From 04fa6bef15716f477f81ce4702132fa28b8cf9ae Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Sat, 21 Oct 2023 22:39:03 +0200
Subject: [PATCH] [backend] Improved http signature verification checks

This fixes an edge case where federation with split domain instances could fail.
---
 packages/backend/src/remote/activitypub/check-fetch.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/packages/backend/src/remote/activitypub/check-fetch.ts b/packages/backend/src/remote/activitypub/check-fetch.ts
index b583a4d7e..96bc21495 100644
--- a/packages/backend/src/remote/activitypub/check-fetch.ts
+++ b/packages/backend/src/remote/activitypub/check-fetch.ts
@@ -81,8 +81,13 @@ export async function checkFetch(req: IncomingMessage): Promise {
 return 403;
 }
- // もう一回チェック
- if (authUser.user.host !== host) {
+ // Cannot authenticate against local user
+ if (authUser.user.uri === null || authUser.user.host === null) {
+ return 400;
+ }
+
+ // Check if keyId hostname matches actor hostname
+ if (toPuny(new URL(authUser.user.uri).hostname) !== host) {
 return 403;
 }
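Review bot: `new URL(authUser.user.uri)` in the added hostname check throws on a URI that does not parse, so a malformed stored actor URI would reject checkFetch's promise instead of yielding a status code. Because this comparison is the authorization decision for a signed fetch, it is safer to catch the parse error and deny with 403, as sketched below. The comparison also uses `hostname`, which drops any port, so it is only correct if `host` (computed above the hunk, not visible here) is derived from the keyId in the same way. A short comment stating that would help, e.g. `// host is the punycoded keyId hostname (no port); compare like with like`. checkFetch begins and ends outside the hunk.

```typescript
// … unchanged: null check on uri/host returning 400 …

// Check if keyId hostname matches actor hostname; fail closed if the stored URI does not parse
let actorHost: string;
try {
	actorHost = toPuny(new URL(authUser.user.uri).hostname);
} catch {
	return 403;
}
if (actorHost !== host) {
	return 403;
}
```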