Refuse federation lookups for unauthenticated GraphQL callers

[dahlia]

Resolves #277.

Why

Five GraphQL resolvers branched on ctx.account == null only to pick a documentLoader, then still called fedCtx.lookupObject and persistActor/persistPost when the local DB lookup missed. An unauthenticated client could feed arbitrary handles or URLs and force the server into outbound WebFinger/ActivityPub fetches, persisting whatever came back as actor or post rows. That exposed the server to spam-driven row growth and attacker-controlled outbound requests, with federation-log noise as a secondary concern.

What changed

When ctx.account == null, the following sites now short-circuit to null after the local DB checks and before any federation work:

• actorByHandle in graphql/actor.ts
• lookupActorByUrl in graphql/lookup.ts, reached via actorByUrl
• lookupPostByUrl in graphql/lookup.ts, reached via searchObject → searchAsUrl
• searchAsHandle in graphql/search.ts, reached via searchObject (beyond the original issue scope; same guest-triggered federation path)
• Question.poll in graphql/poll.ts (surfaced from a Codex branch-level review; narrower than the others because the IRI is a known local Question's iri rather than caller input, but it still triggered a guest-driven outbound fetch and persistPost)

Authenticated paths are unchanged.

Out of scope

lookupRemoteFollower in graphql/webfinger.ts is intentionally not gated. It backs the cross-instance “follow from another instance” flow, where the caller has no local account by definition: a remote user pastes their handle to get back a remote-follow URL. It also does not call persistActor or persistPost, so the persistence concerns from the issue do not apply. Outbound-fetch concerns there can be handled separately with rate limiting or caching.

The legacy Fresh route at web/routes/search.tsx mirrors the same pattern but lives on the pre-migration stack and falls outside this GraphQL-focused fix.

UX trade-off

The mention hover cards from #90/#276 will fall back to “Could not load profile” for guests on remote actors that no signed-in user has pulled into the local DB yet. Acceptable per the issue.

Tests

deno task test reports 369/0 (was 362 before this branch).

New guest-path tests install a recording lookupObject via a new option on createFedCtx in test/postgres.ts, then assert the resolver returns null and that nothing was recorded. Without the gate, every call site under test records one entry, so the assertions show the gate ran instead of passing because an unrelated lookup returned null.

Three pre-existing Question.poll backfill tests in graphql/poll.test.ts moved from makeGuestContext to makeUserContext so they keep covering the authenticated backfill path; a new dedicated test, Question.poll refuses federation lookup for guests, locks in the guest contract.

The fixture stubs getDocumentLoader on createFedCtx too. The returned DocumentLoader rejects when invoked, so a test that needs genuine document loading fails with a named error instead of silently returning nothing.

Test plan

• deno task test passes locally
• deno task check passes (lint + format + tsc; also runs in the pre-commit hook)
• Manual: guest hover card for a remote actor absent from the local DB shows “Could not load profile”
• Manual: signed-in hover card for the same actor resolves normally
• Manual: guest search for a remote post URL returns null from searchObject (no redirect)

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR restricts unauthenticated federation lookups across five GraphQL resolvers by adding early-return guards when ctx.account is absent, preventing guest requests from triggering outbound network fetches or database persistence. Test infrastructure is enhanced to support federation lookup recording, and resolver test suites are updated to verify the new guard behavior.

Changes

Guest-Blocking Federation Lookups

Layer / File(s)	Summary
Test Infrastructure test/postgres.ts	createFedCtx is enhanced with optional lookupObject override, FedCtxLookupObject type alias is added, and getDocumentLoader() method is stubbed to support federation lookup recording in tests.
Core Resolver Guards graphql/actor.ts, graphql/lookup.ts, graphql/poll.ts, graphql/search.ts	Five resolvers (actorByHandle, lookupActorByUrl, lookupPostByUrl, Question.poll, searchAsHandle) now return null when ctx.account == null, blocking guest access to federation lookups. Authenticated paths now consistently use ctx.fedCtx.getDocumentLoader({ identifier: ctx.account.id }) instead of conditional loader selection.
Test Coverage & Assertions graphql/actor.more.test.ts, graphql/lookup.test.ts, graphql/poll.test.ts, graphql/search.test.ts	New tests verify that guests receive null without triggering federation lookups (using recording lookupObject). Existing backfill tests are updated to use authenticated context (makeUserContext) instead of guest context to maintain federation coverage for signed-in users.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Add DB-backed test coverage and run Postgres tests in CI #249: Modifies the test federation context infrastructure (createFedCtx, FedCtxLookupObject) and updates GraphQL resolver/test files in parallel, sharing the same test-infrastructure and resolver-update patterns.

Suggested labels

enhancement

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: preventing unauthenticated GraphQL callers from triggering federation lookups.
Linked Issues check	✅ Passed	All primary objectives from #277 are met: guest-gated federation lookups in actorByHandle, lookupActorByUrl, lookupPostByUrl, searchAsHandle, and Question.poll with new test coverage.
Out of Scope Changes check	✅ Passed	All changes align with the stated scope; lookupRemoteFollower and web/routes/search.tsx are intentionally excluded as documented.
Description check	✅ Passed	The pull request description clearly explains the security issue (unauthenticated clients forcing federation lookups and persistence), identifies all affected resolvers, documents the changes made, and provides test coverage details.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dahlia]

@codex review

[gemini-code-assist]

Code Review

This pull request implements a security measure to prevent unauthenticated guest users from triggering outbound federation lookups. Changes were made to the GraphQL resolvers for actors, posts, polls, and search to return null for guests instead of proceeding with federation fetches. Corresponding test cases were added to verify this behavior and existing tests were updated to use authenticated contexts where federation is required. I have no feedback to provide.

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Nice work!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".