1 import { NextFunction, Request, Response } from 'express'
2 import { getAPId } from '@server/helpers/activitypub'
3 import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor'
4 import { ActivityDelete, ActivityPubSignature, HttpStatusCode } from '@shared/models'
5 import { logger } from '../helpers/logger'
6 import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
7 import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants'
8 import { getOrCreateAPActor, loadActorUrlOrGetFromWebfinger } from '../lib/activitypub/actors'
10 async function checkSignature (req: Request, res: Response, next: NextFunction) {
12 const httpSignatureChecked = await checkHttpSignature(req, res)
13 if (httpSignatureChecked !== true) return
15 const actor = res.locals.signature.actor
18 const bodyActor = req.body.actor
19 const bodyActorId = getAPId(bodyActor)
20 if (bodyActorId && bodyActorId !== actor.url) {
21 const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
22 if (jsonLDSignatureChecked !== true) return
27 const activity: ActivityDelete = req.body
28 if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) {
29 logger.debug('Handling signature error on actor delete activity', { err })
30 return res.status(HttpStatusCode.NO_CONTENT_204).end()
33 logger.warn('Error in ActivityPub signature checker.', { err })
35 status: HttpStatusCode.FORBIDDEN_403,
36 message: 'ActivityPub signature could not be checked'
41 function executeIfActivityPub (req: Request, res: Response, next: NextFunction) {
42 const accepted = req.accepts(ACCEPT_HEADERS)
43 if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) {
48 logger.debug('ActivityPub request for %s.', req.url)
53 // ---------------------------------------------------------------------------
61 // ---------------------------------------------------------------------------
63 async function checkHttpSignature (req: Request, res: Response) {
64 // FIXME: compatibility with http-signature < v1.3
65 const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
66 if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '')
71 parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
73 logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err })
76 status: HttpStatusCode.FORBIDDEN_403,
82 const keyId = parsed.keyId
85 status: HttpStatusCode.FORBIDDEN_403,
86 message: 'Invalid key ID',
94 logger.debug('Checking HTTP signature of actor %s...', keyId)
96 let [ actorUrl ] = keyId.split('#')
97 if (actorUrl.startsWith('acct:')) {
98 actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
101 const actor = await getOrCreateAPActor(actorUrl)
103 const verified = isHTTPSignatureVerified(parsed, actor)
104 if (verified !== true) {
105 logger.warn('Signature from %s is invalid', actorUrl, { parsed })
108 status: HttpStatusCode.FORBIDDEN_403,
109 message: 'Invalid signature',
117 res.locals.signature = { actor }
121 async function checkJsonLDSignature (req: Request, res: Response) {
122 const signatureObject: ActivityPubSignature = req.body.signature
124 if (!signatureObject || !signatureObject.creator) {
126 status: HttpStatusCode.FORBIDDEN_403,
127 message: 'Object and creator signature do not match'
132 const [ creator ] = signatureObject.creator.split('#')
134 logger.debug('Checking JsonLD signature of actor %s...', creator)
136 const actor = await getOrCreateAPActor(creator)
137 const verified = await isJsonLDSignatureVerified(actor, req.body)
139 if (verified !== true) {
140 logger.warn('Signature not verified.', req.body)
143 status: HttpStatusCode.FORBIDDEN_403,
144 message: 'Signature could not be verified'
149 res.locals.signature = { actor }