src/middleware/activitypub.js

'use strict';

const db = require('../database');
const meta = require('../meta');
const activitypub = require('../activitypub');

const middleware = module.exports;

middleware.enabled = async (req, res, next) => next(!meta.config.activitypubEnabled ? 'route' : undefined);

middleware.assertS2S = async function (req, res, next) {
	// For whatever reason, express accepts does not recognize "profile" as a valid differentiator
	// Therefore, manual header parsing is used here.
	const { accept, 'content-type': contentType } = req.headers;
	if (!(accept || contentType)) {
		return next('route');
	}

	const pass = (accept && accept.split(',').some((value) => {
		const parts = value.split(';').map(v => v.trim());
		return activitypub._constants.acceptableTypes.includes(value || parts[0]);
	})) || (contentType && activitypub._constants.acceptableTypes.includes(contentType));

	if (!pass) {
		return next('route');
	}

	next();
};

middleware.validate = async function (req, res, next) {
	// winston.verbose('[middleware/activitypub] Validating incoming payload...');

	// Sanity-check payload schema
	const required = ['id', 'type', 'actor', 'object'];
	if (!required.every(prop => req.body.hasOwnProperty(prop))) {
		// winston.verbose('[middleware/activitypub] Request body missing required properties.');
		return res.sendStatus(400);
	}
	// winston.verbose('[middleware/activitypub] Request body check passed.');

	// History check
	/*
	const seen = await db.isSortedSetMember('activities:datetime', req.body.id);
	if (seen) {
		// winston.verbose(`[middleware/activitypub] Activity already seen, ignoring (${req.body.id}).`);
		return res.sendStatus(200);
	}
	*/

	// Checks the validity of the incoming payload against the sender and rejects on failure
	const verified = await activitypub.verify(req);
	if (!verified) {
		// winston.verbose('[middleware/activitypub] HTTP signature verification failed.');
		return res.sendStatus(400);
	}
	// winston.verbose('[middleware/activitypub] HTTP signature verification passed.');

	let { actor, object } = req.body;

	// Actor normalization
	if (typeof actor === 'object' && actor.hasOwnProperty('id')) {
		actor = actor.id;
		req.body.actor = actor;
	}
	if (Array.isArray(actor)) {
		actor = actor.map(a => (typeof a === 'string' ? a : a.id));
		req.body.actor = actor;
	}

	// Domain check
	const { hostname } = new URL(actor);
	await db.sortedSetAdd('instances:lastSeen', Date.now(), hostname);

	// Origin checking
	if (typeof object !== 'string' && object.hasOwnProperty('id')) {
		const actorHostnames = Array.isArray(actor) ? actor.map(a => new URL(a).hostname) : [new URL(actor).hostname];
		const objectHostname = new URL(object.id).hostname;
		// require that all actors have the same hostname as the object for now
		if (!actorHostnames.every(actorHostname => actorHostname === objectHostname)) {
			// winston.verbose('[middleware/activitypub] Origin check failed, stripping object down to id.');
			req.body.object = [object.id];
		}
		// winston.verbose('[middleware/activitypub] Origin check passed.');
	}

	// Cross-check key ownership against received actor
	await activitypub.actors.assert(actor);
	const compare = await db.getObjectField(`userRemote:${actor}:keys`, 'id');
	const { signature } = req.headers;
	const keyId = new Map(signature.split(',').filter(Boolean).map((v) => {
		const index = v.indexOf('=');
		return [v.substring(0, index), v.slice(index + 1)];
	})).get('keyId');
	if (`"${compare}"` !== keyId) {
		// winston.verbose('[middleware/activitypub] Key ownership cross-check failed.');
		return res.sendStatus(403);
	}
	// winston.verbose('[middleware/activitypub] Key ownership cross-check passed.');

	next();
};

middleware.resolveObjects = async function (req, res, next) {
	const { type, object } = req.body;
	if (type !== 'Delete' && (typeof object === 'string' || (Array.isArray(object) && object.every(o => typeof o === 'string')))) {
		// winston.verbose('[middleware/activitypub] Resolving object(s)...');
		try {
			req.body.object = await activitypub.helpers.resolveObjects(object);
			// winston.verbose('[middleware/activitypub] Object(s) successfully resolved.');
		} catch (e) {
			// winston.verbose('[middleware/activitypub] Failed to resolve object(s).');
			return res.sendStatus(424);
		}
	}
	next();
};

middleware.configureResponse = async function (req, res, next) {
	res.header('Content-Type', 'application/activity+json');
	next();
};
refactor: move activitypub-related middlewares to their own file 2024-01-18 11:50:14 -05:00			`'use strict';`

feat: security, cross-check key ownership against received actor 2024-02-21 13:43:56 -05:00			`const db = require('../database');`
refactor: move activitypub-related middlewares to their own file 2024-01-18 11:50:14 -05:00			`const meta = require('../meta');`
			`const activitypub = require('../activitypub');`

			`const middleware = module.exports;`

			`middleware.enabled = async (req, res, next) => next(!meta.config.activitypubEnabled ? 'route' : undefined);`

			`middleware.assertS2S = async function (req, res, next) {`
			`// For whatever reason, express accepts does not recognize "profile" as a valid differentiator`
			`// Therefore, manual header parsing is used here.`
			`const { accept, 'content-type': contentType } = req.headers;`
			`if (!(accept \|\| contentType)) {`
			`return next('route');`
			`}`

			`const pass = (accept && accept.split(',').some((value) => {`
			`const parts = value.split(';').map(v => v.trim());`
fix: support ldjson with ActivityStreams profile in actor queries 2024-04-08 20:06:26 +02:00			`return activitypub._constants.acceptableTypes.includes(value \|\| parts[0]);`
			`})) \|\| (contentType && activitypub._constants.acceptableTypes.includes(contentType));`
refactor: move activitypub-related middlewares to their own file 2024-01-18 11:50:14 -05:00
			`if (!pass) {`
			`return next('route');`
			`}`

			`next();`
			`};`

			`middleware.validate = async function (req, res, next) {`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] Validating incoming payload...');`
refactor: move activitypub-related middlewares to their own file 2024-01-18 11:50:14 -05:00
			`// Sanity-check payload schema`
feat: track incoming requests by id, analytics increment for some metrics, ignore repeated requests by id closes #12574 2024-05-14 12:06:59 -04:00			`const required = ['id', 'type', 'actor', 'object'];`
refactor: move activitypub-related middlewares to their own file 2024-01-18 11:50:14 -05:00			`if (!required.every(prop => req.body.hasOwnProperty(prop))) {`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] Request body missing required properties.');`
refactor: move activitypub-related middlewares to their own file 2024-01-18 11:50:14 -05:00			`return res.sendStatus(400);`
			`}`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] Request body check passed.');`
refactor: move activitypub-related middlewares to their own file 2024-01-18 11:50:14 -05:00
feat: track incoming requests by id, analytics increment for some metrics, ignore repeated requests by id closes #12574 2024-05-14 12:06:59 -04:00			`// History check`
chore: lint 2024-06-14 11:49:25 -04:00			`/*`
			`const seen = await db.isSortedSetMember('activities:datetime', req.body.id);`
			`if (seen) {`
			// winston.verbose(`[middleware/activitypub] Activity already seen, ignoring (${req.body.id}).`);
			`return res.sendStatus(200);`
			`}`
			`*/`
feat: track incoming requests by id, analytics increment for some metrics, ignore repeated requests by id closes #12574 2024-05-14 12:06:59 -04:00
			`// Checks the validity of the incoming payload against the sender and rejects on failure`
			`const verified = await activitypub.verify(req);`
			`if (!verified) {`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] HTTP signature verification failed.');`
feat: track incoming requests by id, analytics increment for some metrics, ignore repeated requests by id closes #12574 2024-05-14 12:06:59 -04:00			`return res.sendStatus(400);`
			`}`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] HTTP signature verification passed.');`
feat: track incoming requests by id, analytics increment for some metrics, ignore repeated requests by id closes #12574 2024-05-14 12:06:59 -04:00
fix: save modified actor back to req.body 2024-04-12 11:08:31 -04:00			`let { actor, object } = req.body;`
feat: security, cross-check key ownership against received actor 2024-02-21 13:43:56 -05:00
feat: noremalize actor property in middleware 2024-04-12 16:42:54 +02:00			`// Actor normalization`
			`if (typeof actor === 'object' && actor.hasOwnProperty('id')) {`
fix: save modified actor back to req.body 2024-04-12 11:08:31 -04:00			`actor = actor.id;`
			`req.body.actor = actor;`
feat: noremalize actor property in middleware 2024-04-12 16:42:54 +02:00			`}`
			`if (Array.isArray(actor)) {`
fix: save modified actor back to req.body 2024-04-12 11:08:31 -04:00			`actor = actor.map(a => (typeof a === 'string' ? a : a.id));`
			`req.body.actor = actor;`
feat: noremalize actor property in middleware 2024-04-12 16:42:54 +02:00			`}`

feat: store encountered instances by last seen date 2024-06-17 15:08:22 -04:00			`// Domain check`
			`const { hostname } = new URL(actor);`
			`await db.sortedSetAdd('instances:lastSeen', Date.now(), hostname);`

feat: security, cross-check key ownership against received actor 2024-02-21 13:43:56 -05:00			`// Origin checking`
feat: fine-grained privileges integration for fediverse users and world pseudo-category 2024-02-26 11:39:32 -05:00			`if (typeof object !== 'string' && object.hasOwnProperty('id')) {`
feat: noremalize actor property in middleware 2024-04-12 16:42:54 +02:00			`const actorHostnames = Array.isArray(actor) ? actor.map(a => new URL(a).hostname) : [new URL(actor).hostname];`
fix: check origin only if object is a string 2024-02-21 14:05:54 -05:00			`const objectHostname = new URL(object.id).hostname;`
feat: noremalize actor property in middleware 2024-04-12 16:42:54 +02:00			`// require that all actors have the same hostname as the object for now`
			`if (!actorHostnames.every(actorHostname => actorHostname === objectHostname)) {`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] Origin check failed, stripping object down to id.');`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`req.body.object = [object.id];`
fix: check origin only if object is a string 2024-02-21 14:05:54 -05:00			`}`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] Origin check passed.');`
feat: security, cross-check key ownership against received actor 2024-02-21 13:43:56 -05:00			`}`

			`// Cross-check key ownership against received actor`
			`await activitypub.actors.assert(actor);`
			const compare = await db.getObjectField(`userRemote:${actor}:keys`, 'id');
			`const { signature } = req.headers;`
fix: update signature parsing logic to handle values with equal signs in them, closes #12538 2024-04-28 23:25:46 -04:00			`const keyId = new Map(signature.split(',').filter(Boolean).map((v) => {`
			`const index = v.indexOf('=');`
			`return [v.substring(0, index), v.slice(index + 1)];`
			`})).get('keyId');`
feat: security, cross-check key ownership against received actor 2024-02-21 13:43:56 -05:00			if (`"${compare}"` !== keyId) {
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] Key ownership cross-check failed.');`
feat: security, cross-check key ownership against received actor 2024-02-21 13:43:56 -05:00			`return res.sendStatus(403);`
			`}`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] Key ownership cross-check passed.');`
feat: security, cross-check key ownership against received actor 2024-02-21 13:43:56 -05:00
refactor: move activitypub-related middlewares to their own file 2024-01-18 11:50:14 -05:00			`next();`
			`};`
feat: send proper content-type on AP S2S responses 2024-02-05 14:11:32 -05:00
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`middleware.resolveObjects = async function (req, res, next) {`
feat: Note deletion logic and refactoring, #12551 2024-05-09 15:48:58 -04:00			`const { type, object } = req.body;`
			`if (type !== 'Delete' && (typeof object === 'string' \|\| (Array.isArray(object) && object.every(o => typeof o === 'string')))) {`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] Resolving object(s)...');`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`try {`
			`req.body.object = await activitypub.helpers.resolveObjects(object);`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] Object(s) successfully resolved.');`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`} catch (e) {`
refactor: remove verbose logs, 2024-06-07 12:13:28 -04:00			`// winston.verbose('[middleware/activitypub] Failed to resolve object(s).');`
fix: use a slightly better error code to indicate object resolution failure 2024-04-10 18:15:50 +02:00			`return res.sendStatus(424);`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`}`
			`}`
			`next();`
			`};`

feat: send proper content-type on AP S2S responses 2024-02-05 14:11:32 -05:00			`middleware.configureResponse = async function (req, res, next) {`
			`res.header('Content-Type', 'application/activity+json');`
			`next();`
			`};`