alemi/upub
alemi/upub
1
0
Fork 1
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

fix: make sure activity comes from httpsign author

Browse source
This commit is contained in:
əlemi 2024-06-07 23:16:22 +02:00
parent b7a8a6004f
commit 746ba4bbee
Signed by: alemi
GPG key ID: A4895B84D311642C
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
upub/routes/src/activitypub/inbox.rs
View file

@ -55,14 +55,18 @@ pub async fn post(
} }
tracing::warn!("refusing unauthorized activity: {}", pretty_json!(activity)); tracing::warn!("refusing unauthorized activity: {}", pretty_json!(activity));
if matches!(auth, Identity::Anonymous) { if matches!(auth, Identity::Anonymous) {
return Ok(StatusCode::UNAUTHORIZED); return Err(crate::ApiError::unauthorized());
} else { } else {
return Ok(StatusCode::FORBIDDEN); return Err(crate::ApiError::forbidden());
} }
}; };
let aid = activity.id()?.to_string(); let aid = activity.id()?.to_string();
if activity.actor().id()? != uid {
return Err(crate::ApiError::forbidden());
}
if let Some(_internal) = upub::model::activity::Entity::ap_to_internal(&aid, ctx.db()).await? { if let Some(_internal) = upub::model::activity::Entity::ap_to_internal(&aid, ctx.db()).await? {
return Ok(StatusCode::OK); // already processed return Ok(StatusCode::OK); // already processed
} }