diff options
Diffstat (limited to 'server')
-rw-r--r-- | server/helpers/peertube-crypto.ts | 15 | ||||
-rw-r--r-- | server/initializers/constants.ts | 6 | ||||
-rw-r--r-- | server/tests/api/activitypub/security.ts | 11 |
3 files changed, 23 insertions, 9 deletions
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts index b8f7c782a..1a7ee24a7 100644 --- a/server/helpers/peertube-crypto.ts +++ b/server/helpers/peertube-crypto.ts | |||
@@ -51,11 +51,18 @@ function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): bool | |||
51 | } | 51 | } |
52 | 52 | ||
53 | function parseHTTPSignature (req: Request, clockSkew?: number) { | 53 | function parseHTTPSignature (req: Request, clockSkew?: number) { |
54 | const headers = req.method === 'POST' | 54 | const requiredHeaders = req.method === 'POST' |
55 | ? HTTP_SIGNATURE.REQUIRED_HEADERS.POST | 55 | ? [ '(request-target)', 'host', 'digest' ] |
56 | : HTTP_SIGNATURE.REQUIRED_HEADERS.ALL | 56 | : [ '(request-target)', 'host' ] |
57 | 57 | ||
58 | return httpSignature.parse(req, { clockSkew, headers }) | 58 | const parsed = httpSignature.parse(req, { clockSkew, headers: requiredHeaders }) |
59 | |||
60 | const parsedHeaders = parsed.params.headers | ||
61 | if (!parsedHeaders.includes('date') && !parsedHeaders.includes('(created)')) { | ||
62 | throw new Error(`date or (created) must be included in signature`) | ||
63 | } | ||
64 | |||
65 | return parsed | ||
59 | } | 66 | } |
60 | 67 | ||
61 | // JSONLD | 68 | // JSONLD |
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts index dca792b1b..44f676a15 100644 --- a/server/initializers/constants.ts +++ b/server/initializers/constants.ts | |||
@@ -589,11 +589,7 @@ const ACTIVITY_PUB_ACTOR_TYPES: { [ id: string ]: ActivityPubActorType } = { | |||
589 | const HTTP_SIGNATURE = { | 589 | const HTTP_SIGNATURE = { |
590 | HEADER_NAME: 'signature', | 590 | HEADER_NAME: 'signature', |
591 | ALGORITHM: 'rsa-sha256', | 591 | ALGORITHM: 'rsa-sha256', |
592 | HEADERS_TO_SIGN: [ '(request-target)', 'host', 'date', 'digest' ], | 592 | HEADERS_TO_SIGN: [ '(request-target)', '(created)', 'host', 'date', 'digest' ], |
593 | REQUIRED_HEADERS: { | ||
594 | ALL: [ '(request-target)', 'host', 'date' ], | ||
595 | POST: [ '(request-target)', 'host', 'date', 'digest' ] | ||
596 | }, | ||
597 | CLOCK_SKEW_SECONDS: 1800 | 593 | CLOCK_SKEW_SECONDS: 1800 |
598 | } | 594 | } |
599 | 595 | ||
diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts index a070517b8..95e2aebb4 100644 --- a/server/tests/api/activitypub/security.ts +++ b/server/tests/api/activitypub/security.ts | |||
@@ -147,6 +147,17 @@ describe('Test ActivityPub security', function () { | |||
147 | } | 147 | } |
148 | }) | 148 | }) |
149 | 149 | ||
150 | it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () { | ||
151 | const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') | ||
152 | const headers = buildGlobalHeaders(body) | ||
153 | |||
154 | const signatureOptions = baseHttpSignature() | ||
155 | signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ] | ||
156 | |||
157 | const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers) | ||
158 | expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204) | ||
159 | }) | ||
160 | |||
150 | it('Should succeed with a valid HTTP signature', async function () { | 161 | it('Should succeed with a valid HTTP signature', async function () { |
151 | const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') | 162 | const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') |
152 | const headers = buildGlobalHeaders(body) | 163 | const headers = buildGlobalHeaders(body) |