X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=server%2Fmiddlewares%2Factivitypub.ts;h=88cf342ee41ec94531dff3b683138397b5290a1f;hb=74dc3bca2b14f5fd3fe80c394dfc34177a46db77;hp=489396447cbaa9a52fabdb8198291a35437b9d1c;hpb=3fd3ab2d34d512b160a5e6084d7609be7b4f4452;p=oweals%2Fpeertube.git diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index 489396447..88cf342ee 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts @@ -1,62 +1,109 @@ -import { eachSeries } from 'async' -import { NextFunction, Request, RequestHandler, Response } from 'express' +import { NextFunction, Request, Response } from 'express' import { ActivityPubSignature } from '../../shared' -import { isSignatureVerified, logger } from '../helpers' -import { ACCEPT_HEADERS, ACTIVITY_PUB } from '../initializers' -import { fetchRemoteAccount, saveAccountAndServerIfNotExist } from '../lib/activitypub' -import { AccountModel } from '../models/account/account' +import { logger } from '../helpers/logger' +import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' +import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' +import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' +import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' async function checkSignature (req: Request, res: Response, next: NextFunction) { - const signatureObject: ActivityPubSignature = req.body.signature - - logger.debug('Checking signature of account %s...', signatureObject.creator) - - let account = await AccountModel.loadByUrl(signatureObject.creator) + try { + const httpSignatureChecked = await checkHttpSignature(req, res) + if (httpSignatureChecked !== true) return - // We don't have this account in our database, fetch it on remote - if (!account) { - account = await fetchRemoteAccount(signatureObject.creator) + const actor = res.locals.signature.actor - if (!account) { - return res.sendStatus(403) + // Forwarded activity + const bodyActor = req.body.actor + const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor + if (bodyActorId && bodyActorId !== actor.url) { + const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) + if (jsonLDSignatureChecked !== true) return } - // Save our new account and its server in database - await saveAccountAndServerIfNotExist(account) + return next() + } catch (err) { + logger.error('Error in ActivityPub signature checker.', err) + return res.sendStatus(403) } +} - const verified = await isSignatureVerified(account, req.body) - if (verified === false) return res.sendStatus(403) - - res.locals.signature = { - account +function executeIfActivityPub (req: Request, res: Response, next: NextFunction) { + const accepted = req.accepts(ACCEPT_HEADERS) + if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) { + // Bypass this route + return next('route') } + logger.debug('ActivityPub request for %s.', req.url) + return next() } -function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) { - return (req: Request, res: Response, next: NextFunction) => { - const accepted = req.accepts(ACCEPT_HEADERS) - if (accepted === false || ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS.indexOf(accepted) === -1) { - return next() - } +// --------------------------------------------------------------------------- + +export { + checkSignature, + executeIfActivityPub, + checkHttpSignature +} - logger.debug('ActivityPub request for %s.', req.url) +// --------------------------------------------------------------------------- - if (Array.isArray(fun) === true) { - return eachSeries(fun as RequestHandler[], (f, cb) => { - f(req, res, cb) - }, next) - } +async function checkHttpSignature (req: Request, res: Response) { + // FIXME: mastodon does not include the Signature scheme + const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string + if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig + + const parsed = parseHTTPSignature(req) + + const keyId = parsed.keyId + if (!keyId) { + res.sendStatus(403) + return false + } + + logger.debug('Checking HTTP signature of actor %s...', keyId) - return (fun as RequestHandler)(req, res, next) + let [ actorUrl ] = keyId.split('#') + if (actorUrl.startsWith('acct:')) { + actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) } + + const actor = await getOrCreateActorAndServerAndModel(actorUrl) + + const verified = isHTTPSignatureVerified(parsed, actor) + if (verified !== true) { + res.sendStatus(403) + return false + } + + res.locals.signature = { actor } + + return true } -// --------------------------------------------------------------------------- +async function checkJsonLDSignature (req: Request, res: Response) { + const signatureObject: ActivityPubSignature = req.body.signature -export { - checkSignature, - executeIfActivityPub + if (!signatureObject || !signatureObject.creator) { + res.sendStatus(403) + return false + } + + const [ creator ] = signatureObject.creator.split('#') + + logger.debug('Checking JsonLD signature of actor %s...', creator) + + const actor = await getOrCreateActorAndServerAndModel(creator) + const verified = await isJsonLDSignatureVerified(actor, req.body) + + if (verified !== true) { + res.sendStatus(403) + return false + } + + res.locals.signature = { actor } + + return true }