misty.cafe/mistykey
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

merge: check signatures with and without query - fix #1036 (!966)

Browse source 
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/966

Closes #1036

Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: Marie <github@yuugi.dev>
This commit is contained in:
Marie 2025-05-05 23:23:30 +00:00
commit 893f964def
3 changed files with 58 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

29
packages/backend/src/server/ActivityPubServerService.ts
View file

@ -177,7 +177,7 @@ export class ActivityPubServerService {
this is also inspired by FireFish's `checkFetch`
*/
let signature;
let signature: httpSignature.IParsedSignature;
try {
signature = httpSignature.parseRequest(request.raw, {
@ -230,14 +230,37 @@ export class ActivityPubServerService {
return `${logPrefix} signer is suspended: refuse`;
}
let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
// some fedi implementations include the query (`?foo=bar`) in the
// signature, some don't, so we have to handle both cases
function verifyWithOrWithoutQuery() {
const httpSignatureValidated = httpSignature.verifySignature(signature, authUser!.key!.keyPem);
if (httpSignatureValidated) return true;
const requestUrl = new URL(`http://whatever${request.raw.url}`);
if (! requestUrl.search) return false;
// verification failed, the request URL contained a query, let's try without
const semiRawRequest = request.raw;
semiRawRequest.url = requestUrl.pathname;
// no need for try/catch, if the original request parsed, this
// one will, too
const signatureWithoutQuery = httpSignature.parseRequest(semiRawRequest, {
headers: ['(request-target)', 'host', 'date'],
authorizationHeaderName: 'signature',
});
return httpSignature.verifySignature(signatureWithoutQuery, authUser!.key!.keyPem);
}
let httpSignatureValidated = verifyWithOrWithoutQuery();
// maybe they changed their key? refetch it
// TODO rate-limit this using lastFetchedAt
if (!httpSignatureValidated) {
authUser.key = await this.apDbResolverService.refetchPublicKeyForApId(authUser.user);
if (authUser.key != null) {
httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
httpSignatureValidated = verifyWithOrWithoutQuery();
}
}