fix: automatically reject unsigned POSTs to inbox

2025-10-26 08:36:12 +01:00 · 2024-01-19 11:43:21 -05:00
parent 2ff70fdde2
commit a3e1a666b8
1 changed files with 5 additions and 0 deletions
--- a/src/activitypub/index.js
+++ b/src/activitypub/index.js
@@ -138,6 +138,10 @@ ActivityPub.sign = async (uid, url, payload) => {
 };

 ActivityPub.verify = async (req) => {
+	if (!req.headers.hasOwnProperty('signature')) {
+		return false;
+	}
+
 	// Break the signature apart
 	const { keyId, headers, signature } = req.headers.signature.split(',').reduce((memo, cur) => {
 		const split = cur.split('="');
@@ -181,6 +185,7 @@ ActivityPub.get = async (uid, uri) => {

 	const headers = uid > 0 ? await ActivityPub.sign(uid, uri) : {};
 	winston.verbose(`[activitypub/get] ${uri}`);
+	console.log(headers);
 	const { response, body } = await request.get(uri, {
 		headers: {
 			...headers,