npm - @evanp/activitypub-bot - Versions diffs - 0.39.4 → 0.39.6 - Mend

@evanp/activitypub-bot 0.39.4 → 0.39.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/lib/httpmessagesignature.js +33 -11
package/package.json +1 -1

package/lib/httpmessagesignature.js CHANGED Viewed

@@ -41,16 +41,10 @@ export class HTTPMessageSignature {
   async sign ({ privateKey, keyId, url, method, headers }) {
     this.#logger.debug({ privateKey, keyId, url, method, headers }, 'signing')
-    const parsed = new URL(url)
     const signatureInput = []
     signatureInput.push(['@method', method.toUpperCase()])
-    signatureInput.push(['@authority', parsed.host])
-    signatureInput.push(['@path', parsed.pathname])
-    if (parsed.search) {
-      signatureInput.push(['@query', parsed.search])
-    }
+    signatureInput.push(['@target-uri', url])
     for (const name in headers) {
       const lcname = name.toLowerCase()
@@ -92,9 +86,12 @@ export class HTTPMessageSignature {
     this.#logger.debug(
       { inputs }, 'validating signature'
     )
-    const input = this.#bestInput(inputs)
+    const input = this.#bestInput(inputs, url, method)
     if (!input) {
-      throw new Error('No input with supported algorithms')
+      throw new Error(
+        `Signatures must have one of these algorithms: [${HTTPMessageSignature.#preferredAlgs.join(',')}], @method, either @target-uri or
+        @scheme + @authority + @path + @query (if there is a query), and content-digest for POST`
+      )
     }
     this.#logger.debug(
       { input }, 'best input'
@@ -139,9 +136,12 @@ export class HTTPMessageSignature {
     return signatures
   }
-  #bestInput (inputs) {
+  #bestInput (inputs, url, method) {
     for (const alg of HTTPMessageSignature.#preferredAlgs) {
-      const entry = Object.values(inputs).find(sig => sig.alg === alg)
+      const entry = Object.values(inputs).find(
+        input => input.alg === alg &&
+        this.#sufficientInput(input, url, method)
+      )
       if (entry) {
         return entry
       }
@@ -149,6 +149,28 @@ export class HTTPMessageSignature {
     return null
   }
+  #sufficientInput (input, url, method) {
+    assert.ok(input)
+    assert.strictEqual(typeof input, 'object')
+    assert.ok(Array.isArray(input.params))
+    const params = new Set(input.params)
+    if (!params.has('@method')) {
+      return false
+    }
+    if (method?.toUpperCase() === 'POST' && !params.has('content-digest')) {
+      return false
+    }
+    if (params.has('@target-uri')) {
+      return true
+    }
+    return (
+      params.has('@scheme') &&
+      params.has('@authority') &&
+      params.has('@path') &&
+      (!url || !URL.parse(url).query || params.has('@query'))
+    )
+  }
   #inputData (input, method, url, headers) {
     const signatureParams = []
     const parsed = URL.parse(url)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@evanp/activitypub-bot",
-  "version": "0.39.4",
+  "version": "0.39.6",
   "description": "server-side ActivityPub bot framework",
   "type": "module",
   "main": "lib/index.js",