server/middlewares/activitypub.ts

   1 import { eachSeries } from 'async'
   2 import { NextFunction, Request, RequestHandler, Response } from 'express'
   3 import { ActivityPubSignature } from '../../shared'
   4 import { logger } from '../helpers/logger'
   5 import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
   6 import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers'
   7 import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'
   8 import { ActorModel } from '../models/activitypub/actor'
   9 import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger'
  10
  11 async function checkSignature (req: Request, res: Response, next: NextFunction) {
  12   try {
  13     const httpSignatureChecked = await checkHttpSignature(req, res)
  14     if (httpSignatureChecked !== true) return
  15
  16     const actor: ActorModel = res.locals.signature.actor
  17
  18     // Forwarded activity
  19     const bodyActor = req.body.actor
  20     const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor
  21     if (bodyActorId && bodyActorId !== actor.url) {
  22       const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
  23       if (jsonLDSignatureChecked !== true) return
  24     }
  25
  26     return next()
  27   } catch (err) {
  28     logger.error('Error in ActivityPub signature checker.', err)
  29     return res.sendStatus(403)
  30   }
  31 }
  32
  33 function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) {
  34   return (req: Request, res: Response, next: NextFunction) => {
  35     const accepted = req.accepts(ACCEPT_HEADERS)
  36     if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) {
  37       return next()
  38     }
  39
  40     logger.debug('ActivityPub request for %s.', req.url)
  41
  42     if (Array.isArray(fun) === true) {
  43       return eachSeries(fun as RequestHandler[], (f, cb) => {
  44         f(req, res, cb)
  45       }, next)
  46     }
  47
  48     return (fun as RequestHandler)(req, res, next)
  49   }
  50 }
  51
  52 // ---------------------------------------------------------------------------
  53
  54 export {
  55   checkSignature,
  56   executeIfActivityPub,
  57   checkHttpSignature
  58 }
  59
  60 // ---------------------------------------------------------------------------
  61
  62 async function checkHttpSignature (req: Request, res: Response) {
  63   // FIXME: mastodon does not include the Signature scheme
  64   const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
  65   if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig
  66
  67   const parsed = parseHTTPSignature(req)
  68
  69   const keyId = parsed.keyId
  70   if (!keyId) {
  71     res.sendStatus(403)
  72     return false
  73   }
  74
  75   logger.debug('Checking HTTP signature of actor %s...', keyId)
  76
  77   let [ actorUrl ] = keyId.split('#')
  78   if (actorUrl.startsWith('acct:')) {
  79     actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
  80   }
  81
  82   const actor = await getOrCreateActorAndServerAndModel(actorUrl)
  83
  84   const verified = isHTTPSignatureVerified(parsed, actor)
  85   if (verified !== true) {
  86     res.sendStatus(403)
  87     return false
  88   }
  89
  90   res.locals.signature = { actor }
  91
  92   return true
  93 }
  94
  95 async function checkJsonLDSignature (req: Request, res: Response) {
  96   const signatureObject: ActivityPubSignature = req.body.signature
  97
  98   if (!signatureObject || !signatureObject.creator) {
  99     res.sendStatus(403)
 100     return false
 101   }
 102
 103   const [ creator ] = signatureObject.creator.split('#')
 104
 105   logger.debug('Checking JsonLD signature of actor %s...', creator)
 106
 107   const actor = await getOrCreateActorAndServerAndModel(creator)
 108   const verified = await isJsonLDSignatureVerified(actor, req.body)
 109
 110   if (verified !== true) {
 111     res.sendStatus(403)
 112     return false
 113   }
 114
 115   res.locals.signature = { actor }
 116
 117   return true
 118 }