Add more security check/verification

2018-06-02 09:07:57 +02:00 · 2018-06-02 09:07:57 +02:00 · 791e55c7f5
commit 791e55c7f5
parent 84dec1e386
2 changed files with 90 additions and 13 deletions
--- a/app.py
+++ b/app.py
@ -901,14 +901,19 @@ def inbox():
    logger.debug(f'req_headers={request.headers}')
    logger.debug(f'raw_data={data}')
    try:                                            
-        print(verify_request(ACTOR_SERVICE))        
-    except Exception:                                         
+        if not verify_request(ACTOR_SERVICE):
+            raise Exception('failed to verify request')
+    except Exception:
        logger.exception('failed to verify request, trying to verify the payload by fetching the remote')
        try:
            data = OBJECT_SERVICE.get(data['id'])
        except Exception:
            logger.exception(f'failed to fetch remote id at {data["id"]}')
-            abort(422)
+            return Response(
+                status=422,
+                headers={'Content-Type': 'application/json'},
+                response=json.dumps({'error': 'failed to verify request (using HTTP signatures or fetching the IRI)'}),
+            )

    activity = activitypub.parse_activity(data)                 
    logger.debug(f'inbox activity={activity}/{data}')