authorChocobozzz <me@florianbigard.com>2020-11-12 10:42:25 +0100
committerChocobozzz <me@florianbigard.com>2020-11-12 16:29:32 +0100
commit797d05bdd99b63104522051d0f61f1e0f003e780 (patch)
treea0e356958e03aa62c4539afacbf7715eba305954 /server/tests/api
parent2a9562fc5894509e63016b1fe09f6dce0c4b6e5e (diff)
Force signed headers in http signatures
Thanks Roger
Diffstat (limited to 'server/tests/api')
-rw-r--r--server/tests/api/activitypub/security.ts21
1 files changed, 20 insertions, 1 deletions
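--- a/server/tests/api/activitypub/security.ts
+++ b/server/tests/api/activitypub/security.ts
@@ -99,13 +99,32 @@ describe('Test ActivityPub security', function () {
 expect(response.statusCode).to.equal(403)
 })
 
-it('Should succeed with a valid HTTP signature', async function () {
+it('Should reject requests without appropriate signed headers', async function () {
 await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
 await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
 
 const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
 const headers = buildGlobalHeaders(body)
 
+const signatureOptions = baseHttpSignature()
+const badHeadersMatrix = [
+[ '(request-target)', 'date', 'digest' ],
+[ 'host', 'date', 'digest' ],
+[ '(request-target)', 'host', 'digest' ]
+]
+
+for (const badHeaders of badHeadersMatrix) {
+signatureOptions.headers = badHeaders
+
+const { response } = await makePOSTAPRequest(url, body, signatureOptions, headers)
+expect(response.statusCode).to.equal(403)
+}
+})
+
+it('Should succeed with a valid HTTP signature', async function () {
+const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
+const headers = buildGlobalHeaders(body)
+
 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
 
 expect(response.statusCode).to.equal(204)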
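Review bot: The `badHeadersMatrix` in the new 'Should reject requests without appropriate signed headers' test drops `(request-target)`, `host` and `date` in turn, but every row still signs `digest`, so nothing here checks that a signature leaving the body digest unsigned is refused. If the server is meant to require `digest` on POST (the server-side change is not part of this diff, so that is an assumption), add a fourth row `[ '(request-target)', 'host', 'date' ]`. Separately, the two `setKeysOfServer` calls now live only in the reject test, so 'Should succeed with a valid HTTP signature' depends on that test having run first; repeating the calls there, or a comment such as `// relies on keys set by the previous test`, would keep the positive case meaningful when run alone. The enclosing `describe` starts and ends outside the hunk.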