diff --git a/upub/routes/src/activitypub/inbox.rs b/upub/routes/src/activitypub/inbox.rs
index 2f5b4c9b..1f97be13 100644
--- a/upub/routes/src/activitypub/inbox.rs
+++ b/upub/routes/src/activitypub/inbox.rs
@@ -55,14 +55,18 @@ pub async fn post(
         }
         tracing::warn!("refusing unauthorized activity: {}", pretty_json!(activity));
         if matches!(auth, Identity::Anonymous) {
-            return Ok(StatusCode::UNAUTHORIZED);
+            return Err(crate::ApiError::unauthorized());
         } else {
-            return Ok(StatusCode::FORBIDDEN);
+            return Err(crate::ApiError::forbidden());
         }
     };
 
     let aid = activity.id()?.to_string();
 
+    if activity.actor().id()? != uid {
+        return Err(crate::ApiError::forbidden());
+    }
+
     if let Some(_internal) = upub::model::activity::Entity::ap_to_internal(&aid, ctx.db()).await? {
         return Ok(StatusCode::OK); // already processed
     }
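Review bot: The new signer/actor mismatch check at `if activity.actor().id()? != uid` returns `forbidden()` silently, whereas the refusal branch just above it records the rejected activity with `tracing::warn!` before returning; an activity whose claimed actor differs from the identity the request was authenticated as is exactly the event an operator wants in the logs, so add `tracing::warn!("refusing activity from {} signed by unrelated identity {}", activity.actor().id()?, uid);` before that return. Separately, `activity.actor().id()?` propagates whatever error a missing or malformed `actor` field yields through `?`, so such activities are rejected with that error's status rather than an explicit 403 — presumably a 400-class `ApiError`, worth confirming. `post` begins and ends outside this hunk, so where `uid` is derived from `auth` is not visible here; the comparison is an exact string match, which is the safe direction for spoofing but will reject a legitimate sender whose actor id is not in the same canonical form as `uid`.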