[github/Chocobozzz/PeerTube.git] / server / tests / api / activitypub / security.ts

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import 'mocha'
import * as chai from 'chai'
import { buildDigest } from '@server/helpers/peertube-crypto'
import { HTTP_SIGNATURE } from '@server/initializers/constants'
import { buildSignedActivity } from '@server/lib/activitypub/activity'
import { activityPubContextify } from '@server/lib/activitypub/context'
import { buildGlobalHeaders } from '@server/lib/job-queue/handlers/utils/activitypub-http-utils'
import { makeFollowRequest, makePOSTAPRequest } from '@server/tests/shared'
import { buildAbsoluteFixturePath, wait } from '@shared/core-utils'
import { HttpStatusCode } from '@shared/models'
import { cleanupTests, createMultipleServers, killallServers, PeerTubeServer } from '@shared/server-commands'

const expect = chai.expect

function setKeysOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, publicKey: string, privateKey: string) {
  const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'

  return Promise.all([
    onServer.sql.setActorField(url, 'publicKey', publicKey),
    onServer.sql.setActorField(url, 'privateKey', privateKey)
  ])
}

function setUpdatedAtOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, updatedAt: string) {
  const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'

  return Promise.all([
    onServer.sql.setActorField(url, 'createdAt', updatedAt),
    onServer.sql.setActorField(url, 'updatedAt', updatedAt)
  ])
}

function getAnnounceWithoutContext (server: PeerTubeServer) {
  const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json'))
  const result: typeof json = {}

  for (const key of Object.keys(json)) {
    if (Array.isArray(json[key])) {
      result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`))
    } else {
      result[key] = json[key].replace(':9002', `:${server.port}`)
    }
  }

  return result
}

describe('Test ActivityPub security', function () {
  let servers: PeerTubeServer[]
  let url: string

  const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json'))
  const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json'))
  const baseHttpSignature = () => ({
    algorithm: HTTP_SIGNATURE.ALGORITHM,
    authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
    keyId: 'acct:peertube@localhost:' + servers[1].port,
    key: keys.privateKey,
    headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
  })

  // ---------------------------------------------------------------

  before(async function () {
    this.timeout(60000)

    servers = await createMultipleServers(3)

    url = servers[0].url + '/inbox'

    await setKeysOfServer(servers[0], servers[1], keys.publicKey, null)
    await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)

    const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
    const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey }
    await makeFollowRequest(to, by)
  })

  describe('When checking HTTP signature', function () {

    it('Should fail with an invalid digest', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = {
        Digest: buildDigest({ hello: 'coucou' })
      }

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with an invalid date', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)
      headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with bad keys', async function () {
      await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should reject requests without appropriate signed headers', async function () {
      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const signatureOptions = baseHttpSignature()
      const badHeadersMatrix = [
        [ '(request-target)', 'date', 'digest' ],
        [ 'host', 'date', 'digest' ],
        [ '(request-target)', 'host', 'digest' ]
      ]

      for (const badHeaders of badHeadersMatrix) {
        signatureOptions.headers = badHeaders

        try {
          await makePOSTAPRequest(url, body, signatureOptions, headers)
          expect(true, 'Did not throw').to.be.false
        } catch (err) {
          expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
        }
      }
    })

    it('Should succeed with a valid HTTP signature', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should refresh the actor keys', async function () {
      this.timeout(20000)

      // Update keys of server 2 to invalid keys
      // Server 1 should refresh the actor and fail
      await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
      await setUpdatedAtOfServer(servers[0], servers[1], '2015-07-17 22:00:00+00')

      // Invalid peertube actor cache
      await killallServers([ servers[1] ])
      await servers[1].run()

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        console.error(err)
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })
  })

  describe('When checking Linked Data Signature', function () {
    before(async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)

      const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
      const by = { url: 'http://localhost:' + servers[2].port + '/accounts/peertube', privateKey: keys.privateKey }
      await makeFollowRequest(to, by)
    })

    it('Should fail with bad keys', async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with an altered body', async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube'

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should succeed with a valid signature', async function () {
      this.timeout(10000)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should refresh the actor keys', async function () {
      this.timeout(20000)

      // Wait refresh invalidation
      await wait(10000)

      // Update keys of server 3 to invalid keys
      // Server 1 should refresh the actor and fail
      await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })
  })

  after(async function () {
    this.timeout(10000)

    await cleanupTests(servers)
  })
})
Commit	Line	Data
a1587156	1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
df66d815 C	2
df66d815 C	3	import 'mocha'
df66d815	4	import * as chai from 'chai'
8dc8a34e	5	import { buildDigest } from '@server/helpers/peertube-crypto'
c0e8b12e	6	import { HTTP_SIGNATURE } from '@server/initializers/constants'
7e98a7df C	7	import { buildSignedActivity } from '@server/lib/activitypub/activity'
7e98a7df C	8	import { activityPubContextify } from '@server/lib/activitypub/context'
c0e8b12e	9	import { buildGlobalHeaders } from '@server/lib/job-queue/handlers/utils/activitypub-http-utils'
06aad801	10	import { makeFollowRequest, makePOSTAPRequest } from '@server/tests/shared'
c55e3d72	11	import { buildAbsoluteFixturePath, wait } from '@shared/core-utils'
c0e8b12e	12	import { HttpStatusCode } from '@shared/models'
c55e3d72	13	import { cleanupTests, createMultipleServers, killallServers, PeerTubeServer } from '@shared/server-commands'
df66d815 C	14
	15	const expect = chai.expect
	16
254d3579	17	function setKeysOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, publicKey: string, privateKey: string) {
e7053b1d C	18	const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'
	19
	20	return Promise.all([
89d241a7 C	21	onServer.sql.setActorField(url, 'publicKey', publicKey),
89d241a7 C	22	onServer.sql.setActorField(url, 'privateKey', privateKey)
e7053b1d C	23	])
	24	}
	25
254d3579	26	function setUpdatedAtOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, updatedAt: string) {
e7053b1d C	27	const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'
e7053b1d C	28
df66d815	29	return Promise.all([
89d241a7 C	30	onServer.sql.setActorField(url, 'createdAt', updatedAt),
89d241a7 C	31	onServer.sql.setActorField(url, 'updatedAt', updatedAt)
df66d815 C	32	])
	33	}
	34
254d3579	35	function getAnnounceWithoutContext (server: PeerTubeServer) {
3d470a53	36	const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json'))
48f07b4a C	37	const result: typeof json = {}
	38
	39	for (const key of Object.keys(json)) {
	40	if (Array.isArray(json[key])) {
e7053b1d	41	result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`))
48f07b4a	42	} else {
e7053b1d	43	result[key] = json[key].replace(':9002', `:${server.port}`)
48f07b4a C	44	}
	45	}
	46
	47	return result
df66d815 C	48	}
	49
	50	describe('Test ActivityPub security', function () {
254d3579	51	let servers: PeerTubeServer[]
df66d815 C	52	let url: string
df66d815 C	53
3d470a53 C	54	const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json'))
3d470a53 C	55	const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json'))
48f07b4a	56	const baseHttpSignature = () => ({
df66d815 C	57	algorithm: HTTP_SIGNATURE.ALGORITHM,
df66d815 C	58	authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
48f07b4a	59	keyId: 'acct:peertube@localhost:' + servers[1].port,
df66d815 C	60	key: keys.privateKey,
df66d815 C	61	headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
48f07b4a	62	})
df66d815 C	63
	64	// ---------------------------------------------------------------
	65
	66	before(async function () {
	67	this.timeout(60000)
	68
254d3579	69	servers = await createMultipleServers(3)
df66d815 C	70
	71	url = servers[0].url + '/inbox'
	72
e7053b1d C	73	await setKeysOfServer(servers[0], servers[1], keys.publicKey, null)
e7053b1d C	74	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
df66d815	75
48f07b4a C	76	const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
48f07b4a C	77	const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey }
df66d815 C	78	await makeFollowRequest(to, by)
	79	})
	80
	81	describe('When checking HTTP signature', function () {
	82
	83	it('Should fail with an invalid digest', async function () {
48f07b4a	84	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	85	const headers = {
	86	Digest: buildDigest({ hello: 'coucou' })
	87	}
	88
b5c36108 C	89	try {
	90	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	91	expect(true, 'Did not throw').to.be.false
	92	} catch (err) {
	93	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	94	}
df66d815 C	95	})
	96
	97	it('Should fail with an invalid date', async function () {
48f07b4a	98	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	99	const headers = buildGlobalHeaders(body)
	100	headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'
	101
b5c36108 C	102	try {
	103	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	104	expect(true, 'Did not throw').to.be.false
	105	} catch (err) {
	106	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	107	}
df66d815 C	108	})
	109
	110	it('Should fail with bad keys', async function () {
48f07b4a C	111	await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
48f07b4a C	112	await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
df66d815	113
48f07b4a	114	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	115	const headers = buildGlobalHeaders(body)
df66d815 C	116
b5c36108 C	117	try {
	118	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	119	expect(true, 'Did not throw').to.be.false
	120	} catch (err) {
	121	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	122	}
df66d815 C	123	})
df66d815 C	124
797d05bd	125	it('Should reject requests without appropriate signed headers', async function () {
48f07b4a C	126	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
48f07b4a C	127	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
df66d815	128
48f07b4a	129	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815	130	const headers = buildGlobalHeaders(body)
797d05bd C	131
	132	const signatureOptions = baseHttpSignature()
	133	const badHeadersMatrix = [
	134	[ '(request-target)', 'date', 'digest' ],
	135	[ 'host', 'date', 'digest' ],
	136	[ '(request-target)', 'host', 'digest' ]
	137	]
	138
	139	for (const badHeaders of badHeadersMatrix) {
	140	signatureOptions.headers = badHeaders
	141
b5c36108 C	142	try {
	143	await makePOSTAPRequest(url, body, signatureOptions, headers)
	144	expect(true, 'Did not throw').to.be.false
	145	} catch (err) {
	146	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	147	}
797d05bd C	148	}
	149	})
	150
	151	it('Should succeed with a valid HTTP signature', async function () {
	152	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
	153	const headers = buildGlobalHeaders(body)
df66d815	154
db4b15f2	155	const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
db4b15f2	156	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
df66d815	157	})
095e2258 C	158
	159	it('Should refresh the actor keys', async function () {
	160	this.timeout(20000)
	161
095e2258 C	162	// Update keys of server 2 to invalid keys
	163	// Server 1 should refresh the actor and fail
	164	await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
e7053b1d C	165	await setUpdatedAtOfServer(servers[0], servers[1], '2015-07-17 22:00:00+00')
	166
	167	// Invalid peertube actor cache
9293139f	168	await killallServers([ servers[1] ])
254d3579	169	await servers[1].run()
095e2258 C	170
	171	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
	172	const headers = buildGlobalHeaders(body)
	173
b5c36108 C	174	try {
	175	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	176	expect(true, 'Did not throw').to.be.false
	177	} catch (err) {
e7053b1d	178	console.error(err)
b5c36108 C	179	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
b5c36108 C	180	}
095e2258	181	})
df66d815 C	182	})
	183
	184	describe('When checking Linked Data Signature', function () {
095e2258 C	185	before(async function () {
	186	this.timeout(10000)
	187
	188	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
	189	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
48f07b4a	190	await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)
df66d815	191
48f07b4a C	192	const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
48f07b4a C	193	const by = { url: 'http://localhost:' + servers[2].port + '/accounts/peertube', privateKey: keys.privateKey }
df66d815 C	194	await makeFollowRequest(to, by)
	195	})
	196
	197	it('Should fail with bad keys', async function () {
	198	this.timeout(10000)
	199
48f07b4a C	200	await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
48f07b4a C	201	await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
df66d815	202
48f07b4a C	203	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	204	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	205
48f07b4a	206	const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	207	const signedBody = await buildSignedActivity(signer, body)
	208
	209	const headers = buildGlobalHeaders(signedBody)
	210
b5c36108 C	211	try {
	212	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	213	expect(true, 'Did not throw').to.be.false
	214	} catch (err) {
	215	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	216	}
df66d815 C	217	})
	218
	219	it('Should fail with an altered body', async function () {
	220	this.timeout(10000)
	221
48f07b4a C	222	await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
48f07b4a C	223	await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
df66d815	224
48f07b4a C	225	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	226	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	227
48f07b4a	228	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	229	const signedBody = await buildSignedActivity(signer, body)
df66d815 C	230
48f07b4a	231	signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube'
df66d815 C	232
	233	const headers = buildGlobalHeaders(signedBody)
	234
b5c36108 C	235	try {
	236	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	237	expect(true, 'Did not throw').to.be.false
	238	} catch (err) {
	239	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	240	}
df66d815 C	241	})
	242
	243	it('Should succeed with a valid signature', async function () {
	244	this.timeout(10000)
	245
48f07b4a C	246	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	247	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	248
48f07b4a	249	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	250	const signedBody = await buildSignedActivity(signer, body)
	251
	252	const headers = buildGlobalHeaders(signedBody)
	253
db4b15f2	254	const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
db4b15f2	255	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
df66d815	256	})
095e2258 C	257
	258	it('Should refresh the actor keys', async function () {
	259	this.timeout(20000)
	260
	261	// Wait refresh invalidation
	262	await wait(10000)
	263
	264	// Update keys of server 3 to invalid keys
	265	// Server 1 should refresh the actor and fail
	266	await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
	267
	268	const body = getAnnounceWithoutContext(servers[1])
	269	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
	270
	271	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
	272	const signedBody = await buildSignedActivity(signer, body)
	273
	274	const headers = buildGlobalHeaders(signedBody)
	275
b5c36108 C	276	try {
	277	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	278	expect(true, 'Did not throw').to.be.false
	279	} catch (err) {
	280	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	281	}
095e2258	282	})
df66d815 C	283	})
	284
	285	after(async function () {
48f07b4a C	286	this.timeout(10000)
	287
	288	await cleanupTests(servers)
df66d815 C	289	})
df66d815 C	290	})