Bookwyrm keyIds are at `userpath/#main-key`, however when signing AP objects we have claimed in the headers that the keyId is at `userpath#main-key`.
This is incorrect, and makes GoToSocial's strict checking break.
Simply updating the signatures to use the correct KeyId breaks legacy Bookwyrm's signature checks, becuase it assumes that the keyId path is the same as the user path plus a fragment.
This commit allows for either option, by sending the request a second time with the incorrect keyId if sending with the correct one causes an error.
Fixes#2801
Related to #2794
It is legitimate to use any url for the user's key id. We have been assuming this id is the user id plus a fragment (#key-id) but this is not always the case, notably in the case of GoToSocial it is at /key-id. This commit instead checks the remote user's information to see if the key id listed matches the key id of the message allegedly received from them.
Whilst troubleshooting this it also became apparent that there is a mismatch between Bookwyrm users' keyId and the KeyId we claim to be using in signed requests (there is a forward slash missing). Since everything after the slash is a fragment, this usually slips through but we should be consistent so I updated that.
If no digest value is passed to make_signature and Exception was thrown.
Since digest is added to the signature headers if it is not None anyway, there is no need to assign the digest value before that check.
When signing a request _as the server_ for Mastodon's AUTHORIZED_FETCH there is no need to include a digest.
Why update:
iohttp: supports now more of http standard.
celery: supports redis > = 4.0.2 (the docker image uses redis 7.0.6
django-celery-beat: better Django 3.2 support, bump celery to 5.2, downgrade of dependencies for better celery support
django-compressor: official Django 3.2 support, updates requirements
django-model-utils: official django 3.2 support.
django-sass-processor: remove deprecated default_app_config, support of ManifestStaticFilesStorage (which might be needed in the future)
environs: bugfixes
libsass: removes deprecated cli
Pillow: bug fixing
psycopg2: Bugfixing
pycryptodome: bugfixes
python-dateutil: updated tzdata
requests: better json Handling, bugfixing
responses: bugfixes and more
pytz: python3 code generation, All the corect timezone behaviour!
boto3: Updsate all the S3 Handling
signtures.py update because of breaking change in pycryptodome
migration because uf updated timezones
With updated celery I have less 501 errors on my instance. updated psycopg2 has better performance.
I have NOT chekced opentelemetry packages.
Upgrading redis package wold need a deeper inspection of the code as some functions are dropped in newer versions.
When mastodon is in authorized fetch mode any request has to be signed
or it fails with 401. This adds the needed signature to the requests
made to discover the actor when receiving something from mastodon (such
as a follow request)