activitypub: verify remote http signature digests by recomputing the digest and replacing the digest header
This commit is contained in:
parent
2890aef9e8
commit
8da406afa2
3 changed files with 22 additions and 1 deletions
10
lib/pleroma/plugs/digest.ex
Normal file
10
lib/pleroma/plugs/digest.ex
Normal file
|
@ -0,0 +1,10 @@
|
|||
defmodule Pleroma.Web.Plugs.DigestPlug do
|
||||
alias Plug.Conn
|
||||
require Logger
|
||||
|
||||
def read_body(conn, opts) do
|
||||
{:ok, body, conn} = Conn.read_body(conn, opts)
|
||||
digest = "SHA-256=" <> (:crypto.hash(:sha256, body) |> Base.encode64())
|
||||
{:ok, body, Conn.assign(conn, :digest, digest)}
|
||||
end
|
||||
end
|
|
@ -19,6 +19,8 @@ def call(conn, _opts) do
|
|||
|
||||
cond do
|
||||
signature && String.contains?(signature, user) ->
|
||||
# set (request-target) header to the appropriate value
|
||||
# we also replace the digest header with the one we computed
|
||||
conn =
|
||||
conn
|
||||
|> put_req_header(
|
||||
|
@ -26,6 +28,14 @@ def call(conn, _opts) do
|
|||
String.downcase("#{conn.method}") <> " #{conn.request_path}"
|
||||
)
|
||||
|
||||
conn =
|
||||
if conn.assigns[:digest] do
|
||||
conn
|
||||
|> put_req_header("digest", conn.assigns[:digest])
|
||||
else
|
||||
conn
|
||||
end
|
||||
|
||||
assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
|
||||
|
||||
signature ->
|
||||
|
|
|
@ -35,7 +35,8 @@ defmodule Pleroma.Web.Endpoint do
|
|||
parsers: [:urlencoded, :multipart, :json],
|
||||
pass: ["*/*"],
|
||||
json_decoder: Jason,
|
||||
length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit)
|
||||
length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit),
|
||||
body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
|
||||
)
|
||||
|
||||
plug(Plug.MethodOverride)
|
||||
|
|
Loading…
Reference in a new issue