From 328485b55f4200fe6cbb91a83cbbd43ddd170914 Mon Sep 17 00:00:00 2001
From: Sven Sauleau
Date: Mon, 6 Feb 2023 15:38:59 +0000
Subject: [PATCH] inbox return 401 when signature fails to verify
---
 functions/ap/users/[id]/inbox.ts | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/functions/ap/users/[id]/inbox.ts b/functions/ap/users/[id]/inbox.ts
index f78eb38..ff6bfa9 100644
--- a/functions/ap/users/[id]/inbox.ts
+++ b/functions/ap/users/[id]/inbox.ts
@@ -12,14 +12,19 @@ import { fetchKey, verifySignature } from 'wildebeest/backend/src/utils/httpsigj
 import { generateDigestHeader } from 'wildebeest/backend/src/utils/http-signing-cavage'
 export const onRequest: PagesFunction = async ({ params, request, env }) => {
- const parsedSignature = parseRequest(request)
- const pubKey = await fetchKey(parsedSignature)
- if (pubKey === null) {
- return new Response('signature key not found', { status: 401 })
- }
- const valid = await verifySignature(parsedSignature, pubKey)
- if (!valid) {
- return new Response('invalid signature', { status: 401 })
+ try {
+ const parsedSignature = parseRequest(request)
+ const pubKey = await fetchKey(parsedSignature)
+ if (pubKey === null) {
+ return new Response('signature key not found', { status: 401 })
+ }
+ const valid = await verifySignature(parsedSignature, pubKey)
+ if (!valid) {
+ return new Response('invalid signature', { status: 401 })
+ }
+ } catch (err: unknown) {
+ console.warn((err as any).stack)
+ return new Response('signature verification failed', { status: 401 })
 }
 const body = await request.text()
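Review bot: The new catch block logs `(err as any).stack`, which prints `undefined` and loses the error whenever the thrown value is not an Error; `console.warn(err instanceof Error ? err.stack : String(err))` narrows the `unknown` instead of casting it away and always leaves a record. The same block maps every exception to a 401, so a failure inside `fetchKey` (presumably a remote key lookup) looks the same as a malformed or forged signature, both to the sender and in the logs. Failing closed is the right default here, but a short comment saying that is deliberate, or a distinct log message for key-fetch errors, would help anyone debugging rejected deliveries. Since this code runs before the request is authenticated, a full stack is written for every rejected request, so logging only the message may be enough. The body of onRequest continues outside the hunk.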