From a3e1a666b876e0b3ccbb5284dd826c8c90c113b4 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 19 Jan 2024 11:43:21 -0500
Subject: [PATCH] fix: automatically reject unsigned POSTs to inbox
---
 src/activitypub/index.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/activitypub/index.js b/src/activitypub/index.js
index d738553bde..791472456e 100644
--- a/src/activitypub/index.js
+++ b/src/activitypub/index.js
@@ -138,6 +138,10 @@ ActivityPub.sign = async (uid, url, payload) => {
 };
 ActivityPub.verify = async (req) => {
+ if (!req.headers.hasOwnProperty('signature')) {
+ return false;
+ }
+
 // Break the signature apart
 const { keyId, headers, signature } = req.headers.signature.split(',').reduce((memo, cur) => {
 const split = cur.split('="');
@@ -181,6 +185,7 @@ ActivityPub.get = async (uid, uri) => {
 const headers = uid > 0 ? await ActivityPub.sign(uid, uri) : {};
 winston.verbose(`[activitypub/get] ${uri}`);
+ console.log(headers);
 const { response, body } = await request.get(uri, {
 headers: {
 ...headers,
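Review bot: The new guard at the top of `ActivityPub.verify` (first hunk) only rejects a request with no `signature` header at all; a header that is present but empty, or that lacks one of the `keyId`, `headers` or `signature` parts, still reaches the `split(',').reduce(...)` destructuring right below it. The rest of the function is outside the hunk, so whether undefined parts are rejected later cannot be confirmed from here; an explicit `if (!keyId || !headers || !signature) { return false; }` after the destructuring would make the fail-closed behaviour visible. The check also calls `hasOwnProperty` through the request object, which ESLint's `no-prototype-builtins` flags; `if (typeof req.headers.signature !== 'string' || !req.headers.signature) { return false; }` covers both the missing and the empty case without relying on the object's prototype.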
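Review bot: `console.log(headers)` in the `ActivityPub.get` hunk looks like a debugging leftover unrelated to the stated fix. It writes whatever `ActivityPub.sign` returned (presumably the signed request headers) to stdout on every outbound fetch made with `uid > 0`, bypassing the winston log level that the `winston.verbose` call on the line above respects. Signature material should not land in process logs by default; drop the line, or log only the header names at verbose level, e.g. `winston.verbose('[activitypub/get] signed headers: ' + Object.keys(headers).join(', '));`. The body of `ActivityPub.get` continues outside the hunk.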