]>
Commit | Line | Data |
---|---|---|
e65c0c5b | 1 | import { NextFunction, Request, Response } from 'express' |
75ba887d | 2 | import { ActivityDelete, ActivityPubSignature } from '../../shared' |
da854ddd | 3 | import { logger } from '../helpers/logger' |
41f2ebae | 4 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' |
74dc3bca | 5 | import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' |
8dc8a34e | 6 | import { getOrCreateActorAndServerAndModel } from '../lib/activitypub/actor' |
41f2ebae | 7 | import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' |
75ba887d | 8 | import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor' |
a1587156 | 9 | import { getAPId } from '@server/helpers/activitypub' |
2d53be02 | 10 | import { HttpStatusCode } from '../../shared/core-utils/miscs/http-error-codes' |
e4f97bab C |
11 | |
12 | async function checkSignature (req: Request, res: Response, next: NextFunction) { | |
41f2ebae C |
13 | try { |
14 | const httpSignatureChecked = await checkHttpSignature(req, res) | |
15 | if (httpSignatureChecked !== true) return | |
e4f97bab | 16 | |
dae86118 | 17 | const actor = res.locals.signature.actor |
e12a0092 | 18 | |
41f2ebae C |
19 | // Forwarded activity |
20 | const bodyActor = req.body.actor | |
a1587156 | 21 | const bodyActorId = getAPId(bodyActor) |
41f2ebae C |
22 | if (bodyActorId && bodyActorId !== actor.url) { |
23 | const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) | |
24 | if (jsonLDSignatureChecked !== true) return | |
25 | } | |
e4f97bab | 26 | |
41f2ebae | 27 | return next() |
50d6de9c | 28 | } catch (err) { |
75ba887d C |
29 | const activity: ActivityDelete = req.body |
30 | if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) { | |
31 | logger.debug('Handling signature error on actor delete activity', { err }) | |
2d53be02 | 32 | return res.sendStatus(HttpStatusCode.NO_CONTENT_204) |
75ba887d C |
33 | } |
34 | ||
35 | logger.warn('Error in ActivityPub signature checker.', { err }) | |
2d53be02 | 36 | return res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
e4f97bab | 37 | } |
e4f97bab C |
38 | } |
39 | ||
e65c0c5b C |
40 | function executeIfActivityPub (req: Request, res: Response, next: NextFunction) { |
41 | const accepted = req.accepts(ACCEPT_HEADERS) | |
bdd428a6 | 42 | if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) { |
e65c0c5b C |
43 | // Bypass this route |
44 | return next('route') | |
45 | } | |
e4f97bab | 46 | |
e65c0c5b | 47 | logger.debug('ActivityPub request for %s.', req.url) |
165cdc75 | 48 | |
e65c0c5b | 49 | return next() |
e4f97bab C |
50 | } |
51 | ||
52 | // --------------------------------------------------------------------------- | |
53 | ||
54 | export { | |
55 | checkSignature, | |
df66d815 C |
56 | executeIfActivityPub, |
57 | checkHttpSignature | |
e4f97bab | 58 | } |
41f2ebae C |
59 | |
60 | // --------------------------------------------------------------------------- | |
61 | ||
62 | async function checkHttpSignature (req: Request, res: Response) { | |
e9226905 | 63 | // FIXME: compatibility with http-signature < v1.3 |
41f2ebae | 64 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string |
e9226905 | 65 | if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') |
41f2ebae | 66 | |
797d05bd C |
67 | let parsed: any |
68 | ||
69 | try { | |
70 | parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) | |
71 | } catch (err) { | |
72 | logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err }) | |
73 | ||
2d53be02 | 74 | res.status(HttpStatusCode.FORBIDDEN_403).json({ error: err.message }) |
797d05bd C |
75 | return false |
76 | } | |
41f2ebae C |
77 | |
78 | const keyId = parsed.keyId | |
79 | if (!keyId) { | |
2d53be02 | 80 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
41f2ebae C |
81 | return false |
82 | } | |
83 | ||
84 | logger.debug('Checking HTTP signature of actor %s...', keyId) | |
85 | ||
86 | let [ actorUrl ] = keyId.split('#') | |
87 | if (actorUrl.startsWith('acct:')) { | |
88 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) | |
89 | } | |
90 | ||
91 | const actor = await getOrCreateActorAndServerAndModel(actorUrl) | |
92 | ||
93 | const verified = isHTTPSignatureVerified(parsed, actor) | |
94 | if (verified !== true) { | |
c28bcdd1 C |
95 | logger.warn('Signature from %s is invalid', actorUrl, { parsed }) |
96 | ||
2d53be02 | 97 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
41f2ebae C |
98 | return false |
99 | } | |
100 | ||
101 | res.locals.signature = { actor } | |
102 | ||
103 | return true | |
104 | } | |
105 | ||
106 | async function checkJsonLDSignature (req: Request, res: Response) { | |
107 | const signatureObject: ActivityPubSignature = req.body.signature | |
108 | ||
df66d815 | 109 | if (!signatureObject || !signatureObject.creator) { |
2d53be02 | 110 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
41f2ebae C |
111 | return false |
112 | } | |
113 | ||
114 | const [ creator ] = signatureObject.creator.split('#') | |
115 | ||
116 | logger.debug('Checking JsonLD signature of actor %s...', creator) | |
117 | ||
118 | const actor = await getOrCreateActorAndServerAndModel(creator) | |
119 | const verified = await isJsonLDSignatureVerified(actor, req.body) | |
120 | ||
121 | if (verified !== true) { | |
ad513607 C |
122 | logger.warn('Signature not verified.', req.body) |
123 | ||
2d53be02 | 124 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
41f2ebae C |
125 | return false |
126 | } | |
127 | ||
128 | res.locals.signature = { actor } | |
129 | ||
130 | return true | |
131 | } |