forks/peertube
1
0
Fork 0
Code Releases Activity

Handle HTTP signature draft 11

Browse source
This commit is contained in:
Chocobozzz 2022-05-06 15:11:54 +02:00
parent 822f50fa81
commit e08ec7a723
No known key found for this signature in database
GPG key ID: 583A612D890159BE
3 changed files with 23 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
server/helpers/peertube-crypto.ts
View file

@ -51,11 +51,18 @@ function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): bool
} }
function parseHTTPSignature (req: Request, clockSkew?: number) { function parseHTTPSignature (req: Request, clockSkew?: number) {
const headers = req.method === 'POST' const requiredHeaders = req.method === 'POST'
? HTTP_SIGNATURE.REQUIRED_HEADERS.POST ? [ '(request-target)', 'host', 'digest' ]
: HTTP_SIGNATURE.REQUIRED_HEADERS.ALL : [ '(request-target)', 'host' ]
return httpSignature.parse(req, { clockSkew, headers }) const parsed = httpSignature.parse(req, { clockSkew, headers: requiredHeaders })
const parsedHeaders = parsed.params.headers
if (!parsedHeaders.includes('date') && !parsedHeaders.includes('(created)')) {
throw new Error(`date or (created) must be included in signature`)
}
return parsed
} }
// JSONLD // JSONLD

6
server/initializers/constants.ts
View file

@ -589,11 +589,7 @@ const ACTIVITY_PUB_ACTOR_TYPES: { [ id: string ]: ActivityPubActorType } = {
const HTTP_SIGNATURE = { const HTTP_SIGNATURE = {
HEADER_NAME: 'signature', HEADER_NAME: 'signature',
ALGORITHM: 'rsa-sha256', ALGORITHM: 'rsa-sha256',
HEADERS_TO_SIGN: [ '(request-target)', 'host', 'date', 'digest' ], HEADERS_TO_SIGN: [ '(request-target)', '(created)', 'host', 'date', 'digest' ],
REQUIRED_HEADERS: {
ALL: [ '(request-target)', 'host', 'date' ],
POST: [ '(request-target)', 'host', 'date', 'digest' ]
},
CLOCK_SKEW_SECONDS: 1800 CLOCK_SKEW_SECONDS: 1800
} }

11
server/tests/api/activitypub/security.ts
View file

@ -147,6 +147,17 @@ describe('Test ActivityPub security', function () {
} }
}) })
it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () {
const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
const headers = buildGlobalHeaders(body)
const signatureOptions = baseHttpSignature()
signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ]
const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers)
expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
})
it('Should succeed with a valid HTTP signature', async function () { it('Should succeed with a valid HTTP signature', async function () {
const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
const headers = buildGlobalHeaders(body) const headers = buildGlobalHeaders(body)