Federation: Backlinks Authentication
Currently the backlinks permissions are set to AllowAny. This means that a malicious user can inject data onto my server simply by posting to my inbox.
The original suggestion on this issue was to do server-to-server authentication using server keys. Later it was discussed that sending the user as the actor of the activity (and authenticating them) might be better.
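A sketch of what an inbox check could look like in place of AllowAny, as an added example that is not code from this project: the POST must carry a valid signature from a known server, and the activity's actor must be hosted on that server. Assumptions: the function names, the `KNOWN_SERVER_KEYS` table and the sample hosts are hypothetical, HMAC shared secrets stand in for asymmetric server keys so the example runs on the standard library, and per-user authentication of the actor is not shown.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed sample data: keys this instance has on file for remote servers.
# Assumption: HMAC secrets stand in for asymmetric server keys here; the
# accept/reject logic stays the same with real signatures.
KNOWN_SERVER_KEYS = {"remote.example": b"constructed-demo-key"}


def sign_body(key: bytes, body: bytes) -> str:
    """Signature the sending server attaches to the raw request body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def authorize_inbox_post(sender_host: str, signature: str, body: bytes):
    """Return (allowed, reason) for a POST to the backlinks inbox."""
    key = KNOWN_SERVER_KEYS.get(sender_host)
    if key is None:
        return False, "unknown server"

    # Constant-time comparison over bytes, so odd input cannot raise.
    expected = sign_body(key, body).encode("utf-8")
    if not hmac.compare_digest(expected, signature.encode("utf-8")):
        return False, "bad signature"

    try:
        activity = json.loads(body)
    except ValueError:
        return False, "malformed activity"

    # A valid server signature only proves which server sent the request.
    # The actor must also live on that server, otherwise one federated
    # server could post activities in the name of another server's users.
    actor = activity.get("actor") if isinstance(activity, dict) else None
    if not isinstance(actor, str) or urlsplit(actor).hostname != sender_host:
        return False, "actor not hosted on sending server"

    return True, "ok"
```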