27 lines
912 B
JavaScript
27 lines
912 B
JavaScript
'use strict'
|
|
const httpSignature = require('http-signature')
|
|
const pub = require('../pub')
|
|
// http communication middleware
|
|
module.exports = {
|
|
verifySignature,
|
|
}
|
|
|
|
async function verifySignature (req, res, next) {
|
|
if (!req.get('authorization')) {
|
|
// support for apps not using signature extension to ActivityPub
|
|
// TODO check if actor has a publicKey and require signature
|
|
return next()
|
|
}
|
|
// workaround for node-http-signature#87
|
|
const tempUrl = req.url
|
|
req.url = req.originalUrl
|
|
const sigHead = httpSignature.parse(req)
|
|
req.url = tempUrl
|
|
const signer = await pub.object.resolveObject(sigHead.keyId, req.app.get('db'))
|
|
const valid = httpSignature.verifySignature(sigHead, signer.publicKey.publicKeyPem)
|
|
console.log('signature validation', valid)
|
|
if (!valid) {
|
|
return res.status(400).send('Invalid http signature')
|
|
}
|
|
next()
|
|
}
|