[backend] Improved http signature verification checks

This fixes an edge case where federation with split domain instances could fail.
2024-11-22 00:43:49 +01:00 · 2023-10-21 22:39:03 +02:00 · 2023-10-21 22:39:03 +02:00 · 04fa6bef15
commit 04fa6bef15
parent 1f53affd76
1 changed files with 7 additions and 2 deletions
--- a/packages/backend/src/remote/activitypub/check-fetch.ts
+++ b/packages/backend/src/remote/activitypub/check-fetch.ts
@ -81,8 +81,13 @@ export async function checkFetch(req: IncomingMessage): Promise<number> {
 			return 403;
 		}

-		// もう一回チェック
-		if (authUser.user.host !== host) {
+		// Cannot authenticate against local user
+		if (authUser.user.uri === null || authUser.user.host === null) {
+			return 400;
+		}
+
+		// Check if keyId hostname matches actor hostname
+		if (toPuny(new URL(authUser.user.uri).hostname) !== host) {
 			return 403;
 		}