This commit is contained in:
Matthias Pfefferle 2023-05-22 13:35:46 +02:00
parent ec4e22f570
commit d2b7c287fc

View file

@ -88,6 +88,7 @@ class Server {
public static function authorize_activitypub_requests( $response, $handler, $request ) { public static function authorize_activitypub_requests( $response, $handler, $request ) {
$route = $request->get_route(); $route = $request->get_route();
// check if it is an activitypub request and exclude webfinger and nodeinfo endpoints
if ( if (
! str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) || ! str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) ||
str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'webfinger' ) || str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'webfinger' ) ||
@ -96,12 +97,13 @@ class Server {
return $response; return $response;
} }
// POST-Requets are always signed
if ( 'POST' === $request->get_method() ) { if ( 'POST' === $request->get_method() ) {
$verified_request = Signature::verify_http_signature( $request ); $verified_request = Signature::verify_http_signature( $request );
if ( \is_wp_error( $verified_request ) ) { if ( \is_wp_error( $verified_request ) ) {
return $verified_request; return $verified_request;
} }
} elseif ( 'GET' === $request->get_method() ) { } elseif ( 'GET' === $request->get_method() ) { // GET-Requests are only signed in secure mode
if ( ACTIVITYPUB_SECURE_MODE ) { if ( ACTIVITYPUB_SECURE_MODE ) {
$verified_request = Signature::verify_http_signature( $request ); $verified_request = Signature::verify_http_signature( $request );
if ( \is_wp_error( $verified_request ) ) { if ( \is_wp_error( $verified_request ) ) {