Enforce sig is from correct actor

Cargo.lock

@@ -1079,9 +1079,9 @@ dependencies = [
 
 [[package]]
 name = "http-signature-normalization-actix"
-version = "0.3.0-alpha.2"
+version = "0.3.0-alpha.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3f035288c367f436250512a6e7efba4636d3354c0200baa2fdc0f5f1bb72b1a"
+checksum = "36b2d8e485a1403413d543ccaa5bb02be59d1ef93e0ecb97314bfdf2573b2ba7"
 dependencies = [
  "actix-http",
  "actix-web",

Cargo.toml

@@ -17,7 +17,7 @@ base64 = "0.12"
 bb8-postgres = "0.4.0"
 dotenv = "0.15.0"
 futures = "0.3.4"
-http-signature-normalization-actix = { version = "0.3.0-alpha.2", default-features = false, features = ["sha-2"] }
+http-signature-normalization-actix = { version = "0.3.0-alpha.3", default-features = false, features = ["sha-2"] }
 log = "0.4"
 lru = "0.4.3"
 pretty_env_logger = "0.4.0"

src/error.rs

@@ -30,6 +30,9 @@ pub enum MyError {
     #[error("Couldn't decode base64")]
     Base64(#[from] base64::DecodeError),
 
+    #[error("Actor tried to submit another actor's payload")]
+    BadActor,
+
     #[error("Invalid algorithm provided to verifier")]
     Algorithm,
 

src/inbox.rs

@@ -15,6 +15,7 @@ use activitystreams::{
 use actix::Addr;
 use actix_web::{client::Client, web, HttpResponse};
 use futures::join;
+use http_signature_normalization_actix::middleware::SignatureVerified;
 use log::error;
 
 pub async fn inbox(
@@ -22,9 +23,19 @@ pub async fn inbox(
     state: web::Data<State>,
     client: web::Data<Client>,
     input: web::Json<AcceptedObjects>,
+    verified: SignatureVerified,
 ) -> Result<HttpResponse, MyError> {
     let input = input.into_inner();
 
+    if input.actor.as_str() != verified.key_id() {
+        error!(
+            "Request payload and requestor disagree on actor, {} != {}",
+            input.actor,
+            verified.key_id()
+        );
+        return Err(MyError::BadActor);
+    }
+
     let actor = fetch_actor(
         state.clone().into_inner(),
         client.clone().into_inner(),