X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Factivitypub.ts;h=bea213d270af840ba0edfd1beddfb4ea5ac75905;hb=8d5e65349deebd499c0be10fe02d535a77d58ddb;hp=6cf8eea6f4297dd08f72bff6ef8340806d4b2d96;hpb=e4f97babf701481b55cc10fb3448feab5f97c867;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index 6cf8eea6f..bea213d27 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts @@ -1,57 +1,113 @@ -import { Request, Response, NextFunction } from 'express' - -import { database as db } from '../initializers' -import { - logger, - getAccountFromWebfinger, - isSignatureVerified -} from '../helpers' +import { NextFunction, Request, Response } from 'express' import { ActivityPubSignature } from '../../shared' +import { logger } from '../helpers/logger' +import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' +import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' +import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' +import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' async function checkSignature (req: Request, res: Response, next: NextFunction) { - const signatureObject: ActivityPubSignature = req.body.signature - - logger.debug('Checking signature of account %s...', signatureObject.creator) - - let account = await db.Account.loadByUrl(signatureObject.creator) + try { + const httpSignatureChecked = await checkHttpSignature(req, res) + if (httpSignatureChecked !== true) return - // We don't have this account in our database, fetch it on remote - if (!account) { - account = await getAccountFromWebfinger(signatureObject.creator) + const actor = res.locals.signature.actor - if (!account) { - return res.sendStatus(403) + // Forwarded activity + const bodyActor = req.body.actor + const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor + if (bodyActorId && bodyActorId !== actor.url) { + const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) + if (jsonLDSignatureChecked !== true) return } - // Save our new account in database - await account.save() + return next() + } catch (err) { + logger.error('Error in ActivityPub signature checker.', err) + return res.sendStatus(403) } +} - const verified = await isSignatureVerified(account, req.body) - if (verified === false) return res.sendStatus(403) +function executeIfActivityPub (req: Request, res: Response, next: NextFunction) { + const accepted = req.accepts(ACCEPT_HEADERS) + if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) { + // Bypass this route + return next('route') + } - res.locals.signature.account = account + logger.debug('ActivityPub request for %s.', req.url) return next() } -function executeIfActivityPub (fun: any | any[]) { - return (req: Request, res: Response, next: NextFunction) => { - if (req.header('Accept') !== 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"') { - return next() - } +// --------------------------------------------------------------------------- - if (Array.isArray(fun) === true) { - fun[0](req, res, next) // FIXME: doesn't work - } +export { + checkSignature, + executeIfActivityPub, + checkHttpSignature +} + +// --------------------------------------------------------------------------- + +async function checkHttpSignature (req: Request, res: Response) { + // FIXME: mastodon does not include the Signature scheme + const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string + if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig + + const parsed = parseHTTPSignature(req) - return fun(req, res, next) + const keyId = parsed.keyId + if (!keyId) { + res.sendStatus(403) + return false } + + logger.debug('Checking HTTP signature of actor %s...', keyId) + + let [ actorUrl ] = keyId.split('#') + if (actorUrl.startsWith('acct:')) { + actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) + } + + const actor = await getOrCreateActorAndServerAndModel(actorUrl) + + const verified = isHTTPSignatureVerified(parsed, actor) + if (verified !== true) { + logger.warn('Signature from %s is invalid', actorUrl, { parsed }) + + res.sendStatus(403) + return false + } + + res.locals.signature = { actor } + + return true } -// --------------------------------------------------------------------------- +async function checkJsonLDSignature (req: Request, res: Response) { + const signatureObject: ActivityPubSignature = req.body.signature -export { - checkSignature, - executeIfActivityPub + if (!signatureObject || !signatureObject.creator) { + res.sendStatus(403) + return false + } + + const [ creator ] = signatureObject.creator.split('#') + + logger.debug('Checking JsonLD signature of actor %s...', creator) + + const actor = await getOrCreateActorAndServerAndModel(creator) + const verified = await isJsonLDSignatureVerified(actor, req.body) + + if (verified !== true) { + logger.warn('Signature not verified.', req.body) + + res.sendStatus(403) + return false + } + + res.locals.signature = { actor } + + return true }