diff --git a/bp/actors/routes.py b/bp/actors/routes.py
index d045dbd..49c0745 100644
--- a/bp/actors/routes.py
+++ b/bp/actors/routes.py
@@ -62,12 +62,15 @@ async def _send_accept(
 body_bytes = json.dumps(accept).encode()
 key_id = f"{actor_url}#main-key"
+ from urllib.parse import urlparse
+ parsed = urlparse(follower_inbox)
 headers = sign_request(
- method="POST",
- url=follower_inbox,
- body=body_bytes,
 private_key_pem=actor.private_key_pem,
 key_id=key_id,
+ method="POST",
+ path=parsed.path,
+ host=parsed.netloc,
+ body=body_bytes,
 )
 headers["Content-Type"] = AP_CONTENT_TYPE
@@ -107,6 +110,7 @@ def register(url_prefix="/users"):
 "name": actor.display_name or username,
 "preferredUsername": username,
 "summary": actor.summary or "",
+ "manuallyApprovesFollowers": False,
 "inbox": f"https://{domain}/users/{username}/inbox",
 "outbox": f"https://{domain}/users/{username}/outbox",
 "followers": f"https://{domain}/users/{username}/followers",
@@ -207,18 +211,20 @@ def register(url_prefix="/users"):
 sig_valid = False
 try:
 from shared.utils.http_signatures import verify_request_signature
- raw_body = await request.get_data()
 req_headers = dict(request.headers)
- req_headers["(request-target)"] = f"post /users/{username}/inbox"
+ sig_header = req_headers.get("Signature", "")
 # Fetch remote actor to get their public key
 remote_actor = await _fetch_remote_actor(from_actor_url)
- if remote_actor:
+ if remote_actor and sig_header:
 pub_key_pem = (remote_actor.get("publicKey") or {}).get("publicKeyPem")
 if pub_key_pem:
 sig_valid = verify_request_signature(
- headers=req_headers,
 public_key_pem=pub_key_pem,
+ signature_header=sig_header,
+ method="POST",
+ path=f"/users/{username}/inbox",
+ headers=req_headers,
 )
 except Exception:
 log.debug("Signature verification failed for %s", from_actor_url, exc_info=True)
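Review bot: In `_send_accept`, `path=parsed.path` drops any query string on `follower_inbox` and is empty for a bare-host URL, so the signed request-target can differ from the target of the POST (presumably still sent to the full `follower_inbox`), and the receiver would then reject the signature. Consider `path=(parsed.path or "/") + (f"?{parsed.query}" if parsed.query else "")`. Because the inbox URL appears to come from a remote actor document, it is also worth refusing to sign and send when `parsed.scheme != "https"` or `parsed.netloc` is empty. The `from urllib.parse import urlparse` line would read better among the module-level imports; the function body starts and ends outside the hunk.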
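Review bot: The `verify_request_signature` call in the inbox handler is not given the request body, so unless that helper or later code compares the `Digest` header with a SHA-256 of the body, a valid signature over the headers does not bind the activity JSON that is processed afterwards. Separately, `req_headers.get("Signature", "")` is a lookup on a plain `dict` and therefore case-sensitive; a sender that delivers the header as `signature` (usual over HTTP/2) would be treated as unsigned, which `sig_header = request.headers.get("Signature", "")` avoids if the framework's header mapping is case-insensitive. The verified path is hard-coded to `/users/{username}/inbox` although `register` accepts `url_prefix`, so a non-default prefix would never verify. The handler continues outside the hunk, so what happens when `sig_valid` stays `False` is not visible here.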