Even if we have the specified keyid in the DB, check AP actor header if present

Previously, when verifying an HTTP signature and we find out we have the
provided keyid in the DB, and this key is a personal key, we would just grab
the key owner from the DB and ignore the ActivityPub-Actor header.

This patch adds a check: If we find the key in the DB and it's a personal key,
do grab the owner from that DB row, but also check the actor header: If it's
provided, it has to be identical to the key owner ID URI.
fr33domlover 2019-02-17 00:32:38 +00:00
parent fa5c509a25
commit 69e807214d

@ -699,7 +699,13 @@ instance YesodHttpSig App where
Just (Entity vkid vk, mremote) -> do Just (Entity vkid vk, mremote) -> do
(ua, s) <- (ua, s) <-
case mremote of case mremote of
Just remote -> return (remoteSharerIdent remote, False) Just remote -> do
let sharer = remoteSharerIdent remote
for_ muActorHeader $ \ u ->
if sharer == u
then return ()
else throwE "Key's owner doesn't match actor header"
return (sharer, False)
Nothing -> Nothing ->
case muActorHeader of case muActorHeader of
Nothing -> throwE "Got a sig with an instance key, but actor header not specified!" Nothing -> throwE "Got a sig with an instance key, but actor header not specified!"
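
Review bot: In the `Just remote` branch the new comparison sits inside `for_ muActorHeader`, so it runs only when the actor header is present, and a request signed with a personal key and no header is still accepted on the DB owner alone. The commit message says this is intended, but the code does not, so a short comment above the `for_` stating that an absent header is deliberately allowed for personal keys would keep a later reader from taking it for an oversight. The `if sharer == u then return () else throwE ...` form can also be shortened to `unless (sharer == u) $ throwE "Key's owner doesn't match actor header"`. The bare `False` in `return (sharer, False)` would be easier to follow with a note on what the flag means.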