Compare commits

...

2 Commits

Author SHA1 Message Date
Erin 8f4b87fbfe
Merge 5641b0b3ad into f1eb17f66c 2024-11-07 10:07:57 +09:00
Erin Shepherd 5641b0b3ad fix: Refetch user keys when HTTP Signature validation fails
If a user has had a key rotation, and nobody on this server follows
that user, we will not receive the Update activity with the new key

Therefore, when we encounter key validation errors we should check
for an up-to-date key.

References (other implementations):

 * [Mastodon](fc9ab61448/app/controllers/concerns/signature_verification.rb (L96))
 * [Akkoma](https://akkoma.dev/AkkomaGang/http_signatures/src/branch/main/lib/http_signatures/http_signatures.ex#L46)
2023-10-17 15:00:26 +02:00
2 changed files with 25 additions and 1 deletions

View File

@ -169,6 +169,19 @@ export class ApDbResolverService implements OnApplicationShutdown {
};
}
/**
* Miskey User -> Refetched Key
*/
@bindThis
public async refetchPublicKeyForApId(user: MiRemoteUser): Promise<MiUserPublickey | null> {
await this.apPersonService.updatePerson(user.uri!);
const key = this.userPublickeysRepository.findOneBy({ userId: user.id });
if (key != null) {
await this.publicKeyByUserIdCache.set(user.id, key);
}
return key;
}
@bindThis
public dispose(): void {
this.publicKeyCache.dispose();

View File

@ -116,7 +116,18 @@ export class InboxProcessorService implements OnApplicationShutdown {
}
// HTTP-Signatureの検証
const httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
// If signature validation failed, try refetching the actor
if (!httpSignatureValidated) {
authUser.key = await this.apDbResolverService.refetchPublicKeyForApId(authUser.user);
if (authUser.key == null) {
throw new Bull.UnrecoverableError('skip: failed to re-resolve user publicKey');
}
httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
}
// また、signatureのsignerは、activity.actorと一致する必要がある
if (!httpSignatureValidated || authUser.user.uri !== activity.actor) {