feat(activitiypub): enable HTTP signatures on all ActivityPub endpoints (#7035)

- Set the right keyID and use the right signing keys for outgoing requests.
- Verify the HTTP signature of all incoming requests, except for the server actor.
- Caches keys of incoming requests for users and servers actors.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7035
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: famfo <famfo@famfo.xyz>
Co-committed-by: famfo <famfo@famfo.xyz>

modules/setting/federation.go

@@ -15,18 +15,20 @@ var (
 		Enabled             bool
 		ShareUserStatistics bool
 		MaxSize             int64
-		Algorithms          []string
+		SignatureAlgorithms []string
 		DigestAlgorithm     string
 		GetHeaders          []string
 		PostHeaders         []string
+		SignatureEnforced   bool
 	}{
 		Enabled:             false,
 		ShareUserStatistics: true,
 		MaxSize:             4,
-		Algorithms:          []string{"rsa-sha256", "rsa-sha512", "ed25519"},
+		SignatureAlgorithms: []string{"rsa-sha256", "rsa-sha512", "ed25519"},
 		DigestAlgorithm:     "SHA-256",
 		GetHeaders:          []string{"(request-target)", "Date", "Host"},
 		PostHeaders:         []string{"(request-target)", "Date", "Host", "Digest"},
+		SignatureEnforced:   true,
 	}
 )
 
@@ -44,8 +46,8 @@ func loadFederationFrom(rootCfg ConfigProvider) {
 	// Get MaxSize in bytes instead of MiB
 	Federation.MaxSize = 1 << 20 * Federation.MaxSize
 
-	HttpsigAlgs = make([]httpsig.Algorithm, len(Federation.Algorithms))
-	for i, alg := range Federation.Algorithms {
+	HttpsigAlgs = make([]httpsig.Algorithm, len(Federation.SignatureAlgorithms))
+	for i, alg := range Federation.SignatureAlgorithms {
 		HttpsigAlgs[i] = httpsig.Algorithm(alg)
 	}
 }