NoLog.cz/gancio
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity

fix verification of http-signature in federation msg

Browse source
This commit is contained in:
les 2019-08-08 17:48:12 +02:00
parent ca83f1c675
commit bb32611e73
3 changed files with 14 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
config/default.json
View file

@ -8,7 +8,8 @@
}, },
"db": { "db": {
"dialect": "sqlite", "dialect": "sqlite",
"storage": "./db.sqlite" "storage": "./db.sqlite",
"logging": false
}, },
"upload_path": "./", "upload_path": "./",
"smtp": { "smtp": {

18
server/federation/helpers.js
View file

@ -69,10 +69,12 @@ const Helpers = {
async getActor(url, force=false) { async getActor(url, force=false) {
// try with cache first if not forced // try with cache first if not forced
if (!force && actorCache[url]) return actorCache[url] if (!force && actorCache[url]) return actorCache[url]
debug('getActor %s', url)
const user = await fetch(url, { headers: {'Accept': 'application/jrd+json, application/json'} }) const user = await fetch(url, { headers: {'Accept': 'application/jrd+json, application/json'} })
.then(res => res.json()) .then(res => res.json())
.catch(debug) .catch(e => {
debug(e)
return false
})
actorCache[url] = user actorCache[url] = user
return user return user
}, },
@ -80,21 +82,23 @@ const Helpers = {
// ref: https://blog.joinmastodon.org/2018/07/how-to-make-friends-and-verify-requests/ // ref: https://blog.joinmastodon.org/2018/07/how-to-make-friends-and-verify-requests/
async verifySignature(req, res, next) { async verifySignature(req, res, next) {
let user = await Helpers.getActor(req.body.actor) let user = await Helpers.getActor(req.body.actor)
if (!user) res.send('Actor not found', 401)
console.error(req.headers)
// little hack -> https://github.com/joyent/node-http-signature/pull/83 // little hack -> https://github.com/joyent/node-http-signature/pull/83
req.headers.authorization = 'Signature ' + req.headers.signature req.headers.authorization = 'Signature ' + req.headers.signature
// another little hack :/
// https://github.com/joyent/node-http-signature/issues/87
req.url = '/federation' + req.url
const parsed = httpSignature.parseRequest(req) const parsed = httpSignature.parseRequest(req)
let ret = httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem) if (httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem)) return next()
// signature not valid, try without cache // signature not valid, try without cache
user = await Helpers.getActor(req.body.actor, true) user = await Helpers.getActor(req.body.actor, true)
if (httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem)) return next() if (httpSignature.verifySignature(parsed, user.publicKey.publicKeyPem)) return next()
// ehm, TOFIX!!
return next()
// still not valid // still not valid
// res.send('Request signature could not be verified', 401) res.send('Request signature could not be verified', 401)
} }
} }

5
server/federation/index.js
View file

@ -32,9 +32,6 @@ router.get('/m/:event_id', async (req, res) => {
router.post('/u/:name/inbox', Helpers.verifySignature, async (req, res) => { router.post('/u/:name/inbox', Helpers.verifySignature, async (req, res) => {
const b = req.body const b = req.body
console.error('> INBOX ', b.type, b)
const targetOrigin = new URL(b.actor).origin
const domain = new URL(config.baseurl).host
switch(b.type) { switch(b.type) {
case 'Follow': case 'Follow':
@ -43,7 +40,7 @@ router.post('/u/:name/inbox', Helpers.verifySignature, async (req, res) => {
case 'Undo': case 'Undo':
// unfollow || unlike // unfollow || unlike
if (b.object.type === 'Follow') { if (b.object.type === 'Follow') {
Follows.unfollow(req, res, b, targetOrigin, domain) Follows.unfollow(req, res)
} else if (b.object.type === 'Like') { } else if (b.object.type === 'Like') {
Ego.unbookmark(req, res) Ego.unbookmark(req, res)
} else if (b.object.type === 'Announce') { } else if (b.object.type === 'Announce') {