rubberguppe/net/security.js

'use strict'
const httpSignature = require('http-signature')
const pub = require('../pub')
// http communication middleware
module.exports = {
  auth,
  verifySignature
}

function auth (req, res, next) {
  // no client-to-server support at this time
  if (req.app.get('env') !== 'development') {
    return res.status(405).send()
  }
  next()
}

async function verifySignature (req, res, next) {
  try {
    if (!req.get('authorization') && !req.get('signature')) {
      // support for apps not using signature extension to ActivityPub
      const actor = await pub.object.resolveObject(pub.utils.actorFromActivity(req.body))
      if (actor.publicKey && req.app.get('env') !== 'development') {
        console.log('Missing http signature')
        return res.status(400).send('Missing http signature')
      }
      return next()
    }
    const sigHead = httpSignature.parse(req)
    const signer = await pub.object.resolveObject(sigHead.keyId, req.app.get('db'))
    const valid = httpSignature.verifySignature(sigHead, signer.publicKey.publicKeyPem)
    if (!valid) {
      console.log('signature validation failure', sigHead.keyId)
      return res.status(400).send('Invalid http signature')
    }
    next()
  } catch (err) {
    if (req.body.type === 'Delete' && err.message.startsWith('410')) {
      // user delete message that can't be verified because we don't have the user cached
      console.log('Unverifiable delete')
      return res.status(200).send()
    }
    console.log('error during signature verification', err.message, req.body)
    return res.status(500).send()
  }
}
more organization, remote object resolution, signature verification as middleware 2019-09-22 05:05:30 +00:00			`'use strict'`
			`const httpSignature = require('http-signature')`
			`const pub = require('../pub')`
			`// http communication middleware`
			`module.exports = {`
production security: require signature for users with public keys, block outbox posting. Add missing routes to fetch objects and activities by id 2019-09-24 03:18:35 +00:00			`auth,`
package details, lint 2019-09-22 05:20:37 +00:00			`verifySignature`
more organization, remote object resolution, signature verification as middleware 2019-09-22 05:05:30 +00:00			`}`

production security: require signature for users with public keys, block outbox posting. Add missing routes to fetch objects and activities by id 2019-09-24 03:18:35 +00:00			`function auth (req, res, next) {`
			`// no client-to-server support at this time`
			`if (req.app.get('env') !== 'development') {`
			`return res.status(405).send()`
			`}`
			`next()`
			`}`

more organization, remote object resolution, signature verification as middleware 2019-09-22 05:05:30 +00:00			`async function verifySignature (req, res, next) {`
handle errors during signature validation. use lowercase in ids 2019-09-26 02:45:52 +00:00			`try {`
			`if (!req.get('authorization') && !req.get('signature')) {`
			`// support for apps not using signature extension to ActivityPub`
			`const actor = await pub.object.resolveObject(pub.utils.actorFromActivity(req.body))`
			`if (actor.publicKey && req.app.get('env') !== 'development') {`
logging cleanup 2019-09-28 15:23:24 +00:00			`console.log('Missing http signature')`
handle errors during signature validation. use lowercase in ids 2019-09-26 02:45:52 +00:00			`return res.status(400).send('Missing http signature')`
			`}`
			`return next()`
production security: require signature for users with public keys, block outbox posting. Add missing routes to fetch objects and activities by id 2019-09-24 03:18:35 +00:00			`}`
handle errors during signature validation. use lowercase in ids 2019-09-26 02:45:52 +00:00			`const sigHead = httpSignature.parse(req)`
			`const signer = await pub.object.resolveObject(sigHead.keyId, req.app.get('db'))`
			`const valid = httpSignature.verifySignature(sigHead, signer.publicKey.publicKeyPem)`
			`if (!valid) {`
logging cleanup 2019-09-28 15:23:24 +00:00			`console.log('signature validation failure', sigHead.keyId)`
handle errors during signature validation. use lowercase in ids 2019-09-26 02:45:52 +00:00			`return res.status(400).send('Invalid http signature')`
			`}`
			`next()`
			`} catch (err) {`
fix errors in unverifiable delete handling and include accept headerin http logs 2019-12-25 22:22:31 +00:00			`if (req.body.type === 'Delete' && err.message.startsWith('410')) {`
Add check for delete user broadcasts for unknown users (unverifiable signature) 2019-12-25 21:52:15 +00:00			`// user delete message that can't be verified because we don't have the user cached`
fix errors in unverifiable delete handling and include accept headerin http logs 2019-12-25 22:22:31 +00:00			`console.log('Unverifiable delete')`
			`return res.status(200).send()`
Add check for delete user broadcasts for unknown users (unverifiable signature) 2019-12-25 21:52:15 +00:00			`}`
			`console.log('error during signature verification', err.message, req.body)`
handle errors during signature validation. use lowercase in ids 2019-09-26 02:45:52 +00:00			`return res.status(500).send()`
package details, lint 2019-09-22 05:20:37 +00:00			`}`
more organization, remote object resolution, signature verification as middleware 2019-09-22 05:05:30 +00:00			`}`