From 746ba4bbee2c122cb40f5297d4f3f07f81d72999 Mon Sep 17 00:00:00 2001
From: alemi <me@alemi.dev>
Date: Fri, 7 Jun 2024 23:16:22 +0200
Subject: [PATCH] fix: make sure activity comes from httpsign author

---
 upub/routes/src/activitypub/inbox.rs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/upub/routes/src/activitypub/inbox.rs b/upub/routes/src/activitypub/inbox.rs
index 2f5b4c9b..1f97be13 100644
--- a/upub/routes/src/activitypub/inbox.rs
+++ b/upub/routes/src/activitypub/inbox.rs
@@ -55,14 +55,18 @@ pub async fn post(
 		}
 		tracing::warn!("refusing unauthorized activity: {}", pretty_json!(activity));
 		if matches!(auth, Identity::Anonymous) {
-			return Ok(StatusCode::UNAUTHORIZED);
+			return Err(crate::ApiError::unauthorized());
 		} else {
-			return Ok(StatusCode::FORBIDDEN);
+			return Err(crate::ApiError::forbidden());
 		}
 	};
 
 	let aid = activity.id()?.to_string();
 
+	if activity.actor().id()? != uid {
+		return Err(crate::ApiError::forbidden());
+	}
+
 	if let Some(_internal) = upub::model::activity::Entity::ap_to_internal(&aid, ctx.db()).await? {
 		return Ok(StatusCode::OK); // already processed
 	}