From 0fa082d4e14a687565d16e089bae3dfa83466af3 Mon Sep 17 00:00:00 2001
From: Anirudh Oppiliappan <anirudh@tangled.sh>
Date: Tue, 12 Aug 2025 21:59:44 +0300
Subject: [PATCH] knotserver: filter by known dids in processPublicKey
Change-Id: wzlvlnywrxrsovvktzzqmtowkvkrmkzp

Must've been removed by accident.

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.sh>
---
 knotserver/ingester.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/knotserver/ingester.go b/knotserver/ingester.go
index 1f1cc218..6ce0b13b 100644
--- a/knotserver/ingester.go
+++ b/knotserver/ingester.go
@@ -27,6 +27,19 @@ import (
 
 func (h *Handle) processPublicKey(ctx context.Context, did string, record tangled.PublicKey) error {
 	l := log.FromContext(ctx)
+
+	allDids, err := h.db.GetAllDids()
+	if err != nil {
+		return err
+	}
+
+	// only process public keys from known DIDs
+	if !slices.Contains(allDids, did) {
+		reason := "not a known did"
+		l.Info("rejecting public key record", "reason", reason, "did", did)
+		return fmt.Errorf("rejected public key record: %s, %s", reason, did)
+	}
+
 	pk := db.PublicKey{
 		Did:       did,
 		PublicKey: record,
-- 
2.43.0