]>
Commit | Line | Data |
---|---|---|
e65c0c5b | 1 | import { NextFunction, Request, Response } from 'express' |
e4f97bab | 2 | import { ActivityPubSignature } from '../../shared' |
da854ddd | 3 | import { logger } from '../helpers/logger' |
41f2ebae | 4 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' |
74dc3bca | 5 | import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' |
50d6de9c | 6 | import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' |
41f2ebae | 7 | import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' |
e4f97bab C |
8 | |
9 | async function checkSignature (req: Request, res: Response, next: NextFunction) { | |
41f2ebae C |
10 | try { |
11 | const httpSignatureChecked = await checkHttpSignature(req, res) | |
12 | if (httpSignatureChecked !== true) return | |
e4f97bab | 13 | |
dae86118 | 14 | const actor = res.locals.signature.actor |
e12a0092 | 15 | |
41f2ebae C |
16 | // Forwarded activity |
17 | const bodyActor = req.body.actor | |
18 | const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor | |
19 | if (bodyActorId && bodyActorId !== actor.url) { | |
20 | const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) | |
21 | if (jsonLDSignatureChecked !== true) return | |
22 | } | |
e4f97bab | 23 | |
41f2ebae | 24 | return next() |
50d6de9c | 25 | } catch (err) { |
41f2ebae | 26 | logger.error('Error in ActivityPub signature checker.', err) |
50d6de9c | 27 | return res.sendStatus(403) |
e4f97bab | 28 | } |
e4f97bab C |
29 | } |
30 | ||
e65c0c5b C |
31 | function executeIfActivityPub (req: Request, res: Response, next: NextFunction) { |
32 | const accepted = req.accepts(ACCEPT_HEADERS) | |
33 | if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) { | |
34 | // Bypass this route | |
35 | return next('route') | |
36 | } | |
e4f97bab | 37 | |
e65c0c5b | 38 | logger.debug('ActivityPub request for %s.', req.url) |
165cdc75 | 39 | |
e65c0c5b | 40 | return next() |
e4f97bab C |
41 | } |
42 | ||
43 | // --------------------------------------------------------------------------- | |
44 | ||
45 | export { | |
46 | checkSignature, | |
df66d815 C |
47 | executeIfActivityPub, |
48 | checkHttpSignature | |
e4f97bab | 49 | } |
41f2ebae C |
50 | |
51 | // --------------------------------------------------------------------------- | |
52 | ||
53 | async function checkHttpSignature (req: Request, res: Response) { | |
e9226905 | 54 | // FIXME: compatibility with http-signature < v1.3 |
41f2ebae | 55 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string |
e9226905 | 56 | if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') |
41f2ebae | 57 | |
e9226905 | 58 | logger.info('coucou', { signature: req.headers[HTTP_SIGNATURE.HEADER_NAME] }) |
f67d7574 | 59 | const parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) |
41f2ebae C |
60 | |
61 | const keyId = parsed.keyId | |
62 | if (!keyId) { | |
63 | res.sendStatus(403) | |
64 | return false | |
65 | } | |
66 | ||
67 | logger.debug('Checking HTTP signature of actor %s...', keyId) | |
68 | ||
69 | let [ actorUrl ] = keyId.split('#') | |
70 | if (actorUrl.startsWith('acct:')) { | |
71 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) | |
72 | } | |
73 | ||
74 | const actor = await getOrCreateActorAndServerAndModel(actorUrl) | |
75 | ||
76 | const verified = isHTTPSignatureVerified(parsed, actor) | |
77 | if (verified !== true) { | |
c28bcdd1 C |
78 | logger.warn('Signature from %s is invalid', actorUrl, { parsed }) |
79 | ||
41f2ebae C |
80 | res.sendStatus(403) |
81 | return false | |
82 | } | |
83 | ||
84 | res.locals.signature = { actor } | |
85 | ||
86 | return true | |
87 | } | |
88 | ||
89 | async function checkJsonLDSignature (req: Request, res: Response) { | |
90 | const signatureObject: ActivityPubSignature = req.body.signature | |
91 | ||
df66d815 | 92 | if (!signatureObject || !signatureObject.creator) { |
41f2ebae C |
93 | res.sendStatus(403) |
94 | return false | |
95 | } | |
96 | ||
97 | const [ creator ] = signatureObject.creator.split('#') | |
98 | ||
99 | logger.debug('Checking JsonLD signature of actor %s...', creator) | |
100 | ||
101 | const actor = await getOrCreateActorAndServerAndModel(creator) | |
102 | const verified = await isJsonLDSignatureVerified(actor, req.body) | |
103 | ||
104 | if (verified !== true) { | |
ad513607 C |
105 | logger.warn('Signature not verified.', req.body) |
106 | ||
41f2ebae C |
107 | res.sendStatus(403) |
108 | return false | |
109 | } | |
110 | ||
111 | res.locals.signature = { actor } | |
112 | ||
113 | return true | |
114 | } |