[bugfix] Ensure activities sender always = activities actor (#2608)

2025-06-05 21:59:39 +02:00 · 2024-02-06 12:59:37 +01:00
parent aa396c78d3
commit b6fe8e7a5b
6 changed files with 147 additions and 15 deletions
--- a/internal/federation/authenticate.go
+++ b/internal/federation/authenticate.go
@@ -214,6 +214,17 @@ func (f *Federator) AuthenticateFederatedRequest(ctx context.Context, requestedU
 			err := gtserror.Newf("error dereferencing account %s: %w", pubKeyAuth.OwnerURI, err)
 			return nil, gtserror.NewErrorInternalError(err)
 		}
+
+		// Catch a possible (but very rare) race condition where
+		// we've fetched a key, then fetched the Actor who owns the
+		// key, but the Key of the Actor has changed in the meantime.
+		if !pubKeyAuth.Owner.PublicKey.Equal(pubKeyAuth.FetchedPubKey) {
+			err := gtserror.Newf(
+				"key mismatch: fetched key %s does not match pubkey of fetched Actor %s",
+				pubKeyID, pubKeyAuth.Owner.URI,
+			)
+			return nil, gtserror.NewErrorUnauthorized(err)
+		}
 	}

 	if !pubKeyAuth.Owner.SuspendedAt.IsZero() {