server/middlewares/activitypub.ts

   1 import { NextFunction, Request, Response } from 'express'
   2 import { ActivityPubSignature } from '../../shared'
   3 import { logger } from '../helpers/logger'
   4 import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
   5 import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers'
   6 import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'
   7 import { ActorModel } from '../models/activitypub/actor'
   8 import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger'
   9
  10 async function checkSignature (req: Request, res: Response, next: NextFunction) {
  11   try {
  12     const httpSignatureChecked = await checkHttpSignature(req, res)
  13     if (httpSignatureChecked !== true) return
  14
  15     const actor: ActorModel = res.locals.signature.actor
  16
  17     // Forwarded activity
  18     const bodyActor = req.body.actor
  19     const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor
  20     if (bodyActorId && bodyActorId !== actor.url) {
  21       const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
  22       if (jsonLDSignatureChecked !== true) return
  23     }
  24
  25     return next()
  26   } catch (err) {
  27     logger.error('Error in ActivityPub signature checker.', err)
  28     return res.sendStatus(403)
  29   }
  30 }
  31
  32 function executeIfActivityPub (req: Request, res: Response, next: NextFunction) {
  33   const accepted = req.accepts(ACCEPT_HEADERS)
  34   if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) {
  35     // Bypass this route
  36     return next('route')
  37   }
  38
  39   logger.debug('ActivityPub request for %s.', req.url)
  40
  41   return next()
  42 }
  43
  44 // ---------------------------------------------------------------------------
  45
  46 export {
  47   checkSignature,
  48   executeIfActivityPub,
  49   checkHttpSignature
  50 }
  51
  52 // ---------------------------------------------------------------------------
  53
  54 async function checkHttpSignature (req: Request, res: Response) {
  55   // FIXME: mastodon does not include the Signature scheme
  56   const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
  57   if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig
  58
  59   const parsed = parseHTTPSignature(req)
  60
  61   const keyId = parsed.keyId
  62   if (!keyId) {
  63     res.sendStatus(403)
  64     return false
  65   }
  66
  67   logger.debug('Checking HTTP signature of actor %s...', keyId)
  68
  69   let [ actorUrl ] = keyId.split('#')
  70   if (actorUrl.startsWith('acct:')) {
  71     actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
  72   }
  73
  74   const actor = await getOrCreateActorAndServerAndModel(actorUrl)
  75
  76   const verified = isHTTPSignatureVerified(parsed, actor)
  77   if (verified !== true) {
  78     res.sendStatus(403)
  79     return false
  80   }
  81
  82   res.locals.signature = { actor }
  83
  84   return true
  85 }
  86
  87 async function checkJsonLDSignature (req: Request, res: Response) {
  88   const signatureObject: ActivityPubSignature = req.body.signature
  89
  90   if (!signatureObject || !signatureObject.creator) {
  91     res.sendStatus(403)
  92     return false
  93   }
  94
  95   const [ creator ] = signatureObject.creator.split('#')
  96
  97   logger.debug('Checking JsonLD signature of actor %s...', creator)
  98
  99   const actor = await getOrCreateActorAndServerAndModel(creator)
 100   const verified = await isJsonLDSignatureVerified(actor, req.body)
 101
 102   if (verified !== true) {
 103     res.sendStatus(403)
 104     return false
 105   }
 106
 107   res.locals.signature = { actor }
 108
 109   return true
 110 }