handle errors during signature validation. use lowercase in ids

2019-09-25 21:45:52 -05:00 · 2019-09-25 21:45:52 -05:00 · bf58e27748
commit bf58e27748
parent e47dd9286f
3 changed files with 27 additions and 18 deletions
--- a/migrations/lowerCaseIds.js
+++ b/migrations/lowerCaseIds.js
@ -0,0 +1,4 @@
+db.objects.find({type: "Group"}).forEach(function(d){
+  d.id = d.id.toLowerCase();
+  db.objects.save(d);
+});
--- a/net/security.js
+++ b/net/security.js
@ -16,21 +16,26 @@ function auth (req, res, next) {
 }

 async function verifySignature (req, res, next) {
-  if (!req.get('authorization') && !req.get('signature')) {
-    // support for apps not using signature extension to ActivityPub
-    const actor = await pub.object.resolveObject(pub.utils.actorFromActivity(req.body))
-    if (actor.publicKey && req.app.get('env') !== 'development') {
-      console.log('Missing http signature', req)
-      return res.status(400).send('Missing http signature')
+  try {
+    if (!req.get('authorization') && !req.get('signature')) {
+      // support for apps not using signature extension to ActivityPub
+      const actor = await pub.object.resolveObject(pub.utils.actorFromActivity(req.body))
+      if (actor.publicKey && req.app.get('env') !== 'development') {
+        console.log('Missing http signature', req)
+        return res.status(400).send('Missing http signature')
+      }
+      return next()
    }
-    return next()
+    const sigHead = httpSignature.parse(req)
+    const signer = await pub.object.resolveObject(sigHead.keyId, req.app.get('db'))
+    const valid = httpSignature.verifySignature(sigHead, signer.publicKey.publicKeyPem)
+    console.log('signature validation', valid)
+    if (!valid) {
+      return res.status(400).send('Invalid http signature')
+    }
+    next()
+  } catch (err) {
+    console.log('error during signature verification', err)
+    return res.status(500).send()
  }
-  const sigHead = httpSignature.parse(req)
-  const signer = await pub.object.resolveObject(sigHead.keyId, req.app.get('db'))
-  const valid = httpSignature.verifySignature(sigHead, signer.publicKey.publicKeyPem)
-  console.log('signature validation', valid)
-  if (!valid) {
-    return res.status(400).send('Invalid http signature')
-  }
-  next()
 }
--- a/pub/utils.js
+++ b/pub/utils.js
@ -38,21 +38,21 @@ function toJSONLD (obj) {
 }

 function usernameToIRI (user) {
-  return `https://${config.DOMAIN}/u/${user}`
+  return `https://${config.DOMAIN}/u/${user}`.toLowerCase()
 }

 function objectIdToIRI (oid) {
  if (oid.toHexString) {
    oid = oid.toHexString()
  }
-  return `https://${config.DOMAIN}/o/${oid}`
+  return `https://${config.DOMAIN}/o/${oid}`.toLowerCase()
 }

 function actvityIdToIRI (oid) {
  if (oid.toHexString) {
    oid = oid.toHexString()
  }
-  return `https://${config.DOMAIN}/s/${oid}`
+  return `https://${config.DOMAIN}/s/${oid}`.toLowerCase()
 }

 function validateObject (object) {