From 6dc1c48518a4f458412347ca5c73eb7846229a0d Mon Sep 17 00:00:00 2001
From: FChannel <=>
Date: Thu, 28 Jan 2021 15:07:33 -0800
Subject: need to verify remote post auth to save to cache

---
 Database.go | 15 +++++++++++--
 OutboxPost.go | 32 +++++++++++++++++++++-----
 main.go | 70 ++++++++++++++++++++++++++++++---------------------------
 verification.go | 23 +++++++++++++++++++
 4 files changed, 100 insertions(+), 40 deletions(-)

diff --git a/Database.go b/Database.go
index ac9ee27..80f62fe 100644
--- a/Database.go
+++ b/Database.go
@@ -78,6 +78,12 @@ func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{
 CreateVerification(db, verify)
+ verify.Identifier = actor.Id
+ verify.Code = CreateKey(50)
+ verify.Type = "post"
+
+ CreateVerification(db, verify)
+
 var nverify Verify
 nverify.Board = actor.Id
 nverify.Identifier = "admin"
@@ -87,7 +93,12 @@ func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{
 nverify.Board = actor.Id
 nverify.Identifier = "janitor"
 nverify.Type = "janitor"
- CreateBoardMod(db, nverify)
+ CreateBoardMod(db, nverify)
+
+ nverify.Board = actor.Id
+ nverify.Identifier = "post"
+ nverify.Type = "post"
+ CreateBoardMod(db, nverify)
 if actor.Name != "main" {
 var nActor Actor
@@ -106,7 +117,7 @@ func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{
 response := AcceptFollow(nActivity)
 SetActorFollowingDB(db, response)
- MakeActivityRequest(nActivity)
+ MakeActivityRequest(db, nActivity)
 }
 }
diff --git a/OutboxPost.go b/OutboxPost.go
index 9b10ab7..aae2d45 100644
--- a/OutboxPost.go
+++ b/OutboxPost.go
@@ -50,7 +50,7 @@ func ParseOutboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
 nObj = writeObjectToDB(db, nObj)
 activity := CreateActivity("Create", nObj)
 activity = AddFollowersToActivity(db, activity)
- MakeActivityRequest(activity)
+ MakeActivityRequest(db, activity)
 var id string
 op := len(nObj.InReplyTo) - 1
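Review bot: The value written by `verify.Code = CreateKey(50)` becomes the per-board secret that MakeActivityRequest (main.go, same commit) turns into the federation Authorization token, so it must be unpredictable; CreateKey is not in this diff, and if it is built on the `math/rand` that main.go imports it should move to `crypto/rand`. Reusing `verify` from the CreateVerification call above means the Board and any other fields set outside the hunk carry over into this second row, which looks intended but deserves a line such as `// second "post" row: per-board secret used to authenticate outbound activities`. CreateNewBoardDB starts and ends outside this hunk.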
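Review bot: The new `post` row is stored through CreateBoardMod with `nverify.Code` never assigned in this hunk, while the `post` verification created a few lines earlier gets `CreateKey(50)`; GetVerificationCode (verification.go, same commit) reads `code` from `boardaccess` by identifier and board, so if CreateBoardMod persists `nverify.Code` as-is the federation token is derived from whatever Code the admin/janitor rows carried rather than from the fresh key. Either set `nverify.Code = verify.Code` before this CreateBoardMod or make GetVerificationCode read the table CreateVerification writes to; CreateBoardMod's body is not visible here, so confirm which table is meant to hold the secret. The first changed line of the hunk is whitespace-only.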
@@ -107,7 +107,7 @@ func ParseOutboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
 if validActor && validLocalActor && verification.Board == activity.Actor.Id || verification.Board == Domain {
 rActivity = AcceptFollow(activity)
 SetActorFollowingDB(db, rActivity)
- MakeActivityRequest(activity)
+ MakeActivityRequest(db, activity)
 }
 w.Write([]byte(""))
@@ -503,11 +503,15 @@ func CheckCaptcha(db *sql.DB, captcha string) bool {
 func ParseInboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
 activity := GetActivityFromJson(r, db)
+
+ header := r.Header.Get("Authorization")
+
+ auth := strings.Split(header, " ")
 switch(activity.Type) {
 case "Create":
 for _, e := range activity.To {
 if IsActorLocal(db, e) {
- if !IsActorLocal(db, activity.Actor.Id) {
+ if !IsActorLocal(db, activity.Actor.Id) && len(auth) > 1 && RemoteActorHasAuth(activity.Actor.Id, auth[1]){
 WriteObjectToCache(db, *activity.Object)
 }
 }
@@ -532,11 +536,11 @@ func ParseInboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
 if GetActorFromDB(db, e).Id != "" {
 response := AcceptFollow(activity)
 response = SetActorFollowerDB(db, response)
- MakeActivityRequest(response)
+ MakeActivityRequest(db, response)
 } else {
 fmt.Println("follow request for rejected")
 response := RejectFollow(activity)
- MakeActivityRequest(response)
+ MakeActivityRequest(db, response)
 }
 }
 break
@@ -571,3 +575,21 @@ func MakeActivityFollowingReq(w http.ResponseWriter, r *http.Request, activity A
 return false
 }
+
+func RemoteActorHasAuth(actor string, code string) bool {
+ req, err := http.NewRequest("GET", actor + "/verification&code=" + code, nil)
+
+ CheckError(err, "could not make remote actor auth req")
+
+ resp, err := http.DefaultClient.Do(req)
+
+ CheckError(err, "could not make remote actor auth resp")
+
+ defer resp.Body.Close()
+
+ if resp.StatusCode == 200 {
+ return true
+ }
+
+ return false
+}
diff --git a/main.go b/main.go
index 551fce9..f6ed5f0 100644
--- a/main.go
+++ b/main.go
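Review bot: `auth[1]` is handed to RemoteActorHasAuth without checking that `auth[0]` is the `Basic` scheme MakeActivityRequest sends, and the URL asked to validate it, `activity.Actor.Id`, comes from the request body, so the sender chooses both the token and the verifier; a peer answering 200 for its own actor URL always passes, which makes this a proof that the sender controls that URL, not a list of actors allowed to fill the cache. Reject other schemes up front, e.g. `auth := strings.SplitN(header, " ", 2); if len(auth) != 2 || auth[0] != "Basic" { auth = nil }`, which keeps the `len(auth) > 1` guard meaningful. Only the Create branch is guarded in this hunk; if other activity types are written to the cache further down in ParseInboxRequest (the function continues past the hunk) they need the same check.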
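Review bot: RemoteActorHasAuth builds the lookup URL as `actor + "/verification&code=" + code`, so the code lands in the path instead of the query (`&` where `?` is needed) and the handler's `r.FormValue("code")` in main.go sees no query string; more seriously, `actor` is taken from the inbound activity body, so this is an outbound GET to an arbitrary sender-chosen URL (private addresses included) through `http.DefaultClient`, which has no timeout, and when `Do` fails `resp` is nil and `resp.Body.Close()` panics because CheckError only logs. The rewrite below validates scheme and host, encodes the code with `url.Values`, uses a client with a timeout and returns false on any error; it needs `net/url` and `time` imported in OutboxPost.go, and a deny list for private address ranges is still advisable if this instance accepts inbox traffic from untrusted peers.
```go
func RemoteActorHasAuth(actor string, code string) bool {
	// actor is taken from the sender's activity body: only dereference
	// absolute http(s) URLs, and carry the code as a proper query value.
	u, err := url.Parse(actor)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return false
	}
	u.Path = strings.TrimSuffix(u.Path, "/") + "/verification"
	u.RawQuery = url.Values{"code": {code}}.Encode()

	client := &http.Client{Timeout: 10 * time.Second}
	resp, err := client.Get(u.String())
	if err != nil {
		CheckError(err, "could not make remote actor auth resp")
		return false
	}
	defer resp.Body.Close()

	return resp.StatusCode == http.StatusOK
}
```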
@@ -4,7 +4,6 @@ import "fmt"
 import "strings"
 import "strconv"
 import "net/http"
-import "net/url"
 import "database/sql"
 import _ "github.com/lib/pq"
 import "math/rand"
@@ -225,35 +224,28 @@ func main() {
 }
 if actorVerification {
- if method == "POST" {
- p, _ := url.ParseQuery(r.URL.RawQuery)
- if len(p["email"]) > 0 {
- email := p["email"][0]
- verify := GetVerificationByEmail(db, email)
- if verify.Identifier != "" || !IsEmailSetup() {
- w.WriteHeader(http.StatusForbidden)
- w.Write([]byte("400 no path"))
- } else {
- var nVerify Verify
- nVerify.Type = "email"
- nVerify.Identifier = email
- nVerify.Code = CreateKey(32)
- nVerify.Board = actor.Id
- CreateVerification(db, nVerify)
- SendVerification(nVerify)
- w.WriteHeader(http.StatusCreated)
- w.Write([]byte("Verification added"))
- }
+ r.ParseForm()
- } else {
- w.WriteHeader(http.StatusForbidden)
- w.Write([]byte("400 no path"))
- }
+ code := r.FormValue("code")
+
+ var verify Verify
+
+ verify.Board = actor.Id
+ verify.Identifier = "post"
+
+ verify = GetVerificationCode(db, verify)
+
+ auth := CreateTripCode(verify.Code)
+ auth = CreateTripCode(auth)
+
+
+ if CreateTripCode(auth) == code {
+ w.WriteHeader(http.StatusOK)
 } else {
- w.WriteHeader(http.StatusForbidden)
- w.Write([]byte("400 no path"))
+ w.WriteHeader(http.StatusUnauthorized)
 }
- return
+
+ w.Write([]byte(""))
 }
 //catch all
@@ -344,7 +336,7 @@ func main() {
 CheckError(err, "error with post form req")
 req.Header.Set("Content-Type", we.FormDataContentType())
- req.Header.Set("Authorization", "basic: " + *Key)
+ req.Header.Set("Authorization", "Basic " + *Key)
 resp, err := http.DefaultClient.Do(req)
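Review bot: The check `if CreateTripCode(auth) == code` applies CreateTripCode three times to the stored code, but MakeActivityRequest in this same commit sends the result of only two rounds, so unless CreateTripCode is idempotent every genuine peer receives 401; compare `auth == code` here (or send a third round on the client side) and do it in constant time, `subtle.ConstantTimeCompare([]byte(auth), []byte(code)) == 1`, with `crypto/subtle` imported. The `return` that closed this branch was dropped, so after the status is written control falls through to the `//catch all` below the hunk, which presumably writes a second response and triggers Go's superfluous WriteHeader warning; keep `return` after `w.Write([]byte(""))`. The error from `r.ParseForm()` is discarded, though FormValue parses on demand anyway; the enclosing handler in main starts and ends outside this hunk.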
@@ -1595,9 +1587,20 @@ func GetActorReported(w http.ResponseWriter, r *http.Request, db *sql.DB, id str
 w.Write(enc)
 }
-func MakeActivityRequest(activity Activity) {
+func MakeActivityRequest(db *sql.DB, activity Activity) {
 j, _ := json.MarshalIndent(activity, "", "\t")
+
+ var verify Verify
+
+ verify.Board = activity.Actor.Id
+ verify.Identifier = "post"
+
+ verify = GetVerificationCode(db, verify)
+
+ auth := CreateTripCode(verify.Code)
+
+ auth = CreateTripCode(auth)
 for _, e := range activity.To {
@@ -1605,8 +1608,9 @@ func MakeActivityRequest(activity Activity) {
 if actor.Inbox != "" {
 req, err := http.NewRequest("POST", actor.Inbox, bytes.NewBuffer(j))
-
- req.Header.Set("Content-Type", activitystreams)
+
+ req.Header.Set("Content-Type", activitystreams)
+ req.Header.Set("Authorization", "Basic " + auth)
 CheckError(err, "error with sending activity req to")
@@ -1748,7 +1752,7 @@ func DeleteObjectRequest(db *sql.DB, id string) {
 activity.To = append(activity.To, e.Id)
 }
- MakeActivityRequest(activity)
+ MakeActivityRequest(db, activity)
 }
 func DeleteObjectAndRepliesRequest(db *sql.DB, id string) {
@@ -1764,7 +1768,7 @@ func DeleteObjectAndRepliesRequest(db *sql.DB, id string) {
 activity.To = append(activity.To, e.Id)
 }
- MakeActivityRequest(activity)
+ MakeActivityRequest(db, activity)
 }
 func ResizeAttachmentToPreview(db *sql.DB) {
diff --git a/verification.go b/verification.go
index b1ebe13..e0d94b8 100644
--- a/verification.go
+++ b/verification.go
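Review bot: `auth` is derived only from the board's stored `post` code, so the identical value is sent as `Authorization: Basic` to every inbox in `activity.To` and never changes; any peer that receives one activity learns the credential and can replay it to every other instance, which is exactly the impersonation this commit sets out to block. A per-request proof is needed: at minimum the remote `/verification` check should bind the token to the activity (a hash over the activity id plus a nonce), or better, HTTP Signatures over the request as other ActivityPub servers use. As written in this commit GetVerificationCode returns its argument rather than the scanned row, so `verify.Code` is empty here and every board ends up with the same constant token; until that is reworked add `// NOTE: token is a static per-board secret, not a per-request signature`. MakeActivityRequest continues past this hunk.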
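Review bot: `req.Header.Set("Authorization", "Basic " + auth)` runs before `CheckError(err, …)`, so an `actor.Inbox` that makes NewRequest fail leaves `req` nil and the header call panics (the pre-existing Content-Type line shares the problem); move the error check directly after NewRequest and `continue` on failure. The credential is also sent over whatever scheme `actor.Inbox` carries, so an `http://` inbox leaks it in cleartext; either refuse non-https inboxes or at least record the assumption: `// auth is a bearer-style secret: only send over https`. The loop body starts and ends outside the hunk.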
@@ -170,6 +170,29 @@ func GetVerificationByCode(db *sql.DB, code string) Verify {
 return verify
 }
+func GetVerificationCode(db *sql.DB, verify Verify) Verify {
+ var nVerify Verify
+
+ query := `select type, identifier, code, board from boardaccess where identifier=$1 and board=$2`
+
+ rows, err := db.Query(query, verify.Identifier, verify.Board)
+
+ defer rows.Close()
+
+ if err != nil {
+ CheckError(err, "error getting verify by code query")
+ return verify
+ }
+
+ for rows.Next() {
+ err := rows.Scan(&nVerify.Type, &nVerify.Identifier, &nVerify.Code, &nVerify.Board)
+
+ CheckError(err, "error getting verify by code scan")
+ }
+
+ return verify
+}
+
 func VerifyCooldownCurrent(db *sql.DB, auth string) VerifyCooldown {
 var current VerifyCooldown
-- cgit v1.2.3
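Review bot: GetVerificationCode scans each row into `nVerify` but finishes with `return verify`, so callers get their own argument back with an empty Code and the token MakeActivityRequest derives from it is a constant; the last line should be `return nVerify`. `defer rows.Close()` is also placed before the `err != nil` check, and on a query error `rows` is nil, so the deferred Close panics — reorder to `if err != nil { CheckError(err, …); return verify }` followed by `defer rows.Close()`. The query filters only on identifier and board, so if `boardaccess` can hold several rows per pair the loop silently keeps the last one; adding `and type=$3` or a doc comment stating the uniqueness assumption would make the contract explicit.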