art-dag/activity-pub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Require L1 server authorization for token verification

Browse Source 
L1 servers must now identify themselves when calling /auth/verify.
Only servers listed in L1_SERVERS can verify tokens.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
gilesb
2026-01-09 17:43:08 +00:00
parent d244a62c48
commit e9df81db40
1 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
server.py
View File

@@ -1309,17 +1309,30 @@ async def get_me(user: User = Depends(get_required_user)):
} }
class VerifyRequest(BaseModel):
l1_server: str # URL of the L1 server requesting verification
@app.post("/auth/verify") @app.post("/auth/verify")
async def verify_auth(credentials: HTTPAuthorizationCredentials = Depends(security)): async def verify_auth(
"""Verify a token and return username. Used by L1 server.""" request: VerifyRequest,
credentials: HTTPAuthorizationCredentials = Depends(security)
):
"""Verify a token and return username. Only authorized L1 servers can call this."""
if not credentials: if not credentials:
raise HTTPException(401, "No token provided") raise HTTPException(401, "No token provided")
# Check L1 is authorized
l1_normalized = request.l1_server.rstrip("/")
authorized = any(l1_normalized == s.rstrip("/") for s in L1_SERVERS)
if not authorized:
raise HTTPException(403, f"L1 server not authorized: {request.l1_server}")
username = verify_token(credentials.credentials) username = verify_token(credentials.credentials)
if not username: if not username:
raise HTTPException(401, "Invalid token") raise HTTPException(401, "Invalid token")
return {"username": username, "valid": True} return {"username": username, "valid": True, "l1_server": request.l1_server}
@app.get("/.well-known/webfinger") @app.get("/.well-known/webfinger")