Add support for signature verification on pseudo header

Add support for pseudo-header '(request-target)' Add some logging for denied request
2018-10-10 21:10:43 +02:00 · 2018-10-10 21:10:43 +02:00 · ba4695f490
parent 0d6a2af851
commit ba4695f490
3 changed files with 15 additions and 3 deletions
--- a/plume-models/src/headers.rs
+++ b/plume-models/src/headers.rs
@ -1,5 +1,5 @@
 use rocket::request::{self, FromRequest, Request};
-use rocket::{http::HeaderMap, Outcome};
+use rocket::{http::{Header, HeaderMap}, Outcome};


 pub struct Headers<'r>(pub HeaderMap<'r>);
@ -12,6 +12,16 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers<'r> {
        for header in request.headers().clone().into_iter() {
            headers.add(header);
        }
+        let ori = request.uri();
+        let uri = if let Some(query) = ori.query() {
+            format!("{}?{}", ori.path(), query)
+        } else {
+            ori.path().to_owned()
+        };
+        headers.add(Header::new("(request-target)",
+                                format!("{} {}",
+                                        request.method().as_str().to_lowercase(),
+                                        uri.to_lowercase())));
        Outcome::Success(Headers(headers))
    }
 }
--- a/src/routes/instance.rs
+++ b/src/routes/instance.rs
@ -200,8 +200,9 @@ fn shared_inbox(conn: DbConn, data: String, headers: Headers) -> String {
        .unwrap_or_else(|| activity["actor"]["id"].as_str().expect("No actor ID for incoming activity, blocks by panicking"));

    let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
-    if !verify_http_headers(&actor, headers.0, data).is_secure() &&
+    if !verify_http_headers(&actor, headers.0.clone(), data).is_secure() &&
        !act.clone().verify(&actor) {
+        println!("Rejected invalid activity supposedly from {}, with headers {:?}", actor.username, headers.0);
        return "invalid signature".to_owned();
    }

--- a/src/routes/user.rs
+++ b/src/routes/user.rs
@ -306,8 +306,9 @@ fn inbox(name: String, conn: DbConn, data: String, headers: Headers) -> String {
        .unwrap_or_else(|| activity["actor"]["id"].as_str().expect("User: No actor ID for incoming activity, blocks by panicking"));

    let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
-    if !verify_http_headers(&actor, headers.0, data).is_secure() &&
+    if !verify_http_headers(&actor, headers.0.clone(), data).is_secure() &&
        !act.clone().verify(&actor) {
+        println!("Rejected invalid activity supposedly from {}, with headers {:?}", actor.username, headers.0);
        return "invalid signature".to_owned();
    }