Skip to content

Align HTTP signature validation with Hub spec#100

Merged
RebelliousSmile merged 1 commit into
mainfrom
claude/hub-signature-validation-2ebzne
Jul 7, 2026
Merged

Align HTTP signature validation with Hub spec#100
RebelliousSmile merged 1 commit into
mainfrom
claude/hub-signature-validation-2ebzne

Conversation

@RebelliousSmile

Copy link
Copy Markdown
Owner

Point 3 (SSRF guard):

  • Block reserved, multicast, and unspecified IP ranges in _is_blocked_ip
    (in addition to private/loopback/link-local).
  • Require https for actor fetches by default; plain http is only allowed
    when AP_ALLOW_INSECURE_HTTP is set (enabled in development).
  • Make follow_redirects=False explicit on the httpx client.

Point 5 (accepted algorithms):

  • Accept hs2019 alongside rsa-sha256; with an RSA key both denote the same
    RSA-PKCS1v15/SHA-256 signature (hs2019 is Mastodon's advertised default),
    so they verify identically.

Adds tests covering hs2019 acceptance, unknown-algorithm rejection, the new
blocked IP ranges, and https-only enforcement.

Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_01QrWgMrRyfByCYafRwaYW6a

Point 3 (SSRF guard):
- Block reserved, multicast, and unspecified IP ranges in _is_blocked_ip
  (in addition to private/loopback/link-local).
- Require https for actor fetches by default; plain http is only allowed
  when AP_ALLOW_INSECURE_HTTP is set (enabled in development).
- Make follow_redirects=False explicit on the httpx client.

Point 5 (accepted algorithms):
- Accept hs2019 alongside rsa-sha256; with an RSA key both denote the same
  RSA-PKCS1v15/SHA-256 signature (hs2019 is Mastodon's advertised default),
  so they verify identically.

Adds tests covering hs2019 acceptance, unknown-algorithm rejection, the new
blocked IP ranges, and https-only enforcement.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QrWgMrRyfByCYafRwaYW6a
@RebelliousSmile
RebelliousSmile merged commit 6b8cdc4 into main Jul 7, 2026
1 check failed
@RebelliousSmile
RebelliousSmile deleted the claude/hub-signature-validation-2ebzne branch July 7, 2026 10:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants