[github/Chocobozzz/PeerTube.git] / server / tests / api / activitypub / security.ts

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import 'mocha'
import * as chai from 'chai'
import { activityPubContextify, buildSignedActivity } from '@server/helpers/activitypub'
import { buildDigest } from '@server/helpers/peertube-crypto'
import { HTTP_SIGNATURE } from '@server/initializers/constants'
import { buildGlobalHeaders } from '@server/lib/job-queue/handlers/utils/activitypub-http-utils'
import { buildAbsoluteFixturePath, cleanupTests, createMultipleServers, killallServers, PeerTubeServer, wait } from '@shared/extra-utils'
import { makeFollowRequest, makePOSTAPRequest } from '@shared/extra-utils/requests/activitypub'
import { HttpStatusCode } from '@shared/models'

const expect = chai.expect

function setKeysOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, publicKey: string, privateKey: string) {
  const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'

  return Promise.all([
    onServer.sql.setActorField(url, 'publicKey', publicKey),
    onServer.sql.setActorField(url, 'privateKey', privateKey)
  ])
}

function setUpdatedAtOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, updatedAt: string) {
  const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'

  return Promise.all([
    onServer.sql.setActorField(url, 'createdAt', updatedAt),
    onServer.sql.setActorField(url, 'updatedAt', updatedAt)
  ])
}

function getAnnounceWithoutContext (server: PeerTubeServer) {
  const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json'))
  const result: typeof json = {}

  for (const key of Object.keys(json)) {
    if (Array.isArray(json[key])) {
      result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`))
    } else {
      result[key] = json[key].replace(':9002', `:${server.port}`)
    }
  }

  return result
}

describe('Test ActivityPub security', function () {
  let servers: PeerTubeServer[]
  let url: string

  const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json'))
  const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json'))
  const baseHttpSignature = () => ({
    algorithm: HTTP_SIGNATURE.ALGORITHM,
    authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
    keyId: 'acct:peertube@localhost:' + servers[1].port,
    key: keys.privateKey,
    headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
  })

  // ---------------------------------------------------------------

  before(async function () {
    this.timeout(60000)

    servers = await createMultipleServers(3)

    url = servers[0].url + '/inbox'

    await setKeysOfServer(servers[0], servers[1], keys.publicKey, null)
    await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)

    const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
    const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey }
    await makeFollowRequest(to, by)
  })

  describe('When checking HTTP signature', function () {

    it('Should fail with an invalid digest', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = {
        Digest: buildDigest({ hello: 'coucou' })
      }

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with an invalid date', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)
      headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with bad keys', async function () {
      await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should reject requests without appropriate signed headers', async function () {
      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const signatureOptions = baseHttpSignature()
      const badHeadersMatrix = [
        [ '(request-target)', 'date', 'digest' ],
        [ 'host', 'date', 'digest' ],
        [ '(request-target)', 'host', 'digest' ]
      ]

      for (const badHeaders of badHeadersMatrix) {
        signatureOptions.headers = badHeaders

        try {
          await makePOSTAPRequest(url, body, signatureOptions, headers)
          expect(true, 'Did not throw').to.be.false
        } catch (err) {
          expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
        }
      }
    })

    it('Should succeed with a valid HTTP signature', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should refresh the actor keys', async function () {
      this.timeout(20000)

      // Update keys of server 2 to invalid keys
      // Server 1 should refresh the actor and fail
      await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
      await setUpdatedAtOfServer(servers[0], servers[1], '2015-07-17 22:00:00+00')

      // Invalid peertube actor cache
      await killallServers([ servers[1] ])
      await servers[1].run()

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        console.error(err)
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })
  })

  describe('When checking Linked Data Signature', function () {
    before(async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)

      const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
      const by = { url: 'http://localhost:' + servers[2].port + '/accounts/peertube', privateKey: keys.privateKey }
      await makeFollowRequest(to, by)
    })

    it('Should fail with bad keys', async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with an altered body', async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube'

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should succeed with a valid signature', async function () {
      this.timeout(10000)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should refresh the actor keys', async function () {
      this.timeout(20000)

      // Wait refresh invalidation
      await wait(10000)

      // Update keys of server 3 to invalid keys
      // Server 1 should refresh the actor and fail
      await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })
  })

  after(async function () {
    this.timeout(10000)

    await cleanupTests(servers)
  })
})
Commit	Line	Data
a1587156	1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
df66d815 C	2
df66d815 C	3	import 'mocha'
df66d815	4	import * as chai from 'chai'
c0e8b12e	5	import { activityPubContextify, buildSignedActivity } from '@server/helpers/activitypub'
8dc8a34e	6	import { buildDigest } from '@server/helpers/peertube-crypto'
c0e8b12e C	7	import { HTTP_SIGNATURE } from '@server/initializers/constants'
	8	import { buildGlobalHeaders } from '@server/lib/job-queue/handlers/utils/activitypub-http-utils'
	9	import { buildAbsoluteFixturePath, cleanupTests, createMultipleServers, killallServers, PeerTubeServer, wait } from '@shared/extra-utils'
	10	import { makeFollowRequest, makePOSTAPRequest } from '@shared/extra-utils/requests/activitypub'
	11	import { HttpStatusCode } from '@shared/models'
df66d815 C	12
	13	const expect = chai.expect
	14
254d3579	15	function setKeysOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, publicKey: string, privateKey: string) {
e7053b1d C	16	const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'
	17
	18	return Promise.all([
89d241a7 C	19	onServer.sql.setActorField(url, 'publicKey', publicKey),
89d241a7 C	20	onServer.sql.setActorField(url, 'privateKey', privateKey)
e7053b1d C	21	])
	22	}
	23
254d3579	24	function setUpdatedAtOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, updatedAt: string) {
e7053b1d C	25	const url = 'http://localhost:' + ofServer.port + '/accounts/peertube'
e7053b1d C	26
df66d815	27	return Promise.all([
89d241a7 C	28	onServer.sql.setActorField(url, 'createdAt', updatedAt),
89d241a7 C	29	onServer.sql.setActorField(url, 'updatedAt', updatedAt)
df66d815 C	30	])
	31	}
	32
254d3579	33	function getAnnounceWithoutContext (server: PeerTubeServer) {
3d470a53	34	const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json'))
48f07b4a C	35	const result: typeof json = {}
	36
	37	for (const key of Object.keys(json)) {
	38	if (Array.isArray(json[key])) {
e7053b1d	39	result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`))
48f07b4a	40	} else {
e7053b1d	41	result[key] = json[key].replace(':9002', `:${server.port}`)
48f07b4a C	42	}
	43	}
	44
	45	return result
df66d815 C	46	}
	47
	48	describe('Test ActivityPub security', function () {
254d3579	49	let servers: PeerTubeServer[]
df66d815 C	50	let url: string
df66d815 C	51
3d470a53 C	52	const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json'))
3d470a53 C	53	const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json'))
48f07b4a	54	const baseHttpSignature = () => ({
df66d815 C	55	algorithm: HTTP_SIGNATURE.ALGORITHM,
df66d815 C	56	authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
48f07b4a	57	keyId: 'acct:peertube@localhost:' + servers[1].port,
df66d815 C	58	key: keys.privateKey,
df66d815 C	59	headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
48f07b4a	60	})
df66d815 C	61
	62	// ---------------------------------------------------------------
	63
	64	before(async function () {
	65	this.timeout(60000)
	66
254d3579	67	servers = await createMultipleServers(3)
df66d815 C	68
	69	url = servers[0].url + '/inbox'
	70
e7053b1d C	71	await setKeysOfServer(servers[0], servers[1], keys.publicKey, null)
e7053b1d C	72	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
df66d815	73
48f07b4a C	74	const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
48f07b4a C	75	const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey }
df66d815 C	76	await makeFollowRequest(to, by)
	77	})
	78
	79	describe('When checking HTTP signature', function () {
	80
	81	it('Should fail with an invalid digest', async function () {
48f07b4a	82	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	83	const headers = {
	84	Digest: buildDigest({ hello: 'coucou' })
	85	}
	86
b5c36108 C	87	try {
	88	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	89	expect(true, 'Did not throw').to.be.false
	90	} catch (err) {
	91	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	92	}
df66d815 C	93	})
	94
	95	it('Should fail with an invalid date', async function () {
48f07b4a	96	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	97	const headers = buildGlobalHeaders(body)
	98	headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'
	99
b5c36108 C	100	try {
	101	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	102	expect(true, 'Did not throw').to.be.false
	103	} catch (err) {
	104	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	105	}
df66d815 C	106	})
	107
	108	it('Should fail with bad keys', async function () {
48f07b4a C	109	await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
48f07b4a C	110	await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
df66d815	111
48f07b4a	112	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	113	const headers = buildGlobalHeaders(body)
df66d815 C	114
b5c36108 C	115	try {
	116	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	117	expect(true, 'Did not throw').to.be.false
	118	} catch (err) {
	119	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	120	}
df66d815 C	121	})
df66d815 C	122
797d05bd	123	it('Should reject requests without appropriate signed headers', async function () {
48f07b4a C	124	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
48f07b4a C	125	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
df66d815	126
48f07b4a	127	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815	128	const headers = buildGlobalHeaders(body)
797d05bd C	129
	130	const signatureOptions = baseHttpSignature()
	131	const badHeadersMatrix = [
	132	[ '(request-target)', 'date', 'digest' ],
	133	[ 'host', 'date', 'digest' ],
	134	[ '(request-target)', 'host', 'digest' ]
	135	]
	136
	137	for (const badHeaders of badHeadersMatrix) {
	138	signatureOptions.headers = badHeaders
	139
b5c36108 C	140	try {
	141	await makePOSTAPRequest(url, body, signatureOptions, headers)
	142	expect(true, 'Did not throw').to.be.false
	143	} catch (err) {
	144	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	145	}
797d05bd C	146	}
	147	})
	148
	149	it('Should succeed with a valid HTTP signature', async function () {
	150	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
	151	const headers = buildGlobalHeaders(body)
df66d815	152
db4b15f2	153	const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
db4b15f2	154	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
df66d815	155	})
095e2258 C	156
	157	it('Should refresh the actor keys', async function () {
	158	this.timeout(20000)
	159
095e2258 C	160	// Update keys of server 2 to invalid keys
	161	// Server 1 should refresh the actor and fail
	162	await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
e7053b1d C	163	await setUpdatedAtOfServer(servers[0], servers[1], '2015-07-17 22:00:00+00')
	164
	165	// Invalid peertube actor cache
9293139f	166	await killallServers([ servers[1] ])
254d3579	167	await servers[1].run()
095e2258 C	168
	169	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
	170	const headers = buildGlobalHeaders(body)
	171
b5c36108 C	172	try {
	173	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	174	expect(true, 'Did not throw').to.be.false
	175	} catch (err) {
e7053b1d	176	console.error(err)
b5c36108 C	177	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
b5c36108 C	178	}
095e2258	179	})
df66d815 C	180	})
	181
	182	describe('When checking Linked Data Signature', function () {
095e2258 C	183	before(async function () {
	184	this.timeout(10000)
	185
	186	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
	187	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
48f07b4a	188	await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)
df66d815	189
48f07b4a C	190	const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
48f07b4a C	191	const by = { url: 'http://localhost:' + servers[2].port + '/accounts/peertube', privateKey: keys.privateKey }
df66d815 C	192	await makeFollowRequest(to, by)
	193	})
	194
	195	it('Should fail with bad keys', async function () {
	196	this.timeout(10000)
	197
48f07b4a C	198	await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
48f07b4a C	199	await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
df66d815	200
48f07b4a C	201	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	202	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	203
48f07b4a	204	const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	205	const signedBody = await buildSignedActivity(signer, body)
	206
	207	const headers = buildGlobalHeaders(signedBody)
	208
b5c36108 C	209	try {
	210	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	211	expect(true, 'Did not throw').to.be.false
	212	} catch (err) {
	213	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	214	}
df66d815 C	215	})
	216
	217	it('Should fail with an altered body', async function () {
	218	this.timeout(10000)
	219
48f07b4a C	220	await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
48f07b4a C	221	await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
df66d815	222
48f07b4a C	223	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	224	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	225
48f07b4a	226	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	227	const signedBody = await buildSignedActivity(signer, body)
df66d815 C	228
48f07b4a	229	signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube'
df66d815 C	230
	231	const headers = buildGlobalHeaders(signedBody)
	232
b5c36108 C	233	try {
	234	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	235	expect(true, 'Did not throw').to.be.false
	236	} catch (err) {
	237	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	238	}
df66d815 C	239	})
	240
	241	it('Should succeed with a valid signature', async function () {
	242	this.timeout(10000)
	243
48f07b4a C	244	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	245	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	246
48f07b4a	247	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	248	const signedBody = await buildSignedActivity(signer, body)
	249
	250	const headers = buildGlobalHeaders(signedBody)
	251
db4b15f2	252	const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
db4b15f2	253	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
df66d815	254	})
095e2258 C	255
	256	it('Should refresh the actor keys', async function () {
	257	this.timeout(20000)
	258
	259	// Wait refresh invalidation
	260	await wait(10000)
	261
	262	// Update keys of server 3 to invalid keys
	263	// Server 1 should refresh the actor and fail
	264	await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
	265
	266	const body = getAnnounceWithoutContext(servers[1])
	267	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
	268
	269	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
	270	const signedBody = await buildSignedActivity(signer, body)
	271
	272	const headers = buildGlobalHeaders(signedBody)
	273
b5c36108 C	274	try {
	275	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	276	expect(true, 'Did not throw').to.be.false
	277	} catch (err) {
	278	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	279	}
095e2258	280	})
df66d815 C	281	})
	282
	283	after(async function () {
48f07b4a C	284	this.timeout(10000)
	285
	286	await cleanupTests(servers)
df66d815 C	287	})
df66d815 C	288	})