fix: continue as anon if can't fetch user

This commit is contained in:
əlemi 2024-04-13 03:31:37 +02:00
parent c342b7c936
commit d60d29bf98
Signed by: alemi
GPG key ID: A4895B84D311642C

View file

@ -93,23 +93,24 @@ where
};
let user_id = unverified.key_id().replace("#main-key", "");
let user = ctx.fetch().user(&user_id).await?;
let pubkey = PKey::public_key_from_pem(user.public_key.as_bytes())?;
let valid = unverified.verify(|sig, to_sign| {
let mut verifier = Verifier::new(MessageDigest::sha256(), &pubkey).unwrap();
verifier.update(to_sign.as_bytes())?;
Ok(verifier.verify(&base64::prelude::BASE64_URL_SAFE.decode(sig).unwrap_or_default())?) as crate::Result<bool>
})?;
if let Ok(user) = ctx.fetch().user(&user_id).await {
let pubkey = PKey::public_key_from_pem(user.public_key.as_bytes())?;
let valid = unverified.verify(|sig, to_sign| {
let mut verifier = Verifier::new(MessageDigest::sha256(), &pubkey).unwrap();
verifier.update(to_sign.as_bytes())?;
Ok(verifier.verify(&base64::prelude::BASE64_URL_SAFE.decode(sig).unwrap_or_default())?) as crate::Result<bool>
})?;
if !valid {
return Err(UpubError::unauthorized());
if !valid {
return Err(UpubError::unauthorized());
}
// TODO assert payload's digest is equal to signature's
// TODO introduce hardened mode which identifies remotes by user and not server
identity = Identity::Remote(Context::server(&user_id));
}
// TODO assert payload's digest is equal to signature's
// TODO introduce hardened mode which identifies remotes by user and not server
identity = Identity::Remote(Context::server(&user_id));
}
Ok(AuthIdentity(identity))