diff --git a/Cargo.lock b/Cargo.lock index 26c3861..fc5fa6d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1079,9 +1079,9 @@ dependencies = [ [[package]] name = "http-signature-normalization-actix" -version = "0.3.0-alpha.2" +version = "0.3.0-alpha.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3f035288c367f436250512a6e7efba4636d3354c0200baa2fdc0f5f1bb72b1a" +checksum = "36b2d8e485a1403413d543ccaa5bb02be59d1ef93e0ecb97314bfdf2573b2ba7" dependencies = [ "actix-http", "actix-web", diff --git a/Cargo.toml b/Cargo.toml index 34c1f39..9b72262 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -17,7 +17,7 @@ base64 = "0.12" bb8-postgres = "0.4.0" dotenv = "0.15.0" futures = "0.3.4" -http-signature-normalization-actix = { version = "0.3.0-alpha.2", default-features = false, features = ["sha-2"] } +http-signature-normalization-actix = { version = "0.3.0-alpha.3", default-features = false, features = ["sha-2"] } log = "0.4" lru = "0.4.3" pretty_env_logger = "0.4.0" diff --git a/src/error.rs b/src/error.rs index 36b8144..6f63b02 100644 --- a/src/error.rs +++ b/src/error.rs @@ -30,6 +30,9 @@ pub enum MyError { #[error("Couldn't decode base64")] Base64(#[from] base64::DecodeError), + #[error("Actor tried to submit another actor's payload")] + BadActor, + #[error("Invalid algorithm provided to verifier")] Algorithm, diff --git a/src/inbox.rs b/src/inbox.rs index 6b2c0fd..2018eba 100644 --- a/src/inbox.rs +++ b/src/inbox.rs @@ -15,6 +15,7 @@ use activitystreams::{ use actix::Addr; use actix_web::{client::Client, web, HttpResponse}; use futures::join; +use http_signature_normalization_actix::middleware::SignatureVerified; use log::error; pub async fn inbox( @@ -22,9 +23,19 @@ pub async fn inbox( state: web::Data, client: web::Data, input: web::Json, + verified: SignatureVerified, ) -> Result { let input = input.into_inner(); + if input.actor.as_str() != verified.key_id() { + error!( + "Request payload and requestor disagree on actor, {} != {}", + input.actor, + verified.key_id() + ); + return Err(MyError::BadActor); + } + let actor = fetch_actor( state.clone().into_inner(), client.clone().into_inner(),