Improve the request verification checking

This commit is contained in:
Thomas Sileo 2018-05-21 14:41:47 +02:00
parent dc9df98084
commit 67643482c8
2 changed files with 12 additions and 9 deletions

11
app.py
View file

@ -178,6 +178,7 @@ def login_required(f):
return f(*args, **kwargs) return f(*args, **kwargs)
return decorated_function return decorated_function
def _api_required(): def _api_required():
if session.get('logged_in'): if session.get('logged_in'):
return return
@ -189,6 +190,8 @@ def _api_required():
# Will raise a BadSignature on bad auth # Will raise a BadSignature on bad auth
payload = JWT.loads(token) payload = JWT.loads(token)
def api_required(f): def api_required(f):
@wraps(f) @wraps(f)
def decorated_function(*args, **kwargs): def decorated_function(*args, **kwargs):
@ -672,12 +675,16 @@ def inbox():
)) ))
data = request.get_json(force=True) data = request.get_json(force=True)
# FIXME(tsileo): ensure verify_request() == True
print(data) print(data)
try: try:
print(verify_request(ACTOR_SERVICE)) print(verify_request(ACTOR_SERVICE))
except Exception: except Exception:
print('failed to verify request') print('failed to verify request, trying to verify the payload by fetching the remote')
try:
data = OBJECT_SERVICE.get(data['id'])
except Exception:
print(f'failed to fetch remote id at {data["id"]}')
abort(422)
activity = activitypub.parse_activity(data) activity = activitypub.parse_activity(data)
print(activity) print(activity)

View file

@ -77,11 +77,7 @@ class HTTPSigAuth(AuthBase):
sig = base64.b64encode(signer.sign(digest)) sig = base64.b64encode(signer.sign(digest))
sig = sig.decode('utf-8') sig = sig.decode('utf-8')
headers = { headers = {
'Signature': 'keyId="{keyid}",algorithm="rsa-sha256",headers="{headers}",signature="{signature}"'.format( 'Signature': f'keyId="{self.keyid}",algorithm="rsa-sha256",headers="{sigheaders}",signature="{sig}"'
keyid=self.keyid,
signature=sig,
headers=sigheaders,
),
} }
r.headers.update(headers) r.headers.update(headers)
return r return r