Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: return empty string when request isn't signed #172 #72

Merged
merged 6 commits into from
Jul 8, 2024
Merged

fix: return empty string when request isn't signed #172 #72

merged 6 commits into from
Jul 8, 2024

Conversation

fauno
Copy link
Collaborator

@fauno fauno commented Jul 4, 2024

feels weird to do it like this, but i noticed the function throws an error when the signature header is missing, so any check that comes afterwards isn't reachable. for instance, now the followers collection can show totalItems when the request isn't signed, instead of the matchAll error (because activitypub-http-signatures doesn't check headers.signature is undefined).

the idea with the empty string is to return an actor that doesn't match anything, but being an empty string returned by a promise is what feels weird (and probably open to vulnerabiities)

ping @catdevnull, couldn't find you on the reviewers list

catdevnull
catdevnull suggested changes Jul 5, 2024
View reviewed changes
Copy link
Contributor

@catdevnull catdevnull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't comment on whether this is idiomatic or safe :)

src/server/apsystem.ts Outdated Show resolved Hide resolved
@fauno
Copy link
Collaborator Author

fauno commented Jul 5, 2024

I can't comment on whether this is idiomatic or safe :)

you mean what i asked about using an empty string?

@catdevnull
Copy link
Contributor

I can't comment on whether this is idiomatic or safe :)

you mean what i asked about using an empty string?

Yes, I can't really comment on whether the change itself is OK and/or makes sense.

RangerMauve
RangerMauve requested changes Jul 8, 2024
View reviewed changes
src/server/apsystem.ts Outdated Show resolved Hide resolved
This was referenced Jul 8, 2024
Open
Closed
RangerMauve
RangerMauve approved these changes Jul 8, 2024
View reviewed changes
Copy link
Contributor

@RangerMauve RangerMauve left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfect, ty!

@RangerMauve RangerMauve merged commit 5f760af into main Jul 8, 2024
2 checks passed
@fauno fauno deleted the issue-172 branch July 8, 2024 19:04
@fauno fauno mentioned this pull request Oct 24, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catdevnull catdevnull catdevnull requested changes

@RangerMauve RangerMauve RangerMauve approved these changes

@akhileshthite akhileshthite Awaiting requested review from akhileshthite

Assignees
No one assigned
Labels
None yet
Projects
Distributed Press Organizing
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fauno @catdevnull @RangerMauve