Add support for signature verification on pseudo header
Add support for the pseudo-header '(request-target)'. Add some logging for denied requests.
parent
0d6a2af851
commit
ba4695f490
@ -1,5 +1,5 @@
|
|||||||
use rocket::request::{self, FromRequest, Request};
|
use rocket::request::{self, FromRequest, Request};
|
||||||
use rocket::{http::HeaderMap, Outcome};
|
use rocket::{http::{Header, HeaderMap}, Outcome};
|
||||||
|
|
||||||
|
|
||||||
pub struct Headers<'r>(pub HeaderMap<'r>);
|
pub struct Headers<'r>(pub HeaderMap<'r>);
|
||||||
@ -12,6 +12,16 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers<'r> {
|
|||||||
for header in request.headers().clone().into_iter() {
|
for header in request.headers().clone().into_iter() {
|
||||||
headers.add(header);
|
headers.add(header);
|
||||||
}
|
}
|
||||||
|
let ori = request.uri();
|
||||||
|
let uri = if let Some(query) = ori.query() {
|
||||||
|
format!("{}?{}", ori.path(), query)
|
||||||
|
} else {
|
||||||
|
ori.path().to_owned()
|
||||||
|
};
|
||||||
|
headers.add(Header::new("(request-target)",
|
||||||
|
format!("{} {}",
|
||||||
|
request.method().as_str().to_lowercase(),
|
||||||
|
uri.to_lowercase())));
|
||||||
Outcome::Success(Headers(headers))
|
Outcome::Success(Headers(headers))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
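Review bot: `uri.to_lowercase()` on the line that builds the `(request-target)` value lowercases the path and query as well as the method, so a request whose signed path or query contains uppercase characters (a mixed-case username, for instance) is checked against a different string than the one the sender signed and is rejected. The pseudo-header is defined as the lowercased method followed by the request target as sent, so only the method needs lowercasing: `format!("{} {}", request.method().as_str().to_lowercase(), uri)`. Because `headers.add` appends, a client-supplied header literally named `(request-target)` would sit alongside the synthesised one, and which value the verifier reads then depends on its lookup; it is safer to drop any incoming header of that name before adding yours. The `headers` map and the enclosing `from_request` body start outside the hunk.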
@ -200,8 +200,9 @@ fn shared_inbox(conn: DbConn, data: String, headers: Headers) -> String {
|
|||||||
.unwrap_or_else(|| activity["actor"]["id"].as_str().expect("No actor ID for incoming activity, blocks by panicking"));
|
.unwrap_or_else(|| activity["actor"]["id"].as_str().expect("No actor ID for incoming activity, blocks by panicking"));
|
||||||
|
|
||||||
let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
|
let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
|
||||||
if !verify_http_headers(&actor, headers.0, data).is_secure() &&
|
if !verify_http_headers(&actor, headers.0.clone(), data).is_secure() &&
|
||||||
!act.clone().verify(&actor) {
|
!act.clone().verify(&actor) {
|
||||||
|
println!("Rejected invalid activity supposedly from {}, with headers {:?}", actor.username, headers.0);
|
||||||
return "invalid signature".to_owned();
|
return "invalid signature".to_owned();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
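Review bot: The new `println!` in the rejection branch prints the entire incoming header map with `{:?}`, which copies whatever the client sent — Cookie or Authorization headers if present, and the Signature header itself — to stdout with no log level or filtering. Logging only what verification needs keeps the diagnostic useful without that, e.g. `println!("Rejected invalid activity supposedly from {}, signature header {:?}", actor.username, headers.0.get_one("Signature"));`. The same line is added to `inbox` in the hunk at line 306 and the same change applies there. The `headers.0.clone()` exists only to keep the map alive for this log line; if the log is narrowed to the signature header, that single value can be taken before the verify call and the full-map clone dropped. `shared_inbox` starts outside the hunk.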
@ -306,8 +306,9 @@ fn inbox(name: String, conn: DbConn, data: String, headers: Headers) -> String {
|
|||||||
.unwrap_or_else(|| activity["actor"]["id"].as_str().expect("User: No actor ID for incoming activity, blocks by panicking"));
|
.unwrap_or_else(|| activity["actor"]["id"].as_str().expect("User: No actor ID for incoming activity, blocks by panicking"));
|
||||||
|
|
||||||
let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
|
let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
|
||||||
if !verify_http_headers(&actor, headers.0, data).is_secure() &&
|
if !verify_http_headers(&actor, headers.0.clone(), data).is_secure() &&
|
||||||
!act.clone().verify(&actor) {
|
!act.clone().verify(&actor) {
|
||||||
|
println!("Rejected invalid activity supposedly from {}, with headers {:?}", actor.username, headers.0);
|
||||||
return "invalid signature".to_owned();
|
return "invalid signature".to_owned();
|
||||||
}
|
}
|
||||||
|
|
||||||
|