]>
Commit | Line | Data |
---|---|---|
e65c0c5b | 1 | import { NextFunction, Request, Response } from 'express' |
10363c74 | 2 | import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor' |
7e98a7df | 3 | import { getAPId } from '@server/lib/activitypub/activity' |
2a95b884 | 4 | import { wrapWithSpanAndContext } from '@server/lib/opentelemetry/tracing' |
d17c7b4e | 5 | import { ActivityDelete, ActivityPubSignature, HttpStatusCode } from '@shared/models' |
da854ddd | 6 | import { logger } from '../helpers/logger' |
41f2ebae | 7 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' |
74dc3bca | 8 | import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' |
10363c74 | 9 | import { getOrCreateAPActor, loadActorUrlOrGetFromWebfinger } from '../lib/activitypub/actors' |
e4f97bab C |
10 | |
11 | async function checkSignature (req: Request, res: Response, next: NextFunction) { | |
41f2ebae C |
12 | try { |
13 | const httpSignatureChecked = await checkHttpSignature(req, res) | |
14 | if (httpSignatureChecked !== true) return | |
e4f97bab | 15 | |
dae86118 | 16 | const actor = res.locals.signature.actor |
e12a0092 | 17 | |
41f2ebae C |
18 | // Forwarded activity |
19 | const bodyActor = req.body.actor | |
a1587156 | 20 | const bodyActorId = getAPId(bodyActor) |
41f2ebae C |
21 | if (bodyActorId && bodyActorId !== actor.url) { |
22 | const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) | |
23 | if (jsonLDSignatureChecked !== true) return | |
24 | } | |
e4f97bab | 25 | |
41f2ebae | 26 | return next() |
50d6de9c | 27 | } catch (err) { |
75ba887d C |
28 | const activity: ActivityDelete = req.body |
29 | if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) { | |
30 | logger.debug('Handling signature error on actor delete activity', { err }) | |
76148b27 | 31 | return res.status(HttpStatusCode.NO_CONTENT_204).end() |
75ba887d C |
32 | } |
33 | ||
34 | logger.warn('Error in ActivityPub signature checker.', { err }) | |
76148b27 RK |
35 | return res.fail({ |
36 | status: HttpStatusCode.FORBIDDEN_403, | |
37 | message: 'ActivityPub signature could not be checked' | |
38 | }) | |
e4f97bab | 39 | } |
e4f97bab C |
40 | } |
41 | ||
e65c0c5b C |
42 | function executeIfActivityPub (req: Request, res: Response, next: NextFunction) { |
43 | const accepted = req.accepts(ACCEPT_HEADERS) | |
bdd428a6 | 44 | if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) { |
e65c0c5b C |
45 | // Bypass this route |
46 | return next('route') | |
47 | } | |
e4f97bab | 48 | |
e65c0c5b | 49 | logger.debug('ActivityPub request for %s.', req.url) |
165cdc75 | 50 | |
e65c0c5b | 51 | return next() |
e4f97bab C |
52 | } |
53 | ||
54 | // --------------------------------------------------------------------------- | |
55 | ||
56 | export { | |
57 | checkSignature, | |
df66d815 C |
58 | executeIfActivityPub, |
59 | checkHttpSignature | |
e4f97bab | 60 | } |
41f2ebae C |
61 | |
62 | // --------------------------------------------------------------------------- | |
63 | ||
64 | async function checkHttpSignature (req: Request, res: Response) { | |
2a95b884 C |
65 | return wrapWithSpanAndContext('peertube.activitypub.checkHTTPSignature', async () => { |
66 | // FIXME: compatibility with http-signature < v1.3 | |
67 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string | |
68 | if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') | |
69 | ||
70 | let parsed: any | |
71 | ||
72 | try { | |
73 | parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) | |
74 | } catch (err) { | |
75 | logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err }) | |
76 | ||
77 | res.fail({ | |
78 | status: HttpStatusCode.FORBIDDEN_403, | |
79 | message: err.message | |
80 | }) | |
81 | return false | |
82 | } | |
41f2ebae | 83 | |
2a95b884 C |
84 | const keyId = parsed.keyId |
85 | if (!keyId) { | |
86 | res.fail({ | |
87 | status: HttpStatusCode.FORBIDDEN_403, | |
88 | message: 'Invalid key ID', | |
89 | data: { | |
90 | keyId | |
91 | } | |
92 | }) | |
93 | return false | |
94 | } | |
41f2ebae | 95 | |
2a95b884 | 96 | logger.debug('Checking HTTP signature of actor %s...', keyId) |
41f2ebae | 97 | |
2a95b884 C |
98 | let [ actorUrl ] = keyId.split('#') |
99 | if (actorUrl.startsWith('acct:')) { | |
100 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) | |
101 | } | |
41f2ebae | 102 | |
2a95b884 | 103 | const actor = await getOrCreateAPActor(actorUrl) |
41f2ebae | 104 | |
2a95b884 C |
105 | const verified = isHTTPSignatureVerified(parsed, actor) |
106 | if (verified !== true) { | |
107 | logger.warn('Signature from %s is invalid', actorUrl, { parsed }) | |
c28bcdd1 | 108 | |
2a95b884 C |
109 | res.fail({ |
110 | status: HttpStatusCode.FORBIDDEN_403, | |
111 | message: 'Invalid signature', | |
112 | data: { | |
113 | actorUrl | |
114 | } | |
115 | }) | |
116 | return false | |
117 | } | |
41f2ebae | 118 | |
2a95b884 C |
119 | res.locals.signature = { actor } |
120 | return true | |
121 | }) | |
41f2ebae C |
122 | } |
123 | ||
124 | async function checkJsonLDSignature (req: Request, res: Response) { | |
2a95b884 C |
125 | return wrapWithSpanAndContext('peertube.activitypub.JSONLDSignature', async () => { |
126 | const signatureObject: ActivityPubSignature = req.body.signature | |
127 | ||
128 | if (!signatureObject || !signatureObject.creator) { | |
129 | res.fail({ | |
130 | status: HttpStatusCode.FORBIDDEN_403, | |
131 | message: 'Object and creator signature do not match' | |
132 | }) | |
133 | return false | |
134 | } | |
41f2ebae | 135 | |
2a95b884 | 136 | const [ creator ] = signatureObject.creator.split('#') |
41f2ebae | 137 | |
2a95b884 | 138 | logger.debug('Checking JsonLD signature of actor %s...', creator) |
41f2ebae | 139 | |
2a95b884 C |
140 | const actor = await getOrCreateAPActor(creator) |
141 | const verified = await isJsonLDSignatureVerified(actor, req.body) | |
41f2ebae | 142 | |
2a95b884 C |
143 | if (verified !== true) { |
144 | logger.warn('Signature not verified.', req.body) | |
ad513607 | 145 | |
2a95b884 C |
146 | res.fail({ |
147 | status: HttpStatusCode.FORBIDDEN_403, | |
148 | message: 'Signature could not be verified' | |
149 | }) | |
150 | return false | |
151 | } | |
41f2ebae | 152 | |
2a95b884 C |
153 | res.locals.signature = { actor } |
154 | return true | |
155 | }) | |
41f2ebae | 156 | } |