Server: remove encryption when seending requests to other pods

We don't need it anymore since HTTPS is mandatory now

server/controllers/api/remote.js

@@ -15,9 +15,7 @@ const Video = mongoose.model('Video')
 
 router.post('/videos',
   validators.signature,
-  validators.dataToDecrypt,
   secureMiddleware.checkSignature,
-  secureMiddleware.decryptBody,
   validators.remoteVideos,
   remoteVideos
 )

server/helpers/peertube-crypto.js

@@ -16,8 +16,6 @@ const peertubeCrypto = {
   comparePassword,
   createCertsIfNotExist,
   cryptPassword,
-  decrypt,
-  encrypt,
   sign
 }
 
@@ -57,34 +55,6 @@ function cryptPassword (password, callback) {
   })
 }
 
-function decrypt (key, data, callback) {
-  fs.readFile(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (err, file) {
-    if (err) return callback(err)
-
-    const myPrivateKey = ursa.createPrivateKey(file)
-    const decryptedKey = myPrivateKey.decrypt(key, 'hex', 'utf8')
-    const decryptedData = symetricDecrypt(data, decryptedKey)
-
-    return callback(null, decryptedData)
-  })
-}
-
-function encrypt (publicKey, data, callback) {
-  const crt = ursa.createPublicKey(publicKey)
-
-  symetricEncrypt(data, function (err, dataEncrypted) {
-    if (err) return callback(err)
-
-    const key = crt.encrypt(dataEncrypted.password, 'utf8', 'hex')
-    const encrypted = {
-      data: dataEncrypted.crypted,
-      key: key
-    }
-
-    callback(null, encrypted)
-  })
-}
-
 function sign (data) {
   const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem'))
   const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex')
@@ -151,21 +121,3 @@ function generatePassword (callback) {
     callback(null, buf.toString('utf8'))
   })
 }
-
-function symetricDecrypt (text, password) {
-  const decipher = crypto.createDecipher(algorithm, password)
-  let dec = decipher.update(text, 'hex', 'utf8')
-  dec += decipher.final('utf8')
-  return dec
-}
-
-function symetricEncrypt (text, callback) {
-  generatePassword(function (err, password) {
-    if (err) return callback(err)
-
-    const cipher = crypto.createCipher(algorithm, password)
-    let crypted = cipher.update(text, 'utf8', 'hex')
-    crypted += cipher.final('hex')
-    callback(null, { crypted: crypted, password: password })
-  })
-}

server/helpers/requests.js

@@ -44,21 +44,8 @@ function makeSecureRequest (params, callback) {
 
     // If there are data informations
     if (params.data) {
-      // Encrypt data
-      if (params.encrypt === true) {
-        peertubeCrypto.encrypt(params.toPod.publicKey, JSON.stringify(params.data), function (err, encrypted) {
-          if (err) return callback(err)
-
-          requestParams.json.data = encrypted.data
-          requestParams.json.key = encrypted.key
-
-          request.post(requestParams, callback)
-        })
-      } else {
-        // No encryption
-        requestParams.json.data = params.data
-        request.post(requestParams, callback)
-      }
+      requestParams.json.data = params.data
+      request.post(requestParams, callback)
     } else {
       // No data
       request.post(requestParams, callback)

server/middlewares/secure.js

@@ -7,15 +7,14 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
 const Pod = mongoose.model('Pod')
 
 const secureMiddleware = {
-  checkSignature,
-  decryptBody
+  checkSignature
 }
 
 function checkSignature (req, res, next) {
   const host = req.body.signature.host
   Pod.loadByHost(host, function (err, pod) {
     if (err) {
-      logger.error('Cannot get signed host in decryptBody.', { error: err })
+      logger.error('Cannot get signed host in body.', { error: err })
       return res.sendStatus(500)
     }
 
@@ -24,7 +23,7 @@ function checkSignature (req, res, next) {
       return res.sendStatus(403)
     }
 
-    logger.debug('Decrypting body from %s.', host)
+    logger.debug('Checking signature from %s.', host)
 
     const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature)
 
@@ -32,30 +31,11 @@ function checkSignature (req, res, next) {
       return next()
     }
 
-    logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.host)
+    logger.error('Signature is not okay in body for %s.', req.body.signature.host)
     return res.sendStatus(403)
   })
 }
 
-function decryptBody (req, res, next) {
-  peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
-    if (err) {
-      logger.error('Cannot decrypt data.', { error: err })
-      return res.sendStatus(500)
-    }
-
-    try {
-      req.body.data = JSON.parse(decrypted)
-      delete req.body.key
-    } catch (err) {
-      logger.error('Error in JSON.parse', { error: err })
-      return res.sendStatus(500)
-    }
-
-    next()
-  })
-}
-
 // ---------------------------------------------------------------------------
 
 module.exports = secureMiddleware

server/middlewares/validators/remote.js

@@ -4,20 +4,10 @@ const checkErrors = require('./utils').checkErrors
 const logger = require('../../helpers/logger')
 
 const validatorsRemote = {
-  dataToDecrypt,
   remoteVideos,
   signature
 }
 
-function dataToDecrypt (req, res, next) {
-  req.checkBody('key', 'Should have a key').notEmpty()
-  req.checkBody('data', 'Should have data').notEmpty()
-
-  logger.debug('Checking dataToDecrypt parameters', { parameters: { keyLength: req.body.key.length, bodyLength: req.body.data.length } })
-
-  checkErrors(req, res, next)
-}
-
 function remoteVideos (req, res, next) {
   req.checkBody('data').isEachRemoteVideosValid()
 

server/models/request.js

@@ -108,8 +108,7 @@ function makeRequest (toPod, requestEndpoint, requestsToMake, callback) {
 
   const params = {
     toPod: toPod,
-    encrypt: true, // Security
-    sign: true, // To prove our identity
+    sign: true, // Prove our identity
     method: 'POST',
     path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint,
     data: requestsToMake // Requests we need to make