From 373a37845274e22e3719100953e882934affb975 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Mon, 18 May 2020 18:26:00 -0700
Subject: [PATCH] Verify that the remote user is who they say they
---
 fedireads/incoming.py | 1 +
 fedireads/remote_user.py | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/fedireads/incoming.py b/fedireads/incoming.py
index 5e5a457e..6ca51d0e 100644
--- a/fedireads/incoming.py
+++ b/fedireads/incoming.py
@@ -90,6 +90,7 @@ def shared_inbox(request):
 def get_public_key(key_actor):
+ ''' try a stored key or load it from remote '''
 try:
 user = models.User.objects.get(remote_id=key_actor)
 public_key = user.public_key
diff --git a/fedireads/remote_user.py b/fedireads/remote_user.py
index 955f6bfb..1a3a65e1 100644
--- a/fedireads/remote_user.py
+++ b/fedireads/remote_user.py
@@ -26,6 +26,9 @@ def get_or_create_remote_user(actor):
 response.raise_for_status()
 data = response.json()
+ # make sure our actor is who they say they are
+ assert actor == data['id']
+
 actor_parts = urlparse(actor)
 with transaction.atomic():
 user = create_remote_user(data)
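Review bot: The identity check added in the remote_user.py hunk is an `assert`, which Python removes when the interpreter runs with `-O` (or `PYTHONOPTIMIZE`), so in an optimized deployment the comparison between the requested actor and the fetched document's `id` silently disappears and a mismatched actor document would be accepted and stored. A response that lacks an `id` key also surfaces as a bare `KeyError` rather than as a verification failure, which makes the rejection hard to tell apart from an ordinary parsing bug. An explicit check keeps the guard unconditional: `if data.get('id') != actor:` followed by `raise ValueError('actor id mismatch: %r != %r' % (actor, data.get('id')))`, using whatever exception type the inbox caller already handles if there is one. get_or_create_remote_user begins before the hunk, so the caller's handling of this failure is not visible here.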