[Federation]: Allow non-fragment-based actor keys #393

@poorsquinky

Description

I'm trying to federate my app against loops.video and started getting 401 with "invalid actor".

It looks like Loops's VerifyUserHttpSignature.php assumes your actor's key URIs are something like https://path/to/user#key-id, which is what Mastodon does, but it is NOT in the ActivityPub spec that way. Key IDs do not require a fragment, and rejecting an actor as invalid because of this breaks compatibility.

        $actorUrl = preg_replace('/#.*$/', '', $keyId);

...

        if (! app(SanitizeService::class)->url($actorUrl, true)) {
            return $this->unauthorized('Invalid actor');
        }

I assume the reason we're doing this is because we're trying to verify that a particular key belongs to a particular actor, without going out and querying the actor on the originating host to see what their key is.

Steps to reproduce

  1. Generate ActivityPub messages to Loops from a service that does not use fragment-based key IDs
  2. Send a follow request to a Loops user
  3. Get rejected and become sad

Loops version

current main branch

Acknowledgements

Yes
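
An added example, not part of the original issue and not Loops code: it shows what the fragment-stripping step quoted above yields for fragment and path-based key IDs, and one way to bind a key to its actor without depending on the key ID's shape, by checking that the actor document itself lists that exact key. The hosts, PEM strings and documents are constructed placeholders, and `fetchDoc` and `resolveActorForKey` are hypothetical names standing in for real HTTP fetches.

```php
<?php
// Constructed documents standing in for HTTP fetches; hosts and keys are placeholders.
$docs = [
    'https://a.example/users/alice' => [   // key embedded in the actor, fragment key ID
        'id' => 'https://a.example/users/alice',
        'publicKey' => ['id' => 'https://a.example/users/alice#main-key',
                        'owner' => 'https://a.example/users/alice',
                        'publicKeyPem' => 'PEM-PLACEHOLDER-ALICE'],
    ],
    'https://b.example/users/bob' => [     // actor whose key has a path-based ID
        'id' => 'https://b.example/users/bob',
        'publicKey' => ['id' => 'https://b.example/keys/bob-1',
                        'owner' => 'https://b.example/users/bob',
                        'publicKeyPem' => 'PEM-PLACEHOLDER-BOB'],
    ],
    'https://b.example/keys/bob-1' => [    // standalone key document
        'id' => 'https://b.example/keys/bob-1',
        'owner' => 'https://b.example/users/bob',
        'publicKeyPem' => 'PEM-PLACEHOLDER-BOB',
    ],
    'https://c.example/keys/stray' => [    // names an owner that does not list this key
        'id' => 'https://c.example/keys/stray',
        'owner' => 'https://a.example/users/alice',
        'publicKeyPem' => 'PEM-PLACEHOLDER-STRAY',
    ],
];

// Hypothetical fetch helper: a fragment is never sent to the server, so drop it.
function fetchDoc(array $docs, string $url): ?array
{
    return $docs[explode('#', $url, 2)[0]] ?? null;
}

// Returns the actor ID and PEM bound to $keyId, or null if the binding is unconfirmed.
function resolveActorForKey(array $docs, string $keyId): ?array
{
    $doc = fetchDoc($docs, $keyId);
    if ($doc === null) {
        return null;
    }
    // An actor document carries publicKey; a standalone key document names its owner.
    $actor = isset($doc['publicKey']) ? $doc : fetchDoc($docs, (string) ($doc['owner'] ?? ''));
    $key = $actor['publicKey'] ?? null;
    // The actor itself must list this exact key ID, whatever shape the ID has.
    if (!is_array($key) || ($key['id'] ?? null) !== $keyId || !isset($actor['id'], $key['publicKeyPem'])) {
        return null;
    }
    return ['actor' => $actor['id'], 'pem' => $key['publicKeyPem']];
}

foreach (['https://a.example/users/alice#main-key', 'https://b.example/keys/bob-1', 'https://c.example/keys/stray'] as $keyId) {
    $stripped = preg_replace('/#.*$/', '', $keyId);   // the fragment-stripping step from the issue
    printf("%s\n  stripped: %s\n  actor:    %s\n", $keyId, $stripped, resolveActorForKey($docs, $keyId)['actor'] ?? 'rejected');
}
```

For the path-based key ID the stripped value is still the key URL rather than the actor URL, while following `owner` and confirming the actor's own `publicKey.id` resolves both styles and rejects the key whose claimed owner does not list it.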
