server/middlewares/activitypub.ts

   1 import { NextFunction, Request, Response } from 'express'
   2 import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor'
   3 import { getAPId } from '@server/lib/activitypub/activity'
   4 import { wrapWithSpanAndContext } from '@server/lib/opentelemetry/tracing'
   5 import { ActivityDelete, ActivityPubSignature, HttpStatusCode } from '@shared/models'
   6 import { logger } from '../helpers/logger'
   7 import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
   8 import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants'
   9 import { getOrCreateAPActor, loadActorUrlOrGetFromWebfinger } from '../lib/activitypub/actors'
  10
  11 async function checkSignature (req: Request, res: Response, next: NextFunction) {
  12   try {
  13     const httpSignatureChecked = await checkHttpSignature(req, res)
  14     if (httpSignatureChecked !== true) return
  15
  16     const actor = res.locals.signature.actor
  17
  18     // Forwarded activity
  19     const bodyActor = req.body.actor
  20     const bodyActorId = getAPId(bodyActor)
  21     if (bodyActorId && bodyActorId !== actor.url) {
  22       const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
  23       if (jsonLDSignatureChecked !== true) return
  24     }
  25
  26     return next()
  27   } catch (err) {
  28     const activity: ActivityDelete = req.body
  29     if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) {
  30       logger.debug('Handling signature error on actor delete activity', { err })
  31       return res.status(HttpStatusCode.NO_CONTENT_204).end()
  32     }
  33
  34     logger.warn('Error in ActivityPub signature checker.', { err })
  35     return res.fail({
  36       status: HttpStatusCode.FORBIDDEN_403,
  37       message: 'ActivityPub signature could not be checked'
  38     })
  39   }
  40 }
  41
  42 function executeIfActivityPub (req: Request, res: Response, next: NextFunction) {
  43   const accepted = req.accepts(ACCEPT_HEADERS)
  44   if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) {
  45     // Bypass this route
  46     return next('route')
  47   }
  48
  49   logger.debug('ActivityPub request for %s.', req.url)
  50
  51   return next()
  52 }
  53
  54 // ---------------------------------------------------------------------------
  55
  56 export {
  57   checkSignature,
  58   executeIfActivityPub,
  59   checkHttpSignature
  60 }
  61
  62 // ---------------------------------------------------------------------------
  63
  64 async function checkHttpSignature (req: Request, res: Response) {
  65   return wrapWithSpanAndContext('peertube.activitypub.checkHTTPSignature', async () => {
  66     // FIXME: compatibility with http-signature < v1.3
  67     const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
  68     if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '')
  69
  70     let parsed: any
  71
  72     try {
  73       parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
  74     } catch (err) {
  75       logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err })
  76
  77       res.fail({
  78         status: HttpStatusCode.FORBIDDEN_403,
  79         message: err.message
  80       })
  81       return false
  82     }
  83
  84     const keyId = parsed.keyId
  85     if (!keyId) {
  86       res.fail({
  87         status: HttpStatusCode.FORBIDDEN_403,
  88         message: 'Invalid key ID',
  89         data: {
  90           keyId
  91         }
  92       })
  93       return false
  94     }
  95
  96     logger.debug('Checking HTTP signature of actor %s...', keyId)
  97
  98     let [ actorUrl ] = keyId.split('#')
  99     if (actorUrl.startsWith('acct:')) {
 100       actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
 101     }
 102
 103     const actor = await getOrCreateAPActor(actorUrl)
 104
 105     const verified = isHTTPSignatureVerified(parsed, actor)
 106     if (verified !== true) {
 107       logger.warn('Signature from %s is invalid', actorUrl, { parsed })
 108
 109       res.fail({
 110         status: HttpStatusCode.FORBIDDEN_403,
 111         message: 'Invalid signature',
 112         data: {
 113           actorUrl
 114         }
 115       })
 116       return false
 117     }
 118
 119     res.locals.signature = { actor }
 120     return true
 121   })
 122 }
 123
 124 async function checkJsonLDSignature (req: Request, res: Response) {
 125   return wrapWithSpanAndContext('peertube.activitypub.JSONLDSignature', async () => {
 126     const signatureObject: ActivityPubSignature = req.body.signature
 127
 128     if (!signatureObject?.creator) {
 129       res.fail({
 130         status: HttpStatusCode.FORBIDDEN_403,
 131         message: 'Object and creator signature do not match'
 132       })
 133       return false
 134     }
 135
 136     const [ creator ] = signatureObject.creator.split('#')
 137
 138     logger.debug('Checking JsonLD signature of actor %s...', creator)
 139
 140     const actor = await getOrCreateAPActor(creator)
 141     const verified = await isJsonLDSignatureVerified(actor, req.body)
 142
 143     if (verified !== true) {
 144       logger.warn('Signature not verified.', req.body)
 145
 146       res.fail({
 147         status: HttpStatusCode.FORBIDDEN_403,
 148         message: 'Signature could not be verified'
 149       })
 150       return false
 151     }
 152
 153     res.locals.signature = { actor }
 154     return true
 155   })
 156 }