Enable strict HTTP signature verification in inbox

src/activitypub/receiver.rs

@@ -346,10 +346,18 @@ pub async fn process_note(
 pub async fn receive_activity(
     config: &Config,
     db_pool: &Pool,
+    signer_id: &str,
     activity_raw: &Value,
 ) -> Result<(), HttpError> {
     let activity: Activity = serde_json::from_value(activity_raw.clone())
         .map_err(|_| ValidationError("invalid activity"))?;
+    if activity.actor != signer_id {
+        log::warn!(
+            "request signer {} does not match actor {}",
+            signer_id,
+            activity.actor,
+        );
+    };
     let activity_type = activity.activity_type;
     let maybe_object_type = activity.object.get("type")
         .and_then(|val| val.as_str())

src/activitypub/views.rs

@@ -110,12 +110,17 @@ async fn inbox(
         log::info!("received in {}: {}", request.uri().path(), activity_type);
     };
     let signature_verified = verify_http_signature(&config, &db_pool, &request).await;
-    match signature_verified {
+    let signer_id = match signature_verified {
-        Ok(signer_id) => log::debug!("activity signed by {}", signer_id),
+        Ok(signer_id) => {
-        // TODO: return error 401
+            log::debug!("activity signed by {}", signer_id);
-        Err(err) => log::warn!("invalid signature: {}", err),
+            signer_id
+        },
+        Err(err) => {
+            log::warn!("invalid signature: {}", err);
+            return Err(HttpError::AuthError("invalid signature"));
+        },
     };
-    receive_activity(&config, &db_pool, &activity).await
+    receive_activity(&config, &db_pool, &signer_id, &activity).await
         .map_err(|err| {
             log::warn!("failed to process activity ({}): {}", err, activity);
             err