| | 1 | import { NextFunction, Request, Response } from 'express' |
| | 2 | import { ActivityDelete, ActivityPubSignature } from '../../shared' |
| | 3 | import { logger } from '../helpers/logger' |
| | 4 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' |
| | 5 | import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' |
| | 6 | import { getOrCreateActorAndServerAndModel } from '../lib/activitypub/actor' |
| | 7 | import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' |
| | 8 | import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor' |
| | 9 | import { getAPId } from '@server/helpers/activitypub' |
| | 10 | import { HttpStatusCode } from '../../shared/core-utils/miscs/http-error-codes' |
| | 11 | |
| | 12 | async function checkSignature (req: Request, res: Response, next: NextFunction) { |
| | 13 | try { |
| | 14 | const httpSignatureChecked = await checkHttpSignature(req, res) |
| | 15 | if (httpSignatureChecked !== true) return |
| | 16 | |
| | 17 | const actor = res.locals.signature.actor |
| | 18 | |
| | 19 | // Forwarded activity |
| | 20 | const bodyActor = req.body.actor |
| | 21 | const bodyActorId = getAPId(bodyActor) |
| | 22 | if (bodyActorId && bodyActorId !== actor.url) { |
| | 23 | const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) |
| | 24 | if (jsonLDSignatureChecked !== true) return |
| | 25 | } |
| | 26 | |
| | 27 | return next() |
| | 28 | } catch (err) { |
| | 29 | const activity: ActivityDelete = req.body |
| | 30 | if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) { |
| | 31 | logger.debug('Handling signature error on actor delete activity', { err }) |
| | 32 | return res.sendStatus(HttpStatusCode.NO_CONTENT_204) |
| | 33 | } |
| | 34 | |
| | 35 | logger.warn('Error in ActivityPub signature checker.', { err }) |
| | 36 | return res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
| | 37 | } |
| | 38 | } |
| | 39 | |
| | 40 | function executeIfActivityPub (req: Request, res: Response, next: NextFunction) { |
| | 41 | const accepted = req.accepts(ACCEPT_HEADERS) |
| | 42 | if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) { |
| | 43 | // Bypass this route |
| | 44 | return next('route') |
| | 45 | } |
| | 46 | |
| | 47 | logger.debug('ActivityPub request for %s.', req.url) |
| | 48 | |
| | 49 | return next() |
| | 50 | } |
| | 51 | |
| | 52 | // --------------------------------------------------------------------------- |
| | 53 | |
| | 54 | export { |
| | 55 | checkSignature, |
| | 56 | executeIfActivityPub, |
| | 57 | checkHttpSignature |
| | 58 | } |
| | 59 | |
| | 60 | // --------------------------------------------------------------------------- |
| | 61 | |
| | 62 | async function checkHttpSignature (req: Request, res: Response) { |
| | 63 | // FIXME: compatibility with http-signature < v1.3 |
| | 64 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string |
| | 65 | if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') |
| | 66 | |
| | 67 | let parsed: any |
| | 68 | |
| | 69 | try { |
| | 70 | parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) |
| | 71 | } catch (err) { |
| | 72 | logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err }) |
| | 73 | |
| | 74 | res.status(HttpStatusCode.FORBIDDEN_403).json({ error: err.message }) |
| | 75 | return false |
| | 76 | } |
| | 77 | |
| | 78 | const keyId = parsed.keyId |
| | 79 | if (!keyId) { |
| | 80 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
| | 81 | return false |
| | 82 | } |
| | 83 | |
| | 84 | logger.debug('Checking HTTP signature of actor %s...', keyId) |
| | 85 | |
| | 86 | let [ actorUrl ] = keyId.split('#') |
| | 87 | if (actorUrl.startsWith('acct:')) { |
| | 88 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) |
| | 89 | } |
| | 90 | |
| | 91 | const actor = await getOrCreateActorAndServerAndModel(actorUrl) |
| | 92 | |
| | 93 | const verified = isHTTPSignatureVerified(parsed, actor) |
| | 94 | if (verified !== true) { |
| | 95 | logger.warn('Signature from %s is invalid', actorUrl, { parsed }) |
| | 96 | |
| | 97 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
| | 98 | return false |
| | 99 | } |
| | 100 | |
| | 101 | res.locals.signature = { actor } |
| | 102 | |
| | 103 | return true |
| | 104 | } |
| | 105 | |
| | 106 | async function checkJsonLDSignature (req: Request, res: Response) { |
| | 107 | const signatureObject: ActivityPubSignature = req.body.signature |
| | 108 | |
| | 109 | if (!signatureObject || !signatureObject.creator) { |
| | 110 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
| | 111 | return false |
| | 112 | } |
| | 113 | |
| | 114 | const [ creator ] = signatureObject.creator.split('#') |
| | 115 | |
| | 116 | logger.debug('Checking JsonLD signature of actor %s...', creator) |
| | 117 | |
| | 118 | const actor = await getOrCreateActorAndServerAndModel(creator) |
| | 119 | const verified = await isJsonLDSignatureVerified(actor, req.body) |
| | 120 | |
| | 121 | if (verified !== true) { |
| | 122 | logger.warn('Signature not verified.', req.body) |
| | 123 | |
| | 124 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
| | 125 | return false |
| | 126 | } |
| | 127 | |
| | 128 | res.locals.signature = { actor } |
| | 129 | |
| | 130 | return true |
| | 131 | } |
projects / github / Chocobozzz / PeerTube.git / blame_incremental