2 files changed, 88 insertions, 22 deletions
diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts
index d7f59be8c..1ec888477 100644
--- a/server/middlewares/activitypub.ts
+++ b/server/middlewares/activitypub.ts
@@ -2,34 +2,32 @@ import { eachSeries } from 'async'
 import { NextFunction, Request, RequestHandler, Response } from 'express'
 import { ActivityPubSignature } from '../../shared'
 import { logger } from '../helpers/logger'
-import { isSignatureVerified } from '../helpers/peertube-crypto'
+import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
-import { ACCEPT_HEADERS, ACTIVITY_PUB } from '../initializers'
+import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers'
 import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'
 import { ActorModel } from '../models/activitypub/actor'
+import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger'
 async function checkSignature (req: Request, res: Response, next: NextFunction) {
-  const signatureObject: ActivityPubSignature = req.body.signature
+  try {
+    const httpSignatureChecked = await checkHttpSignature(req, res)
+    if (httpSignatureChecked !== true) return
-  const [ creator ] = signatureObject.creator.split('#')
+    const actor: ActorModel = res.locals.signature.actor
-  logger.debug('Checking signature of actor %s...', creator)
+    // Forwarded activity
+    const bodyActor = req.body.actor
+    const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor
+    if (bodyActorId && bodyActorId !== actor.url) {
+      const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
+      if (jsonLDSignatureChecked !== true) return
+    }
-  let actor: ActorModel
+    return next()
-  try {
-    actor = await getOrCreateActorAndServerAndModel(creator)
  } catch (err) {
-    logger.warn('Cannot create remote actor %s and check signature.', creator, { err })
+    logger.error('Error in ActivityPub signature checker.', err)
    return res.sendStatus(403)
  }
-  const verified = await isSignatureVerified(actor, req.body)
-  if (verified === false) return res.sendStatus(403)
-  res.locals.signature = {
-    actor
-  }
-  return next()
 }
 function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) {
@@ -57,3 +55,63 @@ export {
  checkSignature,
  executeIfActivityPub
 }
+// ---------------------------------------------------------------------------
+async function checkHttpSignature (req: Request, res: Response) {
+  // FIXME: mastodon does not include the Signature scheme
+  const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
+  if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig
+  const parsed = parseHTTPSignature(req)
+  const keyId = parsed.keyId
+  if (!keyId) {
+    res.sendStatus(403)
+    return false
+  }
+  logger.debug('Checking HTTP signature of actor %s...', keyId)
+  let [ actorUrl ] = keyId.split('#')
+  if (actorUrl.startsWith('acct:')) {
+    actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
+  }
+  const actor = await getOrCreateActorAndServerAndModel(actorUrl)
+  const verified = isHTTPSignatureVerified(parsed, actor)
+  if (verified !== true) {
+    res.sendStatus(403)
+    return false
+  }
+  res.locals.signature = { actor }
+  return true
+}
+async function checkJsonLDSignature (req: Request, res: Response) {
+  const signatureObject: ActivityPubSignature = req.body.signature
+  if (!signatureObject.creator) {
+    res.sendStatus(403)
+    return false
+  }
+  const [ creator ] = signatureObject.creator.split('#')
+  logger.debug('Checking JsonLD signature of actor %s...', creator)
+  const actor = await getOrCreateActorAndServerAndModel(creator)
+  const verified = await isJsonLDSignatureVerified(actor, req.body)
+  if (verified !== true) {
+    res.sendStatus(403)
+    return false
+  }
+  res.locals.signature = { actor }
+  return true
+}
diff --git a/server/middlewares/validators/activitypub/signature.ts b/server/middlewares/validators/activitypub/signature.ts
index 4efe9aafa..be14e92ea 100644
--- a/server/middlewares/validators/activitypub/signature.ts
+++ b/server/middlewares/validators/activitypub/signature.ts
@@ -9,10 +9,18 @@ import { logger } from '../../../helpers/logger'
 import { areValidationErrors } from '../utils'
 const signatureValidator = [
-  body('signature.type').custom(isSignatureTypeValid).withMessage('Should have a valid signature type'),
+  body('signature.type')
-  body('signature.created').custom(isDateValid).withMessage('Should have a valid signature created date'),
+    .optional()
-  body('signature.creator').custom(isSignatureCreatorValid).withMessage('Should have a valid signature creator'),
+    .custom(isSignatureTypeValid).withMessage('Should have a valid signature type'),
-  body('signature.signatureValue').custom(isSignatureValueValid).withMessage('Should have a valid signature value'),
+  body('signature.created')
+    .optional()
+    .custom(isDateValid).withMessage('Should have a valid signature created date'),
+  body('signature.creator')
+    .optional()
+    .custom(isSignatureCreatorValid).withMessage('Should have a valid signature creator'),
+  body('signature.signatureValue')
+    .optional()
+    .custom(isSignatureValueValid).withMessage('Should have a valid signature value'),
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking activitypub signature parameter', { parameters: { signature: req.body.signature } })

diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index d7f59be8c..1ec888477 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts
@@ -2,34 +2,32 @@ import { eachSeries } from 'async'
2	import { NextFunction, Request, RequestHandler, Response } from 'express'	2	import { NextFunction, Request, RequestHandler, Response } from 'express'
3	import { ActivityPubSignature } from '../../shared'	3	import { ActivityPubSignature } from '../../shared'
4	import { logger } from '../helpers/logger'	4	import { logger } from '../helpers/logger'
5	import { isSignatureVerified } from '../helpers/peertube-crypto'	5	import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto'
6	import { ACCEPT_HEADERS, ACTIVITY_PUB } from '../initializers'	6	import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers'
7	import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'	7	import { getOrCreateActorAndServerAndModel } from '../lib/activitypub'
8	import { ActorModel } from '../models/activitypub/actor'	8	import { ActorModel } from '../models/activitypub/actor'
		9	import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger'
9		10
10	async function checkSignature (req: Request, res: Response, next: NextFunction) {	11	async function checkSignature (req: Request, res: Response, next: NextFunction) {
11	const signatureObject: ActivityPubSignature = req.body.signature	12	try {
		13	const httpSignatureChecked = await checkHttpSignature(req, res)
		14	if (httpSignatureChecked !== true) return
12		15
13	const [ creator ] = signatureObject.creator.split('#')	16	const actor: ActorModel = res.locals.signature.actor
14		17
15	logger.debug('Checking signature of actor %s...', creator)	18	// Forwarded activity
		19	const bodyActor = req.body.actor
		20	const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor
		21	if (bodyActorId && bodyActorId !== actor.url) {
		22	const jsonLDSignatureChecked = await checkJsonLDSignature(req, res)
		23	if (jsonLDSignatureChecked !== true) return
		24	}
16		25
17	let actor: ActorModel	26	return next()
18	try {
19	actor = await getOrCreateActorAndServerAndModel(creator)
20	} catch (err) {	27	} catch (err) {
21	logger.warn('Cannot create remote actor %s and check signature.', creator, { err })	28	logger.error('Error in ActivityPub signature checker.', err)
22	return res.sendStatus(403)	29	return res.sendStatus(403)
23	}	30	}
24
25	const verified = await isSignatureVerified(actor, req.body)
26	if (verified === false) return res.sendStatus(403)
27
28	res.locals.signature = {
29	actor
30	}
31
32	return next()
33	}	31	}
34		32
35	function executeIfActivityPub (fun: RequestHandler \| RequestHandler[]) {	33	function executeIfActivityPub (fun: RequestHandler \| RequestHandler[]) {
@@ -57,3 +55,63 @@ export {
57	checkSignature,	55	checkSignature,
58	executeIfActivityPub	56	executeIfActivityPub
59	}	57	}
		58
		59	// ---------------------------------------------------------------------------
		60
		61	async function checkHttpSignature (req: Request, res: Response) {
		62	// FIXME: mastodon does not include the Signature scheme
		63	const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
		64	if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig
		65
		66	const parsed = parseHTTPSignature(req)
		67
		68	const keyId = parsed.keyId
		69	if (!keyId) {
		70	res.sendStatus(403)
		71	return false
		72	}
		73
		74	logger.debug('Checking HTTP signature of actor %s...', keyId)
		75
		76	let [ actorUrl ] = keyId.split('#')
		77	if (actorUrl.startsWith('acct:')) {
		78	actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
		79	}
		80
		81	const actor = await getOrCreateActorAndServerAndModel(actorUrl)
		82
		83	const verified = isHTTPSignatureVerified(parsed, actor)
		84	if (verified !== true) {
		85	res.sendStatus(403)
		86	return false
		87	}
		88
		89	res.locals.signature = { actor }
		90
		91	return true
		92	}
		93
		94	async function checkJsonLDSignature (req: Request, res: Response) {
		95	const signatureObject: ActivityPubSignature = req.body.signature
		96
		97	if (!signatureObject.creator) {
		98	res.sendStatus(403)
		99	return false
		100	}
		101
		102	const [ creator ] = signatureObject.creator.split('#')
		103
		104	logger.debug('Checking JsonLD signature of actor %s...', creator)
		105
		106	const actor = await getOrCreateActorAndServerAndModel(creator)
		107	const verified = await isJsonLDSignatureVerified(actor, req.body)
		108
		109	if (verified !== true) {
		110	res.sendStatus(403)
		111	return false
		112	}
		113
		114	res.locals.signature = { actor }
		115
		116	return true
		117	}


diff --git a/server/middlewares/validators/activitypub/signature.ts b/server/middlewares/validators/activitypub/signature.ts index 4efe9aafa..be14e92ea 100644 --- a/server/middlewares/validators/activitypub/signature.ts +++ b/server/middlewares/validators/activitypub/signature.ts
@@ -9,10 +9,18 @@ import { logger } from '../../../helpers/logger'
9	import { areValidationErrors } from '../utils'	9	import { areValidationErrors } from '../utils'
10		10
11	const signatureValidator = [	11	const signatureValidator = [
12	body('signature.type').custom(isSignatureTypeValid).withMessage('Should have a valid signature type'),	12	body('signature.type')
13	body('signature.created').custom(isDateValid).withMessage('Should have a valid signature created date'),	13	.optional()
14	body('signature.creator').custom(isSignatureCreatorValid).withMessage('Should have a valid signature creator'),	14	.custom(isSignatureTypeValid).withMessage('Should have a valid signature type'),
15	body('signature.signatureValue').custom(isSignatureValueValid).withMessage('Should have a valid signature value'),	15	body('signature.created')
		16	.optional()
		17	.custom(isDateValid).withMessage('Should have a valid signature created date'),
		18	body('signature.creator')
		19	.optional()
		20	.custom(isSignatureCreatorValid).withMessage('Should have a valid signature creator'),
		21	body('signature.signatureValue')
		22	.optional()
		23	.custom(isSignatureValueValid).withMessage('Should have a valid signature value'),
16		24
17	(req: express.Request, res: express.Response, next: express.NextFunction) => {	25	(req: express.Request, res: express.Response, next: express.NextFunction) => {
18	logger.debug('Checking activitypub signature parameter', { parameters: { signature: req.body.signature } })	26	logger.debug('Checking activitypub signature parameter', { parameters: { signature: req.body.signature } })