mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-08-19 08:51:10 +00:00
Code Issues Projects Releases Packages Wiki Activity
forgejo/routers/api/v1/activitypub/reqsignature.go
Michael Jerger e271c24100 fix: assorted ActivityPub code only refactors (#8274) 
Fix parts of issue https://codeberg.org/forgejo/forgejo/issues/8221
and PR https://codeberg.org/forgejo/forgejo/pulls/4767

- PostgreSQL
- TestActivityPubPerson/SignedRequestValidation

```
    --- FAIL: TestActivityPubPerson/SignedRequestValidation (5.01s)
        api_activitypub_person_test.go:51:
            	Error Trace:	/workspace/forgejo/forgejo/tests/integration/api_activitypub_person_test.go:51
            	Error:      	Received unexpected error:
            	            	Get "http://127.0.0.1:3002/api/v1/activitypub/user-id/2": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
            	Test:       	TestActivityPubPerson/SignedRequestValidation
    testlogger.go:411: 2025/06/24 00:12:27 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/activitypub/user-id/2 for 127.0.0.1:50456, 200 OK in 5032.2ms @ activitypub/person.go:21(activitypub.Person)
```

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8274
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-committed-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
2025-07-25 18:01:43 +02:00

94 lines
2.6 KiB
Go
Raw Blame History

// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package activitypub
import (
"net/http"
"forgejo.org/modules/log"
"forgejo.org/modules/setting"
services_context "forgejo.org/services/context"
"forgejo.org/services/federation"
"github.com/42wim/httpsig"
)
func verifyHTTPUserOrInstanceSignature(ctx services_context.APIContext) (authenticated bool, err error) {
if !setting.Federation.SignatureEnforced {
return true, nil
}
r := ctx.Req
// 1. Figure out what key we need to verify
v, err := httpsig.NewVerifier(r)
if err != nil {
return false, err
}
signatureAlgorithm := httpsig.Algorithm(setting.Federation.SignatureAlgorithms[0])
pubKey, err := federation.FindOrCreateFederatedUserKey(ctx, v.KeyId())
if err != nil || pubKey == nil {
pubKey, err = federation.FindOrCreateFederationHostKey(ctx, v.KeyId())
if err != nil {
return false, err
}
}
err = v.Verify(pubKey, signatureAlgorithm)
if err != nil {
return false, err
}
return true, nil
}
func verifyHTTPUserSignature(ctx services_context.APIContext) (authenticated bool, err error) {
if !setting.Federation.SignatureEnforced {
return true, nil
}
r := ctx.Req
// 1. Figure out what key we need to verify
v, err := httpsig.NewVerifier(r)
if err != nil {
return false, err
}
signatureAlgorithm := httpsig.Algorithm(setting.Federation.SignatureAlgorithms[0])
pubKey, err := federation.FindOrCreateFederatedUserKey(ctx, v.KeyId())
if err != nil {
return false, err
}
err = v.Verify(pubKey, signatureAlgorithm)
if err != nil {
return false, err
}
return true, nil
}
// ReqHTTPSignature function
func ReqHTTPUserOrInstanceSignature() func(ctx *services_context.APIContext) {
return func(ctx *services_context.APIContext) {
if authenticated, err := verifyHTTPUserOrInstanceSignature(*ctx); err != nil {
log.Warn("verifyHttpSignatures failed: %v", err)
ctx.Error(http.StatusBadRequest, "reqSignature", "request signature verification failed")
} else if !authenticated {
ctx.Error(http.StatusForbidden, "reqSignature", "request signature verification failed")
}
}
}
// ReqHTTPUserSignature function
func ReqHTTPUserSignature() func(ctx *services_context.APIContext) {
return func(ctx *services_context.APIContext) {
if authenticated, err := verifyHTTPUserSignature(*ctx); err != nil {
log.Warn("verifyHttpSignatures failed: %v", err)
ctx.Error(http.StatusBadRequest, "reqSignature", "request signature verification failed")
} else if !authenticated {
ctx.Error(http.StatusForbidden, "reqSignature", "request signature verification failed")
}
}
}
Reference in a new issue View git blame Copy permalink