fix: http signatures errors are 500, not 401
if user provides an http signature and we fail to verify, bail out! if our db didn't give us the local user its unlikely that we will be able to serve anything anyway, just give up
This commit is contained in:
parent
6b24db86f2
commit
d93e4f091b
GPG key ID:
A4895B84D311642C
1 changed files with 14 additions and 15 deletions
|
|
@ -120,22 +120,21 @@ where
|
||||||
.next().ok_or(ApiError::bad_request())?
|
.next().ok_or(ApiError::bad_request())?
|
||||||
.to_string();
|
.to_string();
|
||||||
|
|
||||||
match ctx.fetch_user(&user_id, ctx.db()).await {
|
let user = ctx.fetch_user(&user_id, ctx.db()).await?;
|
||||||
Err(e) => tracing::warn!("failed resolving http signature actor: {e}"),
|
|
||||||
Ok(user) => match http_signature
|
let valid = http_signature
|
||||||
.build_from_parts(parts)
|
.build_from_parts(parts)
|
||||||
.verify(&user.public_key)
|
.verify(&user.public_key)?;
|
||||||
{
|
|
||||||
Ok(true) => {
|
if !valid {
|
||||||
|
tracing::warn!("refusing mismatching http signature");
|
||||||
|
return Err(ApiError::unauthorized());
|
||||||
|
}
|
||||||
|
|
||||||
let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
|
let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
|
||||||
.await?
|
.await?
|
||||||
.ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
|
.ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
|
||||||
identity = Identity::Remote { user: user.id, domain: user.domain, internal };
|
identity = Identity::Remote { user: user.id, domain: user.domain, internal };
|
||||||
},
|
|
||||||
Ok(false) => tracing::warn!("invalid signature: {http_signature:?}"),
|
|
||||||
Err(e) => tracing::error!("error verifying signature: {e}"),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(AuthIdentity(identity))
|
Ok(AuthIdentity(identity))
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue