Handle HTTP signature draft 11

author: Chocobozzz <me@florianbigard.com> 2022-05-06 15:11:54 +0200
committer: Chocobozzz <me@florianbigard.com> 2022-05-06 15:13:59 +0200
commit: e08ec7a723724c247d9bbcdbf157da08d3ba31a7 (patch)
tree: bfa3fdc9b3a57a9ac40b8cf900f396c1ccde0215 /server
parent: 822f50fa814e945d136b8bb5a7e14e3c84889d42 (diff)
download: PeerTube-e08ec7a723724c247d9bbcdbf157da08d3ba31a7.tar.gz
PeerTube-e08ec7a723724c247d9bbcdbf157da08d3ba31a7.tar.zst
PeerTube-e08ec7a723724c247d9bbcdbf157da08d3ba31a7.zip
3 files changed, 23 insertions, 9 deletions
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts
index b8f7c782a..1a7ee24a7 100644
--- a/server/helpers/peertube-crypto.ts
+++ b/server/helpers/peertube-crypto.ts
@@ -51,11 +51,18 @@ function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): bool
 }
 function parseHTTPSignature (req: Request, clockSkew?: number) {
-  const headers = req.method === 'POST'
+  const requiredHeaders = req.method === 'POST'
-    ? HTTP_SIGNATURE.REQUIRED_HEADERS.POST
+    ? [ '(request-target)', 'host', 'digest' ]
-    : HTTP_SIGNATURE.REQUIRED_HEADERS.ALL
+    : [ '(request-target)', 'host' ]
-  return httpSignature.parse(req, { clockSkew, headers })
+  const parsed = httpSignature.parse(req, { clockSkew, headers: requiredHeaders })
+  const parsedHeaders = parsed.params.headers
+  if (!parsedHeaders.includes('date') && !parsedHeaders.includes('(created)')) {
+    throw new Error(`date or (created) must be included in signature`)
+  }
+  return parsed
 }
 // JSONLD
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index dca792b1b..44f676a15 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -589,11 +589,7 @@ const ACTIVITY_PUB_ACTOR_TYPES: { [ id: string ]: ActivityPubActorType } = {
 const HTTP_SIGNATURE = {
  HEADER_NAME: 'signature',
  ALGORITHM: 'rsa-sha256',
-  HEADERS_TO_SIGN: [ '(request-target)', 'host', 'date', 'digest' ],
+  HEADERS_TO_SIGN: [ '(request-target)', '(created)', 'host', 'date', 'digest' ],
-  REQUIRED_HEADERS: {
-    ALL: [ '(request-target)', 'host', 'date' ],
-    POST: [ '(request-target)', 'host', 'date', 'digest' ]
-  },
  CLOCK_SKEW_SECONDS: 1800
 }
diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts
index a070517b8..95e2aebb4 100644
--- a/server/tests/api/activitypub/security.ts
+++ b/server/tests/api/activitypub/security.ts
@@ -147,6 +147,17 @@ describe('Test ActivityPub security', function () {
      }
    })
+    it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () {
+      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
+      const headers = buildGlobalHeaders(body)
+      const signatureOptions = baseHttpSignature()
+      signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ]
+      const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers)
+      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
+    })
    it('Should succeed with a valid HTTP signature', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)
author	Chocobozzz <me@florianbigard.com>	2022-05-06 15:11:54 +0200
committer	Chocobozzz <me@florianbigard.com>	2022-05-06 15:13:59 +0200
commit	e08ec7a723724c247d9bbcdbf157da08d3ba31a7 (patch)
tree	bfa3fdc9b3a57a9ac40b8cf900f396c1ccde0215 /server
parent	822f50fa814e945d136b8bb5a7e14e3c84889d42 (diff)
download	PeerTube-e08ec7a723724c247d9bbcdbf157da08d3ba31a7.tar.gz PeerTube-e08ec7a723724c247d9bbcdbf157da08d3ba31a7.tar.zst PeerTube-e08ec7a723724c247d9bbcdbf157da08d3ba31a7.zip