forked from alemi/upub
fix: make sure activity comes from httpsign author
This commit is contained in:
parent
b7a8a6004f
commit
746ba4bbee
1 changed files with 6 additions and 2 deletions
|
@ -55,14 +55,18 @@ pub async fn post(
|
|||
}
|
||||
tracing::warn!("refusing unauthorized activity: {}", pretty_json!(activity));
|
||||
if matches!(auth, Identity::Anonymous) {
|
||||
return Ok(StatusCode::UNAUTHORIZED);
|
||||
return Err(crate::ApiError::unauthorized());
|
||||
} else {
|
||||
return Ok(StatusCode::FORBIDDEN);
|
||||
return Err(crate::ApiError::forbidden());
|
||||
}
|
||||
};
|
||||
|
||||
let aid = activity.id()?.to_string();
|
||||
|
||||
if activity.actor().id()? != uid {
|
||||
return Err(crate::ApiError::forbidden());
|
||||
}
|
||||
|
||||
if let Some(_internal) = upub::model::activity::Entity::ap_to_internal(&aid, ctx.db()).await? {
|
||||
return Ok(StatusCode::OK); // already processed
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue