Require L1 server authorization for token verification

L1 servers must now identify themselves when calling /auth/verify. Only servers listed in L1_SERVERS can verify tokens. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 17:43:08 +00:00
parent d244a62c48
commit e9df81db40
1 changed files with 16 additions and 3 deletions
--- a/server.py
+++ b/server.py
@@ -1309,17 +1309,30 @@ async def get_me(user: User = Depends(get_required_user)):
    }


+class VerifyRequest(BaseModel):
+    l1_server: str  # URL of the L1 server requesting verification
+
+
@app.post("/auth/verify")
-async def verify_auth(credentials: HTTPAuthorizationCredentials = Depends(security)):
-    """Verify a token and return username. Used by L1 server."""
+async def verify_auth(
+    request: VerifyRequest,
+    credentials: HTTPAuthorizationCredentials = Depends(security)
+):
+    """Verify a token and return username. Only authorized L1 servers can call this."""
    if not credentials:
        raise HTTPException(401, "No token provided")

+    # Check L1 is authorized
+    l1_normalized = request.l1_server.rstrip("/")
+    authorized = any(l1_normalized == s.rstrip("/") for s in L1_SERVERS)
+    if not authorized:
+        raise HTTPException(403, f"L1 server not authorized: {request.l1_server}")
+
    username = verify_token(credentials.credentials)
    if not username:
        raise HTTPException(401, "Invalid token")

-    return {"username": username, "valid": True}
+    return {"username": username, "valid": True, "l1_server": request.l1_server}


@app.get("/.well-known/webfinger")