X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Factivitypub.ts;h=bea213d270af840ba0edfd1beddfb4ea5ac75905;hb=00aab0666c6f772548c160fdfa871a8843b88f37;hp=061b2dddc432d4ec156f47b04be688832e29a3a8;hpb=0f91ae62df8a37194fea84ce1efa9e733d9c1fd8;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index 061b2dddc..bea213d27 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts @@ -1,59 +1,113 @@ -import { eachSeries } from 'async' -import { NextFunction, Request, RequestHandler, Response } from 'express' +import { NextFunction, Request, Response } from 'express' import { ActivityPubSignature } from '../../shared' -import { isSignatureVerified, logger } from '../helpers' -import { database as db } from '../initializers' -import { ACTIVITY_PUB } from '../initializers/constants' -import { fetchRemoteAccount, saveAccountAndServerIfNotExist } from '../lib/activitypub/account' +import { logger } from '../helpers/logger' +import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' +import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' +import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' +import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' async function checkSignature (req: Request, res: Response, next: NextFunction) { - const signatureObject: ActivityPubSignature = req.body.signature - - logger.debug('Checking signature of account %s...', signatureObject.creator) - - let account = await db.Account.loadByUrl(signatureObject.creator) + try { + const httpSignatureChecked = await checkHttpSignature(req, res) + if (httpSignatureChecked !== true) return - // We don't have this account in our database, fetch it on remote - if (!account) { - account = await fetchRemoteAccount(signatureObject.creator) + const actor = res.locals.signature.actor - if (!account) { - return res.sendStatus(403) + // Forwarded activity + const bodyActor = req.body.actor + const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor + if (bodyActorId && bodyActorId !== actor.url) { + const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) + if (jsonLDSignatureChecked !== true) return } - // Save our new account and its server in database - await saveAccountAndServerIfNotExist(account) + return next() + } catch (err) { + logger.error('Error in ActivityPub signature checker.', err) + return res.sendStatus(403) } +} - const verified = await isSignatureVerified(account, req.body) - if (verified === false) return res.sendStatus(403) - - res.locals.signature = { - account +function executeIfActivityPub (req: Request, res: Response, next: NextFunction) { + const accepted = req.accepts(ACCEPT_HEADERS) + if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) { + // Bypass this route + return next('route') } + logger.debug('ActivityPub request for %s.', req.url) + return next() } -function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) { - return (req: Request, res: Response, next: NextFunction) => { - if (req.header('Accept') !== ACTIVITY_PUB.ACCEPT_HEADER) { - return next() - } +// --------------------------------------------------------------------------- - if (Array.isArray(fun) === true) { - return eachSeries(fun as RequestHandler[], (f, cb) => { - f(req, res, cb) - }, next) - } +export { + checkSignature, + executeIfActivityPub, + checkHttpSignature +} + +// --------------------------------------------------------------------------- + +async function checkHttpSignature (req: Request, res: Response) { + // FIXME: mastodon does not include the Signature scheme + const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string + if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig + + const parsed = parseHTTPSignature(req) + + const keyId = parsed.keyId + if (!keyId) { + res.sendStatus(403) + return false + } + + logger.debug('Checking HTTP signature of actor %s...', keyId) - return (fun as RequestHandler)(req, res, next) + let [ actorUrl ] = keyId.split('#') + if (actorUrl.startsWith('acct:')) { + actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) } + + const actor = await getOrCreateActorAndServerAndModel(actorUrl) + + const verified = isHTTPSignatureVerified(parsed, actor) + if (verified !== true) { + logger.warn('Signature from %s is invalid', actorUrl, { parsed }) + + res.sendStatus(403) + return false + } + + res.locals.signature = { actor } + + return true } -// --------------------------------------------------------------------------- +async function checkJsonLDSignature (req: Request, res: Response) { + const signatureObject: ActivityPubSignature = req.body.signature -export { - checkSignature, - executeIfActivityPub + if (!signatureObject || !signatureObject.creator) { + res.sendStatus(403) + return false + } + + const [ creator ] = signatureObject.creator.split('#') + + logger.debug('Checking JsonLD signature of actor %s...', creator) + + const actor = await getOrCreateActorAndServerAndModel(creator) + const verified = await isJsonLDSignatureVerified(actor, req.body) + + if (verified !== true) { + logger.warn('Signature not verified.', req.body) + + res.sendStatus(403) + return false + } + + res.locals.signature = { actor } + + return true }