router.post('/videos',
validators.signature,
- validators.dataToDecrypt,
secureMiddleware.checkSignature,
- secureMiddleware.decryptBody,
validators.remoteVideos,
remoteVideos
)
comparePassword,
createCertsIfNotExist,
cryptPassword,
- decrypt,
- encrypt,
sign
}
})
}
-function decrypt (key, data, callback) {
- fs.readFile(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (err, file) {
- if (err) return callback(err)
-
- const myPrivateKey = ursa.createPrivateKey(file)
- const decryptedKey = myPrivateKey.decrypt(key, 'hex', 'utf8')
- const decryptedData = symetricDecrypt(data, decryptedKey)
-
- return callback(null, decryptedData)
- })
-}
-
-function encrypt (publicKey, data, callback) {
- const crt = ursa.createPublicKey(publicKey)
-
- symetricEncrypt(data, function (err, dataEncrypted) {
- if (err) return callback(err)
-
- const key = crt.encrypt(dataEncrypted.password, 'utf8', 'hex')
- const encrypted = {
- data: dataEncrypted.crypted,
- key: key
- }
-
- callback(null, encrypted)
- })
-}
-
function sign (data) {
const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem'))
const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex')
callback(null, buf.toString('utf8'))
})
}
-
-function symetricDecrypt (text, password) {
- const decipher = crypto.createDecipher(algorithm, password)
- let dec = decipher.update(text, 'hex', 'utf8')
- dec += decipher.final('utf8')
- return dec
-}
-
-function symetricEncrypt (text, callback) {
- generatePassword(function (err, password) {
- if (err) return callback(err)
-
- const cipher = crypto.createCipher(algorithm, password)
- let crypted = cipher.update(text, 'utf8', 'hex')
- crypted += cipher.final('hex')
- callback(null, { crypted: crypted, password: password })
- })
-}
// If there are data informations
if (params.data) {
- // Encrypt data
- if (params.encrypt === true) {
- peertubeCrypto.encrypt(params.toPod.publicKey, JSON.stringify(params.data), function (err, encrypted) {
- if (err) return callback(err)
-
- requestParams.json.data = encrypted.data
- requestParams.json.key = encrypted.key
-
- request.post(requestParams, callback)
- })
- } else {
- // No encryption
- requestParams.json.data = params.data
- request.post(requestParams, callback)
- }
+ requestParams.json.data = params.data
+ request.post(requestParams, callback)
} else {
// No data
request.post(requestParams, callback)
const Pod = mongoose.model('Pod')
const secureMiddleware = {
- checkSignature,
- decryptBody
+ checkSignature
}
function checkSignature (req, res, next) {
const host = req.body.signature.host
Pod.loadByHost(host, function (err, pod) {
if (err) {
- logger.error('Cannot get signed host in decryptBody.', { error: err })
+ logger.error('Cannot get signed host in body.', { error: err })
return res.sendStatus(500)
}
return res.sendStatus(403)
}
- logger.debug('Decrypting body from %s.', host)
+ logger.debug('Checking signature from %s.', host)
const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature)
return next()
}
- logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.host)
+ logger.error('Signature is not okay in body for %s.', req.body.signature.host)
return res.sendStatus(403)
})
}
-function decryptBody (req, res, next) {
- peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
- if (err) {
- logger.error('Cannot decrypt data.', { error: err })
- return res.sendStatus(500)
- }
-
- try {
- req.body.data = JSON.parse(decrypted)
- delete req.body.key
- } catch (err) {
- logger.error('Error in JSON.parse', { error: err })
- return res.sendStatus(500)
- }
-
- next()
- })
-}
-
// ---------------------------------------------------------------------------
module.exports = secureMiddleware
const logger = require('../../helpers/logger')
const validatorsRemote = {
- dataToDecrypt,
remoteVideos,
signature
}
-function dataToDecrypt (req, res, next) {
- req.checkBody('key', 'Should have a key').notEmpty()
- req.checkBody('data', 'Should have data').notEmpty()
-
- logger.debug('Checking dataToDecrypt parameters', { parameters: { keyLength: req.body.key.length, bodyLength: req.body.data.length } })
-
- checkErrors(req, res, next)
-}
-
function remoteVideos (req, res, next) {
req.checkBody('data').isEachRemoteVideosValid()
const params = {
toPod: toPod,
- encrypt: true, // Security
- sign: true, // To prove our identity
+ sign: true, // Prove our identity
method: 'POST',
path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint,
data: requestsToMake // Requests we need to make
projects / oweals / peertube.git / commitdiff