Verify that the remote user is who they say they

2020-05-18 18:26:00 -07:00
parent 1b48ca2f85
commit 373a378452
2 changed files with 4 additions and 0 deletions
--- a/fedireads/remote_user.py
+++ b/fedireads/remote_user.py
@ -26,6 +26,9 @@ def get_or_create_remote_user(actor):
        response.raise_for_status()
    data = response.json()

+    # make sure our actor is who they say they are
+    assert actor == data['id']
+
    actor_parts = urlparse(actor)
    with transaction.atomic():
        user = create_remote_user(data)