diff options
| author | Alex Gleason <alex@alexgleason.me> | 2022-01-03 13:40:19 -0600 |
|---|---|---|
| committer | Alex Gleason <alex@alexgleason.me> | 2022-01-03 13:40:19 -0600 |
| commit | 4081be0001332bac402faec7565807df088b0117 (patch) | |
| tree | a5305404e9bb31b3613dbc9631d36f8827be81c2 /lib/pleroma/web/plugs/http_signature_plug.ex | |
| parent | d00f74e036735c1c238f661076f2925b39daa6ac (diff) | |
| parent | a3094b64df344622f1bcb03091ef2ff4dce6da82 (diff) | |
| download | pleroma-matrix.tar.gz | |
Merge remote-tracking branch 'origin/develop' into matrixmatrix
Diffstat (limited to 'lib/pleroma/web/plugs/http_signature_plug.ex')
| -rw-r--r-- | lib/pleroma/web/plugs/http_signature_plug.ex | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/lib/pleroma/web/plugs/http_signature_plug.ex b/lib/pleroma/web/plugs/http_signature_plug.ex new file mode 100644 index 000000000..0f7550516 --- /dev/null +++ b/lib/pleroma/web/plugs/http_signature_plug.ex @@ -0,0 +1,65 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/> +# SPDX-License-Identifier: AGPL-3.0-only + +defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do + import Plug.Conn + import Phoenix.Controller, only: [get_format: 1, text: 2] + require Logger + + def init(options) do + options + end + + def call(%{assigns: %{valid_signature: true}} = conn, _opts) do + conn + end + + def call(conn, _opts) do + if get_format(conn) == "activity+json" do + conn + |> maybe_assign_valid_signature() + |> maybe_require_signature() + else + conn + end + end + + defp maybe_assign_valid_signature(conn) do + if has_signature_header?(conn) do + # set (request-target) header to the appropriate value + # we also replace the digest header with the one we computed + request_target = String.downcase("#{conn.method}") <> " #{conn.request_path}" + + conn = + conn + |> put_req_header("(request-target)", request_target) + |> case do + %{assigns: %{digest: digest}} = conn -> put_req_header(conn, "digest", digest) + conn -> conn + end + + assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn)) + else + Logger.debug("No signature header!") + conn + end + end + + defp has_signature_header?(conn) do + conn |> get_req_header("signature") |> Enum.at(0, false) + end + + defp maybe_require_signature(%{assigns: %{valid_signature: true}} = conn), do: conn + + defp maybe_require_signature(conn) do + if Pleroma.Config.get([:activitypub, :authorized_fetch_mode], false) do + conn + |> put_status(:unauthorized) + |> text("Request not signed") + |> halt() + else + conn + end + end +end |