Verify HTTP signatures only when request accepts "activity+json" type

This commit is contained in:
Egor Kislitsyn 2019-12-19 20:17:18 +07:00
parent 36d66d9655
commit 775212121c
No known key found for this signature in database
GPG Key ID: 1B49CB15B71E7805
2 changed files with 12 additions and 5 deletions

View File

@ -4,6 +4,7 @@
defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
import Plug.Conn import Plug.Conn
import Phoenix.Controller, only: [get_format: 1, text: 2]
require Logger require Logger
def init(options) do def init(options) do
@ -15,9 +16,13 @@ def call(%{assigns: %{valid_signature: true}} = conn, _opts) do
end end
def call(conn, _opts) do def call(conn, _opts) do
if get_format(conn) == "activity+json" do
conn conn
|> maybe_assign_valid_signature() |> maybe_assign_valid_signature()
|> maybe_require_signature() |> maybe_require_signature()
else
conn
end
end end
defp maybe_assign_valid_signature(conn) do defp maybe_assign_valid_signature(conn) do
@ -51,7 +56,7 @@ defp maybe_require_signature(conn) do
if Pleroma.Config.get([:activitypub, :authorized_fetch_mode], false) do if Pleroma.Config.get([:activitypub, :authorized_fetch_mode], false) do
conn conn
|> put_status(:unauthorized) |> put_status(:unauthorized)
|> Phoenix.Controller.text("Request not signed") |> text("Request not signed")
|> halt() |> halt()
else else
conn conn

View File

@ -7,6 +7,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
alias Pleroma.Web.Plugs.HTTPSignaturePlug alias Pleroma.Web.Plugs.HTTPSignaturePlug
import Plug.Conn import Plug.Conn
import Phoenix.Controller, only: [put_format: 2]
import Mock import Mock
test "it call HTTPSignatures to check validity if the actor sighed it" do test "it call HTTPSignatures to check validity if the actor sighed it" do
@ -20,6 +21,7 @@ test "it call HTTPSignatures to check validity if the actor sighed it" do
"signature", "signature",
"keyId=\"http://mastodon.example.org/users/admin#main-key" "keyId=\"http://mastodon.example.org/users/admin#main-key"
) )
|> put_format("activity+json")
|> HTTPSignaturePlug.call(%{}) |> HTTPSignaturePlug.call(%{})
assert conn.assigns.valid_signature == true assert conn.assigns.valid_signature == true
@ -37,7 +39,7 @@ test "it call HTTPSignatures to check validity if the actor sighed it" do
end) end)
params = %{"actor" => "http://mastodon.example.org/users/admin"} params = %{"actor" => "http://mastodon.example.org/users/admin"}
conn = build_conn(:get, "/doesntmattter", params) conn = build_conn(:get, "/doesntmattter", params) |> put_format("activity+json")
[conn: conn] [conn: conn]
end end