Merge pull request '[PR]: Add signature to remote note lookups' (#10374) from e2net/calckey:fix/authenticated-remote-note-lookups into develop
Reviewed-on: https://codeberg.org/calckey/calckey/pulls/10374
This commit is contained in:
commit
06f569756b
5 changed files with 86 additions and 4 deletions
|
@ -7,6 +7,8 @@ import DbResolver from "@/remote/activitypub/db-resolver.js";
|
|||
import { getApId } from "@/remote/activitypub/type.js";
|
||||
import { shouldBlockInstance } from "@/misc/should-block-instance.js";
|
||||
import type { IncomingMessage } from "http";
|
||||
import type { CacheableRemoteUser } from "@/models/entities/user.js";
|
||||
import type { UserPublickey } from "@/models/entities/user-publickey.js";
|
||||
|
||||
export async function hasSignature(req: IncomingMessage): Promise<string> {
|
||||
const meta = await fetchMeta();
|
||||
|
@ -95,3 +97,22 @@ export async function checkFetch(req: IncomingMessage): Promise<number> {
|
|||
}
|
||||
return 200;
|
||||
}
|
||||
|
||||
export async function getSignatureUser(req: IncomingMessage): Promise<{
|
||||
user: CacheableRemoteUser;
|
||||
key: UserPublickey | null;
|
||||
} | null> {
|
||||
const signature = httpSignature.parseRequest(req, { headers: [] });
|
||||
const keyId = new URL(signature.keyId);
|
||||
const dbResolver = new DbResolver();
|
||||
|
||||
// Retrieve from DB by HTTP-Signature keyId
|
||||
const authUser = await dbResolver.getAuthUserFromKeyId(signature.keyId);
|
||||
if (authUser) {
|
||||
return authUser;
|
||||
}
|
||||
|
||||
// Resolve if failed to retrieve by keyId
|
||||
keyId.hash = "";
|
||||
return await dbResolver.getAuthUserFromApId(getApId(keyId.toString()));
|
||||
}
|
||||
|
|
|
@ -3,6 +3,7 @@ import { getUserKeypair } from "@/misc/keypair-store.js";
|
|||
import type { User } from "@/models/entities/user.js";
|
||||
import { getResponse } from "../../misc/fetch.js";
|
||||
import { createSignedPost, createSignedGet } from "./ap-request.js";
|
||||
import { apLogger } from "@/remote/activitypub/logger.js";
|
||||
|
||||
export default async (user: { id: User["id"] }, url: string, object: any) => {
|
||||
const body = JSON.stringify(object);
|
||||
|
@ -35,6 +36,7 @@ export default async (user: { id: User["id"] }, url: string, object: any) => {
|
|||
* @param url URL to fetch
|
||||
*/
|
||||
export async function signedGet(url: string, user: { id: User["id"] }) {
|
||||
apLogger.debug(`Running signedGet on url: ${url}`);
|
||||
const keypair = await getUserKeypair(user.id);
|
||||
|
||||
const req = createSignedGet({
|
||||
|
|
|
@ -23,6 +23,7 @@ import renderCreate from "@/remote/activitypub/renderer/create.js";
|
|||
import { renderActivity } from "@/remote/activitypub/renderer/index.js";
|
||||
import renderFollow from "@/remote/activitypub/renderer/follow.js";
|
||||
import { shouldBlockInstance } from "@/misc/should-block-instance.js";
|
||||
import { apLogger } from "@/remote/activitypub/logger.js";
|
||||
|
||||
export default class Resolver {
|
||||
private history: Set<string>;
|
||||
|
@ -34,6 +35,15 @@ export default class Resolver {
|
|||
this.recursionLimit = recursionLimit;
|
||||
}
|
||||
|
||||
public setUser(user) {
|
||||
this.user = user;
|
||||
}
|
||||
|
||||
public reset(): Resolver {
|
||||
this.history = new Set();
|
||||
return this;
|
||||
}
|
||||
|
||||
public getHistory(): string[] {
|
||||
return Array.from(this.history);
|
||||
}
|
||||
|
@ -56,15 +66,20 @@ export default class Resolver {
|
|||
}
|
||||
|
||||
if (typeof value !== "string") {
|
||||
apLogger.debug("Object to resolve is not a string");
|
||||
if (typeof value.id !== "undefined") {
|
||||
const host = extractDbHost(getApId(value));
|
||||
if (await shouldBlockInstance(host)) {
|
||||
throw new Error("instance is blocked");
|
||||
}
|
||||
}
|
||||
apLogger.debug("Returning existing object:");
|
||||
apLogger.debug(JSON.stringify(value, null, 2));
|
||||
return value;
|
||||
}
|
||||
|
||||
apLogger.debug(`Resolving: ${value}`);
|
||||
|
||||
if (value.includes("#")) {
|
||||
// URLs with fragment parts cannot be resolved correctly because
|
||||
// the fragment part does not get transmitted over HTTP(S).
|
||||
|
@ -102,6 +117,9 @@ export default class Resolver {
|
|||
this.user = await getInstanceActor();
|
||||
}
|
||||
|
||||
apLogger.debug("Getting object from remote, authenticated as user:");
|
||||
apLogger.debug(JSON.stringify(this.user, null, 2));
|
||||
|
||||
const object = (
|
||||
this.user
|
||||
? await signedGet(value, this.user)
|
||||
|
|
|
@ -20,7 +20,11 @@ import {
|
|||
import type { ILocalUser, User } from "@/models/entities/user.js";
|
||||
import { renderLike } from "@/remote/activitypub/renderer/like.js";
|
||||
import { getUserKeypair } from "@/misc/keypair-store.js";
|
||||
import { checkFetch, hasSignature } from "@/remote/activitypub/check-fetch.js";
|
||||
import {
|
||||
checkFetch,
|
||||
hasSignature,
|
||||
getSignatureUser,
|
||||
} from "@/remote/activitypub/check-fetch.js";
|
||||
import { getInstanceActor } from "@/services/instance-actor.js";
|
||||
import { fetchMeta } from "@/misc/fetch-meta.js";
|
||||
import renderFollow from "@/remote/activitypub/renderer/follow.js";
|
||||
|
@ -28,6 +32,7 @@ import Featured from "./activitypub/featured.js";
|
|||
import Following from "./activitypub/following.js";
|
||||
import Followers from "./activitypub/followers.js";
|
||||
import Outbox, { packActivity } from "./activitypub/outbox.js";
|
||||
import { serverLogger } from "./index.js";
|
||||
|
||||
// Init router
|
||||
const router = new Router();
|
||||
|
@ -84,7 +89,7 @@ router.get("/notes/:note", async (ctx, next) => {
|
|||
|
||||
const note = await Notes.findOneBy({
|
||||
id: ctx.params.note,
|
||||
visibility: In(["public" as const, "home" as const]),
|
||||
visibility: In(["public" as const, "home" as const, "followers" as const]),
|
||||
localOnly: false,
|
||||
});
|
||||
|
||||
|
@ -103,6 +108,37 @@ router.get("/notes/:note", async (ctx, next) => {
|
|||
return;
|
||||
}
|
||||
|
||||
if (note.visibility === "followers") {
|
||||
serverLogger.debug(
|
||||
"Responding to request for follower-only note, validating access...",
|
||||
);
|
||||
const remoteUser = await getSignatureUser(ctx.req);
|
||||
serverLogger.debug("Local note author user:");
|
||||
serverLogger.debug(JSON.stringify(note, null, 2));
|
||||
serverLogger.debug("Authenticated remote user:");
|
||||
serverLogger.debug(JSON.stringify(remoteUser, null, 2));
|
||||
|
||||
if (remoteUser == null) {
|
||||
serverLogger.debug("Rejecting: no user");
|
||||
ctx.status = 401;
|
||||
return;
|
||||
}
|
||||
|
||||
const relation = await Users.getRelation(remoteUser.user.id, note.userId);
|
||||
serverLogger.debug("Relation:");
|
||||
serverLogger.debug(JSON.stringify(relation, null, 2));
|
||||
|
||||
if (!relation.isFollowing || relation.isBlocked) {
|
||||
serverLogger.debug(
|
||||
"Rejecting: authenticated user is not following us or was blocked by us",
|
||||
);
|
||||
ctx.status = 403;
|
||||
return;
|
||||
}
|
||||
|
||||
serverLogger.debug("Accepting: access criteria met");
|
||||
}
|
||||
|
||||
ctx.body = renderActivity(await renderNote(note, false));
|
||||
|
||||
const meta = await fetchMeta();
|
||||
|
|
|
@ -127,6 +127,7 @@ async function fetchAny(
|
|||
|
||||
// fetching Object once from remote
|
||||
const resolver = new Resolver();
|
||||
resolver.setUser(me);
|
||||
const object = await resolver.resolve(uri);
|
||||
|
||||
// /@user If a URI other than the id is specified,
|
||||
|
@ -144,8 +145,12 @@ async function fetchAny(
|
|||
|
||||
return await mergePack(
|
||||
me,
|
||||
isActor(object) ? await createPerson(getApId(object)) : null,
|
||||
isPost(object) ? await createNote(getApId(object), undefined, true) : null,
|
||||
isActor(object)
|
||||
? await createPerson(getApId(object), resolver.reset())
|
||||
: null,
|
||||
isPost(object)
|
||||
? await createNote(getApId(object), resolver.reset(), true)
|
||||
: null,
|
||||
);
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue