Server: do not forget to check the signature when another pod wants to

quit us

diff --git a/server/controllers/api/v1/pods.js b/server/controllers/api/v1/pods.js
index 2bdfe0c923b6c623cef73a8ae90facf4d9a8eab3..d509db9647fd23e201cfb249fc4a4e0596a8ac13 100644 (file)
--- a/server/controllers/api/v1/pods.js
+++ b/server/controllers/api/v1/pods.js
@@ -10,6 +10,7 @@ const friends = require('../../../lib/friends')
 const middlewares = require('../../../middlewares')
 const admin = middlewares.admin
 const oAuth = middlewares.oauth
+const checkSignature = middlewares.secure.checkSignature
 const validators = middlewares.validators.pods
 const signatureValidator = middlewares.validators.remote.signature
 
@@ -31,7 +32,11 @@ router.get('/quitfriends',
   quitFriends
 )
 // Post because this is a secured request
-router.post('/remove', signatureValidator, removePods)
+router.post('/remove',
+  signatureValidator,
+  checkSignature,
+  removePods
+)
 
 // ---------------------------------------------------------------------------
 

diff --git a/server/controllers/api/v1/remote.js b/server/controllers/api/v1/remote.js
index f452986b8e951aa0498fb5b35b7a4ffca0f6dde3..a22c5d1515b2255033330701a71ba1145a9965e4 100644 (file)
--- a/server/controllers/api/v1/remote.js
+++ b/server/controllers/api/v1/remote.js
@@ -16,6 +16,7 @@ const Video = mongoose.model('Video')
 router.post('/videos',
   validators.signature,
   validators.dataToDecrypt,
+  secureMiddleware.checkSignature,
   secureMiddleware.decryptBody,
   validators.remoteVideos,
   remoteVideos

diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js
index fa000c6f077b74b0dc418d5f5950ccee3160a300..33a52e8d9ba54121daa6961adcc1857ddfbbc669 100644 (file)
--- a/server/middlewares/secure.js
+++ b/server/middlewares/secure.js
@@ -7,10 +7,11 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
 const Pod = mongoose.model('Pod')
 
 const secureMiddleware = {
+  checkSignature: checkSignature,
   decryptBody: decryptBody
 }
 
-function decryptBody (req, res, next) {
+function checkSignature (req, res, next) {
   const url = req.body.signature.url
   Pod.loadByUrl(url, function (err, pod) {
     if (err) {
@@ -28,26 +29,30 @@ function decryptBody (req, res, next) {
     const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature)
 
     if (signatureOk === true) {
-      peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
-        if (err) {
-          logger.error('Cannot decrypt data.', { error: err })
-          return res.sendStatus(500)
-        }
-
-        try {
-          req.body.data = JSON.parse(decrypted)
-          delete req.body.key
-        } catch (err) {
-          logger.error('Error in JSON.parse', { error: err })
-          return res.sendStatus(500)
-        }
-
-        next()
-      })
-    } else {
-      logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
-      return res.sendStatus(403)
+      return next()
+    }
+
+    logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
+    return res.sendStatus(403)
+  })
+}
+
+function decryptBody (req, res, next) {
+  peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
+    if (err) {
+      logger.error('Cannot decrypt data.', { error: err })
+      return res.sendStatus(500)
     }
+
+    try {
+      req.body.data = JSON.parse(decrypted)
+      delete req.body.key
+    } catch (err) {
+      logger.error('Error in JSON.parse', { error: err })
+      return res.sendStatus(500)
+    }
+
+    next()
   })
 }