From e5597399b625df478777bf5689db317f22af90a9 Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Fri, 10 Aug 2018 20:53:01 -0500
Subject: [PATCH] harden AP side a bit

---
 viera/actor.py           | 5 ++++-
 viera/http_signatures.py | 6 +++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/viera/actor.py b/viera/actor.py
index 42193e8..c1355cd 100644
--- a/viera/actor.py
+++ b/viera/actor.py
@@ -118,7 +118,10 @@ processors = {
 
 
 async def inbox(request):
-    data = await request.json()
+    data = await request.json(content_type=None)
+
+    if 'actor' not in data or not request['validated']:
+        raise aiohttp.web.HTTPUnauthorized(body='access denied', content_type='text/plain')
 
     actor = await fetch_actor(data["actor"])
     actor_uri = 'https://{}/actor'.format(request.host)
diff --git a/viera/http_signatures.py b/viera/http_signatures.py
index faf98f3..0cba6d7 100644
--- a/viera/http_signatures.py
+++ b/viera/http_signatures.py
@@ -91,14 +91,18 @@ async def validate(actor, request):
     h.update(sigstring.encode('ascii'))
     result = pkcs.verify(h, sigdata)
 
+    request['validated'] = result
+
     logging.debug('validates? %r', result)
     return result
 
 
 async def http_signatures_middleware(app, handler):
     async def http_signatures_handler(request):
+        request['validated'] = False
+
         if 'signature' in request.headers:
-            data = await request.json()
+            data = await request.json(content_type=None)
             if 'actor' not in data:
                 raise aiohttp.web.HTTPUnauthorized(body='signature check failed, no actor in message')