server/middlewares/activitypub.ts

   1 import { eachSeries } from 'async'
   2 import { NextFunction, Request, RequestHandler, Response } from 'express'
   3 import { ActivityPubSignature } from '../../shared'
   4 import { logger } from '../helpers/logger'
   5 import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
   6 import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers'
   7 import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'
   8 import { ActorModel } from '../models/activitypub/actor'
   9 import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger'
  10
  11 async function checkSignature (req: Request, res: Response, next: NextFunction) {
  12   try {
  13     const httpSignatureChecked = await checkHttpSignature(req, res)
  14     if (httpSignatureChecked !== true) return
  15
  16     const actor: ActorModel = res.locals.signature.actor
  17
  18     // Forwarded activity
  19     const bodyActor = req.body.actor
  20     const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor
  21     if (bodyActorId && bodyActorId !== actor.url) {
  22       const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
  23       if (jsonLDSignatureChecked !== true) return
  24     }
  25
  26     return next()
  27   } catch (err) {
  28     logger.error('Error in ActivityPub signature checker.', err)
  29     return res.sendStatus(403)
  30   }
  31 }
  32
  33 function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) {
  34   return (req: Request, res: Response, next: NextFunction) => {
  35     const accepted = req.accepts(ACCEPT_HEADERS)
  36     if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) {
  37       return next()
  38     }
  39
  40     logger.debug('ActivityPub request for %s.', req.url)
  41
  42     if (Array.isArray(fun) === true) {
  43       return eachSeries(fun as RequestHandler[], (f, cb) => {
  44         f(req, res, cb)
  45       }, next)
  46     }
  47
  48     return (fun as RequestHandler)(req, res, next)
  49   }
  50 }
  51
  52 // ---------------------------------------------------------------------------
  53
  54 export {
  55   checkSignature,
  56   executeIfActivityPub
  57 }
  58
  59 // ---------------------------------------------------------------------------
  60
  61 async function checkHttpSignature (req: Request, res: Response) {
  62   // FIXME: mastodon does not include the Signature scheme
  63   const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
  64   if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig
  65
  66   const parsed = parseHTTPSignature(req)
  67
  68   const keyId = parsed.keyId
  69   if (!keyId) {
  70     res.sendStatus(403)
  71     return false
  72   }
  73
  74   logger.debug('Checking HTTP signature of actor %s...', keyId)
  75
  76   let [ actorUrl ] = keyId.split('#')
  77   if (actorUrl.startsWith('acct:')) {
  78     actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
  79   }
  80
  81   const actor = await getOrCreateActorAndServerAndModel(actorUrl)
  82
  83   const verified = isHTTPSignatureVerified(parsed, actor)
  84   if (verified !== true) {
  85     res.sendStatus(403)
  86     return false
  87   }
  88
  89   res.locals.signature = { actor }
  90
  91   return true
  92 }
  93
  94 async function checkJsonLDSignature (req: Request, res: Response) {
  95   const signatureObject: ActivityPubSignature = req.body.signature
  96
  97   if (!signatureObject.creator) {
  98     res.sendStatus(403)
  99     return false
 100   }
 101
 102   const [ creator ] = signatureObject.creator.split('#')
 103
 104   logger.debug('Checking JsonLD signature of actor %s...', creator)
 105
 106   const actor = await getOrCreateActorAndServerAndModel(creator)
 107   const verified = await isJsonLDSignatureVerified(actor, req.body)
 108
 109   if (verified !== true) {
 110     res.sendStatus(403)
 111     return false
 112   }
 113
 114   res.locals.signature = { actor }
 115
 116   return true
 117 }