harden AP side a bit
parent
6d234563e5
commit
e5597399b6
|
@ -118,7 +118,10 @@ processors = {
|
|||
|
||||
|
||||
async def inbox(request):
|
||||
data = await request.json()
|
||||
data = await request.json(content_type=None)
|
||||
|
||||
if 'actor' not in data or not request['validated']:
|
||||
raise aiohttp.web.HTTPUnauthorized(body='access denied', content_type='text/plain')
|
||||
|
||||
actor = await fetch_actor(data["actor"])
|
||||
actor_uri = 'https://{}/actor'.format(request.host)
|
||||
|
|
|
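Review bot: `request.json(content_type=None)` in `inbox` looks like it will fail at call time: in aiohttp, `content_type` is a parameter of the client-side `ClientResponse.json()`, while the server-side `Request.json()` takes only `loads` and never checks the Content-Type header. If that holds for the aiohttp version this project pins, every inbox POST raises `TypeError` and returns a 500, so the line should stay `data = await request.json()`; the same call is introduced in `http_signatures_handler` in the other file section. Separately, `'actor' not in data` assumes the body parsed to a JSON object; a body of `null` or a number makes the membership test raise, so `if not isinstance(data, dict) or 'actor' not in data or not request['validated']:` would reject those with the intended 401. `inbox` continues past the end of this hunk.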
@ -91,14 +91,18 @@ async def validate(actor, request):
|
|||
h.update(sigstring.encode('ascii'))
|
||||
result = pkcs.verify(h, sigdata)
|
||||
|
||||
request['validated'] = result
|
||||
|
||||
logging.debug('validates? %r', result)
|
||||
return result
|
||||
|
||||
|
||||
async def http_signatures_middleware(app, handler):
|
||||
async def http_signatures_handler(request):
|
||||
request['validated'] = False
|
||||
|
||||
if 'signature' in request.headers:
|
||||
data = await request.json()
|
||||
data = await request.json(content_type=None)
|
||||
if 'actor' not in data:
|
||||
raise aiohttp.web.HTTPUnauthorized(body='signature check failed, no actor in message')
|
||||
|
||||
|
|
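Review bot: `request['validated'] = result` records only that the signature over `sigstring` verified, and nothing in the visible lines ties the JSON body to that signature. `inbox` now trusts `data['actor']` from the body whenever the flag is true, so unless the part of `validate` above this hunk requires a signed `Digest` header and compares it with a hash of the body, a validly signed header set could accompany a different body. Please confirm that check exists, or add it before the flag is set. It would also help to document the contract at the default, e.g. `# set by validate(); handlers must refuse the request while this is False`. Both `validate` and `http_signatures_handler` extend beyond the hunk.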