'use strict'
const httpSignature = require('http-signature')
const pub = require('../pub')
// http communication middleware
module.exports = {
  verifySignature
}

async function verifySignature (req, res, next) {
  if (!req.get('authorization')) {
    // support for apps not using signature extension to ActivityPub
    // TODO check if actor has a publicKey and require signature
    return next()
  }
  // workaround for node-http-signature#87
  const tempUrl = req.url
  req.url = req.originalUrl
  const sigHead = httpSignature.parse(req)
  req.url = tempUrl
  const signer = await pub.object.resolveObject(sigHead.keyId, req.app.get('db'))
  const valid = httpSignature.verifySignature(sigHead, signer.publicKey.publicKeyPem)
  console.log('signature validation', valid)
  if (!valid) {
    return res.status(400).send('Invalid http signature')
  }
  next()
}