aboutsummaryrefslogblamecommitdiffhomepage
path: root/server/middlewares/activitypub.ts
blob: b1e5b52369c115dadc556264262c1db4260c2f47 (plain) (tree) 
e65c0c5b1

e4f97babf

da854ddd5

41f2ebae4

74dc3bca2

50d6de9c2

41f2ebae4

e4f97babf


41f2ebae4



e4f97babf

dae86118e

e12a00925

41f2ebae4







e4f97babf

41f2ebae4

50d6de9c2

41f2ebae4

50d6de9c2

e4f97babf

e4f97babf


e65c0c5b1






e4f97babf

e65c0c5b1

165cdc75b

e65c0c5b1

e4f97babf






df66d8158


e4f97babf

41f2ebae4



























c28bcdd10


41f2ebae4












df66d8158

41f2ebae4




















1

2

3

4

5

6

7

8
9

10
11
12

13

14

15

16
17
18
19
20
21
22

23

24

25

26

27

28

29
30

31
32
33
34
35
36

37

38

39

40

41
42
43
44
45
46

47
48

49

50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

77
78

79
80
81
82
83
84
85
86
87
88
89
90

91

92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

                                                         
                                                   
                                          
                                                                                                                   
                                                                                        
                                                                      
                                                                     

                                                                                 


                                                                   
 
                                            
 






                                                                            
 
                 
                 
                                                                
                              
   

 





                                                                                             
 
                                                      
 
               





                                                                              

                       
 


























                                                                                                                 

                                                                     











                                                                   
                                                     



















                                                                   
import { NextFunction, Request, Response } from 'express'
import { ActivityPubSignature } from '../../shared'
import { logger } from '../helpers/logger'
import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants'
import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'
import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger'

async function checkSignature (req: Request, res: Response, next: NextFunction) {
  try {
    const httpSignatureChecked = await checkHttpSignature(req, res)
    if (httpSignatureChecked !== true) return

    const actor = res.locals.signature.actor

    // Forwarded activity
    const bodyActor = req.body.actor
    const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor
    if (bodyActorId && bodyActorId !== actor.url) {
      const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
      if (jsonLDSignatureChecked !== true) return
    }

    return next()
  } catch (err) {
    logger.error('Error in ActivityPub signature checker.', err)
    return res.sendStatus(403)
  }
}

function executeIfActivityPub (req: Request, res: Response, next: NextFunction) {
  const accepted = req.accepts(ACCEPT_HEADERS)
  if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) {
    // Bypass this route
    return next('route')
  }

  logger.debug('ActivityPub request for %s.', req.url)

  return next()
}

// ---------------------------------------------------------------------------

export {
  checkSignature,
  executeIfActivityPub,
  checkHttpSignature
}

// ---------------------------------------------------------------------------

async function checkHttpSignature (req: Request, res: Response) {
  // FIXME: mastodon does not include the Signature scheme
  const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
  if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig

  const parsed = parseHTTPSignature(req)

  const keyId = parsed.keyId
  if (!keyId) {
    res.sendStatus(403)
    return false
  }

  logger.debug('Checking HTTP signature of actor %s...', keyId)

  let [ actorUrl ] = keyId.split('#')
  if (actorUrl.startsWith('acct:')) {
    actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
  }

  const actor = await getOrCreateActorAndServerAndModel(actorUrl)

  const verified = isHTTPSignatureVerified(parsed, actor)
  if (verified !== true) {
    logger.warn('Signature from %s is invalid', actorUrl, { parsed })

    res.sendStatus(403)
    return false
  }

  res.locals.signature = { actor }

  return true
}

async function checkJsonLDSignature (req: Request, res: Response) {
  const signatureObject: ActivityPubSignature = req.body.signature

  if (!signatureObject || !signatureObject.creator) {
    res.sendStatus(403)
    return false
  }

  const [ creator ] = signatureObject.creator.split('#')

  logger.debug('Checking JsonLD signature of actor %s...', creator)

  const actor = await getOrCreateActorAndServerAndModel(creator)
  const verified = await isJsonLDSignatureVerified(actor, req.body)

  if (verified !== true) {
    res.sendStatus(403)
    return false
  }

  res.locals.signature = { actor }

  return true
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-18 08:19:12 +0000