Check signature is correct with the activity pub actor
authorChocobozzz <florian.bigard@gmail.com>
Fri, 24 Nov 2017 13:36:28 +0000 (14:36 +0100)
committerChocobozzz <florian.bigard@gmail.com>
Mon, 27 Nov 2017 18:40:53 +0000 (19:40 +0100)
server/controllers/activitypub/inbox.ts
server/lib/activitypub/process/process.ts

index 243ae738191e7f67ce538359c988fd820e01d633..92bd20ddb0ffd25a3e864ce9d76f543606614ec2 100644 (file)
@@ -48,7 +48,7 @@ async function inboxController (req: express.Request, res: express.Response, nex
   activities = activities.filter(a => isActivityValid(a))
   logger.debug('We keep %d activities.', activities.length, { activities })
 
-  await processActivities(activities, res.locals.account)
+  await processActivities(activities, res.locals.signature.account, res.locals.account)
 
   res.status(204).end()
 }
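Review bot: `res.locals.signature.account` is dereferenced on the changed line without a guard, and nothing visible in this hunk shows that `res.locals.signature` is always populated for this route. If `signature` is missing, the async handler throws a TypeError; if `signature` is present but `account` is undefined, that value reaches `processActivities`, where a falsy `signatureAccount` skips the actor comparison entirely. The inbox is the path where a verified signer is mandatory, so reject before processing, e.g. `if (!res.locals.signature || !res.locals.signature.account) return res.sendStatus(403)`. The body of `inboxController` starts outside the hunk, so an earlier check may already exist and should be confirmed.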
index 40f19c7010ed22e38d20c181eabd68ee82ea16bc..54981c289fd640ec9b4865ec9ac92cc72d25361b 100644 (file)
@@ -23,8 +23,14 @@ const processActivity: { [ P in ActivityType ]: (activity: Activity, inboxAccoun
   Like: processLikeActivity
 }
 
-async function processActivities (activities: Activity[], inboxAccount?: AccountInstance) {
+async function processActivities (activities: Activity[], signatureAccount?: AccountInstance, inboxAccount?: AccountInstance) {
   for (const activity of activities) {
+    // When we fetch remote data, we don't have signature
+    if (signatureAccount && activity.actor !== signatureAccount.url) {
+      logger.warn('Signature mismatch between %s and %s.', activity.actor, signatureAccount.url)
+      continue
+    }
+
     const activityProcessor = processActivity[activity.type]
     if (activityProcessor === undefined) {
       logger.warn('Unknown activity type %s.', activity.type, { activityId: activity.id })
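Review bot: The actor check `if (signatureAccount && activity.actor !== signatureAccount.url)` fails open, because any caller that omits `signatureAccount` or passes undefined gets no verification, and the one-line comment is the only hint of that. A doc comment on `processActivities` should state the contract, e.g. `// signatureAccount: account that signed the HTTP request; omit ONLY for activities this server fetched itself`. Both new parameters are optional `AccountInstance` positionals, so a caller still using the old two-argument form would have its inbox account treated as the signer; callers outside this diff should be checked. The mismatch warning would be easier to triage with the context the unknown-type warning already carries: `logger.warn('Signature mismatch between %s and %s.', activity.actor, signatureAccount.url, { activityId: activity.id })`. The loop body continues past the end of the hunk.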