Verify that the remote user is who they say they

Mouse Reeve 2020-05-18 18:26:00 -07:00
parent 1b48ca2f85
commit 373a378452
2 changed files with 4 additions and 0 deletions


@ -90,6 +90,7 @@ def shared_inbox(request):
def get_public_key(key_actor): def get_public_key(key_actor):
''' try a stored key or load it from remote '''
try: try:
user = models.User.objects.get(remote_id=key_actor) user = models.User.objects.get(remote_id=key_actor)
public_key = user.public_key public_key = user.public_key


@ -26,6 +26,9 @@ def get_or_create_remote_user(actor):
response.raise_for_status() response.raise_for_status()
data = response.json() data = response.json()
# make sure our actor is who they say they are
assert actor == data['id']
actor_parts = urlparse(actor) actor_parts = urlparse(actor)
with transaction.atomic(): with transaction.atomic():
user = create_remote_user(data) user = create_remote_user(data)
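Review bot: The new identity check in get_or_create_remote_user is written as `assert actor == data['id']`, and Python drops assert statements when run with `-O` or `PYTHONOPTIMIZE`, so in an optimized deployment the fetched document's `id` would no longer be compared with the requested actor URL before the user is created. A document with no `id` key would also surface as a KeyError rather than a clear rejection. An explicit check keeps the guard in every mode: `if data.get('id') != actor:` followed by `raise ValueError('remote actor id does not match requested url')` (the exception type is a suggestion; use whatever the callers already handle). The function's body starts and ends outside this hunk, so how the error is handled upstream is not visible here.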