forked from alemi/upub
fix: make sure activity comes from httpsign author
This commit is contained in:
parent
b7a8a6004f
commit
746ba4bbee
1 changed files with 6 additions and 2 deletions
|
@ -55,14 +55,18 @@ pub async fn post(
|
||||||
}
|
}
|
||||||
tracing::warn!("refusing unauthorized activity: {}", pretty_json!(activity));
|
tracing::warn!("refusing unauthorized activity: {}", pretty_json!(activity));
|
||||||
if matches!(auth, Identity::Anonymous) {
|
if matches!(auth, Identity::Anonymous) {
|
||||||
return Ok(StatusCode::UNAUTHORIZED);
|
return Err(crate::ApiError::unauthorized());
|
||||||
} else {
|
} else {
|
||||||
return Ok(StatusCode::FORBIDDEN);
|
return Err(crate::ApiError::forbidden());
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
let aid = activity.id()?.to_string();
|
let aid = activity.id()?.to_string();
|
||||||
|
|
||||||
|
if activity.actor().id()? != uid {
|
||||||
|
return Err(crate::ApiError::forbidden());
|
||||||
|
}
|
||||||
|
|
||||||
if let Some(_internal) = upub::model::activity::Entity::ap_to_internal(&aid, ctx.db()).await? {
|
if let Some(_internal) = upub::model::activity::Entity::ap_to_internal(&aid, ctx.db()).await? {
|
||||||
return Ok(StatusCode::OK); // already processed
|
return Ok(StatusCode::OK); // already processed
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue