Conversation
rename verify_signature
|
I'll make a separate PR for LD Signatures |
|
Is the LD signature thing something we have to support? |
Considering the above, to properly verify the LD signature on an Actor Delete activity, we would need to have a cached copy of their actor key, or perhaps try to fetch this actor. The side effect of an Actor delete would be to remove their comments locally. |
|
@mediaformat should we require the signature verification? Since the signature is not part of the spec, maybe we should add a label |
Not officially, no. But this seems to be because the Editors had pressure to finalize the spec... and the HTTP Signatures spec itself was a working draft.
I think this part is important (emphasis my own):
What do you think? |
We could do this for the GET requests, similar to Mastodon's Authorized Fetch
|
|
@mediaformat is it easier if the signature class would be an object instead of a static helper class? |
|
So then I will run it on my live server for some more days and then we can merge it 😍 |
pfefferle
left a comment
pfefferle
left a comment
There was a problem hiding this comment.
No issues so far! I will merge it and if we find issues, we can improve on that.
jeherve
dismissed
their stale review
Dismissing my review as to not be a blocker, but I still think some tests would be nice.
|
@mediaformat could you add some tests, then I would merge it? |
|
@pfefferle test included! |
|
Thanks @mediaformat :) |
mediaformat
left a comment
mediaformat
left a comment
There was a problem hiding this comment.
I won't have any time to dedicate for the coming weeks, hopefully someone can help fix the test_rest_activity_signature test case
|
Awesome! Seems to work like a charm and tests are green! Thanks @mediaformat ! |
3 participants
This PR implements http signatures and digests verification thereby preventing impersonation and other MITM attacks.
Features:
Tested:
Lemmyseems to not work at all. lemmy seem to have a allow list, that blocks any other instance.