fix verification of http-signature in federation msg

2019-08-08 17:48:12 +02:00 · 2019-08-08 17:48:12 +02:00 · bb32611e73
commit bb32611e73
parent ca83f1c675
3 changed files with 14 additions and 12 deletions
--- a/config/default.json
+++ b/config/default.json
@ -8,7 +8,8 @@
  },
  "db": {
    "dialect": "sqlite",
-    "storage": "./db.sqlite"
+    "storage": "./db.sqlite",
+    "logging": false
  },
  "upload_path": "./",
  "smtp": {
--- a/server/federation/helpers.js
+++ b/server/federation/helpers.js
@ -69,10 +69,12 @@ const Helpers = {
  async getActor(url, force=false) {
    // try with cache first if not forced
    if (!force && actorCache[url]) return actorCache[url]
-    debug('getActor %s', url)
    const user = await fetch(url, { headers: {'Accept': 'application/jrd+json, application/json'} })
      .then(res => res.json())
-      .catch(debug)
+      .catch(e => {
+        debug(e)
+        return false
+      })
    actorCache[url] = user
    return user
  },
@ -80,21 +82,23 @@ const Helpers = {
  // ref: https://blog.joinmastodon.org/2018/07/how-to-make-friends-and-verify-requests/
  async verifySignature(req, res, next) {
    let user = await Helpers.getActor(req.body.actor)
+    if (!user) res.send('Actor not found', 401)

-    console.error(req.headers)
    // little hack -> https://github.com/joyent/node-http-signature/pull/83
    req.headers.authorization = 'Signature ' + req.headers.signature
+
+    // another little hack :/ 
+    // https://github.com/joyent/node-http-signature/issues/87
+    req.url = '/federation' + req.url
    const parsed = httpSignature.parseRequest(req)
-    let ret = httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem)
+    if (httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem)) return next()
    
    // signature not valid, try without cache
    user = await Helpers.getActor(req.body.actor, true)
    if (httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem)) return next()

-    // ehm, TOFIX!!
-    return next()
    // still not valid
-    // res.send('Request signature could not be verified', 401)
+    res.send('Request signature could not be verified', 401)
  }
 }

--- a/server/federation/index.js
+++ b/server/federation/index.js
@ -32,9 +32,6 @@ router.get('/m/:event_id', async (req, res) => {
 router.post('/u/:name/inbox', Helpers.verifySignature, async (req, res) => {

  const b = req.body
-  console.error('> INBOX ', b.type, b)
-  const targetOrigin = new URL(b.actor).origin
-  const domain = new URL(config.baseurl).host

  switch(b.type) {
    case 'Follow':
@ -43,7 +40,7 @@ router.post('/u/:name/inbox', Helpers.verifySignature, async (req, res) => {
    case 'Undo':
      // unfollow || unlike
      if (b.object.type === 'Follow') {
-        Follows.unfollow(req, res, b, targetOrigin, domain)
+        Follows.unfollow(req, res)
      } else if (b.object.type === 'Like') {
        Ego.unbookmark(req, res)
      } else if (b.object.type === 'Announce') {