author | 2021-09-16 11:35:09 +0200 | |
---|---|---|
committer | 2021-09-16 11:35:09 +0200 | |
commit | 92186c8c6f1c374146f085b46a440b69a1d97aa8 (patch) | |
tree | 06d7aea58ee399c4939ffa9052bcc548427cbfa4 /internal/federation/authenticate.go | |
parent | Fix mentions not notifying (#230) (diff) | |
federated authentication better logging + tidying (#232)
* change trace logging in authenticator
* messing about
* lil changes
* go fmt
* error fix
* Fix broken test
Diffstat (limited to 'internal/federation/authenticate.go')
-rw-r--r-- | internal/federation/authenticate.go | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/internal/federation/authenticate.go b/internal/federation/authenticate.go
index 81ac84544..1e359aa28 100644
--- a/internal/federation/authenticate.go
+++ b/internal/federation/authenticate.go
@@ -102,10 +102,6 @@ func getPublicKeyFromResponse(c context.Context, b []byte, keyID *url.URL) (voca
 // Authenticate in this case is defined as making sure that the http request is actually signed by whoever claims
 // to have signed it, by fetching the public key from the signature and checking it against the remote public key.
 //
-// To avoid making unnecessary http calls towards blocked domains, this function *does* bail early if an instance-level domain block exists
-// for the request from the incoming domain. However, it does not check whether individual blocks exist between the requesting user or domain
-// and the requested user: this should be done elsewhere.
-//
 // The provided username will be used to generate a transport for making remote requests/derefencing the public key ID of the request signature.
 // Ideally you should pass in the username of the user *being requested*, so that the remote server can decide how to handle the request based on who's making it.
 // Ie., if the request on this server is for https://example.org/users/some_username then you should pass in the username 'some_username'.
@@ -135,6 +131,19 @@ func (f *federator) AuthenticateFederatedRequest(ctx context.Context, requestedU return nil, false, nil // couldn't extract the verifier } + // we should have the signature itself set too si := ctx.Value(util.APRequestingPublicKeySignature) + if vi == nil { + l.Debug("request wasn't signed") + return nil, false, nil // request wasn't signed + } + + signature, ok := si.(string) + if !ok { + l.Debug("couldn't extract signature") + return nil, false, nil // couldn't extract the signature + } + requestingPublicKeyID, err := url.Parse(verifier.KeyId()) if err != nil { l.Debug("couldn't parse public key URL")
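Review bot: The nil guard added right after `si := ctx.Value(util.APRequestingPublicKeySignature)` tests `vi` instead of `si`, so a context with no signature value never reaches the "request wasn't signed" branch and only fails at the comma-ok assertion below, logging the misleading "couldn't extract signature" instead; `vi` appears to be the verifier value already checked just above this hunk, which makes the new check dead. The fix is the one-line change `if si == nil {`. Because the two-value `si.(string)` yields ok=false on a nil interface, the request is still rejected, so this is a logging and readability defect rather than a panic, but the repeated check will mislead the next reader. AuthenticateFederatedRequest begins and ends outside this hunk.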
@@ -227,13 +236,14 @@ func (f *federator) AuthenticateFederatedRequest(ctx context.Context, requestedU
 for _, algo := range algos {
 l.Tracef("trying algo: %s", algo)
- if err := verifier.Verify(publicKey, algo); err == nil {
+ err := verifier.Verify(publicKey, algo)
+ if err == nil {
 l.Tracef("authentication for %s PASSED with algorithm %s", pkOwnerURI, algo)
 return pkOwnerURI, true, nil
 }
 l.Tracef("authentication for %s NOT PASSED with algorithm %s: %s", pkOwnerURI, algo, err)
 }
- l.Infof("authentication not passed for %s", pkOwnerURI)
+ l.Infof("authentication not passed for public key owner %s; signature value was '%s'", pkOwnerURI, signature)
 return nil, false, nil
 }
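Review bot: The new Infof on the last changed line writes the unverified signature value into the log via `'%s'`; that value is request-supplied (presumably copied from the request's Signature header into the context by earlier middleware), so a malformed header containing newlines or control characters is reproduced verbatim in the log, and at Info level every failed verification emits a line of request-chosen content. Use `%q` so the value is escaped and quoted, and consider Debug level since it only matters when tracing a failed signature: `l.Infof("authentication not passed for public key owner %s; signature value was %q", pkOwnerURI, signature)`. The loop now declares `err` with `:=` inside the body, which is fine but shadows any `err` declared earlier in the function, whose start lies outside this hunk.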