From 9642e357e5f94e46b67c2a6480289855eee66230 Mon Sep 17 00:00:00 2001
From: asonix <asonix@asonix.dog>
Date: Tue, 17 Mar 2020 14:52:33 -0500
Subject: [PATCH] Enforce sig is from correct actor

---
 Cargo.lock   |  4 ++--
 Cargo.toml   |  2 +-
 src/error.rs |  3 +++
 src/inbox.rs | 11 +++++++++++
 4 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 26c3861..fc5fa6d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1079,9 +1079,9 @@ dependencies = [
 
 [[package]]
 name = "http-signature-normalization-actix"
-version = "0.3.0-alpha.2"
+version = "0.3.0-alpha.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3f035288c367f436250512a6e7efba4636d3354c0200baa2fdc0f5f1bb72b1a"
+checksum = "36b2d8e485a1403413d543ccaa5bb02be59d1ef93e0ecb97314bfdf2573b2ba7"
 dependencies = [
  "actix-http",
  "actix-web",
diff --git a/Cargo.toml b/Cargo.toml
index 34c1f39..9b72262 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -17,7 +17,7 @@ base64 = "0.12"
 bb8-postgres = "0.4.0"
 dotenv = "0.15.0"
 futures = "0.3.4"
-http-signature-normalization-actix = { version = "0.3.0-alpha.2", default-features = false, features = ["sha-2"] }
+http-signature-normalization-actix = { version = "0.3.0-alpha.3", default-features = false, features = ["sha-2"] }
 log = "0.4"
 lru = "0.4.3"
 pretty_env_logger = "0.4.0"
diff --git a/src/error.rs b/src/error.rs
index 36b8144..6f63b02 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -30,6 +30,9 @@ pub enum MyError {
     #[error("Couldn't decode base64")]
     Base64(#[from] base64::DecodeError),
 
+    #[error("Actor tried to submit another actor's payload")]
+    BadActor,
+
     #[error("Invalid algorithm provided to verifier")]
     Algorithm,
 
diff --git a/src/inbox.rs b/src/inbox.rs
index 6b2c0fd..2018eba 100644
--- a/src/inbox.rs
+++ b/src/inbox.rs
@@ -15,6 +15,7 @@ use activitystreams::{
 use actix::Addr;
 use actix_web::{client::Client, web, HttpResponse};
 use futures::join;
+use http_signature_normalization_actix::middleware::SignatureVerified;
 use log::error;
 
 pub async fn inbox(
@@ -22,9 +23,19 @@ pub async fn inbox(
     state: web::Data<State>,
     client: web::Data<Client>,
     input: web::Json<AcceptedObjects>,
+    verified: SignatureVerified,
 ) -> Result<HttpResponse, MyError> {
     let input = input.into_inner();
 
+    if input.actor.as_str() != verified.key_id() {
+        error!(
+            "Request payload and requestor disagree on actor, {} != {}",
+            input.actor,
+            verified.key_id()
+        );
+        return Err(MyError::BadActor);
+    }
+
     let actor = fetch_actor(
         state.clone().into_inner(),
         client.clone().into_inner(),