[security] harden account update logic (#3198)

* on account update, ensure that public key has not changed

* change expected error message

* also support the case of changing account keys when expired (not waiting for handshake)

* tweak account update hardening logic, add tests for updating account with pubkey expired

* add check for whether incoming data was via federator, accepting keys if so

* use freshest window for federated account updates + comment about it
kim
2024-08-13 15:37:09 +00:00
committed by GitHub
parent 5212a1057e
commit 9cd27b412d
4 changed files with 249 additions and 16 deletions


@ -674,8 +674,13 @@ func (p *fediAPI) UpdateAccount(ctx context.Context, fMsg *messages.FromFediAPI)
fMsg.Receiving.Username,
account,
apubAcc,
// Force refresh within 5min window.
dereferencing.Fresh,
// Force refresh within 10s window.
//
// Missing account updates could be
// detrimental to federation if they
// include public key changes.
dereferencing.Freshest,
)
if err != nil {
log.Errorf(ctx, "error refreshing account: %v", err)