forked from alemi/upub
fix: remove excessive instruments, check actor
before we were checking only for server match, now check whole uid match on inbox activities
This commit is contained in:
parent
6469dbe85e
commit
5a57fd69b9
2 changed files with 6 additions and 9 deletions
|
@ -1,4 +1,4 @@
|
|||
use apb::{server::Inbox, Activity, ActivityType};
|
||||
use apb::{server::Inbox, Activity, ActivityType, Base};
|
||||
use axum::{extract::{Query, State}, http::StatusCode, Json};
|
||||
use sea_orm::{sea_query::IntoCondition, ColumnTrait};
|
||||
use upub::{server::auth::{AuthIdentity, Identity}, Context};
|
||||
|
@ -38,13 +38,12 @@ macro_rules! pretty_json {
|
|||
}
|
||||
|
||||
|
||||
#[tracing::instrument(level = "info", skip(ctx), fields(activity = %activity))]
|
||||
pub async fn post(
|
||||
State(ctx): State<Context>,
|
||||
AuthIdentity(auth): AuthIdentity,
|
||||
Json(activity): Json<serde_json::Value>
|
||||
) -> upub::Result<()> {
|
||||
let Identity::Remote { domain: server, .. } = auth else {
|
||||
let Identity::Remote { domain: server, user: uid, .. } = auth else {
|
||||
if activity.activity_type() == Some(ActivityType::Delete) {
|
||||
// this is spammy af, ignore them!
|
||||
// we basically received a delete for a user we can't fetch and verify, meaning remote
|
||||
|
@ -62,15 +61,14 @@ pub async fn post(
|
|||
}
|
||||
};
|
||||
|
||||
let Some(actor) = activity.actor().id() else {
|
||||
return Err(upub::Error::bad_request());
|
||||
};
|
||||
let aid = activity.id().ok_or_else(|| upub::Error::field("id"))?.to_string();
|
||||
let actor = activity.actor().id().ok_or_else(|| upub::Error::field("actor"))?;
|
||||
|
||||
if server != Context::server(&actor) {
|
||||
if uid != actor {
|
||||
return Err(upub::Error::unauthorized());
|
||||
}
|
||||
|
||||
tracing::debug!("processing federated activity: '{}'", serde_json::to_string(&activity).unwrap_or_default());
|
||||
tracing::debug!("processing federated activity: '{:#}'", activity);
|
||||
|
||||
// TODO we could process Links and bare Objects maybe, but probably out of AP spec?
|
||||
match activity.activity_type().ok_or_else(upub::Error::bad_request)? {
|
||||
|
|
|
@ -37,7 +37,6 @@ pub async fn page(
|
|||
.await
|
||||
}
|
||||
|
||||
#[tracing::instrument(level = "info", skip(ctx), fields(activity = %activity))]
|
||||
pub async fn post(
|
||||
State(ctx): State<Context>,
|
||||
Path(id): Path<String>,
|
||||
|
|
Loading…
Reference in a new issue