Migrate server to ESM

Sorry for the very big commit that may lead to git log issues and merge conflicts, but it's a major step forward: * Server can be faster at startup because imports() are async and we can easily lazy import big modules * Angular doesn't seem to support ES import (with .js extension), so we had to correctly organize peertube into a monorepo: * Use yarn workspace feature * Use typescript reference projects for dependencies * Shared projects have been moved into "packages", each one is now a node module (with a dedicated package.json/tsconfig.json) * server/tools have been moved into apps/ and is now a dedicated app bundled and published on NPM so users don't have to build peertube cli tools manually * server/tests have been moved into packages/ so we don't compile them every time we want to run the server * Use isolatedModule option: * Had to move from const enum to const (https://www.typescriptlang.org/docs/handbook/enums.html#objects-vs-enums) * Had to explictely specify "type" imports when used in decorators * Prefer tsx (that uses esbuild under the hood) instead of ts-node to load typescript files (tests with mocha or scripts): * To reduce test complexity as esbuild doesn't support decorator metadata, we only test server files that do not import server models * We still build tests files into js files for a faster CI * Remove unmaintained peertube CLI import script * Removed some barrels to speed up execution (less imports)
author: Chocobozzz <me@florianbigard.com> 2023-07-31 14:34:36 +0200
committer: Chocobozzz <me@florianbigard.com> 2023-08-11 15:02:33 +0200
commit: 3a4992633ee62d5edfbb484d9c6bcb3cf158489d (patch)
tree: e4510b39bdac9c318fdb4b47018d08f15368b8f0 /server/middlewares/activitypub.ts
parent: 04d1da5621d25d59bd5fa1543b725c497bf5d9a8 (diff)
download: PeerTube-3a4992633ee62d5edfbb484d9c6bcb3cf158489d.tar.gz
PeerTube-3a4992633ee62d5edfbb484d9c6bcb3cf158489d.tar.zst
PeerTube-3a4992633ee62d5edfbb484d9c6bcb3cf158489d.zip
1 files changed, 0 insertions, 156 deletions
diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts
deleted file mode 100644
index 261b9f690..000000000
--- a/server/middlewares/activitypub.ts
+++ /dev/null
@@ -1,156 +0,0 @@
-import { NextFunction, Request, Response } from 'express'
-import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor'
-import { getAPId } from '@server/lib/activitypub/activity'
-import { wrapWithSpanAndContext } from '@server/lib/opentelemetry/tracing'
-import { ActivityDelete, ActivityPubSignature, HttpStatusCode } from '@shared/models'
-import { logger } from '../helpers/logger'
-import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
-import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants'
-import { getOrCreateAPActor, loadActorUrlOrGetFromWebfinger } from '../lib/activitypub/actors'
-async function checkSignature (req: Request, res: Response, next: NextFunction) {
-  try {
-    const httpSignatureChecked = await checkHttpSignature(req, res)
-    if (httpSignatureChecked !== true) return
-    const actor = res.locals.signature.actor
-    // Forwarded activity
-    const bodyActor = req.body.actor
-    const bodyActorId = getAPId(bodyActor)
-    if (bodyActorId && bodyActorId !== actor.url) {
-      const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
-      if (jsonLDSignatureChecked !== true) return
-    }
-    return next()
-  } catch (err) {
-    const activity: ActivityDelete = req.body
-    if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) {
-      logger.debug('Handling signature error on actor delete activity', { err })
-      return res.status(HttpStatusCode.NO_CONTENT_204).end()
-    }
-    logger.warn('Error in ActivityPub signature checker.', { err })
-    return res.fail({
-      status: HttpStatusCode.FORBIDDEN_403,
-      message: 'ActivityPub signature could not be checked'
-    })
-  }
-}
-function executeIfActivityPub (req: Request, res: Response, next: NextFunction) {
-  const accepted = req.accepts(ACCEPT_HEADERS)
-  if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) {
-    // Bypass this route
-    return next('route')
-  }
-  logger.debug('ActivityPub request for %s.', req.url)
-  return next()
-}
-// ---------------------------------------------------------------------------
-export {
-  checkSignature,
-  executeIfActivityPub,
-  checkHttpSignature
-}
-// ---------------------------------------------------------------------------
-async function checkHttpSignature (req: Request, res: Response) {
-  return wrapWithSpanAndContext('peertube.activitypub.checkHTTPSignature', async () => {
-    // FIXME: compatibility with http-signature < v1.3
-    const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
-    if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '')
-    let parsed: any
-    try {
-      parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
-    } catch (err) {
-      logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err })
-      res.fail({
-        status: HttpStatusCode.FORBIDDEN_403,
-        message: err.message
-      })
-      return false
-    }
-    const keyId = parsed.keyId
-    if (!keyId) {
-      res.fail({
-        status: HttpStatusCode.FORBIDDEN_403,
-        message: 'Invalid key ID',
-        data: {
-          keyId
-        }
-      })
-      return false
-    }
-    logger.debug('Checking HTTP signature of actor %s...', keyId)
-    let [ actorUrl ] = keyId.split('#')
-    if (actorUrl.startsWith('acct:')) {
-      actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
-    }
-    const actor = await getOrCreateAPActor(actorUrl)
-    const verified = isHTTPSignatureVerified(parsed, actor)
-    if (verified !== true) {
-      logger.warn('Signature from %s is invalid', actorUrl, { parsed })
-      res.fail({
-        status: HttpStatusCode.FORBIDDEN_403,
-        message: 'Invalid signature',
-        data: {
-          actorUrl
-        }
-      })
-      return false
-    }
-    res.locals.signature = { actor }
-    return true
-  })
-}
-async function checkJsonLDSignature (req: Request, res: Response) {
-  return wrapWithSpanAndContext('peertube.activitypub.JSONLDSignature', async () => {
-    const signatureObject: ActivityPubSignature = req.body.signature
-    if (!signatureObject?.creator) {
-      res.fail({
-        status: HttpStatusCode.FORBIDDEN_403,
-        message: 'Object and creator signature do not match'
-      })
-      return false
-    }
-    const [ creator ] = signatureObject.creator.split('#')
-    logger.debug('Checking JsonLD signature of actor %s...', creator)
-    const actor = await getOrCreateAPActor(creator)
-    const verified = await isJsonLDSignatureVerified(actor, req.body)
-    if (verified !== true) {
-      logger.warn('Signature not verified.', req.body)
-      res.fail({
-        status: HttpStatusCode.FORBIDDEN_403,
-        message: 'Signature could not be verified'
-      })
-      return false
-    }
-    res.locals.signature = { actor }
-    return true
-  })
-}
author	Chocobozzz <me@florianbigard.com>	2023-07-31 14:34:36 +0200
committer	Chocobozzz <me@florianbigard.com>	2023-08-11 15:02:33 +0200
commit	3a4992633ee62d5edfbb484d9c6bcb3cf158489d (patch)
tree	e4510b39bdac9c318fdb4b47018d08f15368b8f0 /server/middlewares/activitypub.ts
parent	04d1da5621d25d59bd5fa1543b725c497bf5d9a8 (diff)
download	PeerTube-3a4992633ee62d5edfbb484d9c6bcb3cf158489d.tar.gz PeerTube-3a4992633ee62d5edfbb484d9c6bcb3cf158489d.tar.zst PeerTube-3a4992633ee62d5edfbb484d9c6bcb3cf158489d.zip

diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts deleted file mode 100644 index 261b9f690..000000000 --- a/server/middlewares/activitypub.ts +++ /dev/null
@@ -1,156 +0,0 @@
1	import { NextFunction, Request, Response } from 'express'
2	import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor'
3	import { getAPId } from '@server/lib/activitypub/activity'
4	import { wrapWithSpanAndContext } from '@server/lib/opentelemetry/tracing'
5	import { ActivityDelete, ActivityPubSignature, HttpStatusCode } from '@shared/models'
6	import { logger } from '../helpers/logger'
7	import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
8	import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants'
9	import { getOrCreateAPActor, loadActorUrlOrGetFromWebfinger } from '../lib/activitypub/actors'
10
11	async function checkSignature (req: Request, res: Response, next: NextFunction) {
12	try {
13	const httpSignatureChecked = await checkHttpSignature(req, res)
14	if (httpSignatureChecked !== true) return
15
16	const actor = res.locals.signature.actor
17
18	// Forwarded activity
19	const bodyActor = req.body.actor
20	const bodyActorId = getAPId(bodyActor)
21	if (bodyActorId && bodyActorId !== actor.url) {
22	const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
23	if (jsonLDSignatureChecked !== true) return
24	}
25
26	return next()
27	} catch (err) {
28	const activity: ActivityDelete = req.body
29	if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) {
30	logger.debug('Handling signature error on actor delete activity', { err })
31	return res.status(HttpStatusCode.NO_CONTENT_204).end()
32	}
33
34	logger.warn('Error in ActivityPub signature checker.', { err })
35	return res.fail({
36	status: HttpStatusCode.FORBIDDEN_403,
37	message: 'ActivityPub signature could not be checked'
38	})
39	}
40	}
41
42	function executeIfActivityPub (req: Request, res: Response, next: NextFunction) {
43	const accepted = req.accepts(ACCEPT_HEADERS)
44	if (accepted === false \|\| ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.includes(accepted) === false) {
45	// Bypass this route
46	return next('route')
47	}
48
49	logger.debug('ActivityPub request for %s.', req.url)
50
51	return next()
52	}
53
54	// ---------------------------------------------------------------------------
55
56	export {
57	checkSignature,
58	executeIfActivityPub,
59	checkHttpSignature
60	}
61
62	// ---------------------------------------------------------------------------
63
64	async function checkHttpSignature (req: Request, res: Response) {
65	return wrapWithSpanAndContext('peertube.activitypub.checkHTTPSignature', async () => {
66	// FIXME: compatibility with http-signature < v1.3
67	const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
68	if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '')
69
70	let parsed: any
71
72	try {
73	parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
74	} catch (err) {
75	logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err })
76
77	res.fail({
78	status: HttpStatusCode.FORBIDDEN_403,
79	message: err.message
80	})
81	return false
82	}
83
84	const keyId = parsed.keyId
85	if (!keyId) {
86	res.fail({
87	status: HttpStatusCode.FORBIDDEN_403,
88	message: 'Invalid key ID',
89	data: {
90	keyId
91	}
92	})
93	return false
94	}
95
96	logger.debug('Checking HTTP signature of actor %s...', keyId)
97
98	let [ actorUrl ] = keyId.split('#')
99	if (actorUrl.startsWith('acct:')) {
100	actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
101	}
102
103	const actor = await getOrCreateAPActor(actorUrl)
104
105	const verified = isHTTPSignatureVerified(parsed, actor)
106	if (verified !== true) {
107	logger.warn('Signature from %s is invalid', actorUrl, { parsed })
108
109	res.fail({
110	status: HttpStatusCode.FORBIDDEN_403,
111	message: 'Invalid signature',
112	data: {
113	actorUrl
114	}
115	})
116	return false
117	}
118
119	res.locals.signature = { actor }
120	return true
121	})
122	}
123
124	async function checkJsonLDSignature (req: Request, res: Response) {
125	return wrapWithSpanAndContext('peertube.activitypub.JSONLDSignature', async () => {
126	const signatureObject: ActivityPubSignature = req.body.signature
127
128	if (!signatureObject?.creator) {
129	res.fail({
130	status: HttpStatusCode.FORBIDDEN_403,
131	message: 'Object and creator signature do not match'
132	})
133	return false
134	}
135
136	const [ creator ] = signatureObject.creator.split('#')
137
138	logger.debug('Checking JsonLD signature of actor %s...', creator)
139
140	const actor = await getOrCreateAPActor(creator)
141	const verified = await isJsonLDSignatureVerified(actor, req.body)
142
143	if (verified !== true) {
144	logger.warn('Signature not verified.', req.body)
145
146	res.fail({
147	status: HttpStatusCode.FORBIDDEN_403,
148	message: 'Signature could not be verified'
149	})
150	return false
151	}
152
153	res.locals.signature = { actor }
154	return true
155	})
156	}