authorFChannel <>2021-06-06 14:28:27 -0700
committerFChannel <>2021-06-06 14:28:27 -0700
commit96f71a374a9b7f7982a1ca750a33b87034aad46c (patch)
treea1b08b317443a3335caadc7c170a3f2219e5c43d
parent42cf749f7923ac33194ab87b8dce060f46a220bc (diff)
verifying outbox activity requests with signature integration
-rw-r--r--database.go12
-rw-r--r--main.go138
-rw-r--r--outboxPost.go101
3 files changed, 84 insertions, 167 deletions
diff --git a/database.go b/database.go
index 0898876..948bb38 100644
--- a/database.go
+++ b/database.go
@@ -105,21 +105,22 @@ func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{
nverify.Board = actor.Id
nverify.Identifier = "post"
nverify.Type = "post"
- CreateBoardMod(db, nverify)
+ CreateBoardMod(db, nverify)
+ CreatePem(db, actor)
+
if actor.Name != "main" {
- var nActor Actor
var nObject ObjectBase
var nActivity Activity
+ nActor := GetActorFromDB(db, Domain)
nActivity.AtContext.Context = "https://www.w3.org/ns/activitystreams"
nActivity.Type = "Follow"
nActivity.Actor = &nActor
nActivity.Object = &nObject
- nActivity.Actor.Id = Domain
- var mActor Actor
+
+ mActor := GetActorFromDB(db, actor.Id)
nActivity.Object.Actor = &mActor
- nActivity.Object.Actor.Id = actor.Id
nActivity.To = append(nActivity.To, actor.Id)
response := AcceptFollow(nActivity)
@@ -127,7 +128,6 @@ func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{
MakeActivityRequest(db, nActivity)
}
- CreatePem(db, actor)
}
return actor
diff --git a/main.go b/main.go
index 34c8186..9e34264 100644
--- a/main.go
+++ b/main.go
@@ -435,11 +435,11 @@ func main() {
followActivity.AtContext.Context = "https://www.w3.org/ns/activitystreams"
followActivity.Type = "Follow"
- var nactor Actor
- var obj ObjectBase
+
+ var obj ObjectBase
+ nactor := FingerActor(r.FormValue("actor"))
followActivity.Actor = &nactor
followActivity.Object = &obj
- followActivity.Actor.Id = r.FormValue("actor")
var mactor Actor
followActivity.Object.Actor = &mactor
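Review bot: The result of `FingerActor(r.FormValue("actor"))` is used unchecked, and with this commit it also decides where the signed request is sent: `MakeActivityRequestOutbox` posts to `activity.Actor.Outbox`, whereas the removed code posted to the handler's own `actor.Outbox`. A form value that does not resolve, or that resolves to an actor on another instance, would give an empty or remote outbox URL; what `ActivitySign` does for an actor without a local key is not visible here. Assuming the form value is meant to name the board being managed (the outbox side still requires `activity.Actor.Id == actor.Id`), I would reject anything else before building the activity: `if nactor.Id == "" || nactor.Id != actor.Id { w.WriteHeader(http.StatusBadRequest); return }`. The enclosing handler starts and ends outside this hunk.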
@@ -451,36 +451,14 @@ func main() {
return
}
- enc, _ := json.Marshal(followActivity)
-
- req, err := http.NewRequest("POST", actor.Outbox, bytes.NewBuffer(enc))
-
- CheckError(err, "error with follow req")
-
- _, pass := GetPasswordFromSession(r)
-
- pass = CreateTripCode(pass)
- pass = CreateTripCode(pass)
-
- req.Header.Set("Authorization", "Basic " + pass)
-
- req.Header.Set("Content-Type", activitystreams)
-
- resp, err := http.DefaultClient.Do(req)
-
- if err != nil && resp.StatusCode != 200 {
- fmt.Println("error with add board follow resp")
- } else {
- FollowingBoards = GetActorFollowingDB(db, Domain)
- Boards = GetBoardCollection(db)
- }
+ MakeActivityRequestOutbox(db, followActivity)
var redirect string
if(actor.Name != "main") {
redirect = "/" + actor.Name
}
- http.Redirect(w, r, "/" + *Key + "/" + redirect, http.StatusSeeOther)
+ http.Redirect(w, r, "/" + *Key + "/" + redirect, http.StatusSeeOther)
} else if manage && actor.Name != "" {
t := template.Must(template.ParseFiles("./static/main.html", "./static/manage.html"))
@@ -592,67 +570,14 @@ func main() {
newActorActivity.AtContext.Context = "https://www.w3.org/ns/activitystreams"
newActorActivity.Type = "New"
- var nactor Actor
+
var nobj ObjectBase
- newActorActivity.Actor = &nactor
+ newActorActivity.Actor = &actor
newActorActivity.Object = &nobj
- newActorActivity.Actor.Id = actor.Id
newActorActivity.Object.Actor = &board
-
- enc, _ := json.Marshal(newActorActivity)
-
- req, err := http.NewRequest("POST", actor.Outbox, bytes.NewBuffer(enc))
-
- CheckError(err, "error with add board follow req")
-
- _, pass := GetPasswordFromSession(r)
-
- pass = CreateTripCode(pass)
- pass = CreateTripCode(pass)
-
- req.Header.Set("Authorization", "Basic " + pass)
- req.Header.Set("Content-Type", activitystreams)
-
- resp, err := http.DefaultClient.Do(req)
-
- CheckError(err, "error with add board follow resp")
-
- defer resp.Body.Close()
-
- body, _ := ioutil.ReadAll(resp.Body)
-
- var respActor Actor
-
- err = json.Unmarshal(body, &respActor)
-
- CheckError(err, "error getting actor from body in new board")
-
- //update board list with new instances following
- if resp.StatusCode == 200 {
- var board []ObjectBase
- var item ObjectBase
- var removed bool = false
-
- item.Id = respActor.Id
- for _, e := range FollowingBoards {
- if e.Id != item.Id {
- board = append(board, e)
- } else {
- removed = true
- }
- }
-
- if !removed {
- board = append(board, item)
- }
-
- FollowingBoards = board
-
- Boards = GetBoardCollection(db)
- }
-
- http.Redirect(w, r, "/" + *Key, http.StatusSeeOther)
+ MakeActivityRequestOutbox(db, newActorActivity)
+ http.Redirect(w, r, "/" + *Key, http.StatusSeeOther)
})
http.HandleFunc("/verify", func(w http.ResponseWriter, r *http.Request){
@@ -1820,20 +1745,44 @@ func GetActorReported(w http.ResponseWriter, r *http.Request, db *sql.DB, id str
w.Write(enc)
}
-func MakeActivityRequest(db *sql.DB, activity Activity) {
+func MakeActivityRequestOutbox(db *sql.DB, activity Activity) {
+ j, _ := json.Marshal(activity)
- j, _ := json.MarshalIndent(activity, "", "\t")
+ req, err := http.NewRequest("POST", activity.Actor.Outbox, bytes.NewBuffer(j))
- var verify Verify
+ CheckError(err, "error with sending activity req to outbox")
- verify.Board = activity.Actor.Id
- verify.Identifier = "post"
+ re := regexp.MustCompile("https?://(www.)?")
+
+ var instance string
+ if activity.Actor.Id == Domain {
+ instance = re.ReplaceAllString(Domain, "")
+ } else {
+ _, instance = GetActorInstance(activity.Actor.Id)
+ }
+
+ date := time.Now().UTC().Format(time.RFC1123)
+ path := strings.Replace(activity.Actor.Outbox, instance, "", 1)
+
+
+ path = re.ReplaceAllString(path, "")
- verify = GetVerificationCode(db, verify)
+ sig := fmt.Sprintf("(request-target): %s %s\\nhost: %s\\ndate: %s", "post", path, instance, date)
+ encSig := ActivitySign(db, *activity.Actor, sig)
+
+ req.Header.Set("Content-Type", activitystreams)
+ req.Header.Set("Date", date)
+ req.Header.Set("Signature", encSig)
+ req.Host = instance
+
+ _, err = http.DefaultClient.Do(req)
+
+ CheckError(err, "error with sending activity resp to")
+}
- auth := CreateTripCode(verify.Code)
+func MakeActivityRequest(db *sql.DB, activity Activity) {
- auth = CreateTripCode(auth)
+ j, _ := json.MarshalIndent(activity, "", "\t")
for _, e := range activity.To {
if e != activity.Actor.Id {
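Review bot: `MakeActivityRequestOutbox` throws the response away with `_, err = http.DefaultClient.Do(req)`, so the body is never closed and the status code is never read. The outbox now answers 400 when `VerifyHeaderSignature` fails, which means a rejected follow or new-board request is indistinguishable from an accepted one, and both call sites in the earlier main.go hunks redirect regardless. If `CheckError` only logs, a failed `http.NewRequest` would also leave `req` nil for the `Header.Set` calls, and the error from `json.Marshal` is dropped. `http.DefaultClient` has no timeout, so a stalled peer blocks the handler; a client with an explicit `Timeout` would be safer. The body of `MakeActivityRequest` continues outside this hunk.

```go
// … unchanged: request construction, signing string and headers …
resp, err := http.DefaultClient.Do(req)
if err != nil {
	CheckError(err, "error with sending activity resp to")
	return
}
defer resp.Body.Close()

if resp.StatusCode != http.StatusOK {
	fmt.Println("outbox rejected activity:", resp.Status)
}
```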
@@ -1852,14 +1801,13 @@ func MakeActivityRequest(db *sql.DB, activity Activity) {
re := regexp.MustCompile("https?://(www.)?")
path = re.ReplaceAllString(path, "")
- sig := fmt.Sprintf("(request-target): %s %s\\nhost: %s\\ndate: %s", "post", path, Instance, date)
+ sig := fmt.Sprintf("(request-target): %s %s\\nhost: %s\\ndate: %s", "post", path, instance, date)
encSig := ActivitySign(db, *activity.Actor, sig)
req.Header.Set("Content-Type", activitystreams)
req.Header.Set("Date", date)
req.Header.Set("Signature", encSig)
- req.Header.Set("Host", Instance)
- req.Host = Instance
+ req.Host = instance
CheckError(err, "error with sending activity req to")
diff --git a/outboxPost.go b/outboxPost.go
index 83859ad..03e79ff 100644
--- a/outboxPost.go
+++ b/outboxPost.go
@@ -71,113 +71,83 @@ func ParseOutboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
w.Write([]byte("captcha could not auth"))
} else {
activity = GetActivityFromJson(r, db)
-
if IsActivityLocal(db, activity) {
+ if !VerifyHeaderSignature(r, *activity.Actor) {
+ w.WriteHeader(http.StatusBadRequest)
+ w.Write([]byte(""))
+ return
+ }
+
switch activity.Type {
case "Create":
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte(""))
break
+
case "Follow":
-
var validActor bool
var validLocalActor bool
- header := r.Header.Get("Authorization")
-
- auth := strings.Split(header, " ")
-
- if len(auth) < 2 {
- w.WriteHeader(http.StatusBadRequest)
- w.Write([]byte(""))
- return
- }
-
- validActor = (FingerActor(activity.Object.Actor.Id).Id != "")
+ validActor = (activity.Object.Actor.Id != "")
validLocalActor = (activity.Actor.Id == actor.Id)
- var verify Verify
- verify.Identifier = "admin"
- verify.Board = activity.Actor.Id
-
- verify = GetVerificationCode(db, verify)
-
- code := verify.Code
- code = CreateTripCode(code)
- code = CreateTripCode(code)
-
- if code != auth[1] {
- verify.Identifier = "admin"
- verify.Board = Domain
-
- verify = GetVerificationCode(db, verify)
- code = verify.Code
- code = CreateTripCode(code)
- code = CreateTripCode(code)
- }
-
var rActivity Activity
- if validActor && validLocalActor && code == auth[1] {
+ if validActor && validLocalActor {
rActivity = AcceptFollow(activity)
SetActorFollowingDB(db, rActivity)
MakeActivityRequest(db, activity)
}
-
+
+ FollowingBoards = GetActorFollowingDB(db, Domain)
+ Boards = GetBoardCollection(db)
break
+
case "Delete":
fmt.Println("This is a delete")
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("could not process activity"))
break
+
case "Note":
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("could not process activity"))
break
case "New":
-
- header := r.Header.Get("Authorization")
-
- auth := strings.Split(header, " ")
-
- if len(auth) < 2 {
- w.WriteHeader(http.StatusBadRequest)
- w.Write([]byte(""))
- return
- }
-
- var verify Verify
- verify.Identifier = "admin"
- verify.Board = Domain
-
- verify = GetVerificationCode(db, verify)
-
- code := verify.Code
- code = CreateTripCode(code)
- code = CreateTripCode(code)
-
- if code != auth[1] {
- w.WriteHeader(http.StatusBadRequest)
- w.Write([]byte(""))
- return
- }
-
name := activity.Object.Actor.Name
prefname := activity.Object.Actor.PreferredUsername
summary := activity.Object.Actor.Summary
restricted := activity.Object.Actor.Restricted
actor := CreateNewBoardDB(db, *CreateNewActor(name, prefname, summary, authReq, restricted))
-
+
if actor.Id != "" {
- j, _ := json.Marshal(&actor)
- w.Write([]byte(j))
+ var board []ObjectBase
+ var item ObjectBase
+ var removed bool = false
+
+ item.Id = actor.Id
+ for _, e := range FollowingBoards {
+ if e.Id != item.Id {
+ board = append(board, e)
+ } else {
+ removed = true
+ }
+ }
+
+ if !removed {
+ board = append(board, item)
+ }
+
+ FollowingBoards = board
+ Boards = GetBoardCollection(db)
return
}
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte(""))
break
+
default:
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("could not process activity"))
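Review bot: Authorization for every local outbox activity now rests on `VerifyHeaderSignature(r, *activity.Actor)` alone, yet the signing string built in main.go covers only `(request-target)`, `host` and `date`. The JSON body, which carries `activity.Type` and the object, is therefore not bound to the signature, so the headers of one signed request would validate alongside a different body for as long as the verifier accepts the date. Adding a `Digest` header (a SHA-256 of the body) to the signed headers, checking it here, and bounding the accepted `Date` skew would close that gap; whether `VerifyHeaderSignature` already limits the date is not visible. Separately, the `New` case used to require the admin code for `Domain` and now accepts any local actor named in the body, so a guard such as `if activity.Actor.Id != Domain { w.WriteHeader(http.StatusBadRequest); return }` would keep the old restriction. `ParseOutboxRequest` starts and ends outside this hunk.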
@@ -545,7 +515,6 @@ func ParseInboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
activity := GetActivityFromJson(r, db)
if !VerifyHeaderSignature(r, *activity.Actor) {
- fmt.Println(*activity.Actor)
response := RejectActivity(activity)
MakeActivityRequest(db, response)
return