forked from alemi/upub
fix: http signatures errors are 500, not 401
if user provides an http signature and we fail to verify, bail out! if our db didn't give us the local user its unlikely that we will be able to serve anything anyway, just give up
This commit is contained in:
parent
6b24db86f2
commit
d93e4f091b
1 changed files with 14 additions and 15 deletions
|
@ -120,22 +120,21 @@ where
|
||||||
.next().ok_or(ApiError::bad_request())?
|
.next().ok_or(ApiError::bad_request())?
|
||||||
.to_string();
|
.to_string();
|
||||||
|
|
||||||
match ctx.fetch_user(&user_id, ctx.db()).await {
|
let user = ctx.fetch_user(&user_id, ctx.db()).await?;
|
||||||
Err(e) => tracing::warn!("failed resolving http signature actor: {e}"),
|
|
||||||
Ok(user) => match http_signature
|
let valid = http_signature
|
||||||
.build_from_parts(parts)
|
.build_from_parts(parts)
|
||||||
.verify(&user.public_key)
|
.verify(&user.public_key)?;
|
||||||
{
|
|
||||||
Ok(true) => {
|
if !valid {
|
||||||
let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
|
tracing::warn!("refusing mismatching http signature");
|
||||||
.await?
|
return Err(ApiError::unauthorized());
|
||||||
.ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
|
|
||||||
identity = Identity::Remote { user: user.id, domain: user.domain, internal };
|
|
||||||
},
|
|
||||||
Ok(false) => tracing::warn!("invalid signature: {http_signature:?}"),
|
|
||||||
Err(e) => tracing::error!("error verifying signature: {e}"),
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
|
||||||
|
.await?
|
||||||
|
.ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
|
||||||
|
identity = Identity::Remote { user: user.id, domain: user.domain, internal };
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(AuthIdentity(identity))
|
Ok(AuthIdentity(identity))
|
||||||
|
|
Loading…
Reference in a new issue