[backend/configuration] Allow disabling authorized fetch signature validation

Iceshrimp.Backend/Core/Configuration/Config.cs

@@ -54,18 +54,19 @@ public sealed class Config
 
 	public sealed class SecuritySection
 	{
-		public bool                 AuthorizedFetch      { get; init; } = true;
+		public bool                 AuthorizedFetch           { get; init; } = true;
-		public bool                 AttachLdSignatures   { get; init; } = false;
+		public bool                 ValidateRequestSignatures { get; init; } = true;
-		public bool                 AcceptLdSignatures   { get; init; } = false;
+		public bool                 AttachLdSignatures        { get; init; } = false;
-		public bool                 AllowLoopback        { get; init; } = false;
+		public bool                 AcceptLdSignatures        { get; init; } = false;
-		public bool                 AllowLocalIPv6       { get; init; } = false;
+		public bool                 AllowLoopback             { get; init; } = false;
-		public bool                 AllowLocalIPv4       { get; init; } = false;
+		public bool                 AllowLocalIPv6            { get; init; } = false;
-		public ExceptionVerbosity   ExceptionVerbosity   { get; init; } = ExceptionVerbosity.Basic;
+		public bool                 AllowLocalIPv4            { get; init; } = false;
-		public Enums.Registrations  Registrations        { get; init; } = Enums.Registrations.Closed;
+		public ExceptionVerbosity   ExceptionVerbosity        { get; init; } = ExceptionVerbosity.Basic;
-		public Enums.FederationMode FederationMode       { get; init; } = Enums.FederationMode.BlockList;
+		public Enums.Registrations  Registrations             { get; init; } = Enums.Registrations.Closed;
-		public Enums.ItemVisibility ExposeFederationList { get; init; } = Enums.ItemVisibility.Registered;
+		public Enums.FederationMode FederationMode            { get; init; } = Enums.FederationMode.BlockList;
-		public Enums.ItemVisibility ExposeBlockReasons   { get; init; } = Enums.ItemVisibility.Registered;
+		public Enums.ItemVisibility ExposeFederationList      { get; init; } = Enums.ItemVisibility.Registered;
-		public Enums.PublicPreview  PublicPreview        { get; init; } = Enums.PublicPreview.Public;
+		public Enums.ItemVisibility ExposeBlockReasons        { get; init; } = Enums.ItemVisibility.Registered;
+		public Enums.PublicPreview  PublicPreview             { get; init; } = Enums.PublicPreview.Public;
 	}
 
 	public sealed class NetworkSection

Iceshrimp.Backend/Core/Middleware/AuthorizedFetchMiddleware.cs

@@ -39,6 +39,13 @@ public class AuthorizedFetchMiddleware(
 		mfmConverter.SupportsHtmlFormatting.Value = true;
 		mfmConverter.SupportsInlineMedia.Value    = true;
 
+		// Short-circuit fetches when signature validation is disabled
+		if (config.Value is { AuthorizedFetch: false, ValidateRequestSignatures: false })
+		{
+			await next(ctx);
+			return;
+		}
+
 		// Short-circuit instance & relay actor fetches
 		_instanceActorUri ??= $"/users/{(await systemUserSvc.GetInstanceActorAsync()).Id}";
 		_relayActorUri    ??= $"/users/{(await systemUserSvc.GetRelayActorAsync()).Id}";

Iceshrimp.Backend/configuration.ini

@@ -28,6 +28,11 @@ CharacterLimit = 8192
 ;; It is highly recommend you keep this enabled if you intend to use block- or allowlist federation
 AuthorizedFetch = true
 
+;; Whether to validate incoming ActivityPub requests. Always enabled when AuthorizedFetch is enabled.
+;; Disabling this improves performance during large request bursts, but prevents remote instances from fetching follower-only notes.
+;; AP inbox delivery & AP inbox signature validation are unaffected by this option.
+ValidateRequestSignatures = true
+
 ;; Whether to attach LD signatures to outgoing activities. Outgoing relayed activities get signed regardless of this option.
 AttachLdSignatures = false