about summary refs log tree commit diff
path: root/app
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2017-09-28 17:50:14 +0200
committerGitHub <noreply@github.com>2017-09-28 17:50:14 +0200
commit76f360c625d6f7e1200a35430cced872fc6098ff (patch)
treecaa27ee739a112ff0b317a377e64903b39709619 /app
parenta3202f61af7d4833808d429c79dfc21e74f06c99 (diff)
If HTTP signature is wrong and webfinger cache is stale, retry with resolve (#5129)
If the signature could not be verified and the webfinger of the account
was last retrieved longer than the cache period, try re-resolving the
account and then attempting to verify the signature again
Diffstat (limited to 'app')
-rw-r--r--app/controllers/concerns/signature_verification.rb9
-rw-r--r--app/models/account.rb9
-rw-r--r--app/services/resolve_remote_account_service.rb2
3 files changed, 19 insertions, 1 deletions
diff --git a/app/controllers/concerns/signature_verification.rb b/app/controllers/concerns/signature_verification.rb
index 4211283ed..52a9cf290 100644
--- a/app/controllers/concerns/signature_verification.rb
+++ b/app/controllers/concerns/signature_verification.rb
@@ -44,6 +44,15 @@ module SignatureVerification
     if account.keypair.public_key.verify(OpenSSL::Digest::SHA256.new, signature, compare_signed_string)
       @signed_request_account = account
       @signed_request_account
+    elsif account.possibly_stale?
+      account = account.refresh!
+
+      if account.keypair.public_key.verify(OpenSSL::Digest::SHA256.new, signature, compare_signed_string)
+        @signed_request_account = account
+        @signed_request_account
+      else
+        @signed_request_account = nil
+      end
     else
       @signed_request_account = nil
     end
diff --git a/app/models/account.rb b/app/models/account.rb
index 0b025d1be..ce7773b4b 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -137,6 +137,15 @@ class Account < ApplicationRecord
     subscription_expires_at.present?
   end
 
+  def possibly_stale?
+    last_webfingered_at.nil? || last_webfingered_at <= 1.day.ago
+  end
+
+  def refresh!
+    return if local?
+    ResolveRemoteAccountService.new.call(acct)
+  end
+
   def keypair
     @keypair ||= OpenSSL::PKey::RSA.new(private_key || public_key)
   end
diff --git a/app/services/resolve_remote_account_service.rb b/app/services/resolve_remote_account_service.rb
index 57c80fc82..93ba07702 100644
--- a/app/services/resolve_remote_account_service.rb
+++ b/app/services/resolve_remote_account_service.rb
@@ -74,7 +74,7 @@ class ResolveRemoteAccountService < BaseService
   end
 
   def webfinger_update_due?
-    @account.nil? || @account.last_webfingered_at.nil? || @account.last_webfingered_at <= 1.day.ago
+    @account.nil? || @account.possibly_stale?
   end
 
   def activitypub_ready?