summaryrefslogtreecommitdiff
path: root/packages/backend/src/server
diff options
context:
space:
mode:
Diffstat (limited to 'packages/backend/src/server')
-rw-r--r--packages/backend/src/server/ActivityPubServerService.ts129
1 files changed, 129 insertions, 0 deletions
diff --git a/packages/backend/src/server/ActivityPubServerService.ts b/packages/backend/src/server/ActivityPubServerService.ts
index 68e426b5bc..a0ad4a134f 100644
--- a/packages/backend/src/server/ActivityPubServerService.ts
+++ b/packages/backend/src/server/ActivityPubServerService.ts
@@ -5,6 +5,7 @@
import * as crypto from 'node:crypto';
import { IncomingMessage } from 'node:http';
+import { format as formatURL } from 'node:url';
import { Inject, Injectable } from '@nestjs/common';
import fastifyAccepts from '@fastify/accepts';
import httpSignature from '@peertube/http-signature';
@@ -17,9 +18,13 @@ import type { FollowingsRepository, NotesRepository, EmojisRepository, NoteReact
import * as url from '@/misc/prelude/url.js';
import type { Config } from '@/config.js';
import { ApRendererService } from '@/core/activitypub/ApRendererService.js';
+import { ApDbResolverService } from '@/core/activitypub/ApDbResolverService.js';
import { QueueService } from '@/core/QueueService.js';
import type { MiLocalUser, MiRemoteUser, MiUser } from '@/models/User.js';
+import { MetaService } from '@/core/MetaService.js';
import { UserKeypairService } from '@/core/UserKeypairService.js';
+import { InstanceActorService } from '@/core/InstanceActorService.js';
+import type { MiUserPublickey } from '@/models/UserPublickey.js';
import type { MiFollowing } from '@/models/Following.js';
import { countIf } from '@/misc/prelude/array.js';
import type { MiNote } from '@/models/Note.js';
@@ -65,9 +70,12 @@ export class ActivityPubServerService {
@Inject(DI.followRequestsRepository)
private followRequestsRepository: FollowRequestsRepository,
+ private metaService: MetaService,
private utilityService: UtilityService,
private userEntityService: UserEntityService,
+ private instanceActorService: InstanceActorService,
private apRendererService: ApRendererService,
+ private apDbResolverService: ApDbResolverService,
private queueService: QueueService,
private userKeypairService: UserKeypairService,
private queryService: QueryService,
@@ -100,6 +108,101 @@ export class ActivityPubServerService {
}
@bindThis
+ private async shouldRefuseGetRequest(request: FastifyRequest, reply: FastifyReply, userId: string | undefined = undefined): Promise<boolean> {
+ if (!this.config.checkActivityPubGetSignature) return false;
+
+ /* this code is inspired from the `inbox` function below, and
+ `queue/processors/InboxProcessorService`
+
+ those pieces of code also check `digest`, and various bits from the
+ request body, but that only makes sense for requests with a body:
+ here we're validating GET requests
+
+ this is also inspired by FireFish's `checkFetch`
+ */
+
+ /* we always allow requests about our instance actor, because when
+ a remote instance needs to check our signature on a request we
+ sent, it will need to fetch information about the user that
+ signed it (which is our instance actor), and if we try to check
+ their signature on *that* request, we'll fetch *their* instance
+ actor... leading to an infinite recursion */
+ if (userId) {
+ const instanceActor = await this.instanceActorService.getInstanceActor();
+
+ if (userId === instanceActor.id) return false;
+ }
+
+ let signature;
+
+ try {
+ signature = httpSignature.parseRequest(request.raw, { 'headers': [] });
+ } catch (e) {
+ // not signed, or malformed signature: refuse
+ reply.code(401);
+ return true;
+ }
+
+ if (signature.params.headers.indexOf('host') === -1
+ || request.headers.host !== this.config.host) {
+ // no destination host, or not us: refuse
+ reply.code(401);
+ return true;
+ }
+
+ const keyId = new URL(signature.keyId);
+ const keyHost = this.utilityService.toPuny(keyId.hostname);
+
+ const meta = await this.metaService.fetch();
+ if (this.utilityService.isBlockedHost(meta.blockedHosts, keyHost)) {
+ /* blocked instance: refuse (we don't care if the signature is
+ good, if they even pretend to be from a blocked instance,
+ they're out) */
+ reply.code(401);
+ return true;
+ }
+
+ // do we know the signer already?
+ let authUser: {
+ user: MiRemoteUser;
+ key: MiUserPublickey | null;
+ } | null = await this.apDbResolverService.getAuthUserFromKeyId(signature.keyId);
+
+ if (authUser == null) {
+ /* keyId is often in the shape `${user.uri}#${keyname}`, try
+ fetching information about the remote user */
+ const candidate = formatURL(keyId, { fragment: false });
+ authUser = await this.apDbResolverService.getAuthUserFromApId(candidate);
+ }
+
+ if (authUser?.key == null) {
+ // we can't figure out who the signer is, or we can't get their key: refuse
+ reply.code(401);
+ return true;
+ }
+
+ let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
+
+ if (!httpSignatureValidated) {
+ // maybe they changed their key? refetch it
+ authUser.key = await this.apDbResolverService.refetchPublicKeyForApId(authUser.user);
+
+ if (authUser.key != null) {
+ httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
+ }
+ }
+
+ if (!httpSignatureValidated) {
+ // bad signature: refuse
+ reply.code(401);
+ return true;
+ }
+
+ // all good, don't refuse
+ return false;
+ }
+
+ @bindThis
private inbox(request: FastifyRequest, reply: FastifyReply) {
let signature;
@@ -172,6 +275,8 @@ export class ActivityPubServerService {
request: FastifyRequest<{ Params: { user: string; }; Querystring: { cursor?: string; page?: string; }; }>,
reply: FastifyReply,
) {
+ if (await this.shouldRefuseGetRequest(request, reply, request.params.user)) return;
+
const userId = request.params.user;
const cursor = request.query.cursor;
@@ -264,6 +369,8 @@ export class ActivityPubServerService {
request: FastifyRequest<{ Params: { user: string; }; Querystring: { cursor?: string; page?: string; }; }>,
reply: FastifyReply,
) {
+ if (await this.shouldRefuseGetRequest(request, reply, request.params.user)) return;
+
const userId = request.params.user;
const cursor = request.query.cursor;
@@ -353,6 +460,8 @@ export class ActivityPubServerService {
@bindThis
private async featured(request: FastifyRequest<{ Params: { user: string; }; }>, reply: FastifyReply) {
+ if (await this.shouldRefuseGetRequest(request, reply, request.params.user)) return;
+
const userId = request.params.user;
const user = await this.usersRepository.findOneBy({
@@ -397,6 +506,8 @@ export class ActivityPubServerService {
}>,
reply: FastifyReply,
) {
+ if (await this.shouldRefuseGetRequest(request, reply, request.params.user)) return;
+
const userId = request.params.user;
const sinceId = request.query.since_id;
@@ -551,6 +662,8 @@ export class ActivityPubServerService {
// note
fastify.get<{ Params: { note: string; } }>('/notes/:note', { constraints: { apOrHtml: 'ap' } }, async (request, reply) => {
+ if (await this.shouldRefuseGetRequest(request, reply)) return;
+
vary(reply.raw, 'Accept');
const note = await this.notesRepository.findOneBy({
@@ -581,6 +694,8 @@ export class ActivityPubServerService {
// note activity
fastify.get<{ Params: { note: string; } }>('/notes/:note/activity', async (request, reply) => {
+ if (await this.shouldRefuseGetRequest(request, reply)) return;
+
vary(reply.raw, 'Accept');
const note = await this.notesRepository.findOneBy({
@@ -623,6 +738,8 @@ export class ActivityPubServerService {
// publickey
fastify.get<{ Params: { user: string; } }>('/users/:user/publickey', async (request, reply) => {
+ if (await this.shouldRefuseGetRequest(request, reply, request.params.user)) return;
+
const userId = request.params.user;
const user = await this.usersRepository.findOneBy({
@@ -648,6 +765,8 @@ export class ActivityPubServerService {
});
fastify.get<{ Params: { user: string; } }>('/users/:user', { constraints: { apOrHtml: 'ap' } }, async (request, reply) => {
+ if (await this.shouldRefuseGetRequest(request, reply, request.params.user)) return;
+
const userId = request.params.user;
const user = await this.usersRepository.findOneBy({
@@ -660,6 +779,8 @@ export class ActivityPubServerService {
});
fastify.get<{ Params: { user: string; } }>('/@:user', { constraints: { apOrHtml: 'ap' } }, async (request, reply) => {
+ if (await this.shouldRefuseGetRequest(request, reply, request.params.user)) return;
+
const user = await this.usersRepository.findOneBy({
usernameLower: request.params.user.toLowerCase(),
host: IsNull(),
@@ -672,6 +793,8 @@ export class ActivityPubServerService {
// emoji
fastify.get<{ Params: { emoji: string; } }>('/emojis/:emoji', async (request, reply) => {
+ if (await this.shouldRefuseGetRequest(request, reply)) return;
+
const emoji = await this.emojisRepository.findOneBy({
host: IsNull(),
name: request.params.emoji,
@@ -689,6 +812,8 @@ export class ActivityPubServerService {
// like
fastify.get<{ Params: { like: string; } }>('/likes/:like', async (request, reply) => {
+ if (await this.shouldRefuseGetRequest(request, reply)) return;
+
const reaction = await this.noteReactionsRepository.findOneBy({ id: request.params.like });
if (reaction == null) {
@@ -710,6 +835,8 @@ export class ActivityPubServerService {
// follow
fastify.get<{ Params: { follower: string; followee: string; } }>('/follows/:follower/:followee', async (request, reply) => {
+ if (await this.shouldRefuseGetRequest(request, reply)) return;
+
// This may be used before the follow is completed, so we do not
// check if the following exists.
@@ -736,6 +863,8 @@ export class ActivityPubServerService {
// follow
fastify.get<{ Params: { followRequestId: string ; } }>('/follows/:followRequestId', async (request, reply) => {
+ if (await this.shouldRefuseGetRequest(request, reply)) return;
+
// This may be used before the follow is completed, so we do not
// check if the following exists and only check if the follow request exists.
generated by cgit v1.2.3-freya (git 2.53.0.84.g453e7b744a) at 2026-03-03 12:51:59 +0000