fix: closes #13056, guard against undefined keyid,compare

2025-10-26 08:36:12 +01:00 · 2025-01-15 17:19:27 -05:00
parent b61a9031ed
commit 6073a25bb5
1 changed files with 4 additions and 3 deletions
--- a/src/middleware/activitypub.js
+++ b/src/middleware/activitypub.js
@@ -107,12 +107,13 @@ middleware.assertPayload = async function (req, res, next) {

 	// Cross-check key ownership against received actor
 	await activitypub.actors.assert(actor);
-	const compare = (await db.getObjectField(`userRemote:${actor}:keys`, 'id')).replace(/#[\w-]+$/, '');
+	const compare = ((await db.getObjectField(`userRemote:${actor}:keys`, 'id')) || '').replace(/#[\w-]+$/, '');
 	const { signature } = req.headers;
-	const keyId = new Map(signature.split(',').filter(Boolean).map((v) => {
+	let keyId = new Map(signature.split(',').filter(Boolean).map((v) => {
 		const index = v.indexOf('=');
 		return [v.substring(0, index), v.slice(index + 1)];
-	})).get('keyId').slice(1, -1).replace(/#[\w-]+$/, '');
+	})).get('keyId');
+	keyId = (keyId || '').slice(1, -1).replace(/#[\w-]+$/, '');
 	if (compare !== keyId) {
 		activitypub.helpers.log('[middleware/activitypub] Key ownership cross-check failed.');
 		return res.sendStatus(403);