summaryrefslogtreecommitdiff
path: root/packages/backend/src/server/ActivityPubServerService.ts
diff options
context:
space:
mode:
Diffstat (limited to 'packages/backend/src/server/ActivityPubServerService.ts')
-rw-r--r--packages/backend/src/server/ActivityPubServerService.ts30
1 files changed, 27 insertions, 3 deletions
diff --git a/packages/backend/src/server/ActivityPubServerService.ts b/packages/backend/src/server/ActivityPubServerService.ts
index ea534af458..f40fbe8245 100644
--- a/packages/backend/src/server/ActivityPubServerService.ts
+++ b/packages/backend/src/server/ActivityPubServerService.ts
@@ -177,7 +177,7 @@ export class ActivityPubServerService {
this is also inspired by FireFish's `checkFetch`
*/
- let signature;
+ let signature: httpSignature.IParsedSignature;
try {
signature = httpSignature.parseRequest(request.raw, {
@@ -230,14 +230,38 @@ export class ActivityPubServerService {
return `${logPrefix} signer is suspended: refuse`;
}
- let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
+ // some fedi implementations include the query (`?foo=bar`) in the
+ // signature, some don't, so we have to handle both cases
+ function verifyWithOrWithoutQuery() {
+ const httpSignatureValidated = httpSignature.verifySignature(signature, authUser!.key!.keyPem);
+ if (httpSignatureValidated) return true;
+
+ const requestUrl = new URL(`http://whatever${request.raw.url}`);
+ if (! requestUrl.search) return false;
+
+ // verification failed, the request URL contained a query, let's try without
+ const semiRawRequest = request.raw;
+ semiRawRequest.url = requestUrl.pathname;
+
+ // no need for try/catch, if the original request parsed, this
+ // one will, too
+ const signatureWithoutQuery = httpSignature.parseRequest(semiRawRequest, {
+ headers: ['(request-target)', 'host', 'date'],
+ authorizationHeaderName: 'signature',
+ });
+
+ return httpSignature.verifySignature(signatureWithoutQuery, authUser!.key!.keyPem);
+ }
+
+ console.warn('starting verification');
+ let httpSignatureValidated = verifyWithOrWithoutQuery();
// maybe they changed their key? refetch it
// TODO rate-limit this using lastFetchedAt
if (!httpSignatureValidated) {
authUser.key = await this.apDbResolverService.refetchPublicKeyForApId(authUser.user);
if (authUser.key != null) {
- httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
+ httpSignatureValidated = verifyWithOrWithoutQuery();
}
}
generated by cgit v1.2.3-freya (git 2.53.0.84.g453e7b744a) at 2026-03-03 13:43:18 +0000