fix: make sure activity comes from httpsign author

This commit is contained in:
əlemi 2024-06-07 23:16:22 +02:00
parent b7a8a6004f
commit 746ba4bbee
Signed by: alemi
GPG key ID: A4895B84D311642C

View file

@ -55,14 +55,18 @@ pub async fn post(
}
tracing::warn!("refusing unauthorized activity: {}", pretty_json!(activity));
if matches!(auth, Identity::Anonymous) {
return Ok(StatusCode::UNAUTHORIZED);
return Err(crate::ApiError::unauthorized());
} else {
return Ok(StatusCode::FORBIDDEN);
return Err(crate::ApiError::forbidden());
}
};
let aid = activity.id()?.to_string();
if activity.actor().id()? != uid {
return Err(crate::ApiError::forbidden());
}
if let Some(_internal) = upub::model::activity::Entity::ap_to_internal(&aid, ctx.db()).await? {
return Ok(StatusCode::OK); // already processed
}