Handle HTTP signature draft 11

pull/4977/head
Chocobozzz 2022-05-06 15:11:54 +02:00
parent 822f50fa81
commit e08ec7a723
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
3 changed files with 23 additions and 9 deletions

View File

@ -51,11 +51,18 @@ function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): bool
}
function parseHTTPSignature (req: Request, clockSkew?: number) {
const headers = req.method === 'POST'
? HTTP_SIGNATURE.REQUIRED_HEADERS.POST
: HTTP_SIGNATURE.REQUIRED_HEADERS.ALL
const requiredHeaders = req.method === 'POST'
? [ '(request-target)', 'host', 'digest' ]
: [ '(request-target)', 'host' ]
return httpSignature.parse(req, { clockSkew, headers })
const parsed = httpSignature.parse(req, { clockSkew, headers: requiredHeaders })
const parsedHeaders = parsed.params.headers
if (!parsedHeaders.includes('date') && !parsedHeaders.includes('(created)')) {
throw new Error(`date or (created) must be included in signature`)
}
return parsed
}
// JSONLD

View File

@ -589,11 +589,7 @@ const ACTIVITY_PUB_ACTOR_TYPES: { [ id: string ]: ActivityPubActorType } = {
const HTTP_SIGNATURE = {
HEADER_NAME: 'signature',
ALGORITHM: 'rsa-sha256',
HEADERS_TO_SIGN: [ '(request-target)', 'host', 'date', 'digest' ],
REQUIRED_HEADERS: {
ALL: [ '(request-target)', 'host', 'date' ],
POST: [ '(request-target)', 'host', 'date', 'digest' ]
},
HEADERS_TO_SIGN: [ '(request-target)', '(created)', 'host', 'date', 'digest' ],
CLOCK_SKEW_SECONDS: 1800
}

View File

@ -147,6 +147,17 @@ describe('Test ActivityPub security', function () {
}
})
it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () {
const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
const headers = buildGlobalHeaders(body)
const signatureOptions = baseHttpSignature()
signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ]
const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers)
expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
})
it('Should succeed with a valid HTTP signature', async function () {
const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
const headers = buildGlobalHeaders(body)