aboutsummaryrefslogtreecommitdiffhomepage
path: root/server
diff options
context:
space:
mode:
authorChocobozzz <florian.bigard@gmail.com>2016-10-01 09:09:07 +0200
committerChocobozzz <florian.bigard@gmail.com>2016-10-01 09:09:07 +0200
commit0eb78d530376c43d228e3e071e032fe9849149ed (patch)
treee4a81e9de1267e8e316cfe27de65f4cb450ae8b7 /server
parentc60f2212fd326c323dc2d145ba64080612b655d3 (diff)
downloadPeerTube-0eb78d530376c43d228e3e071e032fe9849149ed.tar.gz
PeerTube-0eb78d530376c43d228e3e071e032fe9849149ed.tar.zst
PeerTube-0eb78d530376c43d228e3e071e032fe9849149ed.zip
Server: do not forget to check the signature when another pod wants to
quit us
Diffstat (limited to 'server')
-rw-r--r--server/controllers/api/v1/pods.js7
-rw-r--r--server/controllers/api/v1/remote.js1
-rw-r--r--server/middlewares/secure.js45
3 files changed, 32 insertions, 21 deletions
diff --git a/server/controllers/api/v1/pods.js b/server/controllers/api/v1/pods.js
index 2bdfe0c92..d509db964 100644
--- a/server/controllers/api/v1/pods.js
+++ b/server/controllers/api/v1/pods.js
@@ -10,6 +10,7 @@ const friends = require('../../../lib/friends')
10const middlewares = require('../../../middlewares') 10const middlewares = require('../../../middlewares')
11const admin = middlewares.admin 11const admin = middlewares.admin
12const oAuth = middlewares.oauth 12const oAuth = middlewares.oauth
13const checkSignature = middlewares.secure.checkSignature
13const validators = middlewares.validators.pods 14const validators = middlewares.validators.pods
14const signatureValidator = middlewares.validators.remote.signature 15const signatureValidator = middlewares.validators.remote.signature
15 16
@@ -31,7 +32,11 @@ router.get('/quitfriends',
31 quitFriends 32 quitFriends
32) 33)
33// Post because this is a secured request 34// Post because this is a secured request
34router.post('/remove', signatureValidator, removePods) 35router.post('/remove',
36 signatureValidator,
37 checkSignature,
38 removePods
39)
35 40
36// --------------------------------------------------------------------------- 41// ---------------------------------------------------------------------------
37 42
diff --git a/server/controllers/api/v1/remote.js b/server/controllers/api/v1/remote.js
index f452986b8..a22c5d151 100644
--- a/server/controllers/api/v1/remote.js
+++ b/server/controllers/api/v1/remote.js
@@ -16,6 +16,7 @@ const Video = mongoose.model('Video')
16router.post('/videos', 16router.post('/videos',
17 validators.signature, 17 validators.signature,
18 validators.dataToDecrypt, 18 validators.dataToDecrypt,
19 secureMiddleware.checkSignature,
19 secureMiddleware.decryptBody, 20 secureMiddleware.decryptBody,
20 validators.remoteVideos, 21 validators.remoteVideos,
21 remoteVideos 22 remoteVideos
diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js
index fa000c6f0..33a52e8d9 100644
--- a/server/middlewares/secure.js
+++ b/server/middlewares/secure.js
@@ -7,10 +7,11 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
7const Pod = mongoose.model('Pod') 7const Pod = mongoose.model('Pod')
8 8
9const secureMiddleware = { 9const secureMiddleware = {
10 checkSignature: checkSignature,
10 decryptBody: decryptBody 11 decryptBody: decryptBody
11} 12}
12 13
13function decryptBody (req, res, next) { 14function checkSignature (req, res, next) {
14 const url = req.body.signature.url 15 const url = req.body.signature.url
15 Pod.loadByUrl(url, function (err, pod) { 16 Pod.loadByUrl(url, function (err, pod) {
16 if (err) { 17 if (err) {
@@ -28,26 +29,30 @@ function decryptBody (req, res, next) {
28 const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature) 29 const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature)
29 30
30 if (signatureOk === true) { 31 if (signatureOk === true) {
31 peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) { 32 return next()
32 if (err) { 33 }
33 logger.error('Cannot decrypt data.', { error: err }) 34
34 return res.sendStatus(500) 35 logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
35 } 36 return res.sendStatus(403)
36 37 })
37 try { 38}
38 req.body.data = JSON.parse(decrypted) 39
39 delete req.body.key 40function decryptBody (req, res, next) {
40 } catch (err) { 41 peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
41 logger.error('Error in JSON.parse', { error: err }) 42 if (err) {
42 return res.sendStatus(500) 43 logger.error('Cannot decrypt data.', { error: err })
43 } 44 return res.sendStatus(500)
44
45 next()
46 })
47 } else {
48 logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
49 return res.sendStatus(403)
50 } 45 }
46
47 try {
48 req.body.data = JSON.parse(decrypted)
49 delete req.body.key
50 } catch (err) {
51 logger.error('Error in JSON.parse', { error: err })
52 return res.sendStatus(500)
53 }
54
55 next()
51 }) 56 })
52} 57}
53 58