-rw-r--r--Database.go15
-rw-r--r--OutboxPost.go32
-rw-r--r--main.go70
-rw-r--r--verification.go23
4 files changed, 100 insertions, 40 deletions
diff --git a/Database.go b/Database.go
index ac9ee27..80f62fe 100644
--- a/Database.go
+++ b/Database.go
@@ -78,6 +78,12 @@ func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{
CreateVerification(db, verify)
+ verify.Identifier = actor.Id
+ verify.Code = CreateKey(50)
+ verify.Type = "post"
+
+ CreateVerification(db, verify)
+
var nverify Verify
nverify.Board = actor.Id
nverify.Identifier = "admin"
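Review bot: The value assigned in `verify.Code = CreateKey(50)` becomes the secret behind the federation Authorization token, but CreateKey's random source is not visible in this diff and main.go imports `math/rand`. If CreateKey draws from math/rand, the code is predictable and should come from crypto/rand instead. A short comment above the assignment, e.g. `// "post" code: secret used to authenticate this board's outgoing activities`, would also explain why a second verification row is created. CreateNewBoardDB starts and ends outside the hunk.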
@@ -87,7 +93,12 @@ func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{
nverify.Board = actor.Id
nverify.Identifier = "janitor"
nverify.Type = "janitor"
- CreateBoardMod(db, nverify)
+ CreateBoardMod(db, nverify)
+
+ nverify.Board = actor.Id
+ nverify.Identifier = "post"
+ nverify.Type = "post"
+ CreateBoardMod(db, nverify)
if actor.Name != "main" {
var nActor Actor
@@ -106,7 +117,7 @@ func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{
response := AcceptFollow(nActivity)
SetActorFollowingDB(db, response)
- MakeActivityRequest(nActivity)
+ MakeActivityRequest(db, nActivity)
}
}
diff --git a/OutboxPost.go b/OutboxPost.go
index 9b10ab7..aae2d45 100644
--- a/OutboxPost.go
+++ b/OutboxPost.go
@@ -50,7 +50,7 @@ func ParseOutboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
nObj = writeObjectToDB(db, nObj)
activity := CreateActivity("Create", nObj)
activity = AddFollowersToActivity(db, activity)
- MakeActivityRequest(activity)
+ MakeActivityRequest(db, activity)
var id string
op := len(nObj.InReplyTo) - 1
@@ -107,7 +107,7 @@ func ParseOutboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
if validActor && validLocalActor && verification.Board == activity.Actor.Id || verification.Board == Domain {
rActivity = AcceptFollow(activity)
SetActorFollowingDB(db, rActivity)
- MakeActivityRequest(activity)
+ MakeActivityRequest(db, activity)
}
w.Write([]byte(""))
@@ -503,11 +503,15 @@ func CheckCaptcha(db *sql.DB, captcha string) bool {
func ParseInboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
activity := GetActivityFromJson(r, db)
+
+ header := r.Header.Get("Authorization")
+
+ auth := strings.Split(header, " ")
switch(activity.Type) {
case "Create":
for _, e := range activity.To {
if IsActorLocal(db, e) {
- if !IsActorLocal(db, activity.Actor.Id) {
+ if !IsActorLocal(db, activity.Actor.Id) && len(auth) > 1 && RemoteActorHasAuth(activity.Actor.Id, auth[1]){
WriteObjectToCache(db, *activity.Object)
}
}
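Review bot: The new Authorization check guards only the `Create` branch; the Follow handling visible in the next hunk still calls AcceptFollow and SetActorFollowerDB with no equivalent check, so those paths appear to stay open to an unauthenticated sender (the code between the hunks is not shown, so confirm). The scheme word is never inspected, since `len(auth) > 1` accepts any first token; consider `len(auth) == 2 && auth[0] == "Basic"`. When the check fails the object is dropped silently, and answering with 401 would make rejected deliveries diagnosable. ParseInboxRequest continues outside the hunk.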
@@ -532,11 +536,11 @@ func ParseInboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
if GetActorFromDB(db, e).Id != "" {
response := AcceptFollow(activity)
response = SetActorFollowerDB(db, response)
- MakeActivityRequest(response)
+ MakeActivityRequest(db, response)
} else {
fmt.Println("follow request for rejected")
response := RejectFollow(activity)
- MakeActivityRequest(response)
+ MakeActivityRequest(db, response)
}
}
break
@@ -571,3 +575,21 @@ func MakeActivityFollowingReq(w http.ResponseWriter, r *http.Request, activity A
return false
}
+
+func RemoteActorHasAuth(actor string, code string) bool {
+ req, err := http.NewRequest("GET", actor + "/verification&code=" + code, nil)
+
+ CheckError(err, "could not make remote actor auth req")
+
+ resp, err := http.DefaultClient.Do(req)
+
+ CheckError(err, "could not make remote actor auth resp")
+
+ defer resp.Body.Close()
+
+ if resp.StatusCode == 200 {
+ return true
+ }
+
+ return false
+}
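Review bot: On a transport error `http.DefaultClient.Do` returns a nil response, and unless CheckError aborts, `defer resp.Body.Close()` then dereferences it; both error paths should return false. The URL is built as `actor + "/verification&code=" + code`, which puts the code in the path rather than the query string, so the handler's `r.FormValue("code")` in main.go would not see it as far as this diff shows, and the value is not escaped. `actor` is the sender-supplied Actor.Id, so this is an outbound request to a caller-chosen URL through http.DefaultClient, which has no timeout; a client with a timeout and a check of the URL's scheme and host would bound that. The rewrite below needs `net/url` imported in OutboxPost.go, whose import block is not shown.

```go
func RemoteActorHasAuth(actor string, code string) bool {
	// The code goes in the query string, escaped, so r.FormValue("code") can read it.
	req, err := http.NewRequest("GET", actor+"/verification?code="+url.QueryEscape(code), nil)
	if err != nil {
		CheckError(err, "could not make remote actor auth req")
		return false
	}

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		// resp is nil here; fail closed instead of dereferencing it.
		CheckError(err, "could not make remote actor auth resp")
		return false
	}
	defer resp.Body.Close()

	return resp.StatusCode == http.StatusOK
}
```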
diff --git a/main.go b/main.go
index 551fce9..f6ed5f0 100644
--- a/main.go
+++ b/main.go
@@ -4,7 +4,6 @@ import "fmt"
import "strings"
import "strconv"
import "net/http"
-import "net/url"
import "database/sql"
import _ "github.com/lib/pq"
import "math/rand"
@@ -225,35 +224,28 @@ func main() {
}
if actorVerification {
- if method == "POST" {
- p, _ := url.ParseQuery(r.URL.RawQuery)
- if len(p["email"]) > 0 {
- email := p["email"][0]
- verify := GetVerificationByEmail(db, email)
- if verify.Identifier != "" || !IsEmailSetup() {
- w.WriteHeader(http.StatusForbidden)
- w.Write([]byte("400 no path"))
- } else {
- var nVerify Verify
- nVerify.Type = "email"
- nVerify.Identifier = email
- nVerify.Code = CreateKey(32)
- nVerify.Board = actor.Id
- CreateVerification(db, nVerify)
- SendVerification(nVerify)
- w.WriteHeader(http.StatusCreated)
- w.Write([]byte("Verification added"))
- }
+ r.ParseForm()
- } else {
- w.WriteHeader(http.StatusForbidden)
- w.Write([]byte("400 no path"))
- }
+ code := r.FormValue("code")
+
+ var verify Verify
+
+ verify.Board = actor.Id
+ verify.Identifier = "post"
+
+ verify = GetVerificationCode(db, verify)
+
+ auth := CreateTripCode(verify.Code)
+ auth = CreateTripCode(auth)
+
+
+ if CreateTripCode(auth) == code {
+ w.WriteHeader(http.StatusOK)
} else {
- w.WriteHeader(http.StatusForbidden)
- w.Write([]byte("400 no path"))
+ w.WriteHeader(http.StatusUnauthorized)
}
- return
+
+ w.Write([]byte(""))
}
//catch all
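Review bot: The comparison `CreateTripCode(auth) == code` applies CreateTripCode three times to the stored code, while MakeActivityRequest in this same commit sends the value after two applications and RemoteActorHasAuth forwards it unchanged, so as far as this diff shows the two sides cannot match. Either compare `auth == code` here or hash once more on the sending side. The removed branch ended in `return` and the new one does not, so execution falls through to the `//catch all` code after a status has already been written; add `return` after `w.Write([]byte(""))`. For the secret comparison itself, `subtle.ConstantTimeCompare` is preferable to `==`. The enclosing handler in main starts and ends outside the hunk.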
@@ -344,7 +336,7 @@ func main() {
CheckError(err, "error with post form req")
req.Header.Set("Content-Type", we.FormDataContentType())
- req.Header.Set("Authorization", "basic: " + *Key)
+ req.Header.Set("Authorization", "Basic " + *Key)
resp, err := http.DefaultClient.Do(req)
@@ -1595,9 +1587,20 @@ func GetActorReported(w http.ResponseWriter, r *http.Request, db *sql.DB, id str
w.Write(enc)
}
-func MakeActivityRequest(activity Activity) {
+func MakeActivityRequest(db *sql.DB, activity Activity) {
j, _ := json.MarshalIndent(activity, "", "\t")
+
+ var verify Verify
+
+ verify.Board = activity.Actor.Id
+ verify.Identifier = "post"
+
+ verify = GetVerificationCode(db, verify)
+
+ auth := CreateTripCode(verify.Code)
+
+ auth = CreateTripCode(auth)
for _, e := range activity.To {
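Review bot: The token built here is identical for every activity and is sent to every recipient inbox, so any server that has received one activity from this board holds a value that would be accepted as this board's Authorization elsewhere. Nothing binds the header to the request body, the recipient or a time window. At minimum document this above the block (`// NOTE: static bearer value shared with every recipient; not bound to body or recipient`); a per-request signature over the body and target would remove the replay exposure. The result of GetVerificationCode is also used without checking that a row was found, so a board with no "post" entry sends the hash of an empty code. The function body continues outside the hunk.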
@@ -1605,8 +1608,9 @@ func MakeActivityRequest(activity Activity) {
if actor.Inbox != "" {
req, err := http.NewRequest("POST", actor.Inbox, bytes.NewBuffer(j))
-
- req.Header.Set("Content-Type", activitystreams)
+
+ req.Header.Set("Content-Type", activitystreams)
+ req.Header.Set("Authorization", "Basic " + auth)
CheckError(err, "error with sending activity req to")
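Review bot: Both `req.Header.Set` calls run before `CheckError(err, ...)`, so a malformed `actor.Inbox` (a value that comes from remote actor data) makes http.NewRequest return a nil request and the first Set dereferences it. Check the error first and skip that recipient, e.g. `if err != nil { CheckError(err, "error with sending activity req to"); continue }`, assuming this code sits inside the loop over `activity.To` that begins in the previous hunk. The Authorization header is also attached whatever scheme the inbox URL uses, so over plain http the token travels in clear text.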
@@ -1748,7 +1752,7 @@ func DeleteObjectRequest(db *sql.DB, id string) {
activity.To = append(activity.To, e.Id)
}
- MakeActivityRequest(activity)
+ MakeActivityRequest(db, activity)
}
func DeleteObjectAndRepliesRequest(db *sql.DB, id string) {
@@ -1764,7 +1768,7 @@ func DeleteObjectAndRepliesRequest(db *sql.DB, id string) {
activity.To = append(activity.To, e.Id)
}
- MakeActivityRequest(activity)
+ MakeActivityRequest(db, activity)
}
func ResizeAttachmentToPreview(db *sql.DB) {
diff --git a/verification.go b/verification.go
index b1ebe13..e0d94b8 100644
--- a/verification.go
+++ b/verification.go
@@ -170,6 +170,29 @@ func GetVerificationByCode(db *sql.DB, code string) Verify {
return verify
}
+func GetVerificationCode(db *sql.DB, verify Verify) Verify {
+ var nVerify Verify
+
+ query := `select type, identifier, code, board from boardaccess where identifier=$1 and board=$2`
+
+ rows, err := db.Query(query, verify.Identifier, verify.Board)
+
+ defer rows.Close()
+
+ if err != nil {
+ CheckError(err, "error getting verify by code query")
+ return verify
+ }
+
+ for rows.Next() {
+ err := rows.Scan(&nVerify.Type, &nVerify.Identifier, &nVerify.Code, &nVerify.Board)
+
+ CheckError(err, "error getting verify by code scan")
+ }
+
+ return verify
+}
+
func VerifyCooldownCurrent(db *sql.DB, auth string) VerifyCooldown {
var current VerifyCooldown
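Review bot: GetVerificationCode scans the row into `nVerify` but ends with `return verify`, so callers always get back their input struct, whose Code is empty. Both the sender (MakeActivityRequest) and the verification handler in main.go then hash an empty string, which makes the Authorization value a constant anyone can compute rather than a per-board secret. Change the final line to `return nVerify`. `defer rows.Close()` is also registered before the `err` check; on a failed query `rows` is nil and the deferred Close panics, so move the defer below the `if err != nil` block.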