[backend] Improved http signature verification checks

This fixes an edge case where federation with split domain instances could fail.
This commit is contained in:
Laura Hausmann 2023-10-21 22:39:03 +02:00
parent 1f53affd76
commit 04fa6bef15
No known key found for this signature in database
GPG key ID: D044E84C5BE01605

View file

@ -81,8 +81,13 @@ export async function checkFetch(req: IncomingMessage): Promise<number> {
return 403; return 403;
} }
// もう一回チェック // Cannot authenticate against local user
if (authUser.user.host !== host) { if (authUser.user.uri === null || authUser.user.host === null) {
return 400;
}
// Check if keyId hostname matches actor hostname
if (toPuny(new URL(authUser.user.uri).hostname) !== host) {
return 403; return 403;
} }