http signature plug: remove redundant checks handled by HTTPSignatures library

the redundant checks assumed a POST request, which will not work for signed GETs.
this check was originally needed because the HTTPSignatures adapter assumed that
the requests were also POST requests.  but now, the adapter has been corrected.
This commit is contained in:
Ariadne Conill 2019-07-18 15:06:58 +00:00
parent f9a0014681
commit 88d064d80e
2 changed files with 21 additions and 48 deletions

View File

@ -3,7 +3,6 @@
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
alias Pleroma.Web.ActivityPub.Utils
import Plug.Conn
require Logger
@ -16,12 +15,9 @@ def call(%{assigns: %{valid_signature: true}} = conn, _opts) do
end
def call(conn, _opts) do
user = Utils.get_ap_id(conn.params["actor"])
Logger.debug("Checking sig for #{user}")
[signature | _] = get_req_header(conn, "signature")
cond do
signature && String.contains?(signature, user) ->
if signature do
# set (request-target) header to the appropriate value
# we also replace the digest header with the one we computed
conn =
@ -40,12 +36,7 @@ def call(conn, _opts) do
end
assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
signature ->
Logger.debug("Signature not from actor")
assign(conn, :valid_signature, false)
true ->
else
Logger.debug("No signature header!")
conn
end

View File

@ -26,22 +26,4 @@ test "it call HTTPSignatures to check validity if the actor sighed it" do
assert called(HTTPSignatures.validate_conn(:_))
end
end
test "bails out early if the signature isn't by the activity actor" do
params = %{"actor" => "https://mst3k.interlinked.me/users/luciferMysticus"}
conn = build_conn(:get, "/doesntmattter", params)
with_mock HTTPSignatures, validate_conn: fn _ -> false end do
conn =
conn
|> put_req_header(
"signature",
"keyId=\"http://mastodon.example.org/users/admin#main-key"
)
|> HTTPSignaturePlug.call(%{})
assert conn.assigns.valid_signature == false
refute called(HTTPSignatures.validate_conn(:_))
end
end
end