rubberguppe/net/security.js
2019-09-22 00:20:37 -05:00

27 lines
867 B
JavaScript

'use strict'
const httpSignature = require('http-signature')
const pub = require('../pub')
// http communication middleware
module.exports = {
verifySignature
}
async function verifySignature (req, res, next) {
if (!req.get('authorization')) {
// support for apps not using signature extension to ActivityPub
// TODO check if actor has a publicKey and require signature
return next()
}
// workaround for node-http-signature#87
const tempUrl = req.url
req.url = req.originalUrl
const sigHead = httpSignature.parse(req)
req.url = tempUrl
const signer = await pub.object.resolveObject(sigHead.keyId, req.app.get('db'))
const valid = httpSignature.verifySignature(sigHead, signer.publicKey.publicKeyPem)
console.log('signature validation', valid)
if (!valid) {
return res.status(400).send('Invalid http signature')
}
next()
}