Improvements to signature verification #9667

Merged
merged 4 commits into from
Jan 7, 2019

Conversation

ClearlyClaire
Contributor

  • Fix stored invalid keys preventing account data from being updated
  • Always re-fetch keys if signature verification fails, albeit avoiding webfinger roundtrip and additional HTTP queries
  • Extend stoplight to account/key refresh too

This part of the code is a bit hairy; this should be thoroughly reviewed, and tests should probably be added.

@Gargron Gargron merged commit 28b4828 into mastodon:master Jan 7, 2019
@ClearlyClaire ClearlyClaire deleted the fixes/refresh-key branch March 14, 2019 15:44
hiyuki2578 pushed a commit to ProjectMyosotis/mastodon that referenced this pull request Oct 2, 2019
* Refactor signature verification a bit

* Rescue signature verification if recorded public key is invalid

Fixes mastodon#8822

* Always re-fetch AP signing key when HTTP Signature verification fails

But when the account is not marked as stale, avoid fetching collections and
media, and avoid webfinger round-trip.

* Apply stoplight to key/account update as well as initial key retrieval
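
The flow described in this pull request (treat an unparsable stored key as a failed verification, re-fetch the signing key once, and guard that fetch with a circuit breaker), as an added Ruby sketch that is not code from the pull request or from Mastodon. `CachedActor`, `FetchBreaker`, `key_verifies?`, `verify_with_refresh` and the `fetch_key` callable are hypothetical names; RSA-SHA256 signatures are assumed, and the breaker is a simplified stand-in for stoplight.

```ruby
require 'openssl'

# Hypothetical stand-in for a cached remote actor; not Mastodon's Account model.
CachedActor = Struct.new(:key_id, :public_key_pem)

# Minimal per-key circuit breaker (simplified stand-in for stoplight):
# after `threshold` failed fetches for a key id, further fetches are skipped.
class FetchBreaker
  def initialize(threshold)
    @threshold = threshold
    @failures = Hash.new(0)
  end

  def run(key_id)
    return nil if @failures[key_id] >= @threshold
    pem = yield
    @failures[key_id] = 0
    pem
  rescue StandardError
    @failures[key_id] += 1
    nil
  end
end

# True only if `pem` parses as an RSA key and the signature checks out
# (RSA-SHA256 is an assumption of this example). An unparsable stored key
# counts as a failed verification instead of raising.
def key_verifies?(pem, data, signature)
  OpenSSL::PKey::RSA.new(pem).verify(OpenSSL::Digest.new('SHA256'), signature, data)
rescue OpenSSL::OpenSSLError, TypeError
  false
end

# Try the cached key first; on any failure re-fetch the key once via `fetch_key`
# (a callable standing in for the HTTP request) and retry with the fresh key.
def verify_with_refresh(actor, data, signature, breaker, fetch_key)
  return :ok_cached if key_verifies?(actor.public_key_pem, data, signature)

  fresh = breaker.run(actor.key_id) { fetch_key.call(actor.key_id) }
  return :rejected unless fresh && key_verifies?(fresh, data, signature)

  actor.public_key_pem = fresh # in this sketch, only a key that verified replaces the cache
  :ok_refreshed
end
```

A request that fails against both the cached and the freshly fetched key is rejected without touching the cache, and a key endpoint that keeps failing stops being queried once the breaker threshold is reached.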