server/middlewares/activitypub.ts

   1 import { NextFunction, Request, Response } from 'express'
   2 import { ActivityDelete, ActivityPubSignature } from '../../shared'
   3 import { logger } from '../helpers/logger'
   4 import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
   5 import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants'
   6 import { getOrCreateActorAndServerAndModel } from '../lib/activitypub/actor'
   7 import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger'
   8 import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor'
   9 import { getAPId } from '@server/helpers/activitypub'
  10
  11 async function checkSignature (req: Request, res: Response, next: NextFunction) {
  12   try {
  13     const httpSignatureChecked = await checkHttpSignature(req, res)
  14     if (httpSignatureChecked !== true) return
  15
  16     const actor = res.locals.signature.actor
  17
  18     // Forwarded activity
  19     const bodyActor = req.body.actor
  20     const bodyActorId = getAPId(bodyActor)
  21     if (bodyActorId && bodyActorId !== actor.url) {
  22       const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
  23       if (jsonLDSignatureChecked !== true) return
  24     }
  25
  26     return next()
  27   } catch (err) {
  28     const activity: ActivityDelete = req.body
  29     if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) {
  30       logger.debug('Handling signature error on actor delete activity', { err })
  31       return res.sendStatus(204)
  32     }
  33
  34     logger.warn('Error in ActivityPub signature checker.', { err })
  35     return res.sendStatus(403)
  36   }
  37 }
  38
  39 function executeIfActivityPub (req: Request, res: Response, next: NextFunction) {
  40   const accepted = req.accepts(ACCEPT_HEADERS)
  41   if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) {
  42     // Bypass this route
  43     return next('route')
  44   }
  45
  46   logger.debug('ActivityPub request for %s.', req.url)
  47
  48   return next()
  49 }
  50
  51 // ---------------------------------------------------------------------------
  52
  53 export {
  54   checkSignature,
  55   executeIfActivityPub,
  56   checkHttpSignature
  57 }
  58
  59 // ---------------------------------------------------------------------------
  60
  61 async function checkHttpSignature (req: Request, res: Response) {
  62   // FIXME: compatibility with http-signature < v1.3
  63   const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
  64   if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '')
  65
  66   let parsed: any
  67
  68   try {
  69     parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
  70   } catch (err) {
  71     logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err })
  72
  73     res.status(403).json({ error: err.message })
  74     return false
  75   }
  76
  77   const keyId = parsed.keyId
  78   if (!keyId) {
  79     res.sendStatus(403)
  80     return false
  81   }
  82
  83   logger.debug('Checking HTTP signature of actor %s...', keyId)
  84
  85   let [ actorUrl ] = keyId.split('#')
  86   if (actorUrl.startsWith('acct:')) {
  87     actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
  88   }
  89
  90   const actor = await getOrCreateActorAndServerAndModel(actorUrl)
  91
  92   const verified = isHTTPSignatureVerified(parsed, actor)
  93   if (verified !== true) {
  94     logger.warn('Signature from %s is invalid', actorUrl, { parsed })
  95
  96     res.sendStatus(403)
  97     return false
  98   }
  99
 100   res.locals.signature = { actor }
 101
 102   return true
 103 }
 104
 105 async function checkJsonLDSignature (req: Request, res: Response) {
 106   const signatureObject: ActivityPubSignature = req.body.signature
 107
 108   if (!signatureObject || !signatureObject.creator) {
 109     res.sendStatus(403)
 110     return false
 111   }
 112
 113   const [ creator ] = signatureObject.creator.split('#')
 114
 115   logger.debug('Checking JsonLD signature of actor %s...', creator)
 116
 117   const actor = await getOrCreateActorAndServerAndModel(creator)
 118   const verified = await isJsonLDSignatureVerified(actor, req.body)
 119
 120   if (verified !== true) {
 121     logger.warn('Signature not verified.', req.body)
 122
 123     res.sendStatus(403)
 124     return false
 125   }
 126
 127   res.locals.signature = { actor }
 128
 129   return true
 130 }