From 67643482c888e69da2c46860aa7e2a665400d4bb Mon Sep 17 00:00:00 2001
From: Thomas Sileo
Date: Mon, 21 May 2018 14:41:47 +0200
Subject: [PATCH] Improve the request verification checking

---
app.py | 15 +++++++++++----
utils/httpsig.py | 6 +-----
2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/app.py b/app.py
index 8895019..7763b01 100644
--- a/app.py
+++ b/app.py
@@ -178,6 +178,7 @@ def login_required(f):
return f(*args, **kwargs)
return decorated_function

+
def _api_required():
if session.get('logged_in'):
return
@@ -189,7 +190,9 @@ def _api_required():
# Will raise a BadSignature on bad auth
payload = JWT.loads(token)

- def api_required(f):
+
+
+def api_required(f):
@wraps(f)
def decorated_function(*args, **kwargs):
try:
@@ -197,7 +200,7 @@ def _api_required():
except BadSignature:
abort(401)

- return f(*args, **kwargs)
+ return f(*args, **kwargs)
return decorated_function


@@ -672,12 +675,16 @@ def inbox():
))

data = request.get_json(force=True)
- # FIXME(tsileo): ensure verify_request() == True
print(data)
try:
print(verify_request(ACTOR_SERVICE))
except Exception:
- print('failed to verify request')
+ print('failed to verify request, trying to verify the payload by fetching the remote')
+ try:
+ data = OBJECT_SERVICE.get(data['id'])
+ except Exception:
+ print(f'failed to fetch remote id at {data["id"]}')
+ abort(422)

activity = activitypub.parse_activity(data)
print(activity)
diff --git a/utils/httpsig.py b/utils/httpsig.py
index a2e77c5..84245fb 100644
--- a/utils/httpsig.py
+++ b/utils/httpsig.py
@@ -77,11 +77,7 @@ class HTTPSigAuth(AuthBase):
sig = base64.b64encode(signer.sign(digest))
sig = sig.decode('utf-8')
headers = {
- 'Signature': 'keyId="{keyid}",algorithm="rsa-sha256",headers="{headers}",signature="{signature}"'.format(
- keyid=self.keyid,
- signature=sig,
- headers=sigheaders,
- ),
+ 'Signature': f'keyId="{self.keyid}",algorithm="rsa-sha256",headers="{sigheaders}",signature="{sig}"'
}
r.headers.update(headers)
return r
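Review bot: The fallback added in the `except Exception:` branch of inbox() fetches `data['id']` taken straight from the unauthenticated request body, so any anonymous client can make the server dereference an arbitrary URL (SSRF toward internal hosts unless OBJECT_SERVICE.get already restricts scheme and destination), and nothing confirms the fetched object is the one announced — its `id` is never compared with the requested URL, nor its host with the activity's `actor`. A body with no `id` also fails inside the inner `try`, and the f-string in the inner `except` then re-raises KeyError, turning the intended 422 into a 500. The `print(verify_request(ACTOR_SERVICE))` above still only prints the result, which the removed FIXME asked to enforce; if verify_request can report failure by returning a falsy value rather than raising (its contract is not visible here), a forged signature would skip the fallback and be accepted. A suggested shape is below; inbox() begins before this hunk.

```python
    try:
        if not verify_request(ACTOR_SERVICE):
            raise ValueError('HTTP signature did not verify')
    except Exception:
        print('failed to verify request, trying to verify the payload by fetching the remote')
        # The body is unauthenticated: only dereference an https URL, and expect
        # OBJECT_SERVICE.get to refuse private/loopback destinations as well.
        remote_id = data.get('id') if isinstance(data, dict) else None
        if not isinstance(remote_id, str) or not remote_id.startswith('https://'):
            abort(422)
        try:
            data = OBJECT_SERVICE.get(remote_id)
        except Exception:
            print(f'failed to fetch remote id at {remote_id}')
            abort(422)
        # Accept only the object that was announced, not whatever the URL served.
        if not isinstance(data, dict) or data.get('id') != remote_id:
            abort(422)
    # … unchanged: parse_activity and the rest of inbox() …
```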