From bf58e27748cb11d8e3601cf0f39e6141e94ff271 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Wed, 25 Sep 2019 21:45:52 -0500
Subject: [PATCH] handle errors during signature validation. use lowercase in ids
---
 migrations/lowerCaseIds.js | 4 ++++
 net/security.js | 35 ++++++++++++++++++++---------------
 pub/utils.js | 6 +++---
 3 files changed, 27 insertions(+), 18 deletions(-)
 create mode 100644 migrations/lowerCaseIds.js
diff --git a/migrations/lowerCaseIds.js b/migrations/lowerCaseIds.js
new file mode 100644
index 0000000..38f3003
--- /dev/null
+++ b/migrations/lowerCaseIds.js
@@ -0,0 +1,4 @@
+db.objects.find({type: "Group"}).forEach(function(d){
+ d.id = d.id.toLowerCase();
+ db.objects.save(d);
+});
\ No newline at end of file
diff --git a/net/security.js b/net/security.js
index 7403fd7..a112f61 100644
--- a/net/security.js
+++ b/net/security.js
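Review bot: Nothing in migrations/lowerCaseIds.js guards against two `Group` documents whose `id` differs only in case; after `d.id.toLowerCase()` both carry the same `id`, and the run either stops part-way on a unique index or leaves two documents sharing one actor id, depending on how `objects` is indexed (not visible here). A read-only pass that aborts on such a collision before the first `save` keeps the run all-or-nothing. The script also rewrites only `id` on the Group documents themselves, so any stored document that refers to a group by its old mixed-case id would presumably need the same treatment.

```javascript
// pre-check: refuse to run if lowercasing would merge two Group ids
var seen = {};
db.objects.find({type: "Group"}).forEach(function(d){
  var lower = d.id.toLowerCase();
  if (seen[lower]) {
    throw new Error("Group ids collide after lowercasing: " + lower);
  }
  seen[lower] = true;
});
// … unchanged: the loop that lowercases and saves each Group …
```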
@@ -16,21 +16,26 @@ function auth (req, res, next) {
 }
 
 async function verifySignature (req, res, next) {
- if (!req.get('authorization') && !req.get('signature')) {
- // support for apps not using signature extension to ActivityPub
- const actor = await pub.object.resolveObject(pub.utils.actorFromActivity(req.body))
- if (actor.publicKey && req.app.get('env') !== 'development') {
- console.log('Missing http signature', req)
- return res.status(400).send('Missing http signature')
+ try {
+ if (!req.get('authorization') && !req.get('signature')) {
+ // support for apps not using signature extension to ActivityPub
+ const actor = await pub.object.resolveObject(pub.utils.actorFromActivity(req.body))
+ if (actor.publicKey && req.app.get('env') !== 'development') {
+ console.log('Missing http signature', req)
+ return res.status(400).send('Missing http signature')
+ }
+ return next()
 }
- return next()
+ const sigHead = httpSignature.parse(req)
+ const signer = await pub.object.resolveObject(sigHead.keyId, req.app.get('db'))
+ const valid = httpSignature.verifySignature(sigHead, signer.publicKey.publicKeyPem)
+ console.log('signature validation', valid)
+ if (!valid) {
+ return res.status(400).send('Invalid http signature')
+ }
+ next()
+ } catch (err) {
+ console.log('error during signature verification', err)
+ return res.status(500).send()
 }
- const sigHead = httpSignature.parse(req)
- const signer = await pub.object.resolveObject(sigHead.keyId, req.app.get('db'))
- const valid = httpSignature.verifySignature(sigHead, signer.publicKey.publicKeyPem)
- console.log('signature validation', valid)
- if (!valid) {
- return res.status(400).send('Invalid http signature')
- }
- next()
 }
diff --git a/pub/utils.js b/pub/utils.js
index 4545f2f..945561f 100644
--- a/pub/utils.js
+++ b/pub/utils.js
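Review bot: In the signed path of `verifySignature` nothing ties the verified key to the activity being delivered: `signer` is resolved from `sigHead.keyId` and its key is checked, but the result is never compared with `pub.utils.actorFromActivity(req.body)`, so a valid signature from any resolvable actor is accepted for a body that names a different one, unless a later middleware outside this hunk does that comparison. A check before `next()` would close the gap, along the lines of `if (signer.id !== pub.utils.actorFromActivity(req.body)) return res.status(403).send('Signer does not match actor')` (this assumes `signer.id` is the actor id and `actorFromActivity` returns an id string, neither of which is visible here). Separately, the new `catch` answers 500 for every failure, including a malformed signature header that presumably makes `httpSignature.parse` throw; that is a client error and is better reported as 400 so that bad input does not show up as server faults. `console.log('Missing http signature', req)` also writes the whole request object, headers and body included, to the log; logging `req.ip` and the claimed actor id would be enough.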
@@ -38,21 +38,21 @@ function toJSONLD (obj) {
 }
 
 function usernameToIRI (user) {
- return `https://${config.DOMAIN}/u/${user}`
+ return `https://${config.DOMAIN}/u/${user}`.toLowerCase()
 }
 
 function objectIdToIRI (oid) {
 if (oid.toHexString) {
 oid = oid.toHexString()
 }
- return `https://${config.DOMAIN}/o/${oid}`
+ return `https://${config.DOMAIN}/o/${oid}`.toLowerCase()
 }
 
 function actvityIdToIRI (oid) {
 if (oid.toHexString) {
 oid = oid.toHexString()
 }
- return `https://${config.DOMAIN}/s/${oid}`
+ return `https://${config.DOMAIN}/s/${oid}`.toLowerCase()
 }
 
 function validateObject (object) {
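Review bot: Lowercasing in `usernameToIRI` makes `Alice` and `alice` the same actor IRI, so uniqueness of the stored name has to be enforced case-insensitively wherever actors are created; that code is not in this diff, so it is worth confirming. If it is not, a second registration differing only in case would resolve to the existing actor's id. The same holds for lookups: any incoming id or `keyId` that is compared against stored ids needs the same normalisation, otherwise mixed-case references that other servers already hold stop matching. A short comment on the function would record the invariant, e.g. `// IRIs are canonicalised to lower case; compare incoming ids only after lowercasing them`.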