diff options
Diffstat (limited to 'server/middlewares/activitypub.ts')
-rw-r--r-- | server/middlewares/activitypub.ts | 97 |
1 files changed, 78 insertions, 19 deletions
diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index d7f59be8c..01e5dd24e 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts | |||
@@ -2,34 +2,32 @@ import { eachSeries } from 'async' | |||
2 | import { NextFunction, Request, RequestHandler, Response } from 'express' | 2 | import { NextFunction, Request, RequestHandler, Response } from 'express' |
3 | import { ActivityPubSignature } from '../../shared' | 3 | import { ActivityPubSignature } from '../../shared' |
4 | import { logger } from '../helpers/logger' | 4 | import { logger } from '../helpers/logger' |
5 | import { isSignatureVerified } from '../helpers/peertube-crypto' | 5 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' |
6 | import { ACCEPT_HEADERS, ACTIVITY_PUB } from '../initializers' | 6 | import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers' |
7 | import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' | 7 | import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' |
8 | import { ActorModel } from '../models/activitypub/actor' | 8 | import { ActorModel } from '../models/activitypub/actor' |
9 | import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' | ||
9 | 10 | ||
10 | async function checkSignature (req: Request, res: Response, next: NextFunction) { | 11 | async function checkSignature (req: Request, res: Response, next: NextFunction) { |
11 | const signatureObject: ActivityPubSignature = req.body.signature | 12 | try { |
13 | const httpSignatureChecked = await checkHttpSignature(req, res) | ||
14 | if (httpSignatureChecked !== true) return | ||
12 | 15 | ||
13 | const [ creator ] = signatureObject.creator.split('#') | 16 | const actor: ActorModel = res.locals.signature.actor |
14 | 17 | ||
15 | logger.debug('Checking signature of actor %s...', creator) | 18 | // Forwarded activity |
19 | const bodyActor = req.body.actor | ||
20 | const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor | ||
21 | if (bodyActorId && bodyActorId !== actor.url) { | ||
22 | const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) | ||
23 | if (jsonLDSignatureChecked !== true) return | ||
24 | } | ||
16 | 25 | ||
17 | let actor: ActorModel | 26 | return next() |
18 | try { | ||
19 | actor = await getOrCreateActorAndServerAndModel(creator) | ||
20 | } catch (err) { | 27 | } catch (err) { |
21 | logger.warn('Cannot create remote actor %s and check signature.', creator, { err }) | 28 | logger.error('Error in ActivityPub signature checker.', err) |
22 | return res.sendStatus(403) | 29 | return res.sendStatus(403) |
23 | } | 30 | } |
24 | |||
25 | const verified = await isSignatureVerified(actor, req.body) | ||
26 | if (verified === false) return res.sendStatus(403) | ||
27 | |||
28 | res.locals.signature = { | ||
29 | actor | ||
30 | } | ||
31 | |||
32 | return next() | ||
33 | } | 31 | } |
34 | 32 | ||
35 | function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) { | 33 | function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) { |
@@ -55,5 +53,66 @@ function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) { | |||
55 | 53 | ||
56 | export { | 54 | export { |
57 | checkSignature, | 55 | checkSignature, |
58 | executeIfActivityPub | 56 | executeIfActivityPub, |
57 | checkHttpSignature | ||
58 | } | ||
59 | |||
60 | // --------------------------------------------------------------------------- | ||
61 | |||
62 | async function checkHttpSignature (req: Request, res: Response) { | ||
63 | // FIXME: mastodon does not include the Signature scheme | ||
64 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string | ||
65 | if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig | ||
66 | |||
67 | const parsed = parseHTTPSignature(req) | ||
68 | |||
69 | const keyId = parsed.keyId | ||
70 | if (!keyId) { | ||
71 | res.sendStatus(403) | ||
72 | return false | ||
73 | } | ||
74 | |||
75 | logger.debug('Checking HTTP signature of actor %s...', keyId) | ||
76 | |||
77 | let [ actorUrl ] = keyId.split('#') | ||
78 | if (actorUrl.startsWith('acct:')) { | ||
79 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) | ||
80 | } | ||
81 | |||
82 | const actor = await getOrCreateActorAndServerAndModel(actorUrl) | ||
83 | |||
84 | const verified = isHTTPSignatureVerified(parsed, actor) | ||
85 | if (verified !== true) { | ||
86 | res.sendStatus(403) | ||
87 | return false | ||
88 | } | ||
89 | |||
90 | res.locals.signature = { actor } | ||
91 | |||
92 | return true | ||
93 | } | ||
94 | |||
95 | async function checkJsonLDSignature (req: Request, res: Response) { | ||
96 | const signatureObject: ActivityPubSignature = req.body.signature | ||
97 | |||
98 | if (!signatureObject || !signatureObject.creator) { | ||
99 | res.sendStatus(403) | ||
100 | return false | ||
101 | } | ||
102 | |||
103 | const [ creator ] = signatureObject.creator.split('#') | ||
104 | |||
105 | logger.debug('Checking JsonLD signature of actor %s...', creator) | ||
106 | |||
107 | const actor = await getOrCreateActorAndServerAndModel(creator) | ||
108 | const verified = await isJsonLDSignatureVerified(actor, req.body) | ||
109 | |||
110 | if (verified !== true) { | ||
111 | res.sendStatus(403) | ||
112 | return false | ||
113 | } | ||
114 | |||
115 | res.locals.signature = { actor } | ||
116 | |||
117 | return true | ||
59 | } | 118 | } |