harden AP side a bit

2024-11-21 22:17:59 +00:00 · 2018-08-10 20:53:01 -05:00 · 2018-08-10 20:53:01 -05:00 · e5597399b6
parent 6d234563e5
commit e5597399b6
2 changed files with 9 additions and 2 deletions
--- a/viera/actor.py
+++ b/viera/actor.py
@ -118,7 +118,10 @@ processors = {


 async def inbox(request):
-    data = await request.json()
+    data = await request.json(content_type=None)
+
+    if 'actor' not in data or not request['validated']:
+        raise aiohttp.web.HTTPUnauthorized(body='access denied', content_type='text/plain')

    actor = await fetch_actor(data["actor"])
    actor_uri = 'https://{}/actor'.format(request.host)
--- a/viera/http_signatures.py
+++ b/viera/http_signatures.py
@ -91,14 +91,18 @@ async def validate(actor, request):
    h.update(sigstring.encode('ascii'))
    result = pkcs.verify(h, sigdata)

+    request['validated'] = result
+
    logging.debug('validates? %r', result)
    return result


 async def http_signatures_middleware(app, handler):
    async def http_signatures_handler(request):
+        request['validated'] = False
+
        if 'signature' in request.headers:
-            data = await request.json()
+            data = await request.json(content_type=None)
            if 'actor' not in data:
                raise aiohttp.web.HTTPUnauthorized(body='signature check failed, no actor in message')