
authorized fetch #217

Ghost User requested to merge gh-b77c0252/247/unknown/refs/pull/247/head into develop

Created by: dakkar

What

When receiving GET requests for application/activity+json content, check that the request is properly signed, and not from an instance we've blocked

Why

This is variously called "secure mode" or "authorised fetch" in other fedi software. The main purpose is to make it hard for blocked instances to access data about our users/notes. They can, of course, still look at the HTML+JS output, but that's a bigger pain (and an admin can e.g. restrict seeing the various timelines to logged-in users, via roles).

Additional info (optional)

The implementation is copied from the other places we already check HTTP signatures, and cross-checked with Firefish's implementation. I'm defaulting it to "false", so we don't surprise admins/users with this rather big change. I've called the config key checkActivityPubGetSignature to mirror the existing signToActivityPubGet, but I'm not particularly attached to the name. We'll need to test this a lot, though! I know that this code can talk to another instance of itself, but that's it!

Checklist

  • Read the contribution guide
  • Test working in a local environment
  • (If needed) Add story of storybook
  • (If needed) Update CHANGELOG.md
  • (If possible) Add tests
