Merge branch 'develop' into pr/1217

16 files changed, 1091 insertions, 0 deletions

diff --git a/server/tests/api/activitypub/client.ts b/server/tests/api/activitypub/client.ts
new file mode 100644
index 000000000..6d90d8643
--- /dev/null
+++ b/server/tests/api/activitypub/client.ts
@@ -0,0 +1,67 @@
+/* tslint:disable:no-unused-expression */
+
+import * as chai from 'chai'
+import 'mocha'
+import {
+  doubleFollow,
+  flushAndRunMultipleServers,
+  flushTests,
+  killallServers,
+  makeActivityPubGetRequest,
+  ServerInfo,
+  setAccessTokensToServers,
+  uploadVideo
+} from '../../../../shared/utils'
+
+const expect = chai.expect
+
+describe('Test activitypub', function () {
+  let servers: ServerInfo[] = []
+  let videoUUID: string
+
+  before(async function () {
+    this.timeout(30000)
+
+    await flushTests()
+
+    servers = await flushAndRunMultipleServers(2)
+
+    await setAccessTokensToServers(servers)
+
+    {
+      const res = await uploadVideo(servers[0].url, servers[0].accessToken, { name: 'video' })
+      videoUUID = res.body.video.uuid
+    }
+
+    await doubleFollow(servers[0], servers[1])
+  })
+
+  it('Should return the account object', async function () {
+    const res = await makeActivityPubGetRequest(servers[0].url, '/accounts/root')
+    const object = res.body
+
+    expect(object.type).to.equal('Person')
+    expect(object.id).to.equal('http://localhost:9001/accounts/root')
+    expect(object.name).to.equal('root')
+    expect(object.preferredUsername).to.equal('root')
+  })
+
+  it('Should return the video object', async function () {
+    const res = await makeActivityPubGetRequest(servers[0].url, '/videos/watch/' + videoUUID)
+    const object = res.body
+
+    expect(object.type).to.equal('Video')
+    expect(object.id).to.equal('http://localhost:9001/videos/watch/' + videoUUID)
+    expect(object.name).to.equal('video')
+  })
+
+  it('Should redirect to the origin video object', async function () {
+    const res = await makeActivityPubGetRequest(servers[1].url, '/videos/watch/' + videoUUID, 302)
+
+    expect(res.header.location).to.equal('http://localhost:9001/videos/watch/' + videoUUID)
+  })
+
+  after(async function () {
+    killallServers(servers)
+  })
+})
diff --git a/server/tests/api/activitypub/fetch.ts b/server/tests/api/activitypub/fetch.ts
new file mode 100644
index 000000000..03609c1a9
--- /dev/null
+++ b/server/tests/api/activitypub/fetch.ts
@@ -0,0 +1,87 @@
+/* tslint:disable:no-unused-expression */
+
+import 'mocha'
+
+import {
+  createUser,
+  doubleFollow,
+  flushAndRunMultipleServers,
+  flushTests,
+  getVideosListSort,
+  killallServers,
+  ServerInfo,
+  setAccessTokensToServers,
+  setActorField,
+  setVideoField,
+  uploadVideo,
+  userLogin,
+  waitJobs
+} from '../../../../shared/utils'
+import * as chai from 'chai'
+import { Video } from '../../../../shared/models/videos'
+
+const expect = chai.expect
+
+describe('Test ActivityPub fetcher', function () {
+  let servers: ServerInfo[]
+
+  // ---------------------------------------------------------------
+
+  before(async function () {
+    this.timeout(60000)
+
+    servers = await flushAndRunMultipleServers(3)
+
+    // Get the access tokens
+    await setAccessTokensToServers(servers)
+
+    const user = { username: 'user1', password: 'password' }
+    for (const server of servers) {
+      await createUser(server.url, server.accessToken, user.username, user.password)
+    }
+
+    const userAccessToken = await userLogin(servers[0], user)
+
+    await uploadVideo(servers[0].url, servers[0].accessToken, { name: 'video root' })
+    const res = await uploadVideo(servers[0].url, servers[0].accessToken, { name: 'bad video root' })
+    const badVideoUUID = res.body.video.uuid
+    await uploadVideo(servers[0].url, userAccessToken, { name: 'video user' })
+
+    await setActorField(1, 'http://localhost:9001/accounts/user1', 'url', 'http://localhost:9002/accounts/user1')
+    await setVideoField(1, badVideoUUID, 'url', 'http://localhost:9003/videos/watch/' + badVideoUUID)
+  })
+
+  it('Should add only the video with a valid actor URL', async function () {
+    this.timeout(60000)
+
+    await doubleFollow(servers[0], servers[1])
+    await waitJobs(servers)
+
+    {
+      const res = await getVideosListSort(servers[0].url, 'createdAt')
+      expect(res.body.total).to.equal(3)
+
+      const data: Video[] = res.body.data
+      expect(data[0].name).to.equal('video root')
+      expect(data[1].name).to.equal('bad video root')
+      expect(data[2].name).to.equal('video user')
+    }
+
+    {
+      const res = await getVideosListSort(servers[1].url, 'createdAt')
+      expect(res.body.total).to.equal(1)
+
+      const data: Video[] = res.body.data
+      expect(data[0].name).to.equal('video root')
+    }
+  })
+
+  after(async function () {
+    killallServers(servers)
+
+    // Keep the logs if the test failed
+    if (this['ok']) {
+      await flushTests()
+    }
+  })
+})
diff --git a/server/tests/api/activitypub/helpers.ts b/server/tests/api/activitypub/helpers.ts
new file mode 100644
index 000000000..ac6e755c3
--- /dev/null
+++ b/server/tests/api/activitypub/helpers.ts
@@ -0,0 +1,182 @@
+/* tslint:disable:no-unused-expression */
+
+import 'mocha'
+import { expect } from 'chai'
+import { buildRequestStub } from '../../../../shared/utils/miscs/stubs'
+import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../../../helpers/peertube-crypto'
+import { cloneDeep } from 'lodash'
+import { buildSignedActivity } from '../../../helpers/activitypub'
+
+describe('Test activity pub helpers', function () {
+  describe('When checking the Linked Signature', function () {
+
+    it('Should fail with an invalid Mastodon signature', async function () {
+      const body = require('./json/mastodon/create-bad-signature.json')
+      const publicKey = require('./json/mastodon/public-key.json').publicKey
+      const fromActor = { publicKey, url: 'http://localhost:9002/accounts/peertube' }
+
+      const result = await isJsonLDSignatureVerified(fromActor as any, body)
+
+      expect(result).to.be.false
+    })
+
+    it('Should fail with an invalid public key', async function () {
+      const body = require('./json/mastodon/create.json')
+      const publicKey = require('./json/mastodon/bad-public-key.json').publicKey
+      const fromActor = { publicKey, url: 'http://localhost:9002/accounts/peertube' }
+
+      const result = await isJsonLDSignatureVerified(fromActor as any, body)
+
+      expect(result).to.be.false
+    })
+
+    it('Should succeed with a valid Mastodon signature', async function () {
+      const body = require('./json/mastodon/create.json')
+      const publicKey = require('./json/mastodon/public-key.json').publicKey
+      const fromActor = { publicKey, url: 'http://localhost:9002/accounts/peertube' }
+
+      const result = await isJsonLDSignatureVerified(fromActor as any, body)
+
+      expect(result).to.be.true
+    })
+
+    it('Should fail with an invalid PeerTube signature', async function () {
+      const keys = require('./json/peertube/invalid-keys.json')
+      const body = require('./json/peertube/announce-without-context.json')
+
+      const actorSignature = { url: 'http://localhost:9002/accounts/peertube', privateKey: keys.privateKey }
+      const signedBody = await buildSignedActivity(actorSignature as any, body)
+
+      const fromActor = { publicKey: keys.publicKey, url: 'http://localhost:9002/accounts/peertube' }
+      const result = await isJsonLDSignatureVerified(fromActor as any, signedBody)
+
+      expect(result).to.be.false
+    })
+
+    it('Should fail with an invalid PeerTube URL', async function () {
+      const keys = require('./json/peertube/keys.json')
+      const body = require('./json/peertube/announce-without-context.json')
+
+      const actorSignature = { url: 'http://localhost:9002/accounts/peertube', privateKey: keys.privateKey }
+      const signedBody = await buildSignedActivity(actorSignature as any, body)
+
+      const fromActor = { publicKey: keys.publicKey, url: 'http://localhost:9003/accounts/peertube' }
+      const result = await isJsonLDSignatureVerified(fromActor as any, signedBody)
+
+      expect(result).to.be.false
+    })
+
+    it('Should succeed with a valid PeerTube signature', async function () {
+      const keys = require('./json/peertube/keys.json')
+      const body = require('./json/peertube/announce-without-context.json')
+
+      const actorSignature = { url: 'http://localhost:9002/accounts/peertube', privateKey: keys.privateKey }
+      const signedBody = await buildSignedActivity(actorSignature as any, body)
+
+      const fromActor = { publicKey: keys.publicKey, url: 'http://localhost:9002/accounts/peertube' }
+      const result = await isJsonLDSignatureVerified(fromActor as any, signedBody)
+
+      expect(result).to.be.true
+    })
+  })
+
+  describe('When checking HTTP signature', function () {
+    it('Should fail with an invalid http signature', async function () {
+      const req = buildRequestStub()
+      req.method = 'POST'
+      req.url = '/accounts/ronan/inbox'
+
+      const mastodonObject = cloneDeep(require('./json/mastodon/bad-http-signature.json'))
+      req.body = mastodonObject.body
+      req.headers = mastodonObject.headers
+      req.headers.signature = 'Signature ' + req.headers.signature
+
+      const parsed = parseHTTPSignature(req, 3600 * 1000 * 365 * 10)
+      const publicKey = require('./json/mastodon/public-key.json').publicKey
+
+      const actor = { publicKey }
+      const verified = isHTTPSignatureVerified(parsed, actor as any)
+
+      expect(verified).to.be.false
+    })
+
+    it('Should fail with an invalid public key', async function () {
+      const req = buildRequestStub()
+      req.method = 'POST'
+      req.url = '/accounts/ronan/inbox'
+
+      const mastodonObject = cloneDeep(require('./json/mastodon/http-signature.json'))
+      req.body = mastodonObject.body
+      req.headers = mastodonObject.headers
+      req.headers.signature = 'Signature ' + req.headers.signature
+
+      const parsed = parseHTTPSignature(req, 3600 * 1000 * 365 * 10)
+      const publicKey = require('./json/mastodon/bad-public-key.json').publicKey
+
+      const actor = { publicKey }
+      const verified = isHTTPSignatureVerified(parsed, actor as any)
+
+      expect(verified).to.be.false
+    })
+
+    it('Should fail because of clock skew', async function () {
+      const req = buildRequestStub()
+      req.method = 'POST'
+      req.url = '/accounts/ronan/inbox'
+
+      const mastodonObject = cloneDeep(require('./json/mastodon/http-signature.json'))
+      req.body = mastodonObject.body
+      req.headers = mastodonObject.headers
+      req.headers.signature = 'Signature ' + req.headers.signature
+
+      let errored = false
+      try {
+        parseHTTPSignature(req)
+      } catch {
+        errored = true
+      }
+
+      expect(errored).to.be.true
+    })
+
+    it('Should fail without scheme', async function () {
+      const req = buildRequestStub()
+      req.method = 'POST'
+      req.url = '/accounts/ronan/inbox'
+
+      const mastodonObject = cloneDeep(require('./json/mastodon/http-signature.json'))
+      req.body = mastodonObject.body
+      req.headers = mastodonObject.headers
+
+      let errored = false
+      try {
+        parseHTTPSignature(req, 3600 * 1000 * 365 * 10)
+      } catch {
+        errored = true
+      }
+
+      expect(errored).to.be.true
+    })
+
+    it('Should succeed with a valid signature', async function () {
+      const req = buildRequestStub()
+      req.method = 'POST'
+      req.url = '/accounts/ronan/inbox'
+
+      const mastodonObject = cloneDeep(require('./json/mastodon/http-signature.json'))
+      req.body = mastodonObject.body
+      req.headers = mastodonObject.headers
+      req.headers.signature = 'Signature ' + req.headers.signature
+
+      const parsed = parseHTTPSignature(req, 3600 * 1000 * 365 * 10)
+      const publicKey = require('./json/mastodon/public-key.json').publicKey
+
+      const actor = { publicKey }
+      const verified = isHTTPSignatureVerified(parsed, actor as any)
+
+      expect(verified).to.be.true
+    })
+
+  })
+
+})
diff --git a/server/tests/api/activitypub/index.ts b/server/tests/api/activitypub/index.ts
new file mode 100644
index 000000000..450053309
--- /dev/null
+++ b/server/tests/api/activitypub/index.ts
@@ -0,0 +1,5 @@
+import './client'
+import './fetch'
+import './helpers'
+import './refresher'
+import './security'
diff --git a/server/tests/api/activitypub/json/mastodon/bad-body-http-signature.json b/server/tests/api/activitypub/json/mastodon/bad-body-http-signature.json
new file mode 100644
index 000000000..4e7bc3af5
--- /dev/null
+++ b/server/tests/api/activitypub/json/mastodon/bad-body-http-signature.json
@@ -0,0 +1,93 @@
+{
+  "headers": {
+    "user-agent": "http.rb/3.3.0 (Mastodon/2.5.0; +http://localhost:3000/)",
+    "host": "localhost",
+    "date": "Mon, 22 Oct 2018 13:34:22 GMT",
+    "accept-encoding": "gzip",
+    "digest": "SHA-256=FEr5j2WSSfdEMcG3NTOXuGU0lUchfTJx4+BtUlWOwDk=",
+    "content-type": "application/activity+json",
+    "signature": "keyId=\"http://localhost:3000/users/ronan2#main-key\",algorithm=\"rsa-sha256\",headers=\"(request-target) host date digest content-type\",signature=\"oLKbgxdFXdXsHJ3x/UsG9Svu7oa8Dyqiy6Jif4wqNuhAqRVMRaG18f+dd2OcfFX3XRGF8p8flZkU6vvoEQBauTwGRGcgXAJuKC1zYIWGk+PeiW8lNUnE4qGapWcTiFnIo7FKauNdsgqg/tvgs1pQIdHkDDjZMI64twP7sTN/4vG1PCq+kyqi/DM+ORLi/W7vFuLVHt2Iz7ikfw/R3/mMtS4FwLops+tVYBQ2iQ9DVRhTwLKVbeL/LLVB/tdGzNZ4F4nImBAQQ9I7WpPM6J/k+cBmoEbrUKs8ptx9gbX3OSsl5wlvPVMNzU9F9yb2MrB/Y/J4qssKz+LbiaktKGj7OQ==\"",
+    "content-length": "2815"
+  },
+  "body": {
+    "@context": [
+      "https://www.w3.org/ns/activitystreams",
+      "https://w3id.org/security/v1",
+      {
+        "manuallyApprovesFollowers": "as:manuallyApprovesFollowers",
+        "sensitive": "as:sensitive",
+        "movedTo": {
+          "@id": "as:movedTo",
+          "@type": "@id"
+        },
+        "Hashtag": "as:Hashtag",
+        "ostatus": "http://ostatus.org#",
+        "atomUri": "ostatus:atomUri",
+        "inReplyToAtomUri": "ostatus:inReplyToAtomUri",
+        "conversation": "ostatus:conversation",
+        "toot": "http://joinmastodon.org/ns#",
+        "Emoji": "toot:Emoji",
+        "focalPoint": {
+          "@container": "@list",
+          "@id": "toot:focalPoint"
+        },
+        "featured": {
+          "@id": "toot:featured",
+          "@type": "@id"
+        },
+        "schema": "http://schema.org#",
+        "PropertyValue": "schema:PropertyValue",
+        "value": "schema:value"
+      }
+    ],
+    "id": "http://localhost:3000/users/ronan2/statuses/100939547203370948/activity",
+    "type": "Create",
+    "actor": "http://localhost:3000/users/ronan2",
+    "published": "2018-10-22T13:34:18Z",
+    "to": [
+      "https://www.w3.org/ns/activitystreams#Public"
+    ],
+    "cc": [
+      "http://localhost:3000/users/ronan2/followers",
+      "http://localhost:9000/accounts/ronan"
+    ],
+    "object": {
+      "id": "http://localhost:3000/users/ronan2/statuses/100939547203370948",
+      "type": "Note",
+      "summary": null,
+      "inReplyTo": "http://localhost:9000/videos/watch/90e6f8ed-b369-423c-b0c8-f44e5350c752",
+      "published": "2018-10-22T13:34:18Z",
+      "url": "http://localhost:3000/@ronan2/100939547203370948",
+      "attributedTo": "http://localhost:3000/users/ronan2",
+      "to": [
+        "https://www.w3.org/ns/activitystreams#Public"
+      ],
+      "cc": [
+        "http://localhost:3000/users/ronan2/followers",
+        "http://localhost:9000/accounts/ronan"
+      ],
+      "sensitive": false,
+      "atomUri": "http://localhost:3000/users/ronan2/statuses/100939547203370948",
+      "inReplyToAtomUri": "http://localhost:9000/videos/watch/90e6f8ed-b369-423c-b0c8-f44e5350c752",
+      "conversation": "tag:localhost:3000,2018-10-19:objectId=72:objectType=Conversation",
+      "content": "<p><span class=\"h-card\"><a href=\"http://localhost:9000/accounts/ronan\" class=\"u-url mention\">@<span>ronan</span></a></span> zergzerg</p>",
+      "contentMap": {
+        "en": "<p><span class=\"h-card\"><a href=\"http://localhost:9000/accounts/ronan\" class=\"u-url mention\">@<span>ronan</span></a></span> zergzerg</p>"
+      },
+      "attachment": [],
+      "tag": [
+        {
+          "type": "Mention",
+          "href": "http://localhost:9000/accounts/ronan",
+          "name": "@ronan@localhost:9000"
+        }
+      ]
+    },
+    "signature": {
+      "type": "RsaSignature2017",
+      "creator": "http://localhost:3000/users/ronan2#main-key",
+      "created": "2018-10-22T13:34:19Z",
+      "signatureValue": "x+xL4l8ERziYVhwEafHJyBQOInvNZ0gV4ccYd9AtFYeGJagc8fY6jjjhbDRCD7yMhgTjBX69z20MXnDuwpmM6wej3dt1wLKdIyXVViO84nAlqFz7KmNxtk5lDnAVX/vttscT5YUFvw4dbPT2mQiEd1lKbaLftRiIPEomZpQ37+fUkQdcPrnhruPAISO/Sof1n1LFW4mYIffozteQSZBH6HaCVp+MRMIhdMi5e8w7PD48/cZz8D/EU8Vqi91FM76/3tMqg6nLqQ+8bq74Jvt2kzwZlIufe+I55QMpZOmF6hGIJEt+R0JXdjQbtgcELONmNj2dr8sAlzu7zKlAGuJ24Q=="
+    }
+  }
+}
diff --git a/server/tests/api/activitypub/json/mastodon/bad-http-signature.json b/server/tests/api/activitypub/json/mastodon/bad-http-signature.json
new file mode 100644
index 000000000..098597db0
--- /dev/null
+++ b/server/tests/api/activitypub/json/mastodon/bad-http-signature.json
@@ -0,0 +1,93 @@
+{
+  "headers": {
+    "user-agent": "http.rb/3.3.0 (Mastodon/2.5.0; +http://localhost:3000/)",
+    "host": "localhost",
+    "date": "Mon, 22 Oct 2018 13:34:22 GMT",
+    "accept-encoding": "gzip",
+    "digest": "SHA-256=FEr5j2WSSfdEMcG3NTOXuGU0lUchfTJx4+BtUlWOwDk=",
+    "content-type": "application/activity+json",
+    "signature": "keyId=\"http://localhost:3000/users/ronan2#main-key\",algorithm=\"rsa-sha256\",headers=\"(request-target) host date digest content-type\",signature=\"oLKbgxdFXdXsHJ3x/UsG9Svu7oa8Dyqiy6Jif4wqNuhAqRVMRaG18f+dd2OcfFX3XRGF8p8flZkU6vvoEQBauTwGRGcgXAJuKC1zYIWGk+PeiW8lNUnE4qGapWcTiFnIo7FKauNdsgqg/tvgs1pQIdHkDDjZMI64twP7sTN/4vG1PCq+kyqi/DM+ORLi/W7vFuLVHt2Iz7ikfw/R3/mMtS4FwLops+tVYBQ2iQ9DVRhTwLKVbeL/LLVB/tdGzNZ4F4nImBAQQ9I7WpPM6J/k+cBmoEbrUKs8ptx9gbX3OSsl4wlvPVMNzU9F9yb2MrB/Y/J4qssKz+LbiaktKGj7OQ==\"",
+    "content-length": "2815"
+  },
+  "body": {
+    "@context": [
+      "https://www.w3.org/ns/activitystreams",
+      "https://w3id.org/security/v1",
+      {
+        "manuallyApprovesFollowers": "as:manuallyApprovesFollowers",
+        "sensitive": "as:sensitive",
+        "movedTo": {
+          "@id": "as:movedTo",
+          "@type": "@id"
+        },
+        "Hashtag": "as:Hashtag",
+        "ostatus": "http://ostatus.org#",
+        "atomUri": "ostatus:atomUri",
+        "inReplyToAtomUri": "ostatus:inReplyToAtomUri",
+        "conversation": "ostatus:conversation",
+        "toot": "http://joinmastodon.org/ns#",
+        "Emoji": "toot:Emoji",
+        "focalPoint": {
+          "@container": "@list",
+          "@id": "toot:focalPoint"
+        },
+        "featured": {
+          "@id": "toot:featured",
+          "@type": "@id"
+        },
+        "schema": "http://schema.org#",
+        "PropertyValue": "schema:PropertyValue",
+        "value": "schema:value"
+      }
+    ],
+    "id": "http://localhost:3000/users/ronan2/statuses/100939547203370948/activity",
+    "type": "Create",
+    "actor": "http://localhost:3000/users/ronan2",
+    "published": "2018-10-22T13:34:18Z",
+    "to": [
+      "https://www.w3.org/ns/activitystreams#Public"
+    ],
+    "cc": [
+      "http://localhost:3000/users/ronan2/followers",
+      "http://localhost:9000/accounts/ronan"
+    ],
+    "object": {
+      "id": "http://localhost:3000/users/ronan2/statuses/100939547203370948",
+      "type": "Note",
+      "summary": null,
+      "inReplyTo": "http://localhost:9000/videos/watch/90e6f8ed-b369-423c-b0c8-f44e5350c752",
+      "published": "2018-10-22T13:34:18Z",
+      "url": "http://localhost:3000/@ronan2/100939547203370948",
+      "attributedTo": "http://localhost:3000/users/ronan2",
+      "to": [
+        "https://www.w3.org/ns/activitystreams#Public"
+      ],
+      "cc": [
+        "http://localhost:3000/users/ronan2/followers",
+        "http://localhost:9000/accounts/ronan"
+      ],
+      "sensitive": false,
+      "atomUri": "http://localhost:3000/users/ronan2/statuses/100939547203370948",
+      "inReplyToAtomUri": "http://localhost:9000/videos/watch/90e6f8ed-b369-423c-b0c8-f44e5350c752",
+      "conversation": "tag:localhost:3000,2018-10-19:objectId=72:objectType=Conversation",
+      "content": "<p><span class=\"h-card\"><a href=\"http://localhost:9000/accounts/ronan\" class=\"u-url mention\">@<span>ronan</span></a></span> zergzerg</p>",
+      "contentMap": {
+        "en": "<p><span class=\"h-card\"><a href=\"http://localhost:9000/accounts/ronan\" class=\"u-url mention\">@<span>ronan</span></a></span> zergzerg</p>"
+      },
+      "attachment": [],
+      "tag": [
+        {
+          "type": "Mention",
+          "href": "http://localhost:9000/accounts/ronan",
+          "name": "@ronan@localhost:9000"
+        }
+      ]
+    },
+    "signature": {
+      "type": "RsaSignature2017",
+      "creator": "http://localhost:3000/users/ronan2#main-key",
+      "created": "2018-10-22T13:34:19Z",
+      "signatureValue": "x+xL4l8ERziYVhwEafHJyBQOInvNZ0gV4ccYd9AtFYeGJagc8fY6jjjhbDRCD7yMhgTjBX69z20MXnDuwpmM6wej3dt1wLKdIyXVViO84nAlqFz7KmNxtk5lDnAVX/vttscT5YUFvw4dbPT2mQiEd1lKbaLftRiIPEomZpQ37+fUkQdcPrnhruPAISO/Sof1n1LFW4mYIffozteQSZBH6HaCVp+MRMIhdMi5e8w7PD48/cZz8D/EU8Vqi91FM76/3tMqg6nLqQ+8bq74Jvt2kzwZlIufe+I55QMpZOmF6hGIJEt+R0JXdjQbtgcELONmNj2dr8sAlzu7zKlAGuJ24Q=="
+    }
+  }
+}
diff --git a/server/tests/api/activitypub/json/mastodon/bad-public-key.json b/server/tests/api/activitypub/json/mastodon/bad-public-key.json
new file mode 100644
index 000000000..73d18b3ad
--- /dev/null
+++ b/server/tests/api/activitypub/json/mastodon/bad-public-key.json
@@ -0,0 +1,3 @@
+{
+  "publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YyuthHtWWgDe0Fdgdp2\ndC5dTJsRqW6pFw5omIYYYjoES/WRewhVxEA54BhmxD3L1zChfx131N1TS8jVowhW\nm999jpUffKCCvLgYKIXETJDHiDeMONVx8wp7v9fS1HiFXo/E5und39gUMs14CMFZ\n6PE5jRV3r4XIKQJHQl7/X5n5FOb2934K+1TKUeBkbft/AushlKatYQakt3qHxpwx\nFvE+JjGo7QTnzdjaOx/e5QvojdGi2Kx4+jl77j2WVcSo5lOBz04OAVJtChtn82vS\nulPdDh3hZcDn+WK67yAhGP6AnzvOybZZS4zowlKiQ3kqjVVXKdl8gAsL4Y7MZ40R\nJQIDAQAB\n-----END PUBLIC KEY-----\n"
+}
diff --git a/server/tests/api/activitypub/json/mastodon/create-bad-signature.json b/server/tests/api/activitypub/json/mastodon/create-bad-signature.json
new file mode 100644
index 000000000..2cd037241
--- /dev/null
+++ b/server/tests/api/activitypub/json/mastodon/create-bad-signature.json
@@ -0,0 +1,81 @@
+{
+  "@context": [
+    "https://www.w3.org/ns/activitystreams",
+    "https://w3id.org/security/v1",
+    {
+      "manuallyApprovesFollowers": "as:manuallyApprovesFollowers",
+      "sensitive": "as:sensitive",
+      "movedTo": {
+        "@id": "as:movedTo",
+        "@type": "@id"
+      },
+      "Hashtag": "as:Hashtag",
+      "ostatus": "http://ostatus.org#",
+      "atomUri": "ostatus:atomUri",
+      "inReplyToAtomUri": "ostatus:inReplyToAtomUri",
+      "conversation": "ostatus:conversation",
+      "toot": "http://joinmastodon.org/ns#",
+      "Emoji": "toot:Emoji",
+      "focalPoint": {
+        "@container": "@list",
+        "@id": "toot:focalPoint"
+      },
+      "featured": {
+        "@id": "toot:featured",
+        "@type": "@id"
+      },
+      "schema": "http://schema.org#",
+      "PropertyValue": "schema:PropertyValue",
+      "value": "schema:value"
+    }
+  ],
+  "id": "http://localhost:3000/users/ronan2/statuses/100939345950887698/activity",
+  "type": "Create",
+  "actor": "http://localhost:3000/users/ronan2",
+  "published": "2018-10-22T12:43:07Z",
+  "to": [
+    "https://www.w3.org/ns/activitystreams#Public"
+  ],
+  "cc": [
+    "http://localhost:3000/users/ronan2/followers",
+    "http://localhost:9000/accounts/ronan"
+  ],
+  "object": {
+    "id": "http://localhost:3000/users/ronan2/statuses/100939345950887698",
+    "type": "Note",
+    "summary": null,
+    "inReplyTo": "http://localhost:9000/videos/watch/90e6f8ed-b369-423c-b0c8-f44e5350c752",
+    "published": "2018-10-22T12:43:07Z",
+    "url": "http://localhost:3000/@ronan2/100939345950887698",
+    "attributedTo": "http://localhost:3000/users/ronan2",
+    "to": [
+      "https://www.w3.org/ns/activitystreams#Public"
+    ],
+    "cc": [
+      "http://localhost:3000/users/ronan2/followers",
+      "http://localhost:9000/accounts/ronan"
+    ],
+    "sensitive": false,
+    "atomUri": "http://localhost:3000/users/ronan2/statuses/100939345950887698",
+    "inReplyToAtomUri": "http://localhost:9000/videos/watch/90e6f8ed-b369-423c-b0c8-f44e5350c752",
+    "conversation": "tag:localhost:3000,2018-10-19:objectId=72:objectType=Conversation",
+    "content": "<p><span class=\"h-card\"><a href=\"http://localhost:9000/accounts/ronan\" class=\"u-url mention\">@<span>ronan</span></a></span> zerg</p>",
+    "contentMap": {
+      "en": "<p><span class=\"h-card\"><a href=\"http://localhost:9000/accounts/ronan\" class=\"u-url mention\">@<span>ronan</span></a></span> zerg</p>"
+    },
+    "attachment": [],
+    "tag": [
+      {
+        "type": "Mention",
+        "href": "http://localhost:9000/accounts/ronan",
+        "name": "@ronan@localhost:9000"
+      }
+    ]
+  },
+  "signature": {
+    "type": "RsaSignature2017",
+    "creator": "http://localhost:3000/users/ronan2#main-key",
+    "created": "2018-10-22T12:43:08Z",
+    "signatureValue": "Vgr8nA0agPr9TcA4BlX+MWhmuE+rBcoIJLpnPbm3E5SnOCXbgjEfEaTLqfuzzkKNsR3PBbkvi3YWK4/DxJ0zmpzSB7yy4NRzluQMVQHqJiFKXAX3Sr3fIrK24xkWW9/F207c1NpFajSGbgnFKBdtFE0e5VqwSrSoOJkZukZW/2ATSnsyzblieuUmvTWpD0PqpUOsynPjw+RqZnqPn0cjw1z2Dm7ZRt3trnyMTXFYZw5U/YuqMY2kpadD6vq780md8kXlJIylxG6ZrlO2jz9fJdnfuVq43d4QFNsBm1K1r2WtNqX+i+wiqh+u3PjF4pzXtl/a3hJOH18IfZnK7I21mQ=="
+  }
+}
diff --git a/server/tests/api/activitypub/json/mastodon/create.json b/server/tests/api/activitypub/json/mastodon/create.json
new file mode 100644
index 000000000..0be271bb8
--- /dev/null
+++ b/server/tests/api/activitypub/json/mastodon/create.json
@@ -0,0 +1,81 @@
+{
+  "@context": [
+    "https://www.w3.org/ns/activitystreams",
+    "https://w3id.org/security/v1",
+    {
+      "manuallyApprovesFollowers": "as:manuallyApprovesFollowers",
+      "sensitive": "as:sensitive",
+      "movedTo": {
+        "@id": "as:movedTo",
+        "@type": "@id"
+      },
+      "Hashtag": "as:Hashtag",
+      "ostatus": "http://ostatus.org#",
+      "atomUri": "ostatus:atomUri",
+      "inReplyToAtomUri": "ostatus:inReplyToAtomUri",
+      "conversation": "ostatus:conversation",
+      "toot": "http://joinmastodon.org/ns#",
+      "Emoji": "toot:Emoji",
+      "focalPoint": {
+        "@container": "@list",
+        "@id": "toot:focalPoint"
+      },
+      "featured": {
+        "@id": "toot:featured",
+        "@type": "@id"
+      },
+      "schema": "http://schema.org#",
+      "PropertyValue": "schema:PropertyValue",
+      "value": "schema:value"
+    }
+  ],
+  "id": "http://localhost:3000/users/ronan2/statuses/100939345950887698/activity",
+  "type": "Create",
+  "actor": "http://localhost:3000/users/ronan2",
+  "published": "2018-10-22T12:43:07Z",
+  "to": [
+    "https://www.w3.org/ns/activitystreams#Public"
+  ],
+  "cc": [
+    "http://localhost:3000/users/ronan2/followers",
+    "http://localhost:9000/accounts/ronan"
+  ],
+  "object": {
+    "id": "http://localhost:3000/users/ronan2/statuses/100939345950887698",
+    "type": "Note",
+    "summary": null,
+    "inReplyTo": "http://localhost:9000/videos/watch/90e6f8ed-b369-423c-b0c8-f44e5350c752",
+    "published": "2018-10-22T12:43:07Z",
+    "url": "http://localhost:3000/@ronan2/100939345950887698",
+    "attributedTo": "http://localhost:3000/users/ronan2",
+    "to": [
+      "https://www.w3.org/ns/activitystreams#Public"
+    ],
+    "cc": [
+      "http://localhost:3000/users/ronan2/followers",
+      "http://localhost:9000/accounts/ronan"
+    ],
+    "sensitive": false,
+    "atomUri": "http://localhost:3000/users/ronan2/statuses/100939345950887698",
+    "inReplyToAtomUri": "http://localhost:9000/videos/watch/90e6f8ed-b369-423c-b0c8-f44e5350c752",
+    "conversation": "tag:localhost:3000,2018-10-19:objectId=72:objectType=Conversation",
+    "content": "<p><span class=\"h-card\"><a href=\"http://localhost:9000/accounts/ronan\" class=\"u-url mention\">@<span>ronan</span></a></span> zerg</p>",
+    "contentMap": {
+      "en": "<p><span class=\"h-card\"><a href=\"http://localhost:9000/accounts/ronan\" class=\"u-url mention\">@<span>ronan</span></a></span> zerg</p>"
+    },
+    "attachment": [],
+    "tag": [
+      {
+        "type": "Mention",
+        "href": "http://localhost:9000/accounts/ronan",
+        "name": "@ronan@localhost:9000"
+      }
+    ]
+  },
+  "signature": {
+    "type": "RsaSignature2017",
+    "creator": "http://localhost:3000/users/ronan2#main-key",
+    "created": "2018-10-22T12:43:08Z",
+    "signatureValue": "VgR8nA0agPr9TcA4BlX+MWhmuE+rBcoIJLpnPbm3E5SnOCXbgjEfEaTLqfuzzkKNsR3PBbkvi3YWK4/DxJ0zmpzSB7yy4NRzluQMVQHqJiFKXAX3Sr3fIrK24xkWW9/F207c1NpFajSGbgnFKBdtFE0e5VqwSrSoOJkZukZW/2ATSnsyzblieuUmvTWpD0PqpUOsynPjw+RqZnqPn0cjw1z2Dm7ZRt3trnyMTXFYZw5U/YuqMY2kpadD6vq780md8kXlJIylxG6ZrlO2jz9fJdnfuVq43d4QFNsBm1K1r2WtNqX+i+wiqh+u3PjF4pzXtl/a3hJOH18IfZnK7I21mQ=="
+  }
+}
diff --git a/server/tests/api/activitypub/json/mastodon/http-signature.json b/server/tests/api/activitypub/json/mastodon/http-signature.json
new file mode 100644
index 000000000..4e7bc3af5
--- /dev/null
+++ b/server/tests/api/activitypub/json/mastodon/http-signature.json
@@ -0,0 +1,93 @@
+{
+  "headers": {
+    "user-agent": "http.rb/3.3.0 (Mastodon/2.5.0; +http://localhost:3000/)",
+    "host": "localhost",
+    "date": "Mon, 22 Oct 2018 13:34:22 GMT",
+    "accept-encoding": "gzip",
+    "digest": "SHA-256=FEr5j2WSSfdEMcG3NTOXuGU0lUchfTJx4+BtUlWOwDk=",
+    "content-type": "application/activity+json",
+    "signature": "keyId=\"http://localhost:3000/users/ronan2#main-key\",algorithm=\"rsa-sha256\",headers=\"(request-target) host date digest content-type\",signature=\"oLKbgxdFXdXsHJ3x/UsG9Svu7oa8Dyqiy6Jif4wqNuhAqRVMRaG18f+dd2OcfFX3XRGF8p8flZkU6vvoEQBauTwGRGcgXAJuKC1zYIWGk+PeiW8lNUnE4qGapWcTiFnIo7FKauNdsgqg/tvgs1pQIdHkDDjZMI64twP7sTN/4vG1PCq+kyqi/DM+ORLi/W7vFuLVHt2Iz7ikfw/R3/mMtS4FwLops+tVYBQ2iQ9DVRhTwLKVbeL/LLVB/tdGzNZ4F4nImBAQQ9I7WpPM6J/k+cBmoEbrUKs8ptx9gbX3OSsl5wlvPVMNzU9F9yb2MrB/Y/J4qssKz+LbiaktKGj7OQ==\"",
+    "content-length": "2815"
+  },
+  "body": {
+    "@context": [
+      "https://www.w3.org/ns/activitystreams",
+      "https://w3id.org/security/v1",
+      {
+        "manuallyApprovesFollowers": "as:manuallyApprovesFollowers",
+        "sensitive": "as:sensitive",
+        "movedTo": {
+          "@id": "as:movedTo",
+          "@type": "@id"
+        },
+        "Hashtag": "as:Hashtag",
+        "ostatus": "http://ostatus.org#",
+        "atomUri": "ostatus:atomUri",
+        "inReplyToAtomUri": "ostatus:inReplyToAtomUri",
+        "conversation": "ostatus:conversation",
+        "toot": "http://joinmastodon.org/ns#",
+        "Emoji": "toot:Emoji",
+        "focalPoint": {
+          "@container": "@list",
+          "@id": "toot:focalPoint"
+        },
+        "featured": {
+          "@id": "toot:featured",
+          "@type": "@id"
+        },
+        "schema": "http://schema.org#",
+        "PropertyValue": "schema:PropertyValue",
+        "value": "schema:value"
+      }
+    ],
+    "id": "http://localhost:3000/users/ronan2/statuses/100939547203370948/activity",
+    "type": "Create",
+    "actor": "http://localhost:3000/users/ronan2",
+    "published": "2018-10-22T13:34:18Z",
+    "to": [
+      "https://www.w3.org/ns/activitystreams#Public"
+    ],
+    "cc": [
+      "http://localhost:3000/users/ronan2/followers",
+      "http://localhost:9000/accounts/ronan"
+    ],
+    "object": {
+      "id": "http://localhost:3000/users/ronan2/statuses/100939547203370948",
+      "type": "Note",
+      "summary": null,
+      "inReplyTo": "http://localhost:9000/videos/watch/90e6f8ed-b369-423c-b0c8-f44e5350c752",
+      "published": "2018-10-22T13:34:18Z",
+      "url": "http://localhost:3000/@ronan2/100939547203370948",
+      "attributedTo": "http://localhost:3000/users/ronan2",
+      "to": [
+        "https://www.w3.org/ns/activitystreams#Public"
+      ],
+      "cc": [
+        "http://localhost:3000/users/ronan2/followers",
+        "http://localhost:9000/accounts/ronan"
+      ],
+      "sensitive": false,
+      "atomUri": "http://localhost:3000/users/ronan2/statuses/100939547203370948",
+      "inReplyToAtomUri": "http://localhost:9000/videos/watch/90e6f8ed-b369-423c-b0c8-f44e5350c752",
+      "conversation": "tag:localhost:3000,2018-10-19:objectId=72:objectType=Conversation",
+      "content": "<p><span class=\"h-card\"><a href=\"http://localhost:9000/accounts/ronan\" class=\"u-url mention\">@<span>ronan</span></a></span> zergzerg</p>",
+      "contentMap": {
+        "en": "<p><span class=\"h-card\"><a href=\"http://localhost:9000/accounts/ronan\" class=\"u-url mention\">@<span>ronan</span></a></span> zergzerg</p>"
+      },
+      "attachment": [],
+      "tag": [
+        {
+          "type": "Mention",
+          "href": "http://localhost:9000/accounts/ronan",
+          "name": "@ronan@localhost:9000"
+        }
+      ]
+    },
+    "signature": {
+      "type": "RsaSignature2017",
+      "creator": "http://localhost:3000/users/ronan2#main-key",
+      "created": "2018-10-22T13:34:19Z",
+      "signatureValue": "x+xL4l8ERziYVhwEafHJyBQOInvNZ0gV4ccYd9AtFYeGJagc8fY6jjjhbDRCD7yMhgTjBX69z20MXnDuwpmM6wej3dt1wLKdIyXVViO84nAlqFz7KmNxtk5lDnAVX/vttscT5YUFvw4dbPT2mQiEd1lKbaLftRiIPEomZpQ37+fUkQdcPrnhruPAISO/Sof1n1LFW4mYIffozteQSZBH6HaCVp+MRMIhdMi5e8w7PD48/cZz8D/EU8Vqi91FM76/3tMqg6nLqQ+8bq74Jvt2kzwZlIufe+I55QMpZOmF6hGIJEt+R0JXdjQbtgcELONmNj2dr8sAlzu7zKlAGuJ24Q=="
+    }
+  }
+}
diff --git a/server/tests/api/activitypub/json/mastodon/public-key.json b/server/tests/api/activitypub/json/mastodon/public-key.json
new file mode 100644
index 000000000..b7b9b8308
--- /dev/null
+++ b/server/tests/api/activitypub/json/mastodon/public-key.json
@@ -0,0 +1,3 @@
+{
+  "publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YyuthHtWWgDe0Fdgdp2\ndC5dTJsRqW6pFw5omIYYYjoES/WRewhVxEA54BhmxD3L1zChfx131N1TS8jVowhW\nm999jpUffKCCvLgYKIXETJDHiDeMONVx8wp7v9fS1HiFXo/E5und39gUMs14CMFZ\n6PE5jRV3r4XIKQJHQl7/X5n5FOb2934K+1TKUeBkbft/AushlKatYQakt3qHxpwx\nFvE+JjGo7QTnzdjaOx/e5QvojdGi2Kx4+jl87j2WVcSo5lOBz04OAVJtChtn82vS\nulPdDh3hZcDn+WK67yAhGP6AnzvOybZZS4zowlKiQ3kqjVVXKdl8gAsL4Y7MZ40R\nJQIDAQAB\n-----END PUBLIC KEY-----\n"
+}
diff --git a/server/tests/api/activitypub/json/peertube/announce-without-context.json b/server/tests/api/activitypub/json/peertube/announce-without-context.json
new file mode 100644
index 000000000..5f2af0cde
--- /dev/null
+++ b/server/tests/api/activitypub/json/peertube/announce-without-context.json
@@ -0,0 +1,13 @@
+{
+  "type": "Announce",
+  "id": "http://localhost:9002/videos/watch/997111d4-e8d8-4f45-99d3-857905785d05/announces/1",
+  "actor": "http://localhost:9002/accounts/peertube",
+  "object": "http://localhost:9002/videos/watch/997111d4-e8d8-4f45-99d3-857905785d05",
+  "to": [
+    "https://www.w3.org/ns/activitystreams#Public",
+    "http://localhost:9002/accounts/peertube/followers",
+    "http://localhost:9002/video-channels/root_channel/followers",
+    "http://localhost:9002/accounts/root/followers"
+  ],
+  "cc": []
+}
diff --git a/server/tests/api/activitypub/json/peertube/invalid-keys.json b/server/tests/api/activitypub/json/peertube/invalid-keys.json
new file mode 100644
index 000000000..0544e96b9
--- /dev/null
+++ b/server/tests/api/activitypub/json/peertube/invalid-keys.json
@@ -0,0 +1,6 @@
+{
+  "publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqjQGdH6D3naKmSbbr/Df\nEh1H42F3WlHYXuxKLkm5Bemjdde+GwHYdz5m3fcIWw3HTzfA+y9Of8epGdfSrtYO\nwAyc3Zoy7afPNa4bZXqhJ1Im41rMGieiCuUn4uTPPucIjC0gCkVwvuQr3Elbk55s\nIkczDkseJuadTvG+A1e4uNY2lnRmVhf4g5B90u6CLe2KdbPpifRoKlw9zaUBj4/F\npP5S75TS5l1DfJQIq2lp8RwrH6FvGKLnWlbGeNYX96DDvlA5Sxoxz6a+bTV9OopM\n7mS7eP8zF8lKXYUu8cjIscKm+XqGmyRoPyw2Pp53tew29idRUocVQHGBnlNbpKdd\naQIDAQAB\n-----END PUBLIC KEY-----\n",
+  "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAqjQGdH6D3naKmSbbr/DfEh1H42F3WlHYXuxKLkm5Bemjdde+\nGwHYdz5m3fcIWw3HTzfA+y9Of8epGdfSrtYOwAyc3Zoy7afPNa4bZXqhJ1Im41rM\nGieiCuUn4uTPPucIjC0gCkVwvuQr3Elbk55sIkczDkseJuadTvG+A1e4uNY2lnRm\nVhf4g5B90u6CLe2KdbPpifRoKlw9zaUBj4/FpP5S75TS5l1DfJQIq2lp8RwrH6Fv\nGKLnWlbGeNYX96DDvlA5Sxoxz6a+bTV9OopM7mS7eP8zF8lKXYUu8cjIscKm+XqG\nmyRoPyw3Pp53tew29idRUocVQHGBnlNbpKddaQIDAQABAoIBAQCnBZawCtbtH/ay\ng+dhqEW/SOyavbKZ92cU/1tsQPxISRYXNjdf2VfK7HmVqC2S7NqBanz+AVZPHmda\n7OfamkSvQbFN5VvEy8ATNV+9HbG3HG78/MT9hZcGigmyJkcZuy4wILgoXCxfpxlD\netla60PB/4yioiRcmEIWjjOgpByphDJ7RuuuptyEvgjUjpPtvHK47O/loaD2HFJk\nbIYbRirbjUjITRjQxGVIvanqiwPG9pB26YDLxDOoXEumcnzRcEFWNdvoleaLgquS\nn/zVsXWEq4+1i7t44DDstWUt/2Bw5ksIkSdayQ6oy3vzre3YFHwvbVZ7qtQQgpru\nx+NIolZhAoGBAN1RgNj8zy9Py3SJdsoXtnuCItfD7eo7LWXUa06cM/NS695Q+/to\naa5i3cJnRlv+b+b3VvnhkhIBLfFQW+hWwPnnxJEehcm09ddN9zbWrZ4Yv9yYu+8d\nTLGyWL8kPFF1dz+29DcrSv3tXEOwxByX/O4U/X/i3wl2WhkybxVFnCuvAoGBAMTf\n91BgLzvcYKOxH+vRPOJY7g2HKGFe35R91M4E+9Eq1rq4LUQHBb3fhRh4+scNu0yb\nNfN1Zdx2nbgCXdTKomF1Ahxp58/A2iU65vVzL6hYfWXEGSmoBqsGCIpIxQ9jgB9k\nCl7t/Ban8Z/ORHTjI9fpHlSZyCWJ3ajepiM2a1ZnAoGAPpDO6wi1DXvyWVSPF1yS\nwuGsNfD2rjPihpoBZ+yypwP3GBcu1QjUb28Vn+KQOmt4eQPNO8DwCVT6BvEfulPk\nJAHISPom+jnFEgPBcmhIFpyKiLNI1bUjvExd2FNHFgQuHP38ligQAC782Un8dtTk\ntO2MKH4bbVJe8CaYzpuqJZMCgYABZyMpBHZxs8FQiUuT75rCdiXEHOlxwC5RrY/d\no/VzaR28mOFhsbcdwkD9iqcm0fc6tYRt5rFCH+pBzGqEwKjljuLj9vE67sHfMAtD\nRn3Zcj/6gKo5PMRHZbSb36bf1DKuhpT4VjPMqYe0PtEIEDJKMJQRwELH2bKlqGiA\nqbucEwKBgQCkS85JnpHEV/tSylsEEn2W3CQCx58zl7iZNV7h/tWMR4AyrcI0HqP6\nllJ7V/Cfw66MgelPnosKgagwLVI6gsqDtjnzYo3XuMRVlYIySJ/jV3eiUNkV2Ky2\nfp/gA9sVgp38QSr+xB9E0LNStcbqDzoCCcDRws/SK7PbkQH9KV47tQ==\n-----END RSA PRIVATE KEY-----"
+}
+
+
diff --git a/server/tests/api/activitypub/json/peertube/keys.json b/server/tests/api/activitypub/json/peertube/keys.json
new file mode 100644
index 000000000..1a7700865
--- /dev/null
+++ b/server/tests/api/activitypub/json/peertube/keys.json
@@ -0,0 +1,4 @@
+{
+  "publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqjQGdH6D3naKmSbbr/Df\nEh1H42F3WlHYXuxKLkm5Bemjdde+GwHYdz5m3fcIWw3HTzfA+y9Of8epGdfSrtYO\nwAyc3Zoy7afPNa4bZXqhJ1Im41rMGieiCuUn4uTPPucIjC0gCkVwvuQr3Elbk55s\nIkczDkseJuadTvG+A1e4uNY2lnRmVhf4g5B90u6CLe2KdbPpifRoKlw9zaUBj4/F\npP5S75TS5l1DfJQIq2lp8RwrH6FvGKLnWlbGeNYX96DDvlA5Sxoxz6a+bTV9OopM\n7mS7eP8zF8lKXYUu8cjIscKm+XqGmyRoPyw3Pp53tew29idRUocVQHGBnlNbpKdd\naQIDAQAB\n-----END PUBLIC KEY-----\n",
+  "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAqjQGdH6D3naKmSbbr/DfEh1H42F3WlHYXuxKLkm5Bemjdde+\nGwHYdz5m3fcIWw3HTzfA+y9Of8epGdfSrtYOwAyc3Zoy7afPNa4bZXqhJ1Im41rM\nGieiCuUn4uTPPucIjC0gCkVwvuQr3Elbk55sIkczDkseJuadTvG+A1e4uNY2lnRm\nVhf4g5B90u6CLe2KdbPpifRoKlw9zaUBj4/FpP5S75TS5l1DfJQIq2lp8RwrH6Fv\nGKLnWlbGeNYX96DDvlA5Sxoxz6a+bTV9OopM7mS7eP8zF8lKXYUu8cjIscKm+XqG\nmyRoPyw3Pp53tew29idRUocVQHGBnlNbpKddaQIDAQABAoIBAQCnBZawCtbtH/ay\ng+dhqEW/SOyavbKZ92cU/1tsQPxISRYXNjdf2VfK7HmVqC2S7NqBanz+AVZPHmda\n7OfamkSvQbFN5VvEy8ATNV+9HbG3HG78/MT9hZcGigmyJkcZuy4wILgoXCxfpxlD\netla60PB/4yioiRcmEIWjjOgpByphDJ7RuuuptyEvgjUjpPtvHK47O/loaD2HFJk\nbIYbRirbjUjITRjQxGVIvanqiwPG9pB26YDLxDOoXEumcnzRcEFWNdvoleaLgquS\nn/zVsXWEq4+1i7t44DDstWUt/2Bw5ksIkSdayQ6oy3vzre3YFHwvbVZ7qtQQgpru\nx+NIolZhAoGBAN1RgNj8zy9Py3SJdsoXtnuCItfD7eo7LWXUa06cM/NS695Q+/to\naa5i3cJnRlv+b+b3VvnhkhIBLfFQW+hWwPnnxJEehcm09ddN9zbWrZ4Yv9yYu+8d\nTLGyWL8kPFF1dz+29DcrSv3tXEOwxByX/O4U/X/i3wl2WhkybxVFnCuvAoGBAMTf\n91BgLzvcYKOxH+vRPOJY7g2HKGFe35R91M4E+9Eq1rq4LUQHBb3fhRh4+scNu0yb\nNfN1Zdx2nbgCXdTKomF1Ahxp58/A2iU65vVzL6hYfWXEGSmoBqsGCIpIxQ9jgB9k\nCl7t/Ban8Z/ORHTjI9fpHlSZyCWJ3ajepiM2a1ZnAoGAPpDO6wi1DXvyWVSPF1yS\nwuGsNfD2rjPihpoBZ+yypwP3GBcu1QjUb28Vn+KQOmt4eQPNO8DwCVT6BvEfulPk\nJAHISPom+jnFEgPBcmhIFpyKiLNI1bUjvExd2FNHFgQuHP38ligQAC782Un8dtTk\ntO2MKH4bbVJe8CaYzpuqJZMCgYABZyMpBHZxs8FQiUuT75rCdiXEHOlxwC5RrY/d\no/VzaR28mOFhsbcdwkD9iqcm0fc6tYRt5rFCH+pBzGqEwKjljuLj9vE67sHfMAtD\nRn3Zcj/6gKo5PMRHZbSb36bf1DKuhpT4VjPMqYe0PtEIEDJKMJQRwELH2bKlqGiA\nqbucEwKBgQCkS85JnpHEV/tSylsEEn2W3CQCx58zl7iZNV7h/tWMR4AyrcI0HqP6\nllJ7V/Cfw66MgelPnosKgagwLVI6gsqDtjnzYo3XuMRVlYIySJ/jV3eiUNkV2Ky2\nfp/gA9sVgp38QSr+xB9E0LNStcbqDzoCCcDRws/SK7PbkQH9KV47tQ==\n-----END RSA PRIVATE KEY-----"
+}
diff --git a/server/tests/api/activitypub/refresher.ts b/server/tests/api/activitypub/refresher.ts
new file mode 100644
index 000000000..62ad8a0b5
--- /dev/null
+++ b/server/tests/api/activitypub/refresher.ts
@@ -0,0 +1,93 @@
+/* tslint:disable:no-unused-expression */
+
+import 'mocha'
+import {
+  doubleFollow,
+  flushAndRunMultipleServers,
+  getVideo,
+  killallServers,
+  reRunServer,
+  ServerInfo,
+  setAccessTokensToServers,
+  uploadVideo,
+  wait,
+  setVideoField,
+  waitJobs
+} from '../../../../shared/utils'
+
+describe('Test AP refresher', function () {
+  let servers: ServerInfo[] = []
+  let videoUUID1: string
+  let videoUUID2: string
+  let videoUUID3: string
+
+  before(async function () {
+    this.timeout(60000)
+
+    servers = await flushAndRunMultipleServers(2)
+
+    // Get the access tokens
+    await setAccessTokensToServers(servers)
+
+    {
+      const res = await uploadVideo(servers[1].url, servers[1].accessToken, { name: 'video1' })
+      videoUUID1 = res.body.video.uuid
+    }
+
+    {
+      const res = await uploadVideo(servers[1].url, servers[1].accessToken, { name: 'video2' })
+      videoUUID2 = res.body.video.uuid
+    }
+
+    {
+      const res = await uploadVideo(servers[1].url, servers[1].accessToken, { name: 'video3' })
+      videoUUID3 = res.body.video.uuid
+    }
+
+    await doubleFollow(servers[0], servers[1])
+  })
+
+  it('Should remove a deleted remote video', async function () {
+    this.timeout(60000)
+
+    await wait(10000)
+
+    // Change UUID so the remote server returns a 404
+    await setVideoField(2, videoUUID1, 'uuid', '304afe4f-39f9-4d49-8ed7-ac57b86b174f')
+
+    await getVideo(servers[0].url, videoUUID1)
+    await getVideo(servers[0].url, videoUUID2)
+
+    await waitJobs(servers)
+
+    await getVideo(servers[0].url, videoUUID1, 404)
+    await getVideo(servers[0].url, videoUUID2, 200)
+  })
+
+  it('Should not update a remote video if the remote instance is down', async function () {
+    this.timeout(60000)
+
+    killallServers([ servers[1] ])
+
+    await setVideoField(2, videoUUID3, 'uuid', '304afe4f-39f9-4d49-8ed7-ac57b86b174e')
+
+    // Video will need a refresh
+    await wait(10000)
+
+    await getVideo(servers[0].url, videoUUID3)
+    // The refresh should fail
+    await waitJobs([ servers[0] ])
+
+    await reRunServer(servers[1])
+
+    // Should not refresh the video, even if the last refresh failed (to avoir a loop on dead instances)
+    await getVideo(servers[0].url, videoUUID3)
+    await waitJobs(servers)
+
+    await getVideo(servers[0].url, videoUUID3, 200)
+  })
+
+  after(async function () {
+    killallServers(servers)
+  })
+})
diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts
new file mode 100644
index 000000000..342ae0fa1
--- /dev/null
+++ b/server/tests/api/activitypub/security.ts
@@ -0,0 +1,187 @@
+/* tslint:disable:no-unused-expression */
+
+import 'mocha'
+
+import {
+  flushAndRunMultipleServers,
+  flushTests,
+  killallServers,
+  makeFollowRequest,
+  makePOSTAPRequest,
+  ServerInfo,
+  setActorField
+} from '../../../../shared/utils'
+import { HTTP_SIGNATURE } from '../../../initializers'
+import { buildDigest, buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils'
+import * as chai from 'chai'
+import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub'
+
+const expect = chai.expect
+
+function setKeysOfServer2 (serverNumber: number, publicKey: string, privateKey: string) {
+  return Promise.all([
+    setActorField(serverNumber, 'http://localhost:9002/accounts/peertube', 'publicKey', publicKey),
+    setActorField(serverNumber, 'http://localhost:9002/accounts/peertube', 'privateKey', privateKey)
+  ])
+}
+
+function setKeysOfServer3 (serverNumber: number, publicKey: string, privateKey: string) {
+  return Promise.all([
+    setActorField(serverNumber, 'http://localhost:9003/accounts/peertube', 'publicKey', publicKey),
+    setActorField(serverNumber, 'http://localhost:9003/accounts/peertube', 'privateKey', privateKey)
+  ])
+}
+
+describe('Test ActivityPub security', function () {
+  let servers: ServerInfo[]
+  let url: string
+
+  const keys = require('./json/peertube/keys.json')
+  const invalidKeys = require('./json/peertube/invalid-keys.json')
+  const baseHttpSignature = {
+    algorithm: HTTP_SIGNATURE.ALGORITHM,
+    authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
+    keyId: 'acct:peertube@localhost:9002',
+    key: keys.privateKey,
+    headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
+  }
+
+  // ---------------------------------------------------------------
+
+  before(async function () {
+    this.timeout(60000)
+
+    servers = await flushAndRunMultipleServers(3)
+
+    url = servers[0].url + '/inbox'
+
+    await setKeysOfServer2(1, keys.publicKey, keys.privateKey)
+
+    const to = { url: 'http://localhost:9001/accounts/peertube' }
+    const by = { url: 'http://localhost:9002/accounts/peertube', privateKey: keys.privateKey }
+    await makeFollowRequest(to, by)
+  })
+
+  describe('When checking HTTP signature', function () {
+
+    it('Should fail with an invalid digest', async function () {
+      const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
+      const headers = {
+        Digest: buildDigest({ hello: 'coucou' })
+      }
+
+      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
+
+      expect(response.statusCode).to.equal(403)
+    })
+
+    it('Should fail with an invalid date', async function () {
+      const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
+      const headers = buildGlobalHeaders(body)
+      headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'
+
+      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
+
+      expect(response.statusCode).to.equal(403)
+    })
+
+    it('Should fail with bad keys', async function () {
+      await setKeysOfServer2(1, invalidKeys.publicKey, invalidKeys.privateKey)
+      await setKeysOfServer2(2, invalidKeys.publicKey, invalidKeys.privateKey)
+
+      const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
+      const headers = buildGlobalHeaders(body)
+
+      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
+
+      expect(response.statusCode).to.equal(403)
+    })
+
+    it('Should succeed with a valid HTTP signature', async function () {
+      await setKeysOfServer2(1, keys.publicKey, keys.privateKey)
+      await setKeysOfServer2(2, keys.publicKey, keys.privateKey)
+
+      const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
+      const headers = buildGlobalHeaders(body)
+
+      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
+
+      expect(response.statusCode).to.equal(204)
+    })
+  })
+
+  describe('When checking Linked Data Signature', function () {
+    before(async () => {
+      await setKeysOfServer3(3, keys.publicKey, keys.privateKey)
+
+      const to = { url: 'http://localhost:9001/accounts/peertube' }
+      const by = { url: 'http://localhost:9003/accounts/peertube', privateKey: keys.privateKey }
+      await makeFollowRequest(to, by)
+    })
+
+    it('Should fail with bad keys', async function () {
+      this.timeout(10000)
+
+      await setKeysOfServer3(1, invalidKeys.publicKey, invalidKeys.privateKey)
+      await setKeysOfServer3(3, invalidKeys.publicKey, invalidKeys.privateKey)
+
+      const body = require('./json/peertube/announce-without-context.json')
+      body.actor = 'http://localhost:9003/accounts/peertube'
+
+      const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:9003/accounts/peertube' }
+      const signedBody = await buildSignedActivity(signer, body)
+
+      const headers = buildGlobalHeaders(signedBody)
+
+      const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers)
+
+      expect(response.statusCode).to.equal(403)
+    })
+
+    it('Should fail with an altered body', async function () {
+      this.timeout(10000)
+
+      await setKeysOfServer3(1, keys.publicKey, keys.privateKey)
+      await setKeysOfServer3(3, keys.publicKey, keys.privateKey)
+
+      const body = require('./json/peertube/announce-without-context.json')
+      body.actor = 'http://localhost:9003/accounts/peertube'
+
+      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:9003/accounts/peertube' }
+      const signedBody = await buildSignedActivity(signer, body)
+
+      signedBody.actor = 'http://localhost:9003/account/peertube'
+
+      const headers = buildGlobalHeaders(signedBody)
+
+      const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers)
+
+      expect(response.statusCode).to.equal(403)
+    })
+
+    it('Should succeed with a valid signature', async function () {
+      this.timeout(10000)
+
+      const body = require('./json/peertube/announce-without-context.json')
+      body.actor = 'http://localhost:9003/accounts/peertube'
+
+      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:9003/accounts/peertube' }
+      const signedBody = await buildSignedActivity(signer, body)
+
+      const headers = buildGlobalHeaders(signedBody)
+
+      const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers)
+
+      expect(response.statusCode).to.equal(204)
+    })
+  })
+
+  after(async function () {
+    killallServers(servers)
+
+    // Keep the logs if the test failed
+    if (this['ok']) {
+      await flushTests()
+    }
+  })
+})