@evanp/activitypub-bot 0.39.5 → 0.39.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/httpmessagesignature.js +32 -4
- package/package.json +1 -1
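--- a/package/lib/httpmessagesignature.js
+++ b/package/lib/httpmessagesignature.js
@@ -86,9 +86,12 @@ export class HTTPMessageSignature {
     this.#logger.debug(
       { inputs }, 'validating signature'
     )
-    const input = this.#bestInput(inputs)
+    const input = this.#bestInput(inputs, url, method)
     if (!input) {
-      throw new Error(
+      throw new Error(
+        `Signatures must have one of these algorithms: [${HTTPMessageSignature.#preferredAlgs.join(',')}], @method, either @target-uri or
+        @scheme + @authority + @path + @query (if there is a query), and content-digest for POST`
+      )
     }
     this.#logger.debug(
       { input }, 'best input'
@@ -133,9 +136,12 @@ export class HTTPMessageSignature {
     return signatures
   }
 
-  #bestInput (inputs) {
+  #bestInput (inputs, url, method) {
     for (const alg of HTTPMessageSignature.#preferredAlgs) {
-      const entry = Object.values(inputs).find(
+      const entry = Object.values(inputs).find(
+        input => input.alg === alg &&
+          this.#sufficientInput(input, url, method)
+      )
       if (entry) {
         return entry
       }
@@ -143,6 +149,28 @@ export class HTTPMessageSignature {
     return null
   }
 
+  #sufficientInput (input, url, method) {
+    assert.ok(input)
+    assert.strictEqual(typeof input, 'object')
+    assert.ok(Array.isArray(input.params))
+    const params = new Set(input.params)
+    if (!params.has('@method')) {
+      return false
+    }
+    if (method?.toUpperCase() === 'POST' && !params.has('content-digest')) {
+      return false
+    }
+    if (params.has('@target-uri')) {
+      return true
+    }
+    return (
+      params.has('@scheme') &&
+      params.has('@authority') &&
+      params.has('@path') &&
+      (!url || !URL.parse(url).query || params.has('@query'))
+    )
+  }
+
   #inputData (input, method, url, headers) {
     const signatureParams = []
     const parsed = URL.parse(url)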
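Review bot: Requiring `content-digest` among the covered components in `#sufficientInput` (third hunk) only binds the POST body if the Content-Digest header value is also verified against the received body, and nothing in these hunks shows that verification; if it lives elsewhere, a comment on that branch such as `// assumes Content-Digest is validated against the body elsewhere in the request pipeline` would make the dependency explicit, and if it does not, a covered-but-unverified digest gives no body integrity. The `@query` requirement depends on `URL.parse(url).query`: if `URL` here is the WHATWG global rather than the legacy `node:url` module (the import is outside these hunks), `parse()` returns `null` for an unparseable URL and exposes `.search` rather than `.query`, so the condition would either throw a TypeError or never require `@query`; worth confirming which `URL` is in scope, since `#inputData` relies on the same call. Only POST is required to cover `content-digest`; if PUT or PATCH requests with bodies are ever accepted, `['POST', 'PUT', 'PATCH'].includes(method?.toUpperCase())` may be the intended scope.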