]>
Commit | Line | Data |
---|---|---|
1 | import { NextFunction, Request, Response } from 'express' | |
2 | import { ActivityDelete, ActivityPubSignature } from '../../shared' | |
3 | import { logger } from '../helpers/logger' | |
4 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' | |
5 | import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' | |
6 | import { getOrCreateActorAndServerAndModel } from '../lib/activitypub/actor' | |
7 | import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' | |
8 | import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor' | |
9 | import { getAPId } from '@server/helpers/activitypub' | |
10 | import { HttpStatusCode } from '../../shared/core-utils/miscs/http-error-codes' | |
11 | ||
12 | async function checkSignature (req: Request, res: Response, next: NextFunction) { | |
13 | try { | |
14 | const httpSignatureChecked = await checkHttpSignature(req, res) | |
15 | if (httpSignatureChecked !== true) return | |
16 | ||
17 | const actor = res.locals.signature.actor | |
18 | ||
19 | // Forwarded activity | |
20 | const bodyActor = req.body.actor | |
21 | const bodyActorId = getAPId(bodyActor) | |
22 | if (bodyActorId && bodyActorId !== actor.url) { | |
23 | const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) | |
24 | if (jsonLDSignatureChecked !== true) return | |
25 | } | |
26 | ||
27 | return next() | |
28 | } catch (err) { | |
29 | const activity: ActivityDelete = req.body | |
30 | if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) { | |
31 | logger.debug('Handling signature error on actor delete activity', { err }) | |
32 | return res.status(HttpStatusCode.NO_CONTENT_204).end() | |
33 | } | |
34 | ||
35 | logger.warn('Error in ActivityPub signature checker.', { err }) | |
36 | return res.fail({ | |
37 | status: HttpStatusCode.FORBIDDEN_403, | |
38 | message: 'ActivityPub signature could not be checked' | |
39 | }) | |
40 | } | |
41 | } | |
42 | ||
43 | function executeIfActivityPub (req: Request, res: Response, next: NextFunction) { | |
44 | const accepted = req.accepts(ACCEPT_HEADERS) | |
45 | if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) { | |
46 | // Bypass this route | |
47 | return next('route') | |
48 | } | |
49 | ||
50 | logger.debug('ActivityPub request for %s.', req.url) | |
51 | ||
52 | return next() | |
53 | } | |
54 | ||
55 | // --------------------------------------------------------------------------- | |
56 | ||
57 | export { | |
58 | checkSignature, | |
59 | executeIfActivityPub, | |
60 | checkHttpSignature | |
61 | } | |
62 | ||
63 | // --------------------------------------------------------------------------- | |
64 | ||
65 | async function checkHttpSignature (req: Request, res: Response) { | |
66 | // FIXME: compatibility with http-signature < v1.3 | |
67 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string | |
68 | if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') | |
69 | ||
70 | let parsed: any | |
71 | ||
72 | try { | |
73 | parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) | |
74 | } catch (err) { | |
75 | logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err }) | |
76 | ||
77 | res.fail({ | |
78 | status: HttpStatusCode.FORBIDDEN_403, | |
79 | message: err.message | |
80 | }) | |
81 | return false | |
82 | } | |
83 | ||
84 | const keyId = parsed.keyId | |
85 | if (!keyId) { | |
86 | res.fail({ | |
87 | status: HttpStatusCode.FORBIDDEN_403, | |
88 | message: 'Invalid key ID', | |
89 | data: { | |
90 | keyId | |
91 | } | |
92 | }) | |
93 | return false | |
94 | } | |
95 | ||
96 | logger.debug('Checking HTTP signature of actor %s...', keyId) | |
97 | ||
98 | let [ actorUrl ] = keyId.split('#') | |
99 | if (actorUrl.startsWith('acct:')) { | |
100 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) | |
101 | } | |
102 | ||
103 | const actor = await getOrCreateActorAndServerAndModel(actorUrl) | |
104 | ||
105 | const verified = isHTTPSignatureVerified(parsed, actor) | |
106 | if (verified !== true) { | |
107 | logger.warn('Signature from %s is invalid', actorUrl, { parsed }) | |
108 | ||
109 | res.fail({ | |
110 | status: HttpStatusCode.FORBIDDEN_403, | |
111 | message: 'Invalid signature', | |
112 | data: { | |
113 | actorUrl | |
114 | } | |
115 | }) | |
116 | return false | |
117 | } | |
118 | ||
119 | res.locals.signature = { actor } | |
120 | return true | |
121 | } | |
122 | ||
123 | async function checkJsonLDSignature (req: Request, res: Response) { | |
124 | const signatureObject: ActivityPubSignature = req.body.signature | |
125 | ||
126 | if (!signatureObject || !signatureObject.creator) { | |
127 | res.fail({ | |
128 | status: HttpStatusCode.FORBIDDEN_403, | |
129 | message: 'Object and creator signature do not match' | |
130 | }) | |
131 | return false | |
132 | } | |
133 | ||
134 | const [ creator ] = signatureObject.creator.split('#') | |
135 | ||
136 | logger.debug('Checking JsonLD signature of actor %s...', creator) | |
137 | ||
138 | const actor = await getOrCreateActorAndServerAndModel(creator) | |
139 | const verified = await isJsonLDSignatureVerified(actor, req.body) | |
140 | ||
141 | if (verified !== true) { | |
142 | logger.warn('Signature not verified.', req.body) | |
143 | ||
144 | res.fail({ | |
145 | status: HttpStatusCode.FORBIDDEN_403, | |
146 | message: 'Signature could not be verified' | |
147 | }) | |
148 | return false | |
149 | } | |
150 | ||
151 | res.locals.signature = { actor } | |
152 | return true | |
153 | } |