projects / github / Chocobozzz / PeerTube.git / blame
| Commit | Line | Data |
|---|---|---|
| e65c0c5b | 1 | import { NextFunction, Request, Response } from 'express' |
| 75ba887d | 2 | import { ActivityDelete, ActivityPubSignature } from '../../shared' |
| da854ddd | 3 | import { logger } from '../helpers/logger' |
| 41f2ebae | 4 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' |
| 74dc3bca | 5 | import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' |
| 50d6de9c | 6 | import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' |
| 41f2ebae | 7 | import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' |
| 75ba887d | 8 | import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor' |
| e4f97bab C |
9 | |
| 10 | async function checkSignature (req: Request, res: Response, next: NextFunction) { | |
| 41f2ebae C |
11 | try { |
| 12 | const httpSignatureChecked = await checkHttpSignature(req, res) | |
| 13 | if (httpSignatureChecked !== true) return | |
| e4f97bab | 14 | |
| dae86118 | 15 | const actor = res.locals.signature.actor |
| e12a0092 | 16 | |
| 41f2ebae C |
17 | // Forwarded activity |
| 18 | const bodyActor = req.body.actor | |
| 19 | const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor | |
| 20 | if (bodyActorId && bodyActorId !== actor.url) { | |
| 21 | const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) | |
| 22 | if (jsonLDSignatureChecked !== true) return | |
| 23 | } | |
| e4f97bab | 24 | |
| 41f2ebae | 25 | return next() |
| 50d6de9c | 26 | } catch (err) { |
| 75ba887d C |
27 | const activity: ActivityDelete = req.body |
| 28 | if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) { | |
| 29 | logger.debug('Handling signature error on actor delete activity', { err }) | |
| 30 | return res.sendStatus(204) | |
| 31 | } | |
| 32 | ||
| 33 | logger.warn('Error in ActivityPub signature checker.', { err }) | |
| 50d6de9c | 34 | return res.sendStatus(403) |
| e4f97bab | 35 | } |
| e4f97bab C |
36 | } |
| 37 | ||
| e65c0c5b C |
38 | function executeIfActivityPub (req: Request, res: Response, next: NextFunction) { |
| 39 | const accepted = req.accepts(ACCEPT_HEADERS) | |
| 40 | if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) { | |
| 41 | // Bypass this route | |
| 42 | return next('route') | |
| 43 | } | |
| e4f97bab | 44 | |
| e65c0c5b | 45 | logger.debug('ActivityPub request for %s.', req.url) |
| 165cdc75 | 46 | |
| e65c0c5b | 47 | return next() |
| e4f97bab C |
48 | } |
| 49 | ||
| 50 | // --------------------------------------------------------------------------- | |
| 51 | ||
| 52 | export { | |
| 53 | checkSignature, | |
| df66d815 C |
54 | executeIfActivityPub, |
| 55 | checkHttpSignature | |
| e4f97bab | 56 | } |
| 41f2ebae C |
57 | |
| 58 | // --------------------------------------------------------------------------- | |
| 59 | ||
| 60 | async function checkHttpSignature (req: Request, res: Response) { | |
| e9226905 | 61 | // FIXME: compatibility with http-signature < v1.3 |
| 41f2ebae | 62 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string |
| e9226905 | 63 | if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') |
| 41f2ebae | 64 | |
| f67d7574 | 65 | const parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) |
| 41f2ebae C |
66 | |
| 67 | const keyId = parsed.keyId | |
| 68 | if (!keyId) { | |
| 69 | res.sendStatus(403) | |
| 70 | return false | |
| 71 | } | |
| 72 | ||
| 73 | logger.debug('Checking HTTP signature of actor %s...', keyId) | |
| 74 | ||
| 75 | let [ actorUrl ] = keyId.split('#') | |
| 76 | if (actorUrl.startsWith('acct:')) { | |
| 77 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) | |
| 78 | } | |
| 79 | ||
| 80 | const actor = await getOrCreateActorAndServerAndModel(actorUrl) | |
| 81 | ||
| 82 | const verified = isHTTPSignatureVerified(parsed, actor) | |
| 83 | if (verified !== true) { | |
| c28bcdd1 C |
84 | logger.warn('Signature from %s is invalid', actorUrl, { parsed }) |
| 85 | ||
| 41f2ebae C |
86 | res.sendStatus(403) |
| 87 | return false | |
| 88 | } | |
| 89 | ||
| 90 | res.locals.signature = { actor } | |
| 91 | ||
| 92 | return true | |
| 93 | } | |
| 94 | ||
| 95 | async function checkJsonLDSignature (req: Request, res: Response) { | |
| 96 | const signatureObject: ActivityPubSignature = req.body.signature | |
| 97 | ||
| df66d815 | 98 | if (!signatureObject || !signatureObject.creator) { |
| 41f2ebae C |
99 | res.sendStatus(403) |
| 100 | return false | |
| 101 | } | |
| 102 | ||
| 103 | const [ creator ] = signatureObject.creator.split('#') | |
| 104 | ||
| 105 | logger.debug('Checking JsonLD signature of actor %s...', creator) | |
| 106 | ||
| 107 | const actor = await getOrCreateActorAndServerAndModel(creator) | |
| 108 | const verified = await isJsonLDSignatureVerified(actor, req.body) | |
| 109 | ||
| 110 | if (verified !== true) { | |
| ad513607 C |
111 | logger.warn('Signature not verified.', req.body) |
| 112 | ||
| 41f2ebae C |
113 | res.sendStatus(403) |
| 114 | return false | |
| 115 | } | |
| 116 | ||
| 117 | res.locals.signature = { actor } | |
| 118 | ||
| 119 | return true | |
| 120 | } |