3 files changed, 32 insertions, 21 deletions
diff --git a/server/controllers/api/v1/pods.js b/server/controllers/api/v1/pods.js
index 2bdfe0c92..d509db964 100644
--- a/server/controllers/api/v1/pods.js
+++ b/server/controllers/api/v1/pods.js
@@ -10,6 +10,7 @@ const friends = require('../../../lib/friends')
 const middlewares = require('../../../middlewares')
 const admin = middlewares.admin
 const oAuth = middlewares.oauth
+const checkSignature = middlewares.secure.checkSignature
 const validators = middlewares.validators.pods
 const signatureValidator = middlewares.validators.remote.signature
@@ -31,7 +32,11 @@ router.get('/quitfriends',
  quitFriends
 )
 // Post because this is a secured request
-router.post('/remove', signatureValidator, removePods)
+router.post('/remove',
+  signatureValidator,
+  checkSignature,
+  removePods
+)
 // ---------------------------------------------------------------------------
diff --git a/server/controllers/api/v1/remote.js b/server/controllers/api/v1/remote.js
index f452986b8..a22c5d151 100644
--- a/server/controllers/api/v1/remote.js
+++ b/server/controllers/api/v1/remote.js
@@ -16,6 +16,7 @@ const Video = mongoose.model('Video')
 router.post('/videos',
  validators.signature,
  validators.dataToDecrypt,
+  secureMiddleware.checkSignature,
  secureMiddleware.decryptBody,
  validators.remoteVideos,
  remoteVideos
diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js
index fa000c6f0..33a52e8d9 100644
--- a/server/middlewares/secure.js
+++ b/server/middlewares/secure.js
@@ -7,10 +7,11 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
 const Pod = mongoose.model('Pod')
 const secureMiddleware = {
+  checkSignature: checkSignature,
  decryptBody: decryptBody
 }
-function decryptBody (req, res, next) {
+function checkSignature (req, res, next) {
  const url = req.body.signature.url
  Pod.loadByUrl(url, function (err, pod) {
    if (err) {
@@ -28,26 +29,30 @@ function decryptBody (req, res, next) {
    const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature)
    if (signatureOk === true) {
-      peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
+      return next()
-        if (err) {
+    }
-          logger.error('Cannot decrypt data.', { error: err })
-          return res.sendStatus(500)
+    logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
-        }
+    return res.sendStatus(403)
+  })
-        try {
+}
-          req.body.data = JSON.parse(decrypted)
-          delete req.body.key
+function decryptBody (req, res, next) {
-        } catch (err) {
+  peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
-          logger.error('Error in JSON.parse', { error: err })
+    if (err) {
-          return res.sendStatus(500)
+      logger.error('Cannot decrypt data.', { error: err })
-        }
+      return res.sendStatus(500)
-        next()
-      })
-    } else {
-      logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
-      return res.sendStatus(403)
    }
+    try {
+      req.body.data = JSON.parse(decrypted)
+      delete req.body.key
+    } catch (err) {
+      logger.error('Error in JSON.parse', { error: err })
+      return res.sendStatus(500)
+    }
+    next()
  })
 }

diff --git a/server/controllers/api/v1/pods.js b/server/controllers/api/v1/pods.js index 2bdfe0c92..d509db964 100644 --- a/server/controllers/api/v1/pods.js +++ b/server/controllers/api/v1/pods.js
@@ -10,6 +10,7 @@ const friends = require('../../../lib/friends')
10	const middlewares = require('../../../middlewares')	10	const middlewares = require('../../../middlewares')
11	const admin = middlewares.admin	11	const admin = middlewares.admin
12	const oAuth = middlewares.oauth	12	const oAuth = middlewares.oauth
		13	const checkSignature = middlewares.secure.checkSignature
13	const validators = middlewares.validators.pods	14	const validators = middlewares.validators.pods
14	const signatureValidator = middlewares.validators.remote.signature	15	const signatureValidator = middlewares.validators.remote.signature
15		16
@@ -31,7 +32,11 @@ router.get('/quitfriends',
31	quitFriends	32	quitFriends
32	)	33	)
33	// Post because this is a secured request	34	// Post because this is a secured request
34	router.post('/remove', signatureValidator, removePods)	35	router.post('/remove',
		36	signatureValidator,
		37	checkSignature,
		38	removePods
		39	)
35		40
36	// ---------------------------------------------------------------------------	41	// ---------------------------------------------------------------------------
37		42


diff --git a/server/controllers/api/v1/remote.js b/server/controllers/api/v1/remote.js index f452986b8..a22c5d151 100644 --- a/server/controllers/api/v1/remote.js +++ b/server/controllers/api/v1/remote.js
@@ -16,6 +16,7 @@ const Video = mongoose.model('Video')
16	router.post('/videos',	16	router.post('/videos',
17	validators.signature,	17	validators.signature,
18	validators.dataToDecrypt,	18	validators.dataToDecrypt,
		19	secureMiddleware.checkSignature,
19	secureMiddleware.decryptBody,	20	secureMiddleware.decryptBody,
20	validators.remoteVideos,	21	validators.remoteVideos,
21	remoteVideos	22	remoteVideos


diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js index fa000c6f0..33a52e8d9 100644 --- a/server/middlewares/secure.js +++ b/server/middlewares/secure.js
@@ -7,10 +7,11 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
7	const Pod = mongoose.model('Pod')	7	const Pod = mongoose.model('Pod')
8		8
9	const secureMiddleware = {	9	const secureMiddleware = {
		10	checkSignature: checkSignature,
10	decryptBody: decryptBody	11	decryptBody: decryptBody
11	}	12	}
12		13
13	function decryptBody (req, res, next) {	14	function checkSignature (req, res, next) {
14	const url = req.body.signature.url	15	const url = req.body.signature.url
15	Pod.loadByUrl(url, function (err, pod) {	16	Pod.loadByUrl(url, function (err, pod) {
16	if (err) {	17	if (err) {
@@ -28,26 +29,30 @@ function decryptBody (req, res, next) {
28	const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature)	29	const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature)
29		30
30	if (signatureOk === true) {	31	if (signatureOk === true) {
31	peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {	32	return next()
32	if (err) {	33	}
33	logger.error('Cannot decrypt data.', { error: err })	34
34	return res.sendStatus(500)	35	logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
35	}	36	return res.sendStatus(403)
36		37	})
37	try {	38	}
38	req.body.data = JSON.parse(decrypted)	39
39	delete req.body.key	40	function decryptBody (req, res, next) {
40	} catch (err) {	41	peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
41	logger.error('Error in JSON.parse', { error: err })	42	if (err) {
42	return res.sendStatus(500)	43	logger.error('Cannot decrypt data.', { error: err })
43	}	44	return res.sendStatus(500)
44
45	next()
46	})
47	} else {
48	logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
49	return res.sendStatus(403)
50	}	45	}
		46
		47	try {
		48	req.body.data = JSON.parse(decrypted)
		49	delete req.body.key
		50	} catch (err) {
		51	logger.error('Error in JSON.parse', { error: err })
		52	return res.sendStatus(500)
		53	}
		54
		55	next()
51	})	56	})
52	}	57	}
53		58