Reject unconfirmed FASPs (#37926)

app/controllers/api/fasp/base_controller.rb

@@ -47,7 +47,7 @@ class Api::Fasp::BaseController < ApplicationController
     provider = nil
 
     Linzer.verify!(request.rack_request, no_older_than: 5.minutes) do |keyid|
-      provider = Fasp::Provider.find(keyid)
+      provider = Fasp::Provider.confirmed.find(keyid)
       Linzer.new_ed25519_public_key(provider.provider_public_key_pem, keyid)
     end
 

app/models/fasp/provider.rb

@@ -37,6 +37,7 @@ class Fasp::Provider < ApplicationRecord
   before_create :create_keypair
   after_commit :update_remote_capabilities
 
+  scope :confirmed, -> { where(confirmed: true) }
   scope :with_capability, lambda { |capability_name|
     where('fasp_providers.capabilities @> ?::jsonb', "[{\"id\": \"#{capability_name}\", \"enabled\": true}]")
   }

app/workers/fasp/base_worker.rb

@@ -8,7 +8,7 @@ class Fasp::BaseWorker
   private
 
   def with_provider(provider)
-    return unless provider.available?
+    return unless provider.confirmed? && provider.available?
 
     yield
   rescue *Mastodon::HTTP_CONNECTION_ERRORS