
Use correct keyId with legacy fallback

Bookwyrm keyIds are at `userpath/#main-key`, however when signing AP objects we have claimed in the headers that the keyId is at `userpath#main-key`.
This is incorrect, and makes GoToSocial's strict checking break.
Simply updating the signatures to use the correct KeyId breaks legacy Bookwyrm's signature checks, because it assumes that the keyId path is the same as the user path plus a fragment.
This commit allows for either option, by sending the request a second time with the incorrect keyId if sending with the correct one causes an error.
Hugh Rundle 2023-04-11 15:45:06 +10:00
parent c9dcd4f7ad
commit 03f21b0f35
3 changed files with 18 additions and 4 deletions


@ -137,7 +137,8 @@ def has_valid_signature(request, activity):
return False
if signature.key_id != remote_user.key_pair.remote_id:
raise ValueError("Wrong actor created signature.")
if signature.key_id != f"{remote_user.remote_id}#main-key": # legacy Bookwyrm
raise ValueError("Wrong actor created signature.")
try:
signature.verify(remote_user.key_pair.public_key, request)
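
Review bot: The two `signature.key_id` comparisons in `has_valid_signature` need to be unambiguous about accepting either form. As rendered here, the check against `remote_user.key_pair.remote_id` and the legacy check against `f"{remote_user.remote_id}#main-key"` read as consecutive tests that each raise, and run that way a signature is rejected unless its key_id equals both values, which cannot happen when the stored key id is `userpath/#main-key`. If the legacy test is meant to be nested under the first, a single condition such as `if signature.key_id not in (remote_user.key_pair.remote_id, f"{remote_user.remote_id}#main-key"):` states the intent directly and keeps one `raise ValueError("Wrong actor created signature.")`. It would also help to extend the `# legacy Bookwyrm` comment to say that the fallback only widens which keyId string is accepted, since verification still uses `remote_user.key_pair.public_key`, and to note when the legacy branch can be dropped.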