forked from forks/microblog.pub
Tweak HTTP sig handling for blocked servers
This commit is contained in:
parent
1e8a4f933e
commit
08618c3c72
1 changed files with 10 additions and 1 deletions
|
@ -143,9 +143,12 @@ async def _get_public_key(db_session: AsyncSession, key_id: str) -> Key:
|
|||
class HTTPSigInfo:
|
||||
has_valid_signature: bool
|
||||
signed_by_ap_actor_id: str | None = None
|
||||
|
||||
is_ap_actor_gone: bool = False
|
||||
is_unsupported_algorithm: bool = False
|
||||
is_expired: bool = False
|
||||
is_from_blocked_server: bool = False
|
||||
|
||||
server: str | None = None
|
||||
|
||||
|
||||
|
@ -169,6 +172,12 @@ async def httpsig_checker(
|
|||
)
|
||||
|
||||
server = urlparse(key_id).hostname
|
||||
if server in BLOCKED_SERVERS:
|
||||
return HTTPSigInfo(
|
||||
has_valid_signature=False,
|
||||
server=server,
|
||||
is_from_blocked_server=True,
|
||||
)
|
||||
|
||||
if alg := hsig.get("algorithm") not in ["rsa-sha256", "hs2019"]:
|
||||
logger.info(f"Unsupported HTTP sig algorithm: {alg}")
|
||||
|
@ -222,7 +231,7 @@ async def enforce_httpsig(
|
|||
httpsig_info: HTTPSigInfo = fastapi.Depends(httpsig_checker),
|
||||
) -> HTTPSigInfo:
|
||||
"""FastAPI Depends"""
|
||||
if httpsig_info.server in BLOCKED_SERVERS:
|
||||
if httpsig_info.is_from_blocked_server:
|
||||
logger.warning(f"{httpsig_info.server} is blocked")
|
||||
raise fastapi.HTTPException(status_code=403, detail="Blocked")
|
||||
|
||||
|
|
Loading…
Reference in a new issue