Archived
2
0
Fork 0

Improvements to signature verification (#9667)

* Refactor signature verification a bit

* Rescue signature verification if recorded public key is invalid

Fixes #8822

* Always re-fetch AP signing key when HTTP Signature verification fails

But when the account is not marked as stale, avoid fetching collections and
media, and avoid webfinger round-trip.

* Apply stoplight to key/account update as well as initial key retrieval
This commit is contained in:
ThibG 2019-01-07 21:45:13 +01:00 committed by Eugen Rochko
parent cf3c0fc38c
commit 28b482874a
3 changed files with 41 additions and 22 deletions

View file

@ -33,8 +33,10 @@ class ActivityPub::ProcessAccountService < BaseService
after_protocol_change! if protocol_changed?
after_key_change! if key_changed? && !@options[:signed_with_known_key]
check_featured_collection! if @account.featured_collection_url.present?
check_links! unless @account.fields.empty?
unless @options[:only_key]
check_featured_collection! if @account.featured_collection_url.present?
check_links! unless @account.fields.empty?
end
@account
rescue Oj::ParseError
@ -54,11 +56,11 @@ class ActivityPub::ProcessAccountService < BaseService
end
def update_account
@account.last_webfingered_at = Time.now.utc
@account.last_webfingered_at = Time.now.utc unless @options[:only_key]
@account.protocol = :activitypub
set_immediate_attributes!
set_fetchable_attributes!
set_fetchable_attributes! unless @options[:only_keys]
@account.save_with_optional_media!
end