X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Factivitypub.ts;h=580606a68387067186565384432261e91d3f8f5d;hb=38c2fde13e90973731d56b97e92edd89c4c62dbb;hp=1ec8884772d6ea8186c92a3cdfae8f416caf0c6c;hpb=f7509cbec875ec4ee3201cce08839f2a02676c1c;p=github%2FChocobozzz%2FPeerTube.git
diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts
index 1ec888477..580606a68 100644
--- a/server/middlewares/activitypub.ts
+++ b/server/middlewares/activitypub.ts
@@ -1,23 +1,23 @@
-import { eachSeries } from 'async'
-import { NextFunction, Request, RequestHandler, Response } from 'express'
-import { ActivityPubSignature } from '../../shared'
+import { NextFunction, Request, Response } from 'express'
+import { ActivityDelete, ActivityPubSignature } from '../../shared'
 import { logger } from '../helpers/logger'
 import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
-import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers'
-import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'
-import { ActorModel } from '../models/activitypub/actor'
+import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants'
+import { getOrCreateActorAndServerAndModel } from '../lib/activitypub/actor'
 import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger'
+import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor'
+import { getAPId } from '@server/helpers/activitypub'
 async function checkSignature (req: Request, res: Response, next: NextFunction) {
 try {
 const httpSignatureChecked = await checkHttpSignature(req, res)
 if (httpSignatureChecked !== true) return
- const actor: ActorModel = res.locals.signature.actor
+ const actor = res.locals.signature.actor
 // Forwarded activity
 const bodyActor = req.body.actor
- const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor
+ const bodyActorId = getAPId(bodyActor)
 if (bodyActorId && bodyActorId !== actor.url) {
 const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
 if (jsonLDSignatureChecked !== true) return
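Review bot: With the `ActorModel` annotation dropped at `const actor = res.locals.signature.actor`, `actor` is inferred from `res.locals`, which Express types as `Record<string, any>`, so `actor.url` in the comparison a few lines below is no longer type-checked (unless the project augments Express's `Locals`, which this hunk does not show). Since the value is the verified signer and drives the decision whether a JSON-LD signature is required, it is worth keeping a narrow type: `const actor: ActorModel = res.locals.signature.actor` with the corresponding import retained, or whichever narrower actor type the project now uses in place of `ActorModel`. checkSignature's body continues past the end of this hunk.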
@@ -25,45 +25,45 @@ async function checkSignature (req: Request, res: Response, next: NextFunction)
 return next()
 } catch (err) {
- logger.error('Error in ActivityPub signature checker.', err)
+ const activity: ActivityDelete = req.body
+ if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) {
+ logger.debug('Handling signature error on actor delete activity', { err })
+ return res.sendStatus(204)
+ }
+
+ logger.warn('Error in ActivityPub signature checker.', { err })
 return res.sendStatus(403)
 }
 }
-function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) {
- return (req: Request, res: Response, next: NextFunction) => {
- const accepted = req.accepts(ACCEPT_HEADERS)
- if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) {
- return next()
- }
+function executeIfActivityPub (req: Request, res: Response, next: NextFunction) {
+ const accepted = req.accepts(ACCEPT_HEADERS)
+ if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) {
+ // Bypass this route
+ return next('route')
+ }
- logger.debug('ActivityPub request for %s.', req.url)
+ logger.debug('ActivityPub request for %s.', req.url)
- if (Array.isArray(fun) === true) {
- return eachSeries(fun as RequestHandler[], (f, cb) => {
- f(req, res, cb)
- }, next)
- }
-
- return (fun as RequestHandler)(req, res, next)
- }
+ return next()
 }
 // ---------------------------------------------------------------------------
 export {
 checkSignature,
- executeIfActivityPub
+ executeIfActivityPub,
+ checkHttpSignature
 }
 // ---------------------------------------------------------------------------
 async function checkHttpSignature (req: Request, res: Response) {
- // FIXME: mastodon does not include the Signature scheme
+ // FIXME: compatibility with http-signature < v1.3
 const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
- if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig
+ if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '')
- const parsed = parseHTTPSignature(req)
+ const parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
 const keyId = parsed.keyId
 if (!keyId) {
@@ -82,6 +82,8 @@ async function checkHttpSignature (req: Request, res: Response) {
 const verified = isHTTPSignatureVerified(parsed, actor)
 if (verified !== true) {
+ logger.warn('Signature from %s is invalid', actorUrl, { parsed })
+
 res.sendStatus(403)
 return false
 }
@@ -94,7 +96,7 @@ async function checkHttpSignature (req: Request, res: Response) {
 async function checkJsonLDSignature (req: Request, res: Response) {
 const signatureObject: ActivityPubSignature = req.body.signature
- if (!signatureObject.creator) {
+ if (!signatureObject || !signatureObject.creator) {
 res.sendStatus(403)
 return false
 }
@@ -107,6 +109,8 @@ async function checkJsonLDSignature (req: Request, res: Response) {
 const verified = await isJsonLDSignatureVerified(actor, req.body)
 if (verified !== true) {
+ logger.warn('Signature not verified.', req.body)
+
 res.sendStatus(403)
 return false
 }
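Review bot: In the new catch branch of checkSignature, `activity.object === activity.actor` compares the raw fields, whereas the same commit switched `bodyActorId` to `getAPId(bodyActor)` precisely because an ActivityPub actor reference may be an object carrying an `id` rather than a plain string; a self-Delete whose `object` is an embedded object would therefore fall through to the 403 instead of the 204 (unless `isActorDeleteActivityValid` already requires both fields to be strings, which this hunk does not show). `getAPId(activity.object) === getAPId(activity.actor)` would make the two checks consistent. The 204 branch also deserves a comment, since the activity is acknowledged but never handed to `next()`: `// Actor deleting itself and signature could not be verified: acknowledge with 204 but do not process the activity`. checkSignature's body starts in the previous hunk, and checkHttpSignature continues past the end of this one.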
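Review bot: The two new warn calls log attacker-controlled request data on rejection paths: `logger.warn('Signature from %s is invalid', actorUrl, { parsed })` in checkHttpSignature and, in the last hunk, `logger.warn('Signature not verified.', req.body)` in checkJsonLDSignature, which writes the entire unauthenticated POST body to the log at warn level. Any remote peer can trigger both paths with a bogus signature, so this yields unbounded, attacker-sized log output for requests that are being refused anyway. Identifiers are enough for triage: `logger.warn('Signature not verified.', { creator: signatureObject.creator, actor: getAPId(req.body.actor) })` and, in the HTTP-signature case, `{ keyId: parsed.keyId }` instead of the full `parsed` object. Both enclosing functions begin in earlier hunks.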