From 642babad94461497c705072a8f701a76c326e524 Mon Sep 17 00:00:00 2001
From: lesion
Date: Mon, 20 Jan 2025 17:05:28 +0100
Subject: [PATCH] fix: do not verify AP /inbox POST for wrong actor
---
 server/federation/helpers.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/server/federation/helpers.js b/server/federation/helpers.js
index 3b6a3b38..7cf99e95 100644
--- a/server/federation/helpers.js
+++ b/server/federation/helpers.js
@@ -1,3 +1,4 @@
+const escape = require('lodash/escape')
 const axios = require('axios')
 const crypto = require('crypto')
 const config = require('../config')
@@ -495,9 +496,19 @@ const Helpers = {
 */
 async verifySignature (req, res, next) {
+ const name = req.params.name
 const actor_url = req?.body?.actor
- const isDelete = req?.body?.type === 'Delete'
+ const settings = settingsController.settings
+
+ if (!name) {
+ log.info('[AP] Bad /inbox request')
+ return res.status(400).send('Bad request.')
+ }
+ if (name !== settings.instance_name) {
+ log.info(`[FEDI] No record found for ${name} (applicationActor is ${settings.instance_name})`)
+ return res.status(404).send(`No record found for ${escape(name)}`)
+ }
 // do we have an actor?
 if (!actor_url) {
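Review bot: The `log.info` call in the `name !== settings.instance_name` branch writes `req.params.name` into the log unmodified, although the 404 body right after it passes the same value through `escape()`. The check runs at the top of `verifySignature`, before the actor lookup that follows, so the value comes from a request that has not been authenticated yet; Express route parameters arrive percent-decoded, so a name carrying line breaks or control characters could split or forge log entries (whether the logger transport filters them is not visible in this hunk). Logging `${JSON.stringify(name)}` in place of `${name}` keeps the entry on one line and makes odd input obvious. The two new messages also use different tags, `[AP]` and `[FEDI]`; one tag for both rejections keeps log filtering simple. The body of `verifySignature` continues past the end of the hunk.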