Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-27 17:16:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: automatically reject unsigned POSTs to inbox

Browse Source
This commit is contained in:
Julian Lam
2024-01-19 11:43:21 -05:00
parent 2ff70fdde2
commit a3e1a666b8
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/activitypub/index.js
View File

@@ -138,6 +138,10 @@ ActivityPub.sign = async (uid, url, payload) => {
}; };
ActivityPub.verify = async (req) => { ActivityPub.verify = async (req) => {
if (!req.headers.hasOwnProperty('signature')) {
return false;
}
// Break the signature apart // Break the signature apart
const { keyId, headers, signature } = req.headers.signature.split(',').reduce((memo, cur) => { const { keyId, headers, signature } = req.headers.signature.split(',').reduce((memo, cur) => {
const split = cur.split('="'); const split = cur.split('="');
@@ -181,6 +185,7 @@ ActivityPub.get = async (uid, uri) => {
const headers = uid > 0 ? await ActivityPub.sign(uid, uri) : {}; const headers = uid > 0 ? await ActivityPub.sign(uid, uri) : {};
winston.verbose(`[activitypub/get] ${uri}`); winston.verbose(`[activitypub/get] ${uri}`);
console.log(headers);
const { response, body } = await request.get(uri, { const { response, body } = await request.get(uri, {
headers: { headers: {
...headers, ...headers,