forked from alemi/upub
fix: remove excessive instruments, check actor
before we were checking only for server match, now check whole uid match on inbox activities
This commit is contained in:
parent
6469dbe85e
commit
5a57fd69b9
2 changed files with 6 additions and 9 deletions
|
@ -1,4 +1,4 @@
|
||||||
use apb::{server::Inbox, Activity, ActivityType};
|
use apb::{server::Inbox, Activity, ActivityType, Base};
|
||||||
use axum::{extract::{Query, State}, http::StatusCode, Json};
|
use axum::{extract::{Query, State}, http::StatusCode, Json};
|
||||||
use sea_orm::{sea_query::IntoCondition, ColumnTrait};
|
use sea_orm::{sea_query::IntoCondition, ColumnTrait};
|
||||||
use upub::{server::auth::{AuthIdentity, Identity}, Context};
|
use upub::{server::auth::{AuthIdentity, Identity}, Context};
|
||||||
|
@ -38,13 +38,12 @@ macro_rules! pretty_json {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#[tracing::instrument(level = "info", skip(ctx), fields(activity = %activity))]
|
|
||||||
pub async fn post(
|
pub async fn post(
|
||||||
State(ctx): State<Context>,
|
State(ctx): State<Context>,
|
||||||
AuthIdentity(auth): AuthIdentity,
|
AuthIdentity(auth): AuthIdentity,
|
||||||
Json(activity): Json<serde_json::Value>
|
Json(activity): Json<serde_json::Value>
|
||||||
) -> upub::Result<()> {
|
) -> upub::Result<()> {
|
||||||
let Identity::Remote { domain: server, .. } = auth else {
|
let Identity::Remote { domain: server, user: uid, .. } = auth else {
|
||||||
if activity.activity_type() == Some(ActivityType::Delete) {
|
if activity.activity_type() == Some(ActivityType::Delete) {
|
||||||
// this is spammy af, ignore them!
|
// this is spammy af, ignore them!
|
||||||
// we basically received a delete for a user we can't fetch and verify, meaning remote
|
// we basically received a delete for a user we can't fetch and verify, meaning remote
|
||||||
|
@ -62,15 +61,14 @@ pub async fn post(
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
let Some(actor) = activity.actor().id() else {
|
let aid = activity.id().ok_or_else(|| upub::Error::field("id"))?.to_string();
|
||||||
return Err(upub::Error::bad_request());
|
let actor = activity.actor().id().ok_or_else(|| upub::Error::field("actor"))?;
|
||||||
};
|
|
||||||
|
|
||||||
if server != Context::server(&actor) {
|
if uid != actor {
|
||||||
return Err(upub::Error::unauthorized());
|
return Err(upub::Error::unauthorized());
|
||||||
}
|
}
|
||||||
|
|
||||||
tracing::debug!("processing federated activity: '{}'", serde_json::to_string(&activity).unwrap_or_default());
|
tracing::debug!("processing federated activity: '{:#}'", activity);
|
||||||
|
|
||||||
// TODO we could process Links and bare Objects maybe, but probably out of AP spec?
|
// TODO we could process Links and bare Objects maybe, but probably out of AP spec?
|
||||||
match activity.activity_type().ok_or_else(upub::Error::bad_request)? {
|
match activity.activity_type().ok_or_else(upub::Error::bad_request)? {
|
||||||
|
|
|
@ -37,7 +37,6 @@ pub async fn page(
|
||||||
.await
|
.await
|
||||||
}
|
}
|
||||||
|
|
||||||
#[tracing::instrument(level = "info", skip(ctx), fields(activity = %activity))]
|
|
||||||
pub async fn post(
|
pub async fn post(
|
||||||
State(ctx): State<Context>,
|
State(ctx): State<Context>,
|
||||||
Path(id): Path<String>,
|
Path(id): Path<String>,
|
||||||
|
|
Loading…
Reference in a new issue