From e9df81db4051a18906727f91bbfa1f45b90aee78 Mon Sep 17 00:00:00 2001
From: gilesb
Date: Fri, 9 Jan 2026 17:43:08 +0000
Subject: [PATCH] Require L1 server authorization for token verification

L1 servers must now identify themselves when calling /auth/verify.
Only servers listed in L1_SERVERS can verify tokens.

Co-Authored-By: Claude Opus 4.5
---
 server.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/server.py b/server.py
index 04b77b6..67d64aa 100644
--- a/server.py
+++ b/server.py
@@ -1309,17 +1309,30 @@ async def get_me(user: User = Depends(get_required_user)):
     }
 
 
+class VerifyRequest(BaseModel):
+    l1_server: str  # URL of the L1 server requesting verification
+
+
 @app.post("/auth/verify")
-async def verify_auth(credentials: HTTPAuthorizationCredentials = Depends(security)):
-    """Verify a token and return username. Used by L1 server."""
+async def verify_auth(
+    request: VerifyRequest,
+    credentials: HTTPAuthorizationCredentials = Depends(security)
+):
+    """Verify a token and return username. Only authorized L1 servers can call this."""
     if not credentials:
         raise HTTPException(401, "No token provided")
 
+    # Check L1 is authorized
+    l1_normalized = request.l1_server.rstrip("/")
+    authorized = any(l1_normalized == s.rstrip("/") for s in L1_SERVERS)
+    if not authorized:
+        raise HTTPException(403, f"L1 server not authorized: {request.l1_server}")
+
     username = verify_token(credentials.credentials)
     if not username:
         raise HTTPException(401, "Invalid token")
-    return {"username": username, "valid": True}
+    return {"username": username, "valid": True, "l1_server": request.l1_server}
 
 
 @app.get("/.well-known/webfinger")
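Review bot: The check added under `# Check L1 is authorized` does not authenticate the caller: `request.l1_server` is a free-form string in the request body, so matching it against `L1_SERVERS` only shows that the client chose a listed URL, not that it is that server, and the commit message's "only servers listed in L1_SERVERS can verify tokens" is not what the code enforces. The authorization needs to be bound to something the caller demonstrates — for example a per-server secret configured next to `L1_SERVERS` and compared with `hmac.compare_digest`, or a client certificate — with the `l1_server` value in the response then derived from that credential instead of echoed from the body. Because this check runs before `verify_token`, the 401/403 split also tells a caller without a valid token which URLs are in `L1_SERVERS`; verifying the bearer token first, or returning the same status for both failures, removes that distinction. The 403 body reflects the unvalidated `request.l1_server` value to the client; log it server-side and return a fixed message, e.g. `raise HTTPException(403, "L1 server not authorized")`.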