From 426669d870667635545ff8894250c41725a2dfc4 Mon Sep 17 00:00:00 2001
From: Thomas Sileo <t@a4.io>
Date: Thu, 14 Jul 2022 19:43:02 +0200
Subject: [PATCH] Tweak HTTPsig

---
 app/activitypub.py | 8 ++++++--
 app/httpsig.py     | 4 +++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/app/activitypub.py b/app/activitypub.py
index 7851368..11a1989 100644
--- a/app/activitypub.py
+++ b/app/activitypub.py
@@ -107,7 +107,11 @@ class NotAnObjectError(Exception):
         self.resp = resp
 
 
-async def fetch(url: str, params: dict[str, Any] | None = None) -> RawObject:
+async def fetch(
+    url: str,
+    params: dict[str, Any] | None = None,
+    disable_httpsig: bool = False,
+) -> RawObject:
     async with httpx.AsyncClient() as client:
         resp = await client.get(
             url,
@@ -117,7 +121,7 @@ async def fetch(url: str, params: dict[str, Any] | None = None) -> RawObject:
             },
             params=params,
             follow_redirects=True,
-            auth=auth,
+            auth=None if disable_httpsig else auth,
         )
 
     # Special handling for deleted object
diff --git a/app/httpsig.py b/app/httpsig.py
index 8ec267e..f48bd2e 100644
--- a/app/httpsig.py
+++ b/app/httpsig.py
@@ -90,7 +90,9 @@ async def _get_public_key(db_session: AsyncSession, key_id: str) -> Key:
     # Fetch it
     from app import activitypub as ap
 
-    actor = await ap.fetch(key_id)
+    # Without signing the request as if it's the first contact, the 2 servers
+    # might race to fetch each other key
+    actor = await ap.fetch(key_id, disable_httpsig=True)
     if actor["type"] == "Key":
         # The Key is not embedded in the Person
         k = Key(actor["owner"], actor["id"])