diff options
Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/activitypub.ts | 147 |
1 files changed, 76 insertions, 71 deletions
diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index 2a2d86a24..0064a4760 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts | |||
@@ -1,6 +1,7 @@ | |||
1 | import { NextFunction, Request, Response } from 'express' | 1 | import { NextFunction, Request, Response } from 'express' |
2 | import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor' | 2 | import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor' |
3 | import { getAPId } from '@server/lib/activitypub/activity' | 3 | import { getAPId } from '@server/lib/activitypub/activity' |
4 | import { wrapWithSpanAndContext } from '@server/lib/opentelemetry/tracing' | ||
4 | import { ActivityDelete, ActivityPubSignature, HttpStatusCode } from '@shared/models' | 5 | import { ActivityDelete, ActivityPubSignature, HttpStatusCode } from '@shared/models' |
5 | import { logger } from '../helpers/logger' | 6 | import { logger } from '../helpers/logger' |
6 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' | 7 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' |
@@ -61,91 +62,95 @@ export { | |||
61 | // --------------------------------------------------------------------------- | 62 | // --------------------------------------------------------------------------- |
62 | 63 | ||
63 | async function checkHttpSignature (req: Request, res: Response) { | 64 | async function checkHttpSignature (req: Request, res: Response) { |
64 | // FIXME: compatibility with http-signature < v1.3 | 65 | return wrapWithSpanAndContext('peertube.activitypub.checkHTTPSignature', async () => { |
65 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string | 66 | // FIXME: compatibility with http-signature < v1.3 |
66 | if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') | 67 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string |
67 | 68 | if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') | |
68 | let parsed: any | 69 | |
69 | 70 | let parsed: any | |
70 | try { | 71 | |
71 | parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) | 72 | try { |
72 | } catch (err) { | 73 | parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) |
73 | logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err }) | 74 | } catch (err) { |
74 | 75 | logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err }) | |
75 | res.fail({ | 76 | |
76 | status: HttpStatusCode.FORBIDDEN_403, | 77 | res.fail({ |
77 | message: err.message | 78 | status: HttpStatusCode.FORBIDDEN_403, |
78 | }) | 79 | message: err.message |
79 | return false | 80 | }) |
80 | } | 81 | return false |
82 | } | ||
81 | 83 | ||
82 | const keyId = parsed.keyId | 84 | const keyId = parsed.keyId |
83 | if (!keyId) { | 85 | if (!keyId) { |
84 | res.fail({ | 86 | res.fail({ |
85 | status: HttpStatusCode.FORBIDDEN_403, | 87 | status: HttpStatusCode.FORBIDDEN_403, |
86 | message: 'Invalid key ID', | 88 | message: 'Invalid key ID', |
87 | data: { | 89 | data: { |
88 | keyId | 90 | keyId |
89 | } | 91 | } |
90 | }) | 92 | }) |
91 | return false | 93 | return false |
92 | } | 94 | } |
93 | 95 | ||
94 | logger.debug('Checking HTTP signature of actor %s...', keyId) | 96 | logger.debug('Checking HTTP signature of actor %s...', keyId) |
95 | 97 | ||
96 | let [ actorUrl ] = keyId.split('#') | 98 | let [ actorUrl ] = keyId.split('#') |
97 | if (actorUrl.startsWith('acct:')) { | 99 | if (actorUrl.startsWith('acct:')) { |
98 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) | 100 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) |
99 | } | 101 | } |
100 | 102 | ||
101 | const actor = await getOrCreateAPActor(actorUrl) | 103 | const actor = await getOrCreateAPActor(actorUrl) |
102 | 104 | ||
103 | const verified = isHTTPSignatureVerified(parsed, actor) | 105 | const verified = isHTTPSignatureVerified(parsed, actor) |
104 | if (verified !== true) { | 106 | if (verified !== true) { |
105 | logger.warn('Signature from %s is invalid', actorUrl, { parsed }) | 107 | logger.warn('Signature from %s is invalid', actorUrl, { parsed }) |
106 | 108 | ||
107 | res.fail({ | 109 | res.fail({ |
108 | status: HttpStatusCode.FORBIDDEN_403, | 110 | status: HttpStatusCode.FORBIDDEN_403, |
109 | message: 'Invalid signature', | 111 | message: 'Invalid signature', |
110 | data: { | 112 | data: { |
111 | actorUrl | 113 | actorUrl |
112 | } | 114 | } |
113 | }) | 115 | }) |
114 | return false | 116 | return false |
115 | } | 117 | } |
116 | 118 | ||
117 | res.locals.signature = { actor } | 119 | res.locals.signature = { actor } |
118 | return true | 120 | return true |
121 | }) | ||
119 | } | 122 | } |
120 | 123 | ||
121 | async function checkJsonLDSignature (req: Request, res: Response) { | 124 | async function checkJsonLDSignature (req: Request, res: Response) { |
122 | const signatureObject: ActivityPubSignature = req.body.signature | 125 | return wrapWithSpanAndContext('peertube.activitypub.JSONLDSignature', async () => { |
123 | 126 | const signatureObject: ActivityPubSignature = req.body.signature | |
124 | if (!signatureObject || !signatureObject.creator) { | 127 | |
125 | res.fail({ | 128 | if (!signatureObject || !signatureObject.creator) { |
126 | status: HttpStatusCode.FORBIDDEN_403, | 129 | res.fail({ |
127 | message: 'Object and creator signature do not match' | 130 | status: HttpStatusCode.FORBIDDEN_403, |
128 | }) | 131 | message: 'Object and creator signature do not match' |
129 | return false | 132 | }) |
130 | } | 133 | return false |
134 | } | ||
131 | 135 | ||
132 | const [ creator ] = signatureObject.creator.split('#') | 136 | const [ creator ] = signatureObject.creator.split('#') |
133 | 137 | ||
134 | logger.debug('Checking JsonLD signature of actor %s...', creator) | 138 | logger.debug('Checking JsonLD signature of actor %s...', creator) |
135 | 139 | ||
136 | const actor = await getOrCreateAPActor(creator) | 140 | const actor = await getOrCreateAPActor(creator) |
137 | const verified = await isJsonLDSignatureVerified(actor, req.body) | 141 | const verified = await isJsonLDSignatureVerified(actor, req.body) |
138 | 142 | ||
139 | if (verified !== true) { | 143 | if (verified !== true) { |
140 | logger.warn('Signature not verified.', req.body) | 144 | logger.warn('Signature not verified.', req.body) |
141 | 145 | ||
142 | res.fail({ | 146 | res.fail({ |
143 | status: HttpStatusCode.FORBIDDEN_403, | 147 | status: HttpStatusCode.FORBIDDEN_403, |
144 | message: 'Signature could not be verified' | 148 | message: 'Signature could not be verified' |
145 | }) | 149 | }) |
146 | return false | 150 | return false |
147 | } | 151 | } |
148 | 152 | ||
149 | res.locals.signature = { actor } | 153 | res.locals.signature = { actor } |
150 | return true | 154 | return true |
155 | }) | ||
151 | } | 156 | } |