From 520f9b87e66432115695f1695c119dd02dd7f020 Mon Sep 17 00:00:00 2001
From: umonaca
Date: Mon, 26 Oct 2020 00:26:30 -0400
Subject: [PATCH] Add digest to http signature for Mastodon 3.2.1 compliance Remove logs
---
 routes/inbox.js | 13 +++++++++----
 updateFeeds.js | 13 ++++++++-----
 2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/routes/inbox.js b/routes/inbox.js
index d90f2a5..f6221f6 100644
--- a/routes/inbox.js
+++ b/routes/inbox.js
@@ -16,23 +16,28 @@ function signAndSend(message, name, domain, req, res, targetDomain) {
 return res.status(404).send(`No record found for ${name}.`);
 }
 else {
+ // digest
+ const digest = crypto.createHash('sha256').update(JSON.stringify(message)).digest('base64');
+
 let privkey = result.privkey;
 const signer = crypto.createSign('sha256');
 let d = new Date();
- let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}`;
+ let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}\ndigest: SHA-256=${digest}`;
 signer.update(stringToSign);
 signer.end();
 const signature = signer.sign(privkey);
 const signature_b64 = signature.toString('base64');
- let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date",signature="${signature_b64}"`;
+ let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date digest",signature="${signature_b64}"`;
 console.log('signature:',header);
 console.log('message:',message);
+
 request({
 url: inbox,
 headers: {
 'Host': targetDomain,
 'Date': d.toUTCString(),
- 'Signature': header
+ 'Signature': header,
+ 'Digest': `SHA-256=${digest}`
 },
 method: 'POST',
 json: true,
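Review bot: The digest added in signAndSend is computed from its own `JSON.stringify(message)` call, while the body that goes on the wire is produced separately by the `request` library because the call uses `json: true` (the `body` option lies outside the hunk, so this is inferred). A receiver checks `Digest` against the raw bytes it received, so signed deliveries only verify as long as both serializations stay byte-identical. Serialize once and reuse it: `const body = JSON.stringify(message);`, hash `body`, and send that same string with an explicit `Content-Type` header instead of `json: true`. The same applies to the signAndSend hunk in updateFeeds.js. The two `console.log` calls for the signature header and message also remain in routes/inbox.js although the commit message says logs were removed; the function body continues outside the hunk.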
@@ -47,7 +52,7 @@ function sendAcceptMessage(thebody, name, domain, req, res, targetDomain) {
 const guid = crypto.randomBytes(16).toString('hex');
 console.log(thebody);
 let message = {
- '@context': 'https://www.w3.org/ns/activitystreams',
+ '@context': ['https://www.w3.org/ns/activitystreams', 'https://w3id.org/security/v1'],
 'id': `https://${domain}/${guid}`,
 'type': 'Accept',
 'actor': `https://${domain}/u/${name}`,
diff --git a/updateFeeds.js b/updateFeeds.js
index ad8ade3..a8e5a6d 100644
--- a/updateFeeds.js
+++ b/updateFeeds.js
@@ -171,22 +171,26 @@ function signAndSend(message, name, domain, req, res, targetDomain, inbox) {
 console.log(`No record found for ${name}.`);
 }
 else {
+ // digest
+ const digest = crypto.createHash('sha256').update(JSON.stringify(message)).digest('base64');
+
 let privkey = result.privkey;
 const signer = crypto.createSign('sha256');
 let d = new Date();
- let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}`;
+ let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}\ndigest: SHA-256=${digest}`;
 signer.update(stringToSign);
 signer.end();
 const signature = signer.sign(privkey);
 const signature_b64 = signature.toString('base64');
- let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date",signature="${signature_b64}"`;
+ let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date digest",signature="${signature_b64}"`;
 //console.log('signature:',header);
 request({
 url: inbox,
 headers: {
 'Host': targetDomain,
 'Date': d.toUTCString(),
- 'Signature': header
+ 'Signature': header,
+ 'Digest': `SHA-256=${digest}`
 },
 method: 'POST',
 json: true,
@@ -201,8 +205,7 @@ function createMessage(text, name, domain, item, follower, guidNote) { let d = new Date(); let out = { - '@context': 'https://www.w3.org/ns/activitystreams', - + '@context': ['https://www.w3.org/ns/activitystreams', 'https://w3id.org/security/v1'], 'id': `https://${domain}/m/${guidCreate}`, 'type': 'Create', 'actor': `https://${domain}/u/${name}`,