status_code == 202

users/views/activitypub.py

@@ -145,9 +145,21 @@ class Inbox(View):
         # This ensures that the signature used for the headers matches the actor
         # described in the payload.
         identity = Identity.by_actor_uri(document["actor"], create=True, transient=True)
+        if (
+            document["type"] == "Delete"
+            and document["actor"] == document["object"]
+            and not identity.pk
+        ):
+            # We don't have an Identity record for the user. No-op
+            exceptions.capture_message(
+                f"Inbox: Discarded delete message for unknown actor {document['actor']}"
+            )
+            return HttpResponse(status=202)
+
         if not identity.public_key:
             # See if we can fetch it right now
             async_to_sync(identity.fetch_actor)()
+
         if not identity.public_key:
             exceptions.capture_message(
                 f"Inbox error: cannot fetch actor {document['actor']}"
@@ -160,6 +172,7 @@ class Inbox(View):
                 f"Inbox: Discarded message from {identity.domain}"
             )
             return HttpResponse(status=202)
+
         # If there's a "signature" payload, verify against that
         if "signature" in document:
             try: