From f70d837258c35936a7e56e821c2728d597df92cb Mon Sep 17 00:00:00 2001
From: Jason Volk <jason@zemos.net>
Date: Thu, 27 Apr 2023 12:31:11 -0700
Subject: [PATCH] modules/client/keys/claim: Enforce remote authority over
 results; relax log level.

---
 modules/client/keys/claim.cc | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/modules/client/keys/claim.cc b/modules/client/keys/claim.cc
index e957bb9b2..c1113b4d4 100644
--- a/modules/client/keys/claim.cc
+++ b/modules/client/keys/claim.cc
@@ -154,7 +154,7 @@ post__keys_claim(client &client,
 
 	recv_responses(queries, failures, top, timeout);
 	handle_failures(failures, top);
-	return {};
+	return response;
 }
 
 void
@@ -223,14 +223,22 @@ try
 	};
 
 	for(const auto &[user_id, keys] : one_time_keys)
+	{
+		if(m::user::id(user_id).host() != remote)
+			continue;
+
 		json::stack::member
 		{
-			object, user_id, json::object{keys}
+			object, user_id, json::object
+			{
+				keys
+			}
 		};
+	}
 }
 catch(const std::exception &e)
 {
-	log::error
+	log::derror
 	{
 		m::log, "user keys claim from %s :%s",
 		remote,
@@ -292,7 +300,7 @@ try
 }
 catch(const std::exception &e)
 {
-	log::error
+	log::derror
 	{
 		m::log, "user keys claim to %s for %zu users :%s",
 		remote,