]>
Commit | Line | Data |
---|---|---|
9a27cdc2 C |
1 | import { eachSeries } from 'async' |
2 | import { NextFunction, Request, RequestHandler, Response } from 'express' | |
e4f97bab | 3 | import { ActivityPubSignature } from '../../shared' |
da854ddd | 4 | import { logger } from '../helpers/logger' |
41f2ebae C |
5 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' |
6 | import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers' | |
50d6de9c C |
7 | import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' |
8 | import { ActorModel } from '../models/activitypub/actor' | |
41f2ebae | 9 | import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' |
e4f97bab C |
10 | |
11 | async function checkSignature (req: Request, res: Response, next: NextFunction) { | |
41f2ebae C |
12 | try { |
13 | const httpSignatureChecked = await checkHttpSignature(req, res) | |
14 | if (httpSignatureChecked !== true) return | |
e4f97bab | 15 | |
41f2ebae | 16 | const actor: ActorModel = res.locals.signature.actor |
e12a0092 | 17 | |
41f2ebae C |
18 | // Forwarded activity |
19 | const bodyActor = req.body.actor | |
20 | const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor | |
21 | if (bodyActorId && bodyActorId !== actor.url) { | |
22 | const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) | |
23 | if (jsonLDSignatureChecked !== true) return | |
24 | } | |
e4f97bab | 25 | |
41f2ebae | 26 | return next() |
50d6de9c | 27 | } catch (err) { |
41f2ebae | 28 | logger.error('Error in ActivityPub signature checker.', err) |
50d6de9c | 29 | return res.sendStatus(403) |
e4f97bab | 30 | } |
e4f97bab C |
31 | } |
32 | ||
350e31d6 | 33 | function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) { |
e4f97bab | 34 | return (req: Request, res: Response, next: NextFunction) => { |
4f491371 C |
35 | const accepted = req.accepts(ACCEPT_HEADERS) |
36 | if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) { | |
e4f97bab C |
37 | return next() |
38 | } | |
39 | ||
165cdc75 C |
40 | logger.debug('ActivityPub request for %s.', req.url) |
41 | ||
e4f97bab | 42 | if (Array.isArray(fun) === true) { |
350e31d6 C |
43 | return eachSeries(fun as RequestHandler[], (f, cb) => { |
44 | f(req, res, cb) | |
45 | }, next) | |
e4f97bab C |
46 | } |
47 | ||
350e31d6 | 48 | return (fun as RequestHandler)(req, res, next) |
e4f97bab C |
49 | } |
50 | } | |
51 | ||
52 | // --------------------------------------------------------------------------- | |
53 | ||
54 | export { | |
55 | checkSignature, | |
df66d815 C |
56 | executeIfActivityPub, |
57 | checkHttpSignature | |
e4f97bab | 58 | } |
41f2ebae C |
59 | |
60 | // --------------------------------------------------------------------------- | |
61 | ||
62 | async function checkHttpSignature (req: Request, res: Response) { | |
63 | // FIXME: mastodon does not include the Signature scheme | |
64 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string | |
65 | if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig | |
66 | ||
67 | const parsed = parseHTTPSignature(req) | |
68 | ||
69 | const keyId = parsed.keyId | |
70 | if (!keyId) { | |
71 | res.sendStatus(403) | |
72 | return false | |
73 | } | |
74 | ||
75 | logger.debug('Checking HTTP signature of actor %s...', keyId) | |
76 | ||
77 | let [ actorUrl ] = keyId.split('#') | |
78 | if (actorUrl.startsWith('acct:')) { | |
79 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) | |
80 | } | |
81 | ||
82 | const actor = await getOrCreateActorAndServerAndModel(actorUrl) | |
83 | ||
84 | const verified = isHTTPSignatureVerified(parsed, actor) | |
85 | if (verified !== true) { | |
86 | res.sendStatus(403) | |
87 | return false | |
88 | } | |
89 | ||
90 | res.locals.signature = { actor } | |
91 | ||
92 | return true | |
93 | } | |
94 | ||
95 | async function checkJsonLDSignature (req: Request, res: Response) { | |
96 | const signatureObject: ActivityPubSignature = req.body.signature | |
97 | ||
df66d815 | 98 | if (!signatureObject || !signatureObject.creator) { |
41f2ebae C |
99 | res.sendStatus(403) |
100 | return false | |
101 | } | |
102 | ||
103 | const [ creator ] = signatureObject.creator.split('#') | |
104 | ||
105 | logger.debug('Checking JsonLD signature of actor %s...', creator) | |
106 | ||
107 | const actor = await getOrCreateActorAndServerAndModel(creator) | |
108 | const verified = await isJsonLDSignatureVerified(actor, req.body) | |
109 | ||
110 | if (verified !== true) { | |
111 | res.sendStatus(403) | |
112 | return false | |
113 | } | |
114 | ||
115 | res.locals.signature = { actor } | |
116 | ||
117 | return true | |
118 | } |