Enable strict HTTP signature verification in inbox

2021-12-30 19:53:40 +00:00 · 2021-12-30 19:53:40 +00:00 · 5b0a9ff931
commit 5b0a9ff931
parent 452894c224
2 changed files with 18 additions and 5 deletions
--- a/src/activitypub/receiver.rs
+++ b/src/activitypub/receiver.rs
@ -346,10 +346,18 @@ pub async fn process_note(
 pub async fn receive_activity(
    config: &Config,
    db_pool: &Pool,
+    signer_id: &str,
    activity_raw: &Value,
 ) -> Result<(), HttpError> {
    let activity: Activity = serde_json::from_value(activity_raw.clone())
        .map_err(|_| ValidationError("invalid activity"))?;
+    if activity.actor != signer_id {
+        log::warn!(
+            "request signer {} does not match actor {}",
+            signer_id,
+            activity.actor,
+        );
+    };
    let activity_type = activity.activity_type;
    let maybe_object_type = activity.object.get("type")
        .and_then(|val| val.as_str())
--- a/src/activitypub/views.rs
+++ b/src/activitypub/views.rs
@ -110,12 +110,17 @@ async fn inbox(
        log::info!("received in {}: {}", request.uri().path(), activity_type);
    };
    let signature_verified = verify_http_signature(&config, &db_pool, &request).await;
-    match signature_verified {
-        Ok(signer_id) => log::debug!("activity signed by {}", signer_id),
-        // TODO: return error 401
-        Err(err) => log::warn!("invalid signature: {}", err),
+    let signer_id = match signature_verified {
+        Ok(signer_id) => {
+            log::debug!("activity signed by {}", signer_id);
+            signer_id
+        },
+        Err(err) => {
+            log::warn!("invalid signature: {}", err);
+            return Err(HttpError::AuthError("invalid signature"));
+        },
    };
-    receive_activity(&config, &db_pool, &activity).await
+    receive_activity(&config, &db_pool, &signer_id, &activity).await
        .map_err(|err| {
            log::warn!("failed to process activity ({}): {}", err, activity);
            err