Verify that the remote user is who they say they

fedireads/incoming.py

@@ -90,6 +90,7 @@ def shared_inbox(request):
 
 
 def get_public_key(key_actor):
+    ''' try a stored key or load it from remote '''
     try:
         user = models.User.objects.get(remote_id=key_actor)
         public_key = user.public_key

fedireads/remote_user.py

@@ -26,6 +26,9 @@ def get_or_create_remote_user(actor):
         response.raise_for_status()
     data = response.json()
 
+    # make sure our actor is who they say they are
+    assert actor == data['id']
+
     actor_parts = urlparse(actor)
     with transaction.atomic():
         user = create_remote_user(data)