fix: make sure activity comes from httpsign author

2024-06-07 23:16:22 +02:00 · 2024-06-07 23:16:22 +02:00 · 746ba4bbee
commit 746ba4bbee
parent b7a8a6004f
1 changed files with 6 additions and 2 deletions
--- a/upub/routes/src/activitypub/inbox.rs
+++ b/upub/routes/src/activitypub/inbox.rs
@ -55,14 +55,18 @@ pub async fn post(
 		}
 		tracing::warn!("refusing unauthorized activity: {}", pretty_json!(activity));
 		if matches!(auth, Identity::Anonymous) {
-			return Ok(StatusCode::UNAUTHORIZED);
+			return Err(crate::ApiError::unauthorized());
 		} else {
-			return Ok(StatusCode::FORBIDDEN);
+			return Err(crate::ApiError::forbidden());
 		}
 	};

 	let aid = activity.id()?.to_string();

+	if activity.actor().id()? != uid {
+		return Err(crate::ApiError::forbidden());
+	}
+
 	if let Some(_internal) = upub::model::activity::Entity::ap_to_internal(&aid, ctx.db()).await? {
 		return Ok(StatusCode::OK); // already processed
 	}