diff options
| -rw-r--r-- | server/helpers/peertube-crypto.ts | 15 | ||||
| -rw-r--r-- | server/initializers/constants.ts | 6 | ||||
| -rw-r--r-- | server/tests/api/activitypub/security.ts | 11 |
3 files changed, 23 insertions, 9 deletions
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts index b8f7c782a..1a7ee24a7 100644 --- a/server/helpers/peertube-crypto.ts +++ b/server/helpers/peertube-crypto.ts | |||
| @@ -51,11 +51,18 @@ function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): bool | |||
| 51 | } | 51 | } |
| 52 | 52 | ||
| 53 | function parseHTTPSignature (req: Request, clockSkew?: number) { | 53 | function parseHTTPSignature (req: Request, clockSkew?: number) { |
| 54 | const headers = req.method === 'POST' | 54 | const requiredHeaders = req.method === 'POST' |
| 55 | ? HTTP_SIGNATURE.REQUIRED_HEADERS.POST | 55 | ? [ '(request-target)', 'host', 'digest' ] |
| 56 | : HTTP_SIGNATURE.REQUIRED_HEADERS.ALL | 56 | : [ '(request-target)', 'host' ] |
| 57 | 57 | ||
| 58 | return httpSignature.parse(req, { clockSkew, headers }) | 58 | const parsed = httpSignature.parse(req, { clockSkew, headers: requiredHeaders }) |
| 59 | |||
| 60 | const parsedHeaders = parsed.params.headers | ||
| 61 | if (!parsedHeaders.includes('date') && !parsedHeaders.includes('(created)')) { | ||
| 62 | throw new Error(`date or (created) must be included in signature`) | ||
| 63 | } | ||
| 64 | |||
| 65 | return parsed | ||
| 59 | } | 66 | } |
| 60 | 67 | ||
| 61 | // JSONLD | 68 | // JSONLD |
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts index dca792b1b..44f676a15 100644 --- a/server/initializers/constants.ts +++ b/server/initializers/constants.ts | |||
| @@ -589,11 +589,7 @@ const ACTIVITY_PUB_ACTOR_TYPES: { [ id: string ]: ActivityPubActorType } = { | |||
| 589 | const HTTP_SIGNATURE = { | 589 | const HTTP_SIGNATURE = { |
| 590 | HEADER_NAME: 'signature', | 590 | HEADER_NAME: 'signature', |
| 591 | ALGORITHM: 'rsa-sha256', | 591 | ALGORITHM: 'rsa-sha256', |
| 592 | HEADERS_TO_SIGN: [ '(request-target)', 'host', 'date', 'digest' ], | 592 | HEADERS_TO_SIGN: [ '(request-target)', '(created)', 'host', 'date', 'digest' ], |
| 593 | REQUIRED_HEADERS: { | ||
| 594 | ALL: [ '(request-target)', 'host', 'date' ], | ||
| 595 | POST: [ '(request-target)', 'host', 'date', 'digest' ] | ||
| 596 | }, | ||
| 597 | CLOCK_SKEW_SECONDS: 1800 | 593 | CLOCK_SKEW_SECONDS: 1800 |
| 598 | } | 594 | } |
| 599 | 595 | ||
diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts index a070517b8..95e2aebb4 100644 --- a/server/tests/api/activitypub/security.ts +++ b/server/tests/api/activitypub/security.ts | |||
| @@ -147,6 +147,17 @@ describe('Test ActivityPub security', function () { | |||
| 147 | } | 147 | } |
| 148 | }) | 148 | }) |
| 149 | 149 | ||
| 150 | it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () { | ||
| 151 | const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') | ||
| 152 | const headers = buildGlobalHeaders(body) | ||
| 153 | |||
| 154 | const signatureOptions = baseHttpSignature() | ||
| 155 | signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ] | ||
| 156 | |||
| 157 | const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers) | ||
| 158 | expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204) | ||
| 159 | }) | ||
| 160 | |||
| 150 | it('Should succeed with a valid HTTP signature', async function () { | 161 | it('Should succeed with a valid HTTP signature', async function () { |
| 151 | const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') | 162 | const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') |
| 152 | const headers = buildGlobalHeaders(body) | 163 | const headers = buildGlobalHeaders(body) |