2019-09-22 05:05:30 +00:00
|
|
|
'use strict'
|
|
|
|
const httpSignature = require('http-signature')
|
|
|
|
const pub = require('../pub')
|
|
|
|
// http communication middleware
|
|
|
|
module.exports = {
|
2019-09-24 03:18:35 +00:00
|
|
|
auth,
|
2019-09-22 05:20:37 +00:00
|
|
|
verifySignature
|
2019-09-22 05:05:30 +00:00
|
|
|
}
|
|
|
|
|
2019-09-24 03:18:35 +00:00
|
|
|
function auth (req, res, next) {
|
|
|
|
// no client-to-server support at this time
|
|
|
|
if (req.app.get('env') !== 'development') {
|
|
|
|
return res.status(405).send()
|
|
|
|
}
|
|
|
|
next()
|
|
|
|
}
|
|
|
|
|
2019-09-22 05:05:30 +00:00
|
|
|
async function verifySignature (req, res, next) {
|
2019-09-22 05:20:37 +00:00
|
|
|
if (!req.get('authorization')) {
|
|
|
|
// support for apps not using signature extension to ActivityPub
|
2019-09-24 03:18:35 +00:00
|
|
|
const actor = await pub.object.resolveObject(pub.utils.actorFromActivity(req.body))
|
|
|
|
if (actor.publicKey && req.app.get('env') !== 'development') {
|
|
|
|
return res.status(400).send('Missing http signature')
|
|
|
|
}
|
2019-09-22 05:20:37 +00:00
|
|
|
return next()
|
|
|
|
}
|
|
|
|
// workaround for node-http-signature#87
|
|
|
|
const tempUrl = req.url
|
|
|
|
req.url = req.originalUrl
|
|
|
|
const sigHead = httpSignature.parse(req)
|
|
|
|
req.url = tempUrl
|
|
|
|
const signer = await pub.object.resolveObject(sigHead.keyId, req.app.get('db'))
|
|
|
|
const valid = httpSignature.verifySignature(sigHead, signer.publicKey.publicKeyPem)
|
|
|
|
console.log('signature validation', valid)
|
|
|
|
if (!valid) {
|
|
|
|
return res.status(400).send('Invalid http signature')
|
|
|
|
}
|
|
|
|
next()
|
2019-09-22 05:05:30 +00:00
|
|
|
}
|