diff options
-rw-r--r-- | server/controllers/api/v1/pods.js | 7 | ||||
-rw-r--r-- | server/controllers/api/v1/remote.js | 1 | ||||
-rw-r--r-- | server/middlewares/secure.js | 45 |
3 files changed, 32 insertions, 21 deletions
diff --git a/server/controllers/api/v1/pods.js b/server/controllers/api/v1/pods.js index 2bdfe0c92..d509db964 100644 --- a/server/controllers/api/v1/pods.js +++ b/server/controllers/api/v1/pods.js | |||
@@ -10,6 +10,7 @@ const friends = require('../../../lib/friends') | |||
10 | const middlewares = require('../../../middlewares') | 10 | const middlewares = require('../../../middlewares') |
11 | const admin = middlewares.admin | 11 | const admin = middlewares.admin |
12 | const oAuth = middlewares.oauth | 12 | const oAuth = middlewares.oauth |
13 | const checkSignature = middlewares.secure.checkSignature | ||
13 | const validators = middlewares.validators.pods | 14 | const validators = middlewares.validators.pods |
14 | const signatureValidator = middlewares.validators.remote.signature | 15 | const signatureValidator = middlewares.validators.remote.signature |
15 | 16 | ||
@@ -31,7 +32,11 @@ router.get('/quitfriends', | |||
31 | quitFriends | 32 | quitFriends |
32 | ) | 33 | ) |
33 | // Post because this is a secured request | 34 | // Post because this is a secured request |
34 | router.post('/remove', signatureValidator, removePods) | 35 | router.post('/remove', |
36 | signatureValidator, | ||
37 | checkSignature, | ||
38 | removePods | ||
39 | ) | ||
35 | 40 | ||
36 | // --------------------------------------------------------------------------- | 41 | // --------------------------------------------------------------------------- |
37 | 42 | ||
diff --git a/server/controllers/api/v1/remote.js b/server/controllers/api/v1/remote.js index f452986b8..a22c5d151 100644 --- a/server/controllers/api/v1/remote.js +++ b/server/controllers/api/v1/remote.js | |||
@@ -16,6 +16,7 @@ const Video = mongoose.model('Video') | |||
16 | router.post('/videos', | 16 | router.post('/videos', |
17 | validators.signature, | 17 | validators.signature, |
18 | validators.dataToDecrypt, | 18 | validators.dataToDecrypt, |
19 | secureMiddleware.checkSignature, | ||
19 | secureMiddleware.decryptBody, | 20 | secureMiddleware.decryptBody, |
20 | validators.remoteVideos, | 21 | validators.remoteVideos, |
21 | remoteVideos | 22 | remoteVideos |
diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js index fa000c6f0..33a52e8d9 100644 --- a/server/middlewares/secure.js +++ b/server/middlewares/secure.js | |||
@@ -7,10 +7,11 @@ const peertubeCrypto = require('../helpers/peertube-crypto') | |||
7 | const Pod = mongoose.model('Pod') | 7 | const Pod = mongoose.model('Pod') |
8 | 8 | ||
9 | const secureMiddleware = { | 9 | const secureMiddleware = { |
10 | checkSignature: checkSignature, | ||
10 | decryptBody: decryptBody | 11 | decryptBody: decryptBody |
11 | } | 12 | } |
12 | 13 | ||
13 | function decryptBody (req, res, next) { | 14 | function checkSignature (req, res, next) { |
14 | const url = req.body.signature.url | 15 | const url = req.body.signature.url |
15 | Pod.loadByUrl(url, function (err, pod) { | 16 | Pod.loadByUrl(url, function (err, pod) { |
16 | if (err) { | 17 | if (err) { |
@@ -28,26 +29,30 @@ function decryptBody (req, res, next) { | |||
28 | const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature) | 29 | const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature) |
29 | 30 | ||
30 | if (signatureOk === true) { | 31 | if (signatureOk === true) { |
31 | peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) { | 32 | return next() |
32 | if (err) { | 33 | } |
33 | logger.error('Cannot decrypt data.', { error: err }) | 34 | |
34 | return res.sendStatus(500) | 35 | logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url) |
35 | } | 36 | return res.sendStatus(403) |
36 | 37 | }) | |
37 | try { | 38 | } |
38 | req.body.data = JSON.parse(decrypted) | 39 | |
39 | delete req.body.key | 40 | function decryptBody (req, res, next) { |
40 | } catch (err) { | 41 | peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) { |
41 | logger.error('Error in JSON.parse', { error: err }) | 42 | if (err) { |
42 | return res.sendStatus(500) | 43 | logger.error('Cannot decrypt data.', { error: err }) |
43 | } | 44 | return res.sendStatus(500) |
44 | |||
45 | next() | ||
46 | }) | ||
47 | } else { | ||
48 | logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url) | ||
49 | return res.sendStatus(403) | ||
50 | } | 45 | } |
46 | |||
47 | try { | ||
48 | req.body.data = JSON.parse(decrypted) | ||
49 | delete req.body.key | ||
50 | } catch (err) { | ||
51 | logger.error('Error in JSON.parse', { error: err }) | ||
52 | return res.sendStatus(500) | ||
53 | } | ||
54 | |||
55 | next() | ||
51 | }) | 56 | }) |
52 | } | 57 | } |
53 | 58 | ||