fixup! BREAKING: activitypub: validate fetch signatures

2023-06-23 19:53:47 +02:00 · 2023-06-23 19:53:47 +02:00 · fe0dde38c3
commit fe0dde38c3
parent f89a374e5f
6 changed files with 21 additions and 32 deletions
--- a/packages/backend/migration/1687460719276-allow-unsigned-fetches.js
+++ b/packages/backend/migration/1687460719276-allow-unsigned-fetches.js
@ -1,11 +0,0 @@
-export class allowUnsignedFetches1687460719276 {
-    name = 'allowUnsignedFetches1687460719276'
-
-    async up(queryRunner) {
-        await queryRunner.query(`ALTER TABLE "meta" ADD "allowUnsignedFetches" bool default false`);
-    }
-
-    async down(queryRunner) {
-        await queryRunner.query(`ALTER TABLE "meta" DROP COLUMN "allowUnsignedFetches"`);
-    }
-}
--- a/packages/backend/src/config/load.ts
+++ b/packages/backend/src/config/load.ts
@ -61,6 +61,7 @@ export function loadConfig(): Config {
 		proxyRemoteFiles: false,
 		maxFileSize: 262144000, // 250 MiB
 		maxNoteTextLength: 3000,
+		allowUnsignedFetches: false,
 	}, config);

 	mixin.version = meta.version;
--- a/packages/backend/src/config/types.ts
+++ b/packages/backend/src/config/types.ts
@ -68,6 +68,8 @@ export type Source = {
 		notFound?: string;
 		error?: string;
 	};
+
+	allowUnsignedFetches?: boolean;
 };

 /**
--- a/packages/backend/src/models/entities/meta.ts
+++ b/packages/backend/src/models/entities/meta.ts
@ -82,11 +82,6 @@ export class Meta {
 	})
 	public blockedHosts: string[];

-	@Column('boolean', {
-		default: false
-	})
-	public allowUnsignedFetches: boolean;
-
 	@Column('varchar', {
 		length: 512,
 		nullable: true,
--- a/packages/backend/src/server/activitypub.ts
+++ b/packages/backend/src/server/activitypub.ts
@ -61,11 +61,14 @@ export function setResponseType(ctx: Router.RouterContext): void {
 	}
 }

-export function handleSignatureResult(ctx: Router.RouterContext, result: SignatureValidationResult): boolean {
+async function handleSignature(ctx: Router.RouterContext): Promise<boolean> {
+	const result = await validateFetchSignature(ctx.req);
 	switch (result) {
+		// Fetch signature verification is disabled.
 		case 'always':
 			ctx.set('Cache-Control', 'public, max-age=180');
 			return true;
+		// Fetch signature verification succeeded.
 		case 'valid':
 			ctx.set('Cache-Control', 'no-store');
 			return true;
@ -92,7 +95,7 @@ router.post('/users/:user/inbox', json(), inbox);
 // note
 router.get('/notes/:note', async (ctx, next) => {
 	if (!isActivityPubReq(ctx)) return await next();
-	if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return;
+	if (!(await handleSignature(ctx))) return;

 	const note = await Notes.findOneBy({
 		id: ctx.params.note,
@ -129,7 +132,7 @@ router.get('/notes/:note/activity', async ctx => {
 		ctx.redirect(`/notes/${ctx.params.note}`);
 		return;
 	}
-	if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return;
+	if (!(await handleSignature(ctx))) return;

 	const note = await Notes.findOneBy({
 		id: ctx.params.note,
@ -149,25 +152,25 @@ router.get('/notes/:note/activity', async ctx => {

 // outbox
 router.get('/users/:user/outbox', async ctx => {
-	if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return;
+	if (!(await handleSignature(ctx))) return;
 	return await Outbox(ctx);
 });

 // followers
 router.get('/users/:user/followers', async ctx => {
-	if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return;
+	if (!(await handleSignature(ctx))) return;
 	return await Followers(ctx);
 });

 // following
 router.get('/users/:user/following', async ctx => {
-	if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return;
+	if (!(await handleSignature(ctx))) return;
 	return await Following(ctx);
 });

 // featured
 router.get('/users/:user/collections/featured', async ctx => {
-	if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return;
+	if (!(await handleSignature(ctx))) return;
 	return await Featured(ctx);
 });

@ -224,7 +227,7 @@ router.get('/users/:user', async (ctx, next) => {
 	// validate and enforce signatures.
 	if (user == null || !isInstanceActor(user))
 	{
-		if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return;
+		if (!(await handleSignature(ctx))) return;
 	}
 	else if (isInstanceActor(user))
 	{
@ -237,7 +240,7 @@ router.get('/users/:user', async (ctx, next) => {

 router.get('/@:user', async (ctx, next) => {
 	if (!isActivityPubReq(ctx)) return await next();
-	if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return;
+	if (!(await handleSignature(ctx))) return;

 	const user = await Users.findOneBy({
 		usernameLower: ctx.params.user.toLowerCase(),
@ -270,7 +273,7 @@ router.get('/emojis/:emoji', async ctx => {

 // like
 router.get('/likes/:like', async ctx => {
-	if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return;
+	if (!(await handleSignature(ctx))) return;
 	const reaction = await NoteReactions.findOneBy({ id: ctx.params.like });

 	if (reaction == null) {
@ -294,7 +297,7 @@ router.get('/likes/:like', async ctx => {

 // follow
 router.get('/follows/:follower/:followee', async ctx => {
-	if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return;
+	if (!(await handleSignature(ctx))) return;
 	// This may be used before the follow is completed, so we do not
 	// check if the following exists.

--- a/packages/backend/src/server/activitypub/fetch-signature.ts
+++ b/packages/backend/src/server/activitypub/fetch-signature.ts
@ -1,12 +1,12 @@
 import httpSignature from '@peertube/http-signature';
-import { toPuny } from '@/misc/convert-host.js';
-import { fetchMeta } from '@/misc/fetch-meta.js';
+import { extractDbHost } from '@/misc/convert-host.js'; 
 import { shouldBlockInstance } from '@/misc/should-block-instance.js';
 import { authUserFromKeyId, getAuthUser } from '@/remote/activitypub/misc/auth-user.js';
 import { getApId, isActor } from '@/remote/activitypub/type.js';
 import { StatusError } from '@/misc/fetch.js';
 import { Resolver } from '@/remote/activitypub/resolver.js';
 import { createPerson } from '@/remote/activitypub/models/person.js';
+import config from '@/config/index.js';

 export type SignatureValidationResult = 'missing' | 'invalid' | 'rejected' | 'valid' | 'always';

@ -39,10 +39,9 @@ async function resolveKeyId(keyId: string, resolver: Resolver): Promise<AuthUser
 }

 export async function validateFetchSignature(req: IncomingMessage): Promise<SignatureValidationResult> {
-	const meta = await fetchMeta();
 	let signature;

-	if (meta.allowUnsignedFetches === true)
+	if (config.allowUnsignedFetches === true)
 		return 'always';

 	try {
@ -60,7 +59,7 @@ export async function validateFetchSignature(req: IncomingMessage): Promise<Sign
 	if (keyIdLower.startsWith('acct:'))
 		return 'invalid';

-	const host = toPuny(new URL(keyIdLower).hostname);
+	const host = extractDbHost(keyIdLower);

 	// Reject if the host is blocked.
 	if (await shouldBlockInstance(host))