From 775212121cc3eb108bca6c4b94a3fdf6d8d8fcd1 Mon Sep 17 00:00:00 2001 From: Egor Kislitsyn Date: Thu, 19 Dec 2019 20:17:18 +0700 Subject: [PATCH] Verify HTTP signatures only when request accepts "activity+json" type --- lib/pleroma/plugs/http_signature.ex | 13 +++++++++---- test/plugs/http_signature_plug_test.exs | 4 +++- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/lib/pleroma/plugs/http_signature.ex b/lib/pleroma/plugs/http_signature.ex index ecd7a55bf..477a5b578 100644 --- a/lib/pleroma/plugs/http_signature.ex +++ b/lib/pleroma/plugs/http_signature.ex @@ -4,6 +4,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do import Plug.Conn + import Phoenix.Controller, only: [get_format: 1, text: 2] require Logger def init(options) do @@ -15,9 +16,13 @@ def call(%{assigns: %{valid_signature: true}} = conn, _opts) do end def call(conn, _opts) do - conn - |> maybe_assign_valid_signature() - |> maybe_require_signature() + if get_format(conn) == "activity+json" do + conn + |> maybe_assign_valid_signature() + |> maybe_require_signature() + else + conn + end end defp maybe_assign_valid_signature(conn) do @@ -51,7 +56,7 @@ defp maybe_require_signature(conn) do if Pleroma.Config.get([:activitypub, :authorized_fetch_mode], false) do conn |> put_status(:unauthorized) - |> Phoenix.Controller.text("Request not signed") + |> text("Request not signed") |> halt() else conn diff --git a/test/plugs/http_signature_plug_test.exs b/test/plugs/http_signature_plug_test.exs index 77e790288..55e8bafc0 100644 --- a/test/plugs/http_signature_plug_test.exs +++ b/test/plugs/http_signature_plug_test.exs @@ -7,6 +7,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do alias Pleroma.Web.Plugs.HTTPSignaturePlug import Plug.Conn + import Phoenix.Controller, only: [put_format: 2] import Mock test "it call HTTPSignatures to check validity if the actor sighed it" do @@ -20,6 +21,7 @@ test "it call HTTPSignatures to check validity if the actor sighed it" do "signature", "keyId=\"http://mastodon.example.org/users/admin#main-key" ) + |> put_format("activity+json") |> HTTPSignaturePlug.call(%{}) assert conn.assigns.valid_signature == true @@ -37,7 +39,7 @@ test "it call HTTPSignatures to check validity if the actor sighed it" do end) params = %{"actor" => "http://mastodon.example.org/users/admin"} - conn = build_conn(:get, "/doesntmattter", params) + conn = build_conn(:get, "/doesntmattter", params) |> put_format("activity+json") [conn: conn] end