fix: more appropriate http signature errors
if we can't fetch from the db it's our fault (500); if we can't fetch your actor it's your fault (4xx)
parent
1814d7b187
commit
e6b9120bbf
1 changed files with 17 additions and 12 deletions
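--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,7 +1,7 @@
 use axum::{extract::{FromRef, FromRequestParts}, http::{header, request::Parts}};
 use sea_orm::{ColumnTrait, Condition, EntityTrait, QueryFilter};
 use httpsign::HttpSignature;
-use upub::traits::Fetcher;
+use upub::traits::{fetch::PullError, Fetcher};
 
 use crate::ApiError;
 
@@ -120,21 +120,26 @@ where
 .next().ok_or(ApiError::bad_request())?
 .to_string();
 
-let user = ctx.fetch_user(&user_id, ctx.db()).await?;
+match ctx.fetch_user(&user_id, ctx.db()).await {
+Err(PullError::Database(x)) => return Err(PullError::Database(x).into()),
+Err(_) => tracing::debug!("could not fetch {user_id} to verify signature"),
+Ok(user) => {
+let valid = http_signature
+.build_from_parts(parts)
+.verify(&user.public_key)?;
 
-let valid = http_signature
-.build_from_parts(parts)
-.verify(&user.public_key)?;
+if !valid {
+tracing::warn!("refusing mismatching http signature");
+return Err(ApiError::unauthorized());
+}
 
-if !valid {
-tracing::warn!("refusing mismatching http signature");
-return Err(ApiError::unauthorized());
+let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
+.await?
+.ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
+identity = Identity::Remote { user: user.id, domain: user.domain, internal };
+},
 }
 
-let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
-.await?
-.ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
-identity = Identity::Remote { user: user.id, domain: user.domain, internal };
 }
 
 Ok(AuthIdentity(identity))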
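Review bot: The `Err(_)` arm of the new `match` in the second hunk does not return the 4xx the commit message promises — it logs at debug level and falls through, so a request that carries a Signature header for an actor that cannot be fetched continues with whatever `identity` was assigned earlier in the function (outside the hunk, presumably an anonymous identity) and reaches `Ok(AuthIdentity(identity))`. That silently downgrades an unverifiable signature to an unsigned request, and at debug level the event will not be visible in normal logs. If the stated intent is the real one, the arm should be `Err(_) => { tracing::warn!("could not fetch {user_id} to verify signature"); return Err(ApiError::unauthorized()); }`; if degrading to anonymous is deliberate, a one-line comment stating that and a warn-level log would keep the next reader from taking it for an oversight. As a smaller point, `Err(PullError::Database(x)) => return Err(PullError::Database(x).into())` rebuilds the value it just destructured; `Err(e @ PullError::Database(_)) => return Err(e.into())` expresses the same thing. The enclosing function begins before the hunk, so the initial value of `identity` is not visible here.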