From e6b9120bbf8e5e3eb9d5218ff5456f90db957e67 Mon Sep 17 00:00:00 2001
From: alemi
Date: Fri, 7 Jun 2024 19:05:37 +0200
Subject: [PATCH] fix: more appropriate http signature errors if we cant fetch from db its our fault (500), if we cant fetch your actor its your fault (4xx)
---
 upub/routes/src/auth.rs | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/upub/routes/src/auth.rs b/upub/routes/src/auth.rs
index 5fa7782..6bba80f 100644
--- a/upub/routes/src/auth.rs
+++ b/upub/routes/src/auth.rs
@@ -1,7 +1,7 @@
 use axum::{extract::{FromRef, FromRequestParts}, http::{header, request::Parts}};
 use sea_orm::{ColumnTrait, Condition, EntityTrait, QueryFilter};
 use httpsign::HttpSignature;
-use upub::traits::Fetcher;
+use upub::traits::{fetch::PullError, Fetcher};
 use crate::ApiError;
@@ -120,21 +120,26 @@ where
 .next().ok_or(ApiError::bad_request())?
 .to_string();
- let user = ctx.fetch_user(&user_id, ctx.db()).await?;
+ match ctx.fetch_user(&user_id, ctx.db()).await {
+ Err(PullError::Database(x)) => return Err(PullError::Database(x).into()),
+ Err(_) => tracing::debug!("could not fetch {user_id} to verify signature"),
+ Ok(user) => {
+ let valid = http_signature
+ .build_from_parts(parts)
+ .verify(&user.public_key)?;
- let valid = http_signature
- .build_from_parts(parts)
- .verify(&user.public_key)?;
+ if !valid {
+ tracing::warn!("refusing mismatching http signature");
+ return Err(ApiError::unauthorized());
+ }
- if !valid {
- tracing::warn!("refusing mismatching http signature");
- return Err(ApiError::unauthorized());
+ let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
+ .await?
+ .ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
+ identity = Identity::Remote { user: user.id, domain: user.domain, internal };
+ },
 }
- let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
- .await?
- .ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
- identity = Identity::Remote { user: user.id, domain: user.domain, internal };
 }
 Ok(AuthIdentity(identity))
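Review bot: The `Err(_)` arm near the top of the new `match` only logs at debug level and then falls through, so a request whose signing actor cannot be fetched reaches `Ok(AuthIdentity(identity))` with whatever `identity` held before the match, while a signature that fails verification is rejected with `ApiError::unauthorized()`. The commit message says this case should be a 4xx, but nothing in the hunk returns one; if the fall-through is deliberate (the initial value of `identity` is set outside the hunk, presumably unauthenticated), say so in a comment such as `// unverifiable signature: continue with the identity established above, never as Remote`, otherwise make it `Err(_) => return Err(ApiError::unauthorized()),`. Binding the error and logging it, e.g. `Err(e) => tracing::warn!("could not fetch {user_id} to verify signature: {e}"),` (assuming `PullError` implements `Display`), would also keep unverifiable signatures visible in normal logs. The enclosing function starts and ends outside the hunk.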