[github/Chocobozzz/PeerTube.git] / server / tests / api / activitypub / security.ts

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import 'mocha'
import * as chai from 'chai'
import { buildDigest } from '@server/helpers/peertube-crypto'
import { HttpStatusCode } from '../../../../shared/core-utils/miscs/http-error-codes'
import {
  buildAbsoluteFixturePath,
  cleanupTests,
  closeAllSequelize,
  flushAndRunMultipleServers,
  killallServers,
  reRunServer,
  ServerInfo,
  setActorField,
  wait
} from '../../../../shared/extra-utils'
import { makeFollowRequest, makePOSTAPRequest } from '../../../../shared/extra-utils/requests/activitypub'
import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub'
import { HTTP_SIGNATURE } from '../../../initializers/constants'
import { buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils'

const expect = chai.expect

function setKeysOfServer (onServer: ServerInfo, ofServer: ServerInfo, publicKey: string, privateKey: string) {
  const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'

  return Promise.all([
    setActorField(onServer.internalServerNumber, url, 'publicKey', publicKey),
    setActorField(onServer.internalServerNumber, url, 'privateKey', privateKey)
  ])
}

function setUpdatedAtOfServer (onServer: ServerInfo, ofServer: ServerInfo, updatedAt: string) {
  const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'

  return Promise.all([
    setActorField(onServer.internalServerNumber, url, 'createdAt', updatedAt),
    setActorField(onServer.internalServerNumber, url, 'updatedAt', updatedAt)
  ])
}

function getAnnounceWithoutContext (server: ServerInfo) {
  const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json'))
  const result: typeof json = {}

  for (const key of Object.keys(json)) {
    if (Array.isArray(json[key])) {
      result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`))
    } else {
      result[key] = json[key].replace(':9002', `:${server.port}`)
    }
  }

  return result
}

describe('Test ActivityPub security', function () {
  let servers: ServerInfo[]
  let url: string

  const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json'))
  const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json'))
  const baseHttpSignature = () => ({
    algorithm: HTTP_SIGNATURE.ALGORITHM,
    authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
    keyId: 'acct:peertube@localhost:' + servers[1].port,
    key: keys.privateKey,
    headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
  })

  // ---------------------------------------------------------------

  before(async function () {
    this.timeout(60000)

    servers = await flushAndRunMultipleServers(3)

    url = servers[0].url + '/inbox'

    await setKeysOfServer(servers[0], servers[1], keys.publicKey, null)
    await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)

    const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
    const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey }
    await makeFollowRequest(to, by)
  })

  describe('When checking HTTP signature', function () {

    it('Should fail with an invalid digest', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = {
        Digest: buildDigest({ hello: 'coucou' })
      }

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with an invalid date', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)
      headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with bad keys', async function () {
      await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should reject requests without appropriate signed headers', async function () {
      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const signatureOptions = baseHttpSignature()
      const badHeadersMatrix = [
        [ '(request-target)', 'date', 'digest' ],
        [ 'host', 'date', 'digest' ],
        [ '(request-target)', 'host', 'digest' ]
      ]

      for (const badHeaders of badHeadersMatrix) {
        signatureOptions.headers = badHeaders

        try {
          await makePOSTAPRequest(url, body, signatureOptions, headers)
          expect(true, 'Did not throw').to.be.false
        } catch (err) {
          expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
        }
      }
    })

    it('Should succeed with a valid HTTP signature', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should refresh the actor keys', async function () {
      this.timeout(20000)

      // Update keys of server 2 to invalid keys
      // Server 1 should refresh the actor and fail
      await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
      await setUpdatedAtOfServer(servers[0], servers[1], '2015-07-17 22:00:00+00')

      // Invalid peertube actor cache
      killallServers([ servers[1] ])
      await reRunServer(servers[1])

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        console.error(err)
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })
  })

  describe('When checking Linked Data Signature', function () {
    before(async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)

      const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
      const by = { url: 'http://localhost:' + servers[2].port + '/accounts/peertube', privateKey: keys.privateKey }
      await makeFollowRequest(to, by)
    })

    it('Should fail with bad keys', async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with an altered body', async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube'

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should succeed with a valid signature', async function () {
      this.timeout(10000)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should refresh the actor keys', async function () {
      this.timeout(20000)

      // Wait refresh invalidation
      await wait(10000)

      // Update keys of server 3 to invalid keys
      // Server 1 should refresh the actor and fail
      await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })
  })

  after(async function () {
    this.timeout(10000)

    await cleanupTests(servers)

    await closeAllSequelize(servers)
  })
})
Commit	Line	Data
a1587156	1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
df66d815 C	2
df66d815 C	3	import 'mocha'
df66d815	4	import * as chai from 'chai'
8dc8a34e	5	import { buildDigest } from '@server/helpers/peertube-crypto'
2d53be02	6	import { HttpStatusCode } from '../../../../shared/core-utils/miscs/http-error-codes'
095e2258	7	import {
3d470a53	8	buildAbsoluteFixturePath,
095e2258 C	9	cleanupTests,
	10	closeAllSequelize,
	11	flushAndRunMultipleServers,
e7053b1d C	12	killallServers,
e7053b1d C	13	reRunServer,
095e2258 C	14	ServerInfo,
	15	setActorField,
	16	wait
	17	} from '../../../../shared/extra-utils'
	18	import { makeFollowRequest, makePOSTAPRequest } from '../../../../shared/extra-utils/requests/activitypub'
	19	import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub'
	20	import { HTTP_SIGNATURE } from '../../../initializers/constants'
	21	import { buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils'
df66d815 C	22
	23	const expect = chai.expect
	24
48f07b4a	25	function setKeysOfServer (onServer: ServerInfo, ofServer: ServerInfo, publicKey: string, privateKey: string) {
e7053b1d C	26	const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'
	27
	28	return Promise.all([
	29	setActorField(onServer.internalServerNumber, url, 'publicKey', publicKey),
	30	setActorField(onServer.internalServerNumber, url, 'privateKey', privateKey)
	31	])
	32	}
	33
	34	function setUpdatedAtOfServer (onServer: ServerInfo, ofServer: ServerInfo, updatedAt: string) {
	35	const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'
	36
df66d815	37	return Promise.all([
e7053b1d C	38	setActorField(onServer.internalServerNumber, url, 'createdAt', updatedAt),
e7053b1d C	39	setActorField(onServer.internalServerNumber, url, 'updatedAt', updatedAt)
df66d815 C	40	])
	41	}
	42
e7053b1d	43	function getAnnounceWithoutContext (server: ServerInfo) {
3d470a53	44	const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json'))
48f07b4a C	45	const result: typeof json = {}
	46
	47	for (const key of Object.keys(json)) {
	48	if (Array.isArray(json[key])) {
e7053b1d	49	result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`))
48f07b4a	50	} else {
e7053b1d	51	result[key] = json[key].replace(':9002', `:${server.port}`)
48f07b4a C	52	}
	53	}
	54
	55	return result
df66d815 C	56	}
	57
	58	describe('Test ActivityPub security', function () {
	59	let servers: ServerInfo[]
	60	let url: string
	61
3d470a53 C	62	const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json'))
3d470a53 C	63	const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json'))
48f07b4a	64	const baseHttpSignature = () => ({
df66d815 C	65	algorithm: HTTP_SIGNATURE.ALGORITHM,
df66d815 C	66	authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
48f07b4a	67	keyId: 'acct:peertube@localhost:' + servers[1].port,
df66d815 C	68	key: keys.privateKey,
df66d815 C	69	headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
48f07b4a	70	})
df66d815 C	71
	72	// ---------------------------------------------------------------
	73
	74	before(async function () {
	75	this.timeout(60000)
	76
	77	servers = await flushAndRunMultipleServers(3)
	78
	79	url = servers[0].url + '/inbox'
	80
e7053b1d C	81	await setKeysOfServer(servers[0], servers[1], keys.publicKey, null)
e7053b1d C	82	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
df66d815	83
48f07b4a C	84	const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
48f07b4a C	85	const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey }
df66d815 C	86	await makeFollowRequest(to, by)
	87	})
	88
	89	describe('When checking HTTP signature', function () {
	90
	91	it('Should fail with an invalid digest', async function () {
48f07b4a	92	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	93	const headers = {
	94	Digest: buildDigest({ hello: 'coucou' })
	95	}
	96
b5c36108 C	97	try {
	98	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	99	expect(true, 'Did not throw').to.be.false
	100	} catch (err) {
	101	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	102	}
df66d815 C	103	})
	104
	105	it('Should fail with an invalid date', async function () {
48f07b4a	106	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	107	const headers = buildGlobalHeaders(body)
	108	headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'
	109
b5c36108 C	110	try {
	111	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	112	expect(true, 'Did not throw').to.be.false
	113	} catch (err) {
	114	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	115	}
df66d815 C	116	})
	117
	118	it('Should fail with bad keys', async function () {
48f07b4a C	119	await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
48f07b4a C	120	await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
df66d815	121
48f07b4a	122	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	123	const headers = buildGlobalHeaders(body)
df66d815 C	124
b5c36108 C	125	try {
	126	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	127	expect(true, 'Did not throw').to.be.false
	128	} catch (err) {
	129	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	130	}
df66d815 C	131	})
df66d815 C	132
797d05bd	133	it('Should reject requests without appropriate signed headers', async function () {
48f07b4a C	134	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
48f07b4a C	135	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
df66d815	136
48f07b4a	137	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815	138	const headers = buildGlobalHeaders(body)
797d05bd C	139
	140	const signatureOptions = baseHttpSignature()
	141	const badHeadersMatrix = [
	142	[ '(request-target)', 'date', 'digest' ],
	143	[ 'host', 'date', 'digest' ],
	144	[ '(request-target)', 'host', 'digest' ]
	145	]
	146
	147	for (const badHeaders of badHeadersMatrix) {
	148	signatureOptions.headers = badHeaders
	149
b5c36108 C	150	try {
	151	await makePOSTAPRequest(url, body, signatureOptions, headers)
	152	expect(true, 'Did not throw').to.be.false
	153	} catch (err) {
	154	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	155	}
797d05bd C	156	}
	157	})
	158
	159	it('Should succeed with a valid HTTP signature', async function () {
	160	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
	161	const headers = buildGlobalHeaders(body)
df66d815	162
db4b15f2	163	const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
db4b15f2	164	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
df66d815	165	})
095e2258 C	166
	167	it('Should refresh the actor keys', async function () {
	168	this.timeout(20000)
	169
095e2258 C	170	// Update keys of server 2 to invalid keys
	171	// Server 1 should refresh the actor and fail
	172	await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
e7053b1d C	173	await setUpdatedAtOfServer(servers[0], servers[1], '2015-07-17 22:00:00+00')
	174
	175	// Invalid peertube actor cache
	176	killallServers([ servers[1] ])
	177	await reRunServer(servers[1])
095e2258 C	178
	179	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
	180	const headers = buildGlobalHeaders(body)
	181
b5c36108 C	182	try {
	183	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	184	expect(true, 'Did not throw').to.be.false
	185	} catch (err) {
e7053b1d	186	console.error(err)
b5c36108 C	187	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
b5c36108 C	188	}
095e2258	189	})
df66d815 C	190	})
	191
	192	describe('When checking Linked Data Signature', function () {
095e2258 C	193	before(async function () {
	194	this.timeout(10000)
	195
	196	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
	197	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
48f07b4a	198	await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)
df66d815	199
48f07b4a C	200	const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
48f07b4a C	201	const by = { url: 'http://localhost:' + servers[2].port + '/accounts/peertube', privateKey: keys.privateKey }
df66d815 C	202	await makeFollowRequest(to, by)
	203	})
	204
	205	it('Should fail with bad keys', async function () {
	206	this.timeout(10000)
	207
48f07b4a C	208	await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
48f07b4a C	209	await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
df66d815	210
48f07b4a C	211	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	212	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	213
48f07b4a	214	const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	215	const signedBody = await buildSignedActivity(signer, body)
	216
	217	const headers = buildGlobalHeaders(signedBody)
	218
b5c36108 C	219	try {
	220	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	221	expect(true, 'Did not throw').to.be.false
	222	} catch (err) {
	223	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	224	}
df66d815 C	225	})
	226
	227	it('Should fail with an altered body', async function () {
	228	this.timeout(10000)
	229
48f07b4a C	230	await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
48f07b4a C	231	await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
df66d815	232
48f07b4a C	233	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	234	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	235
48f07b4a	236	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	237	const signedBody = await buildSignedActivity(signer, body)
df66d815 C	238
48f07b4a	239	signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube'
df66d815 C	240
	241	const headers = buildGlobalHeaders(signedBody)
	242
b5c36108 C	243	try {
	244	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	245	expect(true, 'Did not throw').to.be.false
	246	} catch (err) {
	247	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	248	}
df66d815 C	249	})
	250
	251	it('Should succeed with a valid signature', async function () {
	252	this.timeout(10000)
	253
48f07b4a C	254	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	255	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	256
48f07b4a	257	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	258	const signedBody = await buildSignedActivity(signer, body)
	259
	260	const headers = buildGlobalHeaders(signedBody)
	261
db4b15f2	262	const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
db4b15f2	263	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
df66d815	264	})
095e2258 C	265
	266	it('Should refresh the actor keys', async function () {
	267	this.timeout(20000)
	268
	269	// Wait refresh invalidation
	270	await wait(10000)
	271
	272	// Update keys of server 3 to invalid keys
	273	// Server 1 should refresh the actor and fail
	274	await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
	275
	276	const body = getAnnounceWithoutContext(servers[1])
	277	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
	278
	279	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
	280	const signedBody = await buildSignedActivity(signer, body)
	281
	282	const headers = buildGlobalHeaders(signedBody)
	283
b5c36108 C	284	try {
	285	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	286	expect(true, 'Did not throw').to.be.false
	287	} catch (err) {
	288	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	289	}
095e2258	290	})
df66d815 C	291	})
	292
	293	after(async function () {
48f07b4a C	294	this.timeout(10000)
	295
	296	await cleanupTests(servers)
df66d815	297
c8000975	298	await closeAllSequelize(servers)
df66d815 C	299	})
df66d815 C	300	})