3 files changed, 24 insertions, 14 deletions

diff --git a/src/main/java/com/juick/server/SignatureManager.java b/src/main/java/com/juick/server/SignatureManager.java
index b3b7a301..26e482ad 100644
--- a/src/main/java/com/juick/server/SignatureManager.java
+++ b/src/main/java/com/juick/server/SignatureManager.java
@@ -1,11 +1,14 @@
 package com.juick.server;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.juick.User;
 import com.juick.server.api.activity.model.Context;
 import com.juick.server.api.activity.model.objects.Person;
 import com.juick.server.api.webfinger.model.Account;
 import com.juick.server.api.webfinger.model.Link;
+import com.juick.service.UserService;
 import com.juick.util.DateFormattersHolder;
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.ApplicationEventPublisher;
@@ -41,7 +44,7 @@ public class SignatureManager {
     @Inject
     private ObjectMapper jsonMapper;
     @Inject
-    private ApplicationEventPublisher applicationEventPublisher;
+    private UserService userService;
     @Inject
     private RestTemplate apClient;
 
@@ -70,23 +73,28 @@ public class SignatureManager {
         logger.info("accepted follower: {}", response.getStatusCodeValue());
 
     }
-    public boolean verifySignature(String signatureString, URI actor, String method, String path, Map<String, String> headers) {
-        Optional<Context> context = getContext(actor);
+    public User verifySignature(String method, String path, Map<String, String> headers) throws IOException {
+        Signature signature = Signature.fromString(headers.get("signature"));
+        Optional<Context> context = getContext(URI.create(signature.getKeyId()));
         if (context.isPresent() && context.get() instanceof Person) {
             Person person = (Person) context.get();
             Key key = KeystoreManager.publicKeyOf(person);
-            Verifier verifier = new Verifier(key, Signature.fromString(signatureString));
+
+            Verifier verifier = new Verifier(key, signature);
             try {
                 boolean result = verifier.verify(method, path, headers);
                 logger.info("signature is valid: {}", result);
-                return result;
+                User user = new User();
+                user.setUri(URI.create(person.getId()));
+                if (key.equals(keystoreManager.getPublicKey())) {
+                    return userService.getUserByName(person.getName());
+                }
+                return user;
             } catch (NoSuchAlgorithmException | SignatureException | IOException e) {
-                logger.info("signature exception", e);
-                return false;
+                throw new IOException("Invalid signature");
             }
         }
-        logger.info("person not found");
-        return false;
+        throw new IOException("Person not found");
     }
     public Optional<Context> getContext(URI contextUri) {
         Context context = apClient.getForEntity(contextUri, Context.class).getBody();
diff --git a/src/main/java/com/juick/server/api/activity/Profile.java b/src/main/java/com/juick/server/api/activity/Profile.java
index 305b7c4a..2614cded 100644
--- a/src/main/java/com/juick/server/api/activity/Profile.java
+++ b/src/main/java/com/juick/server/api/activity/Profile.java
@@ -268,9 +268,10 @@ public class Profile {
         headers.put("content-type", contentType);
         headers.put("user-agent", userAgent);
         headers.put("accept-encoding", acceptEncoding);
-        boolean valid = signatureManager.verifySignature(signature, URI.create(activity.getActor()), "POST",
+        headers.put("signature", signature);
+        User signedUser = signatureManager.verifySignature( "POST",
                 componentsBuilder.getPath(), headers);
-        if (valid) {
+        if ((StringUtils.isNotEmpty(signedUser.getUri().toString()) && signedUser.getUri().equals(URI.create(activity.getActor()))) || !signedUser.isAnonymous()) {
             if (activity instanceof Follow) {
                 Follow followRequest = (Follow) activity;
                 String actor = followRequest.getActor();
diff --git a/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java b/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
index 9215d09a..2fd5a2a7 100644
--- a/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
+++ b/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
@@ -30,6 +30,7 @@ import org.springframework.util.Assert;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.util.WebUtils;
 
+import javax.annotation.Nonnull;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
@@ -59,9 +60,9 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
 
     @Override
     protected void doFilterInternal(
-            HttpServletRequest request,
-            HttpServletResponse response,
-            FilterChain filterChain) throws ServletException, IOException {
+            @Nonnull HttpServletRequest request,
+            @Nonnull HttpServletResponse response,
+            @Nonnull FilterChain filterChain) throws ServletException, IOException {
 
         String hash = getHashFromRequest(request);