gancio-upstream/server/federation/helpers.js

const fetch = require('axios')
// const request = require('request')
const crypto = require('crypto')
const config = require('config')
const httpSignature = require('http-signature')
const debug = require('debug')('federation:helpers')
const { ap_user: APUser, instance: Instance } = require('../api/models')
const url = require('url')
const settingsController = require('../api/controller/settings')

const Helpers = {

  // ignore unimplemented ping url from fediverse
  spamFilter (req, res, next) {
    const urlToIgnore = [
      '/api/v1/instance',
      '/api/meta',
      '/api/statusnet/version.json',
      '/api/gnusocial/version.json',
      '/api/statusnet/config.json',
      '/poco'
    ]
    if (urlToIgnore.includes(req.path)) { return res.status(404).send('Not Found') }
    next()
  },

  async signAndSend (message, inbox) {
    // get the URI of the actor object and append 'inbox' to it
    const inboxUrl = new url.URL(inbox)
    const privkey = settingsController.secretSettings.privateKey
    const signer = crypto.createSign('sha256')
    const d = new Date()
    const stringToSign = `(request-target): post ${inboxUrl.pathname}\nhost: ${inboxUrl.hostname}\ndate: ${d.toUTCString()}`
    signer.update(stringToSign)
    signer.end()
    const signature = signer.sign(privkey)
    const signature_b64 = signature.toString('base64')
    const header = `keyId="${config.baseurl}/federation/u/${settingsController.settings.instance_name}",headers="(request-target) host date",signature="${signature_b64}"`
    try {
      const ret = await fetch(inbox, {
        headers: {
          Host: inboxUrl.hostname,
          Date: d.toUTCString(),
          Signature: header,
          'Content-Type': 'application/activity+json; charset=utf-8',
          Accept: 'application/activity+json, application/json; chartset=utf-8'
        },
        method: 'POST',
        body: JSON.stringify(message)
      })
      debug('sign %s => %s', ret.status, await ret.text())
    } catch (e) {
      debug('ERROR ', e.toString())
    }
  },

  async sendEvent (event, type = 'Create') {
    if (!settingsController.settings.enable_federation) {
      debug('event not send, federation disabled')
      return
    }

    const followers = await APUser.findAll({ where: { follower: true } })
    const recipients = {}
    followers.forEach(follower => {
      const sharedInbox = follower.object.endpoints.sharedInbox
      if (!recipients[sharedInbox]) { recipients[sharedInbox] = [] }
      recipients[sharedInbox].push(follower.ap_id)
    })

    for (const sharedInbox in recipients) {
      debug('Notify %s with event %s cc => %d', sharedInbox, event.title, recipients[sharedInbox].length)
      const body = {
        id: `${config.baseurl}/federation/m/${event.id}#create`,
        type,
        to: ['https://www.w3.org/ns/activitystreams#Public'],
        cc: [`${config.baseurl}/federation/u/${settingsController.settings.instance_name}/followers`, ...recipients[sharedInbox]],
        // cc: recipients[sharedInbox],
        actor: `${config.baseurl}/federation/u/${settingsController.settings.instance_name}`,
        // object: event.toNoteAP(instanceAdmin.username, [`${config.baseurl}/federation/u/${instanceAdmin.username}/followers`, ...recipients[sharedInbox]])
        object: event.toNoteAP(settingsController.settings.instance_name, recipients[sharedInbox])
      }
      body['@context'] = [
        'https://www.w3.org/ns/activitystreams',
        'https://w3id.org/security/v1',
        { Hashtag: 'as:Hashtag' }]
      Helpers.signAndSend(body, sharedInbox)
    }
  },

  async getActor (URL, instance, force = false) {
    let fedi_user

    // try with cache first
    if (!force) {
      fedi_user = await APUser.findByPk(URL, { include: Instance })
      if (fedi_user) {
        if (!fedi_user.instances) {
          fedi_user.setInstance(instance)
        }
        return fedi_user
      }
    }

    fedi_user = await fetch(URL, { headers: { Accept: 'application/jrd+json, application/json' } })
      .then(res => {
        if (!res.ok) {
          debug('[ERR] Actor %s => %s', URL, res.statusText)
          return false
        }
        return res.json()
      })

    if (fedi_user) {
      fedi_user = await APUser.create({ ap_id: URL, object: fedi_user })
    }
    return fedi_user
  },

  async getInstance (actor_url, force = false) {
    actor_url = new url.URL(actor_url)
    const domain = actor_url.host
    const instance_url = `${actor_url.protocol}//${actor_url.host}`
    debug('getInstance %s', domain)
    let instance
    if (!force) {
      instance = await Instance.findByPk(domain)
      if (instance) { return instance }
    }

    instance = await fetch(`${instance_url}/api/v1/instance`, { headers: { Accept: 'application/json' } })
      .then(res => res.json())
      .then(instance => {
        const data = {
          stats: instance.stats,
          thumbnail: instance.thumbnail
        }
        return Instance.create({ name: instance.title, domain, data, blocked: false })
      })
      .catch(e => {
        debug(e)
        return false
      })
    return instance
  },

  // ref: https://blog.joinmastodon.org/2018/07/how-to-make-friends-and-verify-requests/
  async verifySignature (req, res, next) {
    const instance = await Helpers.getInstance(req.body.actor)
    if (!instance) { return res.status(401).send('Instance not found') }
    if (instance.blocked) {
      debug('Instance %s blocked', instance.domain)
      return res.status(401).send('Instance blocked')
    }

    let user = await Helpers.getActor(req.body.actor, instance)
    if (!user) { return res.status(401).send('Actor not found') }
    if (user.blocked) {
      debug('User %s blocked', user.ap_id)
      return res.status(401).send('User blocked')
    }

    // little hack -> https://github.com/joyent/node-http-signature/pull/83
    req.headers.authorization = 'Signature ' + req.headers.signature

    req.fedi_user = user

    // another little hack :/
    // https://github.com/joyent/node-http-signature/issues/87
    req.url = '/federation' + req.url
    const parsed = httpSignature.parseRequest(req)
    if (httpSignature.verifySignature(parsed, user.object.publicKey.publicKeyPem)) { return next() }

    // signature not valid, try without cache
    user = await Helpers.getActor(req.body.actor, instance, true)
    if (!user) { return res.status(401).send('Actor not found') }
    if (httpSignature.verifySignature(parsed, user.object.publicKey.publicKeyPem)) { return next() }

    // still not valid
    debug('Invalid signature from user %s', req.body.actor)
    res.send('Request signature could not be verified', 401)
  }
}

module.exports = Helpers
use oauth2 password flow for webclient 2020-01-27 00:47:03 +01:00			`const fetch = require('axios')`
send emails with less spam points 2019-08-10 15:00:08 +02:00			`// const request = require('request')`
. 2019-07-31 02:01:21 +02:00			`const crypto = require('crypto')`
minor 2019-07-30 18:57:45 +02:00			`const config = require('config')`
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`const httpSignature = require('http-signature')`
debugging fedi & upgrade 2019-09-11 21:20:44 +02:00			`const debug = require('debug')('federation:helpers')`
[fix] fedi followers 2019-12-06 00:49:44 +01:00			`const { ap_user: APUser, instance: Instance } = require('../api/models')`
[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00			`const url = require('url')`
refactorin docker files 2019-09-25 14:38:16 +02:00			`const settingsController = require('../api/controller/settings')`
cleaning federation 2019-07-30 18:32:26 +02:00
			`const Helpers = {`
ignore unimplemented ping url from fediverse 2019-09-13 11:08:18 +02:00
			`// ignore unimplemented ping url from fediverse`
[lint] linting 2019-10-28 17:33:20 +01:00			`spamFilter (req, res, next) {`
ignore unimplemented ping url from fediverse 2019-09-13 11:08:18 +02:00			`const urlToIgnore = [`
			`'/api/v1/instance',`
			`'/api/meta',`
better SEO 2019-09-18 12:55:33 +02:00			`'/api/statusnet/version.json',`
			`'/api/gnusocial/version.json',`
ignore unimplemented ping url from fediverse 2019-09-13 11:08:18 +02:00			`'/api/statusnet/config.json',`
[lint] linting 2019-10-28 17:33:20 +01:00			`'/poco'`
ignore unimplemented ping url from fediverse 2019-09-13 11:08:18 +02:00			`]`
[lint] linting 2019-10-28 17:33:20 +01:00			`if (urlToIgnore.includes(req.path)) { return res.status(404).send('Not Found') }`
ignore unimplemented ping url from fediverse 2019-09-13 11:08:18 +02:00			`next()`
			`},`

[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			`async signAndSend (message, inbox) {`
cleaning federation 2019-07-30 18:32:26 +02:00			`// get the URI of the actor object and append 'inbox' to it`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`const inboxUrl = new url.URL(inbox)`
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			`const privkey = settingsController.secretSettings.privateKey`
cleaning federation 2019-07-30 18:32:26 +02:00			`const signer = crypto.createSign('sha256')`
.. 2019-07-31 01:43:08 +02:00			`const d = new Date()`
[fix] fediverse signature 2019-11-09 15:06:25 +01:00			const stringToSign = `(request-target): post ${inboxUrl.pathname}\nhost: ${inboxUrl.hostname}\ndate: ${d.toUTCString()}`
cleaning federation 2019-07-30 18:32:26 +02:00			`signer.update(stringToSign)`
			`signer.end()`
			`const signature = signer.sign(privkey)`
			`const signature_b64 = signature.toString('base64')`
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			const header = `keyId="${config.baseurl}/federation/u/${settingsController.settings.instance_name}",headers="(request-target) host date",signature="${signature_b64}"`
use oauth2 password flow for webclient 2020-01-27 00:47:03 +01:00			`try {`
			`const ret = await fetch(inbox, {`
			`headers: {`
			`Host: inboxUrl.hostname,`
			`Date: d.toUTCString(),`
			`Signature: header,`
			`'Content-Type': 'application/activity+json; charset=utf-8',`
			`Accept: 'application/activity+json, application/json; chartset=utf-8'`
			`},`
			`method: 'POST',`
			`body: JSON.stringify(message)`
			`})`
			`debug('sign %s => %s', ret.status, await ret.text())`
			`} catch (e) {`
			`debug('ERROR ', e.toString())`
			`}`
.. 2019-07-31 01:43:08 +02:00			`},`
[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			`async sendEvent (event, type = 'Create') {`
refactorin docker files 2019-09-25 14:38:16 +02:00			`if (!settingsController.settings.enable_federation) {`
better SEO 2019-09-18 12:55:33 +02:00			`debug('event not send, federation disabled')`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`return`
			`}`

[fix] fedi followers 2019-12-06 00:49:44 +01:00			`const followers = await APUser.findAll({ where: { follower: true } })`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`const recipients = {}`
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			`followers.forEach(follower => {`
better SEO 2019-09-18 12:55:33 +02:00			`const sharedInbox = follower.object.endpoints.sharedInbox`
[lint] linting 2019-10-28 17:33:20 +01:00			`if (!recipients[sharedInbox]) { recipients[sharedInbox] = [] }`
better SEO 2019-09-18 12:55:33 +02:00			`recipients[sharedInbox].push(follower.ap_id)`
use sharedInbox to send events, fix #19 2019-09-13 10:17:44 +02:00			`})`

[lint] linting 2019-10-28 17:33:20 +01:00			`for (const sharedInbox in recipients) {`
[ui] add admin in mobile / fix #63 2019-12-10 22:58:10 +01:00			`debug('Notify %s with event %s cc => %d', sharedInbox, event.title, recipients[sharedInbox].length)`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			`const body = {`
debugging fedi & upgrade 2019-09-11 21:20:44 +02:00			id: `${config.baseurl}/federation/m/${event.id}#create`,
[feat] add actions to notifications (add/del/update) 2019-10-02 21:04:03 +02:00			`type,`
debugging fedi & upgrade 2019-09-11 21:20:44 +02:00			`to: ['https://www.w3.org/ns/activitystreams#Public'],`
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			cc: [`${config.baseurl}/federation/u/${settingsController.settings.instance_name}/followers`, ...recipients[sharedInbox]],
[lint] linting 2019-10-28 17:33:20 +01:00			`// cc: recipients[sharedInbox],`
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			actor: `${config.baseurl}/federation/u/${settingsController.settings.instance_name}`,
			// object: event.toNoteAP(instanceAdmin.username, [`${config.baseurl}/federation/u/${instanceAdmin.username}/followers`, ...recipients[sharedInbox]])
			`object: event.toNoteAP(settingsController.settings.instance_name, recipients[sharedInbox])`
[AP] cleaner add and remove comments 2019-09-11 13:12:05 +02:00			`}`
[fedi] toot as admin only 2019-09-26 22:46:04 +02:00			`body['@context'] = [`
			`'https://www.w3.org/ns/activitystreams',`
			`'https://w3id.org/security/v1',`
[ui] add admin in mobile / fix #63 2019-12-10 22:58:10 +01:00			`{ Hashtag: 'as:Hashtag' }]`
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			`Helpers.signAndSend(body, sharedInbox)`
[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00			`}`
ego 2019-08-02 13:43:28 +02:00			`},`

[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`async getActor (URL, instance, force = false) {`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00			`let fedi_user`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00
cleaning and use nuxt-express 2019-08-09 01:58:11 +02:00			`// try with cache first`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`if (!force) {`
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			`fedi_user = await APUser.findByPk(URL, { include: Instance })`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`if (fedi_user) {`
			`if (!fedi_user.instances) {`
			`fedi_user.setInstance(instance)`
			`}`
[fedi] comment/instance/user moderation 2019-11-13 10:56:01 +01:00			`return fedi_user`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`}`
			`}`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00
update dependencies 2019-12-06 11:30:41 +01:00			`fedi_user = await fetch(URL, { headers: { Accept: 'application/jrd+json, application/json' } })`
cleaning 2019-08-09 00:19:57 +02:00			`.then(res => {`
			`if (!res.ok) {`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`debug('[ERR] Actor %s => %s', URL, res.statusText)`
cleaning 2019-08-09 00:19:57 +02:00			`return false`
			`}`
			`return res.json()`
fix verification of http-signature in federation msg 2019-08-08 17:48:12 +02:00			`})`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00			`if (fedi_user) {`
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			`fedi_user = await APUser.create({ ap_id: URL, object: fedi_user })`
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00			`}`
			`return fedi_user`
ego 2019-08-02 13:43:28 +02:00			`},`

[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`async getInstance (actor_url, force = false) {`
			`actor_url = new url.URL(actor_url)`
			`const domain = actor_url.host`
			const instance_url = `${actor_url.protocol}//${actor_url.host}`
			`debug('getInstance %s', domain)`
			`let instance`
			`if (!force) {`
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			`instance = await Instance.findByPk(domain)`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`if (instance) { return instance }`
			`}`

update dependencies 2019-12-06 11:30:41 +01:00			instance = await fetch(`${instance_url}/api/v1/instance`, { headers: { Accept: 'application/json' } })
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`.then(res => res.json())`
			`.then(instance => {`
			`const data = {`
			`stats: instance.stats,`
			`thumbnail: instance.thumbnail`
			`}`
[refactor] remove `username` field and let instance_name be the only AP Actor 2019-12-04 00:50:15 +01:00			`return Instance.create({ name: instance.title, domain, data, blocked: false })`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`})`
			`.catch(e => {`
			`debug(e)`
			`return false`
			`})`
			`return instance`
			`},`

correctly verify http-signature 2019-08-02 17:29:55 +02:00			`// ref: https://blog.joinmastodon.org/2018/07/how-to-make-friends-and-verify-requests/`
linting 2019-09-11 19:12:24 +02:00			`async verifySignature (req, res, next) {`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`const instance = await Helpers.getInstance(req.body.actor)`
			`if (!instance) { return res.status(401).send('Instance not found') }`
			`if (instance.blocked) {`
			`debug('Instance %s blocked', instance.domain)`
			`return res.status(401).send('Instance blocked')`
			`}`

			`let user = await Helpers.getActor(req.body.actor, instance)`
linting 2019-09-11 19:12:24 +02:00			`if (!user) { return res.status(401).send('Actor not found') }`
[fedi] comment/instance/user moderation 2019-11-13 10:56:01 +01:00			`if (user.blocked) {`
			`debug('User %s blocked', user.ap_id)`
			`return res.status(401).send('User blocked')`
			`}`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`// little hack -> https://github.com/joyent/node-http-signature/pull/83`
			`req.headers.authorization = 'Signature ' + req.headers.signature`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00
fix #18, cache users from fediverse 2019-09-12 14:59:51 +02:00			`req.fedi_user = user`
fix verification of http-signature in federation msg 2019-08-08 17:48:12 +02:00
linting 2019-09-11 19:12:24 +02:00			`// another little hack :/`
fix verification of http-signature in federation msg 2019-08-08 17:48:12 +02:00			`// https://github.com/joyent/node-http-signature/issues/87`
			`req.url = '/federation' + req.url`
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`const parsed = httpSignature.parseRequest(req)`
[fedi] comment/instance/user moderation 2019-11-13 10:56:01 +01:00			`if (httpSignature.verifySignature(parsed, user.object.publicKey.publicKeyPem)) { return next() }`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`// signature not valid, try without cache`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00			`user = await Helpers.getActor(req.body.actor, instance, true)`
linting 2019-09-11 19:12:24 +02:00			`if (!user) { return res.status(401).send('Actor not found') }`
[fedi] comment/instance/user moderation 2019-11-13 10:56:01 +01:00			`if (httpSignature.verifySignature(parsed, user.object.publicKey.publicKeyPem)) { return next() }`
[fedi] instances moderation 2019-10-30 15:01:15 +01:00
correctly verify http-signature 2019-08-02 17:29:55 +02:00			`// still not valid`
[AP] unfollow, tags, attachment, sign 2019-09-11 12:00:13 +02:00			`debug('Invalid signature from user %s', req.body.actor)`
fix verification of http-signature in federation msg 2019-08-08 17:48:12 +02:00			`res.send('Request signature could not be verified', 401)`
cleaning federation 2019-07-30 18:32:26 +02:00			`}`
			`}`

minor 2019-07-30 18:57:45 +02:00			`module.exports = Helpers`