diff --git a/src/server/auth.rs b/src/server/auth.rs
index 621122af..a86475f1 100644
--- a/src/server/auth.rs
+++ b/src/server/auth.rs
@@ -93,23 +93,24 @@ where
 };
 let user_id = unverified.key_id().replace("#main-key", "");
- let user = ctx.fetch().user(&user_id).await?;
- let pubkey = PKey::public_key_from_pem(user.public_key.as_bytes())?;
-
- let valid = unverified.verify(|sig, to_sign| {
- let mut verifier = Verifier::new(MessageDigest::sha256(), &pubkey).unwrap();
- verifier.update(to_sign.as_bytes())?;
- Ok(verifier.verify(&base64::prelude::BASE64_URL_SAFE.decode(sig).unwrap_or_default())?) as crate::Result
- })?;
+ if let Ok(user) = ctx.fetch().user(&user_id).await {
+ let pubkey = PKey::public_key_from_pem(user.public_key.as_bytes())?;
+
+ let valid = unverified.verify(|sig, to_sign| {
+ let mut verifier = Verifier::new(MessageDigest::sha256(), &pubkey).unwrap();
+ verifier.update(to_sign.as_bytes())?;
+ Ok(verifier.verify(&base64::prelude::BASE64_URL_SAFE.decode(sig).unwrap_or_default())?) as crate::Result
+ })?;
- if !valid {
- return Err(UpubError::unauthorized());
+ if !valid {
+ return Err(UpubError::unauthorized());
+ }
+
+ // TODO assert payload's digest is equal to signature's
+
+ // TODO introduce hardened mode which identifies remotes by user and not server
+ identity = Identity::Remote(Context::server(&user_id));
 }
-
- // TODO assert payload's digest is equal to signature's
-
- // TODO introduce hardened mode which identifies remotes by user and not server
- identity = Identity::Remote(Context::server(&user_id));
 }
 Ok(AuthIdentity(identity))
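Review bot: When `ctx.fetch().user(&user_id).await` fails, the new `if let Ok(user)` skips signature verification and discards the error, so a signed request whose key cannot be fetched now proceeds with whatever `identity` held before this block instead of being rejected as it was with `?`. `identity` is initialised outside the hunk, so this is only safe if that initial value is the unauthenticated one and nothing downstream treats the mere presence of a signature header as authentication. I would add an `else` branch that logs the fetch error, and state the intent with a comment such as `// key fetch failed: signature not verified, request continues unauthenticated`. Separately, `Verifier::new(MessageDigest::sha256(), &pubkey).unwrap()` runs on a key supplied by the remote actor and may panic if the key type does not accept a digest; `Verifier::new(MessageDigest::sha256(), &pubkey)?` would return an error instead, as the `update` call on the next line already does. The enclosing function begins and ends outside the hunk.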