Issue 14692: Prevent loops with remote servers

src/Util/HTTPSignature.php

@@ -604,13 +604,14 @@ class HTTPSignature
 	/**
 	 * Gets a signer from a given HTTP request
 	 *
-	 * @param string $content
-	 * @param array $http_headers
+	 * @param string   $content
+	 * @param array    $http_headers
+	 * @param ?boolean $update true = always update, false = never update, null = update when not found or outdated
 	 *
 	 * @return string|null|false Signer
 	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
 	 */
-	public static function getSigner(string $content, array $http_headers)
+	public static function getSigner(string $content, array $http_headers, bool $update = null)
 	{
 		if (empty($http_headers['HTTP_SIGNATURE'])) {
 			DI::logger()->debug('No HTTP_SIGNATURE header');
@@ -700,7 +701,7 @@ class HTTPSignature
 			return false;
 		}
 
-		$key = self::fetchKey($sig_block['keyId'], $actor);
+		$key = self::fetchKey($sig_block['keyId'], $actor, $update);
 		if (empty($key)) {
 			DI::logger()->info('Empty key');
 			return false;
@@ -802,17 +803,18 @@ class HTTPSignature
 	/**
 	 * fetches a key for a given id and actor
 	 *
-	 * @param string $id
-	 * @param string $actor
+	 * @param string   $id
+	 * @param string   $actor
+	 * @param ?boolean $update true = always update, false = never update, null = update when not found or outdated
 	 *
 	 * @return array with actor url and public key
 	 * @throws \Exception
 	 */
-	private static function fetchKey(string $id, string $actor): array
+	private static function fetchKey(string $id, string $actor, bool $update = null): array
 	{
 		$url = (strpos($id, '#') ? substr($id, 0, strpos($id, '#')) : $id);
 
-		$profile = APContact::getByURL($url);
+		$profile = APContact::getByURL($url, $update);
 		if (!empty($profile)) {
 			DI::logger()->info('Taking key from id', ['id' => $id]);
 			return ['url' => $url, 'pubkey' => $profile['pubkey'], 'type' => $profile['type']];