X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Factivitypub.ts;h=d00594059a40748126616d1c7d9e7bd67fb5e3ef;hb=bd2e2f11d09aa015125e5b5b05ca57a44b6f2d32;hp=b1e5b52369c115dadc556264262c1db4260c2f47;hpb=c28bcdd10a5a0d661e51c96345bbd6c4dcc43bc9;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index b1e5b5236..d00594059 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts @@ -1,10 +1,12 @@ import { NextFunction, Request, Response } from 'express' -import { ActivityPubSignature } from '../../shared' +import { ActivityDelete, ActivityPubSignature } from '../../shared' import { logger } from '../helpers/logger' import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' -import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' +import { getOrCreateActorAndServerAndModel } from '../lib/activitypub/actor' import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' +import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor' +import { getAPId } from '@server/helpers/activitypub' async function checkSignature (req: Request, res: Response, next: NextFunction) { try { @@ -15,7 +17,7 @@ async function checkSignature (req: Request, res: Response, next: NextFunction) // Forwarded activity const bodyActor = req.body.actor - const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor + const bodyActorId = getAPId(bodyActor) if (bodyActorId && bodyActorId !== actor.url) { const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) if (jsonLDSignatureChecked !== true) return @@ -23,14 +25,20 @@ async function checkSignature (req: Request, res: Response, next: NextFunction) return next() } catch (err) { - logger.error('Error in ActivityPub signature checker.', err) + const activity: ActivityDelete = req.body + if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) { + logger.debug('Handling signature error on actor delete activity', { err }) + return res.sendStatus(204) + } + + logger.warn('Error in ActivityPub signature checker.', { err }) return res.sendStatus(403) } } function executeIfActivityPub (req: Request, res: Response, next: NextFunction) { const accepted = req.accepts(ACCEPT_HEADERS) - if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) { + if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) { // Bypass this route return next('route') } @@ -51,11 +59,20 @@ export { // --------------------------------------------------------------------------- async function checkHttpSignature (req: Request, res: Response) { - // FIXME: mastodon does not include the Signature scheme + // FIXME: compatibility with http-signature < v1.3 const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string - if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig + if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') + + let parsed: any - const parsed = parseHTTPSignature(req) + try { + parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) + } catch (err) { + logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err }) + + res.status(403).json({ error: err.message }) + return false + } const keyId = parsed.keyId if (!keyId) { @@ -101,6 +118,8 @@ async function checkJsonLDSignature (req: Request, res: Response) { const verified = await isJsonLDSignatureVerified(actor, req.body) if (verified !== true) { + logger.warn('Signature not verified.', req.body) + res.sendStatus(403) return false }