incoming AP: allow missing HTTP Sig when DEBUG is on

2023-06-27 22:31:48 -07:00 · 2023-06-27 22:31:48 -07:00 · 44fee79838
commit 44fee79838
--- a/activitypub.py
+++ b/activitypub.py
@ -11,7 +11,7 @@ from granary import as1, as2
 from httpsig import HeaderVerifier
 from httpsig.requests_auth import HTTPSignatureAuth
 from httpsig.utils import parse_signature_header
-from oauth_dropins.webutil import flask_util, util
+from oauth_dropins.webutil import appengine_info, flask_util, util
 from oauth_dropins.webutil.util import fragmentless, json_dumps, json_loads
 import requests
 from werkzeug.exceptions import BadGateway
@ -267,6 +267,9 @@ class ActivityPub(User, Protocol):
        headers = dict(request.headers)  # copy so we can modify below
        sig = headers.get('Signature')
        if not sig:
+            if appengine_info.DEBUG:
+                logging.info('No HTTP Signature, allowing due to DEBUG=true')
+                return
            error('No HTTP Signature', status=401)

        logger.info('Verifying HTTP Signature')
--- a/tests/test_activitypub.py
+++ b/tests/test_activitypub.py
@ -1017,6 +1017,7 @@ class ActivityPubTest(TestCase):

    @patch('activitypub.logger.info', side_effect=logging.info)
    @patch('common.logger.info', side_effect=logging.info)
+    @patch('oauth_dropins.webutil.appengine_info.DEBUG', False)
    def test_inbox_verify_http_signature(self, mock_common_log, mock_activitypub_log,
                                         _, mock_get, ___):
        # actor with a public key