gancio-upstream/server/federation/helpers.js

const fetch = require('node-fetch')
// const request = require('request')
const crypto = require('crypto')
const config = require('config')
const httpSignature = require('http-signature')
const debug = require('debug')('federation:helpers')
const { user: User, fed_users: FedUsers } = require('../api/models')
const url = require('url')
const settingsController = require('../api/controller/settings')

const Helpers = {

  // ignore unimplemented ping url from fediverse
  spamFilter (req, res, next) {
    const urlToIgnore = [
      '/api/v1/instance',
      '/api/meta',
      '/api/statusnet/version.json',
      '/api/gnusocial/version.json',
      '/api/statusnet/config.json',
      '/poco'
    ]
    if (urlToIgnore.includes(req.path)) { return res.status(404).send('Not Found') }
    next()
  },

  async signAndSend (message, user, inbox) {
    // get the URI of the actor object and append 'inbox' to it
    const inboxUrl = url.parse(inbox)
    // const toPath = toOrigin.path + '/inbox'
    // get the private key
    const privkey = user.rsa.privateKey
    const signer = crypto.createSign('sha256')
    const d = new Date()
    const stringToSign = `(request-target): post ${inboxUrl.path}\nhost: ${inboxUrl.hostname}\ndate: ${d.toUTCString()}`
    debug('Sign and send', user.username, inbox)
    signer.update(stringToSign)
    signer.end()
    const signature = signer.sign(privkey)
    const signature_b64 = signature.toString('base64')
    const header = `keyId="${config.baseurl}/federation/u/${user.username}",headers="(request-target) host date",signature="${signature_b64}"`
    const ret = await fetch(inbox, {
      headers: {
        'Host': inboxUrl.hostname,
        'Date': d.toUTCString(),
        'Signature': header,
        'Content-Type': 'application/activity+json; charset=utf-8',
        'Accept': 'application/activity+json, application/json; chartset=utf-8'
      },
      method: 'POST',
      body: JSON.stringify(message) })
    debug('sign %s => %s', ret.status, await ret.text())
  },

  async sendEvent (event, user, type = 'Create') {
    if (!settingsController.settings.enable_federation) {
      debug('event not send, federation disabled')
      return
    }

    // event is sent by user that published it and by the admin instance
    // collect followers from admin and user
    const instanceAdmin = await User.findOne({ where: { email: config.admin_email }, include: { model: FedUsers, as: 'followers' } })
    if (!instanceAdmin || !instanceAdmin.username) {
      debug('Instance admin not found (there is no user with email => %s)', config.admin_email)
      return
    }

    let recipients = {}
    instanceAdmin.followers.forEach(follower => {
      const sharedInbox = follower.object.endpoints.sharedInbox
      if (!recipients[sharedInbox]) { recipients[sharedInbox] = [] }
      recipients[sharedInbox].push(follower.ap_id)
    })

    for (const sharedInbox in recipients) {
      debug('Notify %s with event %s (from admin %s) cc => %d', sharedInbox, event.title, instanceAdmin.username, recipients[sharedInbox].length)
      const body = {
        id: `${config.baseurl}/federation/m/${event.id}#create`,
        type,
        to: ['https://www.w3.org/ns/activitystreams#Public'],
        cc: [`${config.baseurl}/federation/u/${instanceAdmin.username}/followers`, ...recipients[sharedInbox]],
        // cc: recipients[sharedInbox],
        actor: `${config.baseurl}/federation/u/${instanceAdmin.username}`,
        // object: event.toAP(instanceAdmin.username, [`${config.baseurl}/federation/u/${instanceAdmin.username}/followers`, ...recipients[sharedInbox]])
        object: event.toAP(instanceAdmin.username, recipients[sharedInbox])
      }
      body['@context'] = [
        'https://www.w3.org/ns/activitystreams',
        'https://w3id.org/security/v1',
        { Hashtag: 'as:Hashtag' } ]
      Helpers.signAndSend(body, instanceAdmin, sharedInbox)
    }

    return 
    // TODO
    // in case the event is published by the Admin itself do not add user
    if (instanceAdmin.id === user.id) {
      debug('Event published by instance Admin')
      return
    } 
    if (!user.settings.enable_federation || !user.username) {
      debug('Federation disabled for user %d (%s)', user.id, user.username)
      return
    }

    debug('Sending to user followers => ', user.username)
    user = await User.findByPk( user.id, { include: { model: FedUsers, as: 'followers' }})
    debug('Sending to user followers => ', user.followers.length)
    recipients = {}
    user.followers.forEach(follower => {
      const sharedInbox = follower.object.endpoints.sharedInbox
      if (!recipients[sharedInbox]) recipients[sharedInbox] = []
      recipients[sharedInbox].push(follower.ap_id)
    })

    for(const sharedInbox in recipients) {
      debug('Notify %s with event %s (from user %s) cc => %d', sharedInbox, event.title, user.username, recipients[sharedInbox].length)
      const body = {
        id: `${config.baseurl}/federation/m/${event.id}#create`,
        type: 'Create',
        to: ['https://www.w3.org/ns/activitystreams#Public'],
        cc: [`${config.baseurl}/federation/u/${user.username}/followers`, ...recipients[sharedInbox]],
        //cc: recipients[sharedInbox],
        actor: `${config.baseurl}/federation/u/${user.username}`,
        // object: event.toAP(user.username, [`${config.baseurl}/federation/u/${user.username}/followers`, ...recipients[sharedInbox]])
        object: event.toAP(user.username, recipients[sharedInbox])
      }
      body['@context'] = 'https://www.w3.org/ns/activitystreams'
      Helpers.signAndSend(body, user, sharedInbox)
    }

  },

  async getActor (url, force = false) {
    let fedi_user
    
    // try with cache first
    if (!force) fedi_user = await FedUsers.findByPk(url)

    if (fedi_user) return fedi_user.object
    fedi_user = await fetch(url, { headers: { 'Accept': 'application/jrd+json, application/json' } })
      .then(res => {
        if (!res.ok) {
          debug('[ERR] Actor %s => %s', url, res.statusText)
          return false
        }
        return res.json()
      })
    if (fedi_user) {
      await FedUsers.create({ap_id: url, object: fedi_user})
    }
    return fedi_user
  },

  // ref: https://blog.joinmastodon.org/2018/07/how-to-make-friends-and-verify-requests/
  async verifySignature (req, res, next) {
    let user = await Helpers.getActor(req.body.actor)
    if (!user) { return res.status(401).send('Actor not found') }
    
    // little hack -> https://github.com/joyent/node-http-signature/pull/83
    req.headers.authorization = 'Signature ' + req.headers.signature
    
    req.fedi_user = user

    // another little hack :/
    // https://github.com/joyent/node-http-signature/issues/87
    req.url = '/federation' + req.url
    const parsed = httpSignature.parseRequest(req)
    if (httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem)) { return next() }
    
    // signature not valid, try without cache
    user = await Helpers.getActor(req.body.actor, true)
    if (!user) { return res.status(401).send('Actor not found') }
    if (httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem)) { return next() }
    
    // still not valid
    debug('Invalid signature from user %s', req.body.actor)
    res.send('Request signature could not be verified', 401)

  }
}

module.exports = Helpers
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`const fetch = require('node-fetch')`
send emails with less spam points 2019-08-10 15:00:08 +02:00			`// const request = require('request')`
. 2019-07-31 02:01:21 +02:00			`const crypto = require('crypto')`
minor 2019-07-30 18:57:45 +02:00			`const config = require('config')`
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`const httpSignature = require('http-signature')`
debugging fedi & upgrade 2019-09-11 21:20:44 +02:00			`const debug = require('debug')('federation:helpers')`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00			`const { user: User, fed_users: FedUsers } = require('../api/models')`
[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00			`const url = require('url')`
refactorin docker files 2019-09-25 14:38:16 +02:00			`const settingsController = require('../api/controller/settings')`
cleaning federation 2019-07-30 18:32:26 +02:00
			`const Helpers = {`
ignore unimplemented ping url from fediverse 2019-09-13 11:08:18 +02:00
			`// ignore unimplemented ping url from fediverse`
[lint] linting 2019-10-28 17:33:20 +01:00			`spamFilter (req, res, next) {`
ignore unimplemented ping url from fediverse 2019-09-13 11:08:18 +02:00			`const urlToIgnore = [`
			`'/api/v1/instance',`
			`'/api/meta',`
better SEO 2019-09-18 12:55:33 +02:00			`'/api/statusnet/version.json',`
			`'/api/gnusocial/version.json',`
ignore unimplemented ping url from fediverse 2019-09-13 11:08:18 +02:00			`'/api/statusnet/config.json',`
[lint] linting 2019-10-28 17:33:20 +01:00			`'/poco'`
ignore unimplemented ping url from fediverse 2019-09-13 11:08:18 +02:00			`]`
[lint] linting 2019-10-28 17:33:20 +01:00			`if (urlToIgnore.includes(req.path)) { return res.status(404).send('Not Found') }`
ignore unimplemented ping url from fediverse 2019-09-13 11:08:18 +02:00			`next()`
			`},`

[fedi] minor 2019-09-26 15:22:02 +02:00			`async signAndSend (message, user, inbox) {`
cleaning federation 2019-07-30 18:32:26 +02:00			`// get the URI of the actor object and append 'inbox' to it`
[fedi] minor 2019-09-26 15:22:02 +02:00			`const inboxUrl = url.parse(inbox)`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`// const toPath = toOrigin.path + '/inbox'`
cleaning federation 2019-07-30 18:32:26 +02:00			`// get the private key`
			`const privkey = user.rsa.privateKey`
			`const signer = crypto.createSign('sha256')`
.. 2019-07-31 01:43:08 +02:00			`const d = new Date()`
[fedi] minor 2019-09-26 15:22:02 +02:00			const stringToSign = `(request-target): post ${inboxUrl.path}\nhost: ${inboxUrl.hostname}\ndate: ${d.toUTCString()}`
			`debug('Sign and send', user.username, inbox)`
cleaning federation 2019-07-30 18:32:26 +02:00			`signer.update(stringToSign)`
			`signer.end()`
			`const signature = signer.sign(privkey)`
			`const signature_b64 = signature.toString('base64')`
.. 2019-07-31 01:43:08 +02:00			const header = `keyId="${config.baseurl}/federation/u/${user.username}",headers="(request-target) host date",signature="${signature_b64}"`
[fedi] minor 2019-09-26 15:22:02 +02:00			`const ret = await fetch(inbox, {`
cleaning federation 2019-07-30 18:32:26 +02:00			`headers: {`
[fedi] minor 2019-09-26 15:22:02 +02:00			`'Host': inboxUrl.hostname,`
cleaning federation 2019-07-30 18:32:26 +02:00			`'Date': d.toUTCString(),`
commenting from federation 2019-08-01 15:18:45 +02:00			`'Signature': header,`
send emails with less spam points 2019-08-10 15:00:08 +02:00			`'Content-Type': 'application/activity+json; charset=utf-8',`
			`'Accept': 'application/activity+json, application/json; chartset=utf-8'`
cleaning federation 2019-07-30 18:32:26 +02:00			`},`
			`method: 'POST',`
send emails with less spam points 2019-08-10 15:00:08 +02:00			`body: JSON.stringify(message) })`
debugging fedi & upgrade 2019-09-11 21:20:44 +02:00			`debug('sign %s => %s', ret.status, await ret.text())`
.. 2019-07-31 01:43:08 +02:00			`},`
[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00
[lint] linting 2019-10-28 17:33:20 +01:00			`async sendEvent (event, user, type = 'Create') {`
refactorin docker files 2019-09-25 14:38:16 +02:00			`if (!settingsController.settings.enable_federation) {`
better SEO 2019-09-18 12:55:33 +02:00			`debug('event not send, federation disabled')`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`return`
			`}`

[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00			`// event is sent by user that published it and by the admin instance`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00			`// collect followers from admin and user`
[lint] linting 2019-10-28 17:33:20 +01:00			`const instanceAdmin = await User.findOne({ where: { email: config.admin_email }, include: { model: FedUsers, as: 'followers' } })`
linting 2019-09-11 19:12:24 +02:00			`if (!instanceAdmin \|\| !instanceAdmin.username) {`
cleaning documentation 2019-09-24 11:46:11 +02:00			`debug('Instance admin not found (there is no user with email => %s)', config.admin_email)`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			`return`
			`}`
[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`let recipients = {}`
			`instanceAdmin.followers.forEach(follower => {`
better SEO 2019-09-18 12:55:33 +02:00			`const sharedInbox = follower.object.endpoints.sharedInbox`
[lint] linting 2019-10-28 17:33:20 +01:00			`if (!recipients[sharedInbox]) { recipients[sharedInbox] = [] }`
better SEO 2019-09-18 12:55:33 +02:00			`recipients[sharedInbox].push(follower.ap_id)`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`})`

[lint] linting 2019-10-28 17:33:20 +01:00			`for (const sharedInbox in recipients) {`
better SEO 2019-09-18 12:55:33 +02:00			`debug('Notify %s with event %s (from admin %s) cc => %d', sharedInbox, event.title, instanceAdmin.username, recipients[sharedInbox].length)`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			`const body = {`
debugging fedi & upgrade 2019-09-11 21:20:44 +02:00			id: `${config.baseurl}/federation/m/${event.id}#create`,
[feat] add actions to notifications (add/del/update) 2019-10-02 21:04:03 +02:00			`type,`
debugging fedi & upgrade 2019-09-11 21:20:44 +02:00			`to: ['https://www.w3.org/ns/activitystreams#Public'],`
[fedi] minor 2019-09-26 00:24:05 +02:00			cc: [`${config.baseurl}/federation/u/${instanceAdmin.username}/followers`, ...recipients[sharedInbox]],
[lint] linting 2019-10-28 17:33:20 +01:00			`// cc: recipients[sharedInbox],`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			actor: `${config.baseurl}/federation/u/${instanceAdmin.username}`,
better SEO 2019-09-18 12:55:33 +02:00			// object: event.toAP(instanceAdmin.username, [`${config.baseurl}/federation/u/${instanceAdmin.username}/followers`, ...recipients[sharedInbox]])
			`object: event.toAP(instanceAdmin.username, recipients[sharedInbox])`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			`}`
[fedi] toot as admin only 2019-09-26 22:46:04 +02:00			`body['@context'] = [`
			`'https://www.w3.org/ns/activitystreams',`
			`'https://w3id.org/security/v1',`
			`{ Hashtag: 'as:Hashtag' } ]`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`Helpers.signAndSend(body, instanceAdmin, sharedInbox)`
[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00			`}`
linting 2019-09-11 19:12:24 +02:00
[fedi] toot as admin only 2019-09-26 22:46:04 +02:00			`return`
			`// TODO`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`// in case the event is published by the Admin itself do not add user`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			`if (instanceAdmin.id === user.id) {`
debugging fedi & upgrade 2019-09-11 21:20:44 +02:00			`debug('Event published by instance Admin')`
			`return`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`}`
debugging fedi & upgrade 2019-09-11 21:20:44 +02:00			`if (!user.settings.enable_federation \|\| !user.username) {`
			`debug('Federation disabled for user %d (%s)', user.id, user.username)`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			`return`
			`}`

better SEO 2019-09-18 12:55:33 +02:00			`debug('Sending to user followers => ', user.username)`
			`user = await User.findByPk( user.id, { include: { model: FedUsers, as: 'followers' }})`
			`debug('Sending to user followers => ', user.followers.length)`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`recipients = {}`
			`user.followers.forEach(follower => {`
			`const sharedInbox = follower.object.endpoints.sharedInbox`
			`if (!recipients[sharedInbox]) recipients[sharedInbox] = []`
better SEO 2019-09-18 12:55:33 +02:00			`recipients[sharedInbox].push(follower.ap_id)`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`})`

			`for(const sharedInbox in recipients) {`
better SEO 2019-09-18 12:55:33 +02:00			`debug('Notify %s with event %s (from user %s) cc => %d', sharedInbox, event.title, user.username, recipients[sharedInbox].length)`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			`const body = {`
linting 2019-09-11 19:12:24 +02:00			id: `${config.baseurl}/federation/m/${event.id}#create`,
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			`type: 'Create',`
linting 2019-09-11 19:12:24 +02:00			`to: ['https://www.w3.org/ns/activitystreams#Public'],`
[fedi] minor 2019-09-26 00:24:05 +02:00			cc: [`${config.baseurl}/federation/u/${user.username}/followers`, ...recipients[sharedInbox]],
			`//cc: recipients[sharedInbox],`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			actor: `${config.baseurl}/federation/u/${user.username}`,
better SEO 2019-09-18 12:55:33 +02:00			// object: event.toAP(user.username, [`${config.baseurl}/federation/u/${user.username}/followers`, ...recipients[sharedInbox]])
			`object: event.toAP(user.username, recipients[sharedInbox])`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			`}`
. 2019-07-31 02:08:46 +02:00			`body['@context'] = 'https://www.w3.org/ns/activitystreams'`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`Helpers.signAndSend(body, user, sharedInbox)`
[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00			`}`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00
ego 2019-08-02 13:43:28 +02:00			`},`

linting 2019-09-11 19:12:24 +02:00			`async getActor (url, force = false) {`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00			`let fedi_user`

cleaning and use nuxt-express 2019-08-09 01:58:11 +02:00			`// try with cache first`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00			`if (!force) fedi_user = await FedUsers.findByPk(url)`

			`if (fedi_user) return fedi_user.object`
			`fedi_user = await fetch(url, { headers: { 'Accept': 'application/jrd+json, application/json' } })`
cleaning 2019-08-09 00:19:57 +02:00			`.then(res => {`
			`if (!res.ok) {`
			`debug('[ERR] Actor %s => %s', url, res.statusText)`
			`return false`
			`}`
			`return res.json()`
fix verification of http-signature in federation msg 2019-08-08 17:48:12 +02:00			`})`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00			`if (fedi_user) {`
			`await FedUsers.create({ap_id: url, object: fedi_user})`
			`}`
			`return fedi_user`
ego 2019-08-02 13:43:28 +02:00			`},`

correctly verify http-signature 2019-08-02 17:29:55 +02:00			`// ref: https://blog.joinmastodon.org/2018/07/how-to-make-friends-and-verify-requests/`
linting 2019-09-11 19:12:24 +02:00			`async verifySignature (req, res, next) {`
keep going with federation 2019-08-03 00:48:48 +02:00			`let user = await Helpers.getActor(req.body.actor)`
linting 2019-09-11 19:12:24 +02:00			`if (!user) { return res.status(401).send('Actor not found') }`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`// little hack -> https://github.com/joyent/node-http-signature/pull/83`
			`req.headers.authorization = 'Signature ' + req.headers.signature`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00
			`req.fedi_user = user`
fix verification of http-signature in federation msg 2019-08-08 17:48:12 +02:00
linting 2019-09-11 19:12:24 +02:00			`// another little hack :/`
fix verification of http-signature in federation msg 2019-08-08 17:48:12 +02:00			`// https://github.com/joyent/node-http-signature/issues/87`
			`req.url = '/federation' + req.url`
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`const parsed = httpSignature.parseRequest(req)`
linting 2019-09-11 19:12:24 +02:00			`if (httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem)) { return next() }`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`// signature not valid, try without cache`
keep going with federation 2019-08-03 00:48:48 +02:00			`user = await Helpers.getActor(req.body.actor, true)`
linting 2019-09-11 19:12:24 +02:00			`if (!user) { return res.status(401).send('Actor not found') }`
			`if (httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem)) { return next() }`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`// still not valid`
[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00			`debug('Invalid signature from user %s', req.body.actor)`
fix verification of http-signature in federation msg 2019-08-08 17:48:12 +02:00			`res.send('Request signature could not be verified', 401)`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00
cleaning federation 2019-07-30 18:32:26 +02:00			`}`
			`}`

minor 2019-07-30 18:57:45 +02:00			`module.exports = Helpers`