Add host/digest to HTTP signature

1 files changed, 12 insertions, 3 deletions

diff --git a/src/remote/activitypub/request.ts b/src/remote/activitypub/request.ts
index 6238d3acb1..d739d08e15 100644
--- a/src/remote/activitypub/request.ts
+++ b/src/remote/activitypub/request.ts
@@ -2,6 +2,7 @@ import { request } from 'https';
 const { sign } = require('http-signature');
 import { URL } from 'url';
 import * as debug from 'debug';
+const crypto = require('crypto');
 
 import config from '../../config';
 import { ILocalUser } from '../../models/user';
@@ -13,6 +14,12 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
 
 	const { protocol, hostname, port, pathname, search } = new URL(url);
 
+	const data = JSON.stringify(object);
+
+	const sha256 = crypto.createHash('sha256');
+	sha256.update(data);
+	const hash = sha256.digest('base64');
+
 	const req = request({
 		protocol,
 		hostname,
@@ -20,7 +27,8 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
 		method: 'POST',
 		path: pathname + search,
 		headers: {
-			'Content-Type': 'application/activity+json'
+			'Content-Type': 'application/activity+json',
+			'Digest': `SHA-256=${hash}`
 		}
 	}, res => {
 		log(`${url} --> ${res.statusCode}`);
@@ -35,7 +43,8 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
 	sign(req, {
 		authorizationHeaderName: 'Signature',
 		key: user.keypair,
-		keyId: `${config.url}/users/${user._id}/publickey`
+		keyId: `${config.url}/users/${user._id}/publickey`,
+		headers: ['date', 'host', 'digest']
 	});
 
 	// Signature: Signature ... => Signature: ...
@@ -43,5 +52,5 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
 	sig = sig.replace(/^Signature /, '');
 	req.setHeader('Signature', sig);
 
-	req.end(JSON.stringify(object));
+	req.end(data);
 });