54 lines
2.9 KiB
JavaScript
54 lines
2.9 KiB
JavaScript
'use strict';
|
|
|
|
var db = require('../lib/db');
|
|
var express = require('express');
|
|
var jsonld = require('jsonld');
|
|
var crypto = require('crypto');
|
|
|
|
module.exports = {
|
|
/**
|
|
* @param {express.IRoute} routeObj
|
|
*/
|
|
route: (routeObj) => {
|
|
routeObj.post(async (req, res, _next) => {
|
|
// So, inbox only cares about the request. So what do we care about on the request?
|
|
var take_at_face_value = false;
|
|
// 1. If it is signed...
|
|
if ( req.header("signature") ) {
|
|
// ... and said signature is valid...
|
|
var signature_split = req.header("signature").split(/,/);
|
|
var signature_elements = {};
|
|
signature_split.forEach((obj) => {
|
|
signature_elements[obj.split('"')[1].split(/=/)[0]] = obj.split('"')[1].split(/=/)[1];
|
|
});
|
|
var headers_to_check = signature_elements["headers"].split(/ /);
|
|
if ( headers_to_check.includes("host") && headers_to_check.includes("date") && headers_to_check.includes("digest") && headers_to_check.includes("(request-target)")) {
|
|
// ... and checks all the correct headers...
|
|
var digest = crypto.createHash("sha256").update(req.body).end().digest("hex");
|
|
if ( digest === req.header("digest") ) {
|
|
// ... and the body is un-tampered...
|
|
var signed_block = headers_to_check.map((header) => {
|
|
if ( header === "(request-target)" ) {
|
|
return `(request-target): ${req.method.toLowerCase()} ${req.originalUrl}`;
|
|
} else {
|
|
return `${header}: ${req.header(header)}`;
|
|
}
|
|
}).join('\n');
|
|
// ... then lets dump this in the queue for now.
|
|
// TODO: This'll probably be a bug someday: https://stackoverflow.com/a/69299910
|
|
await db("queue").insert({task: "verify_inbox", data: JSON.stringify({sig_header: req.header("signature"), signed_block, body: req.rawBody.toString("UTF-8"), date: (new Date()).toISOString(), actor: `${req.hostname}@${req.hostname}`})});
|
|
res.status(204);
|
|
return res.end();
|
|
}
|
|
}
|
|
}
|
|
if ( !take_at_face_value ) {
|
|
// 2. If the signature is not valid, or non-existant, then we fetch the resource manually.
|
|
var bodyParsed = await jsonld.compact(req.body, 'https://www.w3.org/ns/activitystreams');
|
|
await db("queue").insert({task: "fetch_object", data: JSON.stringify({object: bodyParsed.id, actor: `${req.hostname}@${req.hostname}`})});
|
|
res.status(204);
|
|
return res.end();
|
|
}
|
|
});
|
|
}
|
|
};
|