fix: continue as anon if can't fetch user
parent
c342b7c936
commit
d60d29bf98
1 changed files with 16 additions and 15 deletions
|
@ -93,23 +93,24 @@ where
|
||||||
};
|
};
|
||||||
|
|
||||||
let user_id = unverified.key_id().replace("#main-key", "");
|
let user_id = unverified.key_id().replace("#main-key", "");
|
||||||
let user = ctx.fetch().user(&user_id).await?;
|
if let Ok(user) = ctx.fetch().user(&user_id).await {
|
||||||
let pubkey = PKey::public_key_from_pem(user.public_key.as_bytes())?;
|
let pubkey = PKey::public_key_from_pem(user.public_key.as_bytes())?;
|
||||||
|
|
||||||
let valid = unverified.verify(|sig, to_sign| {
|
let valid = unverified.verify(|sig, to_sign| {
|
||||||
let mut verifier = Verifier::new(MessageDigest::sha256(), &pubkey).unwrap();
|
let mut verifier = Verifier::new(MessageDigest::sha256(), &pubkey).unwrap();
|
||||||
verifier.update(to_sign.as_bytes())?;
|
verifier.update(to_sign.as_bytes())?;
|
||||||
Ok(verifier.verify(&base64::prelude::BASE64_URL_SAFE.decode(sig).unwrap_or_default())?) as crate::Result<bool>
|
Ok(verifier.verify(&base64::prelude::BASE64_URL_SAFE.decode(sig).unwrap_or_default())?) as crate::Result<bool>
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
if !valid {
|
if !valid {
|
||||||
return Err(UpubError::unauthorized());
|
return Err(UpubError::unauthorized());
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO assert payload's digest is equal to signature's
|
||||||
|
|
||||||
|
// TODO introduce hardened mode which identifies remotes by user and not server
|
||||||
|
identity = Identity::Remote(Context::server(&user_id));
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO assert payload's digest is equal to signature's
|
|
||||||
|
|
||||||
// TODO introduce hardened mode which identifies remotes by user and not server
|
|
||||||
identity = Identity::Remote(Context::server(&user_id));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(AuthIdentity(identity))
|
Ok(AuthIdentity(identity))
|
||||||
|
|
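Review bot: With `if let Ok(user) = ctx.fetch().user(&user_id).await`, a request that carries a signature whose key owner cannot be fetched is now handled like an unsigned one, and the fetch error is dropped without a trace. That is only safe if every handler that needs a verified remote rejects the fallback identity, which is assigned outside this hunk, so it is worth confirming for endpoints that accept federated writes; otherwise an unverifiable signature degrades to the anonymous path instead of a rejection. I would keep the error by switching to a `match` and logging it in the `Err(e)` arm with the crate's logger, and add a comment above the branch such as `// signed but key owner unreachable: keep the unverified identity, never Identity::Remote`. There is also an asymmetry to document or resolve: a fetched but malformed key still aborts the request through `?` on `PKey::public_key_from_pem`, while an unreachable user does not. The enclosing function begins before the hunk, so the initial value of `identity` could not be checked here.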