forked from alemi/upub
fix: continue as anon if can't fetch user
This commit is contained in:
parent
c342b7c936
commit
d60d29bf98
1 changed files with 16 additions and 15 deletions
|
@ -93,23 +93,24 @@ where
|
|||
};
|
||||
|
||||
let user_id = unverified.key_id().replace("#main-key", "");
|
||||
let user = ctx.fetch().user(&user_id).await?;
|
||||
let pubkey = PKey::public_key_from_pem(user.public_key.as_bytes())?;
|
||||
|
||||
let valid = unverified.verify(|sig, to_sign| {
|
||||
let mut verifier = Verifier::new(MessageDigest::sha256(), &pubkey).unwrap();
|
||||
verifier.update(to_sign.as_bytes())?;
|
||||
Ok(verifier.verify(&base64::prelude::BASE64_URL_SAFE.decode(sig).unwrap_or_default())?) as crate::Result<bool>
|
||||
})?;
|
||||
if let Ok(user) = ctx.fetch().user(&user_id).await {
|
||||
let pubkey = PKey::public_key_from_pem(user.public_key.as_bytes())?;
|
||||
|
||||
let valid = unverified.verify(|sig, to_sign| {
|
||||
let mut verifier = Verifier::new(MessageDigest::sha256(), &pubkey).unwrap();
|
||||
verifier.update(to_sign.as_bytes())?;
|
||||
Ok(verifier.verify(&base64::prelude::BASE64_URL_SAFE.decode(sig).unwrap_or_default())?) as crate::Result<bool>
|
||||
})?;
|
||||
|
||||
if !valid {
|
||||
return Err(UpubError::unauthorized());
|
||||
if !valid {
|
||||
return Err(UpubError::unauthorized());
|
||||
}
|
||||
|
||||
// TODO assert payload's digest is equal to signature's
|
||||
|
||||
// TODO introduce hardened mode which identifies remotes by user and not server
|
||||
identity = Identity::Remote(Context::server(&user_id));
|
||||
}
|
||||
|
||||
// TODO assert payload's digest is equal to signature's
|
||||
|
||||
// TODO introduce hardened mode which identifies remotes by user and not server
|
||||
identity = Identity::Remote(Context::server(&user_id));
|
||||
}
|
||||
|
||||
Ok(AuthIdentity(identity))
|
||||
|
|
Loading…
Reference in a new issue