Fix swarm interaction and reply identity verification

This commit is contained in:
cyph3rasi
2026-03-07 23:47:17 -08:00
parent 11b0ebb34a
commit c5984145dc
10 changed files with 28 additions and 53 deletions
+2
View File
@@ -133,6 +133,8 @@ export async function POST(request: Request) {
handle: user.handle,
displayName: user.displayName || user.handle,
avatarUrl: user.avatarUrl || undefined,
did: user.did,
publicKey: user.publicKey,
},
nodeDomain,
mediaUrls: attachedMedia.map(m => m.url),
@@ -13,7 +13,7 @@ import { NextRequest, NextResponse } from 'next/server';
import { db, users, notifications, remoteFollowers } from '@/db';
import { eq, and, sql } from 'drizzle-orm';
import { z } from 'zod';
import { verifyUserInteraction } from '@/lib/swarm/signature';
import { verifySwarmRequest } from '@/lib/swarm/signature';
import { localHandleSchema, nodeDomainSchema } from '@/lib/utils/federation';
const swarmFollowSchema = z.object({
@@ -46,12 +46,7 @@ export async function POST(request: NextRequest) {
// SECURITY: Verify the signature
const { signature, ...payload } = data;
const isValid = await verifyUserInteraction(
payload,
signature,
data.follow.followerHandle,
data.follow.followerNodeDomain
);
const isValid = await verifySwarmRequest(payload, signature, data.follow.followerNodeDomain);
if (!isValid) {
console.warn(`[Swarm] Invalid signature for follow from ${data.follow.followerHandle}@${data.follow.followerNodeDomain}`);
+2 -7
View File
@@ -10,7 +10,7 @@ import { NextRequest, NextResponse } from 'next/server';
import { db, posts, users, notifications, remoteLikes } from '@/db';
import { eq, and } from 'drizzle-orm';
import { z } from 'zod';
import { verifyUserInteraction } from '@/lib/swarm/signature';
import { verifySwarmRequest } from '@/lib/swarm/signature';
import { localHandleSchema, nodeDomainSchema } from '@/lib/utils/federation';
const swarmLikeSchema = z.object({
@@ -42,12 +42,7 @@ export async function POST(request: NextRequest) {
// SECURITY: Verify the signature
const { signature, ...payload } = data;
const isValid = await verifyUserInteraction(
payload,
signature,
data.like.actorHandle,
data.like.actorNodeDomain
);
const isValid = await verifySwarmRequest(payload, signature, data.like.actorNodeDomain);
if (!isValid) {
console.warn(`[Swarm] Invalid signature for like from ${data.like.actorHandle}@${data.like.actorNodeDomain}`);
@@ -10,7 +10,7 @@ import { NextRequest, NextResponse } from 'next/server';
import { db, users, notifications } from '@/db';
import { eq } from 'drizzle-orm';
import { z } from 'zod';
import { verifyUserInteraction } from '@/lib/swarm/signature';
import { verifySwarmRequest } from '@/lib/swarm/signature';
import { localHandleSchema, nodeDomainSchema } from '@/lib/utils/federation';
const swarmMentionSchema = z.object({
@@ -44,12 +44,7 @@ export async function POST(request: NextRequest) {
// SECURITY: Verify the signature
const { signature, ...payload } = data;
const isValid = await verifyUserInteraction(
payload,
signature,
data.mention.actorHandle,
data.mention.actorNodeDomain
);
const isValid = await verifySwarmRequest(payload, signature, data.mention.actorNodeDomain);
if (!isValid) {
console.warn(`[Swarm] Invalid signature for mention from ${data.mention.actorHandle}@${data.mention.actorNodeDomain}`);
@@ -10,7 +10,7 @@ import { NextRequest, NextResponse } from 'next/server';
import { db, posts, users, notifications } from '@/db';
import { eq, sql } from 'drizzle-orm';
import { z } from 'zod';
import { verifyUserInteraction } from '@/lib/swarm/signature';
import { verifySwarmRequest } from '@/lib/swarm/signature';
import { localHandleSchema, nodeDomainSchema } from '@/lib/utils/federation';
const swarmRepostSchema = z.object({
@@ -43,12 +43,7 @@ export async function POST(request: NextRequest) {
// SECURITY: Verify the signature
const { signature, ...payload } = data;
const isValid = await verifyUserInteraction(
payload,
signature,
data.repost.actorHandle,
data.repost.actorNodeDomain
);
const isValid = await verifySwarmRequest(payload, signature, data.repost.actorNodeDomain);
if (!isValid) {
console.warn(`[Swarm] Invalid signature for repost from ${data.repost.actorHandle}@${data.repost.actorNodeDomain}`);
@@ -10,7 +10,7 @@ import { NextRequest, NextResponse } from 'next/server';
import { db, users, remoteFollowers } from '@/db';
import { eq, and, sql } from 'drizzle-orm';
import { z } from 'zod';
import { verifyUserInteraction } from '@/lib/swarm/signature';
import { verifySwarmRequest } from '@/lib/swarm/signature';
import { localHandleSchema, nodeDomainSchema } from '@/lib/utils/federation';
const swarmUnfollowSchema = z.object({
@@ -40,12 +40,7 @@ export async function POST(request: NextRequest) {
// SECURITY: Verify the signature
const { signature, ...payload } = data;
const isValid = await verifyUserInteraction(
payload,
signature,
data.unfollow.followerHandle,
data.unfollow.followerNodeDomain
);
const isValid = await verifySwarmRequest(payload, signature, data.unfollow.followerNodeDomain);
if (!isValid) {
console.warn(`[Swarm] Invalid signature for unfollow from ${data.unfollow.followerHandle}@${data.unfollow.followerNodeDomain}`);
@@ -10,7 +10,7 @@ import { NextRequest, NextResponse } from 'next/server';
import { db, posts, remoteLikes } from '@/db';
import { eq, and } from 'drizzle-orm';
import { z } from 'zod';
import { verifyUserInteraction } from '@/lib/swarm/signature';
import { verifySwarmRequest } from '@/lib/swarm/signature';
import { localHandleSchema, nodeDomainSchema } from '@/lib/utils/federation';
const swarmUnlikeSchema = z.object({
@@ -40,12 +40,7 @@ export async function POST(request: NextRequest) {
// SECURITY: Verify the signature
const { signature, ...payload } = data;
const isValid = await verifyUserInteraction(
payload,
signature,
data.unlike.actorHandle,
data.unlike.actorNodeDomain
);
const isValid = await verifySwarmRequest(payload, signature, data.unlike.actorNodeDomain);
if (!isValid) {
console.warn(`[Swarm] Invalid signature for unlike from ${data.unlike.actorHandle}@${data.unlike.actorNodeDomain}`);
@@ -10,7 +10,7 @@ import { NextRequest, NextResponse } from 'next/server';
import { db, posts } from '@/db';
import { eq, sql } from 'drizzle-orm';
import { z } from 'zod';
import { verifyUserInteraction } from '@/lib/swarm/signature';
import { verifySwarmRequest } from '@/lib/swarm/signature';
import { localHandleSchema, nodeDomainSchema } from '@/lib/utils/federation';
const swarmUnrepostSchema = z.object({
@@ -40,12 +40,7 @@ export async function POST(request: NextRequest) {
// SECURITY: Verify the signature
const { signature, ...payload } = data;
const isValid = await verifyUserInteraction(
payload,
signature,
data.unrepost.actorHandle,
data.unrepost.actorNodeDomain
);
const isValid = await verifySwarmRequest(payload, signature, data.unrepost.actorNodeDomain);
if (!isValid) {
console.warn(`[Swarm] Invalid signature for unrepost from ${data.unrepost.actorHandle}@${data.unrepost.actorNodeDomain}`);
+4 -1
View File
@@ -23,6 +23,8 @@ const swarmReplySchema = z.object({
handle: z.string(),
displayName: z.string().optional().nullable(),
avatarUrl: z.string().optional(),
did: z.string().optional(),
publicKey: z.string().optional(),
}),
nodeDomain: z.string(),
mediaUrls: z.array(z.string()).optional(),
@@ -79,13 +81,14 @@ export async function POST(request: NextRequest) {
}
const remoteHandle = `${data.reply.author.handle}@${sourceDomain}`;
const remoteDid = `did:swarm:${sourceDomain}:${data.reply.author.handle}`;
const remoteDid = data.reply.author.did || `did:swarm:${sourceDomain}:${data.reply.author.handle}`;
await upsertRemoteUser({
handle: remoteHandle,
displayName: data.reply.author.displayName || data.reply.author.handle,
avatarUrl: data.reply.author.avatarUrl || null,
did: remoteDid,
publicKey: data.reply.author.publicKey,
});
const remoteUser = await db.query.users.findFirst({