1 files changed, 78 insertions, 19 deletions
diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts
index d7f59be8c..01e5dd24e 100644
--- a/server/middlewares/activitypub.ts
+++ b/server/middlewares/activitypub.ts
@@ -2,34 +2,32 @@ import { eachSeries } from 'async'
 import { NextFunction, Request, RequestHandler, Response } from 'express'
 import { ActivityPubSignature } from '../../shared'
 import { logger } from '../helpers/logger'
-import { isSignatureVerified } from '../helpers/peertube-crypto'
+import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
-import { ACCEPT_HEADERS, ACTIVITY_PUB } from '../initializers'
+import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers'
 import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'
 import { ActorModel } from '../models/activitypub/actor'
+import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger'
 async function checkSignature (req: Request, res: Response, next: NextFunction) {
-  const signatureObject: ActivityPubSignature = req.body.signature
+  try {
+    const httpSignatureChecked = await checkHttpSignature(req, res)
+    if (httpSignatureChecked !== true) return
-  const [ creator ] = signatureObject.creator.split('#')
+    const actor: ActorModel = res.locals.signature.actor
-  logger.debug('Checking signature of actor %s...', creator)
+    // Forwarded activity
+    const bodyActor = req.body.actor
+    const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor
+    if (bodyActorId && bodyActorId !== actor.url) {
+      const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
+      if (jsonLDSignatureChecked !== true) return
+    }
-  let actor: ActorModel
+    return next()
-  try {
-    actor = await getOrCreateActorAndServerAndModel(creator)
  } catch (err) {
-    logger.warn('Cannot create remote actor %s and check signature.', creator, { err })
+    logger.error('Error in ActivityPub signature checker.', err)
    return res.sendStatus(403)
  }
-  const verified = await isSignatureVerified(actor, req.body)
-  if (verified === false) return res.sendStatus(403)
-  res.locals.signature = {
-    actor
-  }
-  return next()
 }
 function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) {
@@ -55,5 +53,66 @@ function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) {
 export {
  checkSignature,
-  executeIfActivityPub
+  executeIfActivityPub,
+  checkHttpSignature
+}
+// ---------------------------------------------------------------------------
+async function checkHttpSignature (req: Request, res: Response) {
+  // FIXME: mastodon does not include the Signature scheme
+  const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
+  if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig
+  const parsed = parseHTTPSignature(req)
+  const keyId = parsed.keyId
+  if (!keyId) {
+    res.sendStatus(403)
+    return false
+  }
+  logger.debug('Checking HTTP signature of actor %s...', keyId)
+  let [ actorUrl ] = keyId.split('#')
+  if (actorUrl.startsWith('acct:')) {
+    actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
+  }
+  const actor = await getOrCreateActorAndServerAndModel(actorUrl)
+  const verified = isHTTPSignatureVerified(parsed, actor)
+  if (verified !== true) {
+    res.sendStatus(403)
+    return false
+  }
+  res.locals.signature = { actor }
+  return true
+}
+async function checkJsonLDSignature (req: Request, res: Response) {
+  const signatureObject: ActivityPubSignature = req.body.signature
+  if (!signatureObject || !signatureObject.creator) {
+    res.sendStatus(403)
+    return false
+  }
+  const [ creator ] = signatureObject.creator.split('#')
+  logger.debug('Checking JsonLD signature of actor %s...', creator)
+  const actor = await getOrCreateActorAndServerAndModel(creator)
+  const verified = await isJsonLDSignatureVerified(actor, req.body)
+  if (verified !== true) {
+    res.sendStatus(403)
+    return false
+  }
+  res.locals.signature = { actor }
+  return true
 }

diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index d7f59be8c..01e5dd24e 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts
@@ -2,34 +2,32 @@ import { eachSeries } from 'async'
2	import { NextFunction, Request, RequestHandler, Response } from 'express'	2	import { NextFunction, Request, RequestHandler, Response } from 'express'
3	import { ActivityPubSignature } from '../../shared'	3	import { ActivityPubSignature } from '../../shared'
4	import { logger } from '../helpers/logger'	4	import { logger } from '../helpers/logger'
5	import { isSignatureVerified } from '../helpers/peertube-crypto'	5	import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
6	import { ACCEPT_HEADERS, ACTIVITY_PUB } from '../initializers'	6	import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers'
7	import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'	7	import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'
8	import { ActorModel } from '../models/activitypub/actor'	8	import { ActorModel } from '../models/activitypub/actor'
		9	import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger'
9		10
10	async function checkSignature (req: Request, res: Response, next: NextFunction) {	11	async function checkSignature (req: Request, res: Response, next: NextFunction) {
11	const signatureObject: ActivityPubSignature = req.body.signature	12	try {
		13	const httpSignatureChecked = await checkHttpSignature(req, res)
		14	if (httpSignatureChecked !== true) return
12		15
13	const [ creator ] = signatureObject.creator.split('#')	16	const actor: ActorModel = res.locals.signature.actor
14		17
15	logger.debug('Checking signature of actor %s...', creator)	18	// Forwarded activity
		19	const bodyActor = req.body.actor
		20	const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor
		21	if (bodyActorId && bodyActorId !== actor.url) {
		22	const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
		23	if (jsonLDSignatureChecked !== true) return
		24	}
16		25
17	let actor: ActorModel	26	return next()
18	try {
19	actor = await getOrCreateActorAndServerAndModel(creator)
20	} catch (err) {	27	} catch (err) {
21	logger.warn('Cannot create remote actor %s and check signature.', creator, { err })	28	logger.error('Error in ActivityPub signature checker.', err)
22	return res.sendStatus(403)	29	return res.sendStatus(403)
23	}	30	}
24
25	const verified = await isSignatureVerified(actor, req.body)
26	if (verified === false) return res.sendStatus(403)
27
28	res.locals.signature = {
29	actor
30	}
31
32	return next()
33	}	31	}
34		32
35	function executeIfActivityPub (fun: RequestHandler \| RequestHandler[]) {	33	function executeIfActivityPub (fun: RequestHandler \| RequestHandler[]) {
@@ -55,5 +53,66 @@ function executeIfActivityPub (fun: RequestHandler \| RequestHandler[]) {
55		53
56	export {	54	export {
57	checkSignature,	55	checkSignature,
58	executeIfActivityPub	56	executeIfActivityPub,
		57	checkHttpSignature
		58	}
		59
		60	// ---------------------------------------------------------------------------
		61
		62	async function checkHttpSignature (req: Request, res: Response) {
		63	// FIXME: mastodon does not include the Signature scheme
		64	const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
		65	if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig
		66
		67	const parsed = parseHTTPSignature(req)
		68
		69	const keyId = parsed.keyId
		70	if (!keyId) {
		71	res.sendStatus(403)
		72	return false
		73	}
		74
		75	logger.debug('Checking HTTP signature of actor %s...', keyId)
		76
		77	let [ actorUrl ] = keyId.split('#')
		78	if (actorUrl.startsWith('acct:')) {
		79	actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
		80	}
		81
		82	const actor = await getOrCreateActorAndServerAndModel(actorUrl)
		83
		84	const verified = isHTTPSignatureVerified(parsed, actor)
		85	if (verified !== true) {
		86	res.sendStatus(403)
		87	return false
		88	}
		89
		90	res.locals.signature = { actor }
		91
		92	return true
		93	}
		94
		95	async function checkJsonLDSignature (req: Request, res: Response) {
		96	const signatureObject: ActivityPubSignature = req.body.signature
		97
		98	if (!signatureObject \|\| !signatureObject.creator) {
		99	res.sendStatus(403)
		100	return false
		101	}
		102
		103	const [ creator ] = signatureObject.creator.split('#')
		104
		105	logger.debug('Checking JsonLD signature of actor %s...', creator)
		106
		107	const actor = await getOrCreateActorAndServerAndModel(creator)
		108	const verified = await isJsonLDSignatureVerified(actor, req.body)
		109
		110	if (verified !== true) {
		111	res.sendStatus(403)
		112	return false
		113	}
		114
		115	res.locals.signature = { actor }
		116
		117	return true
59	}	118	}