From 918f8bba132eb27feb0a9175ff20d8ce83419ce6 Mon Sep 17 00:00:00 2001 From: Gaspard Wierzbinski Date: Sat, 5 Oct 2024 12:10:19 +0200 Subject: [PATCH 1/2] fix: bug: Remove old replay attack text --- app/signatures/page.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/signatures/page.mdx b/app/signatures/page.mdx index 0efbbdb..dacf888 100644 --- a/app/signatures/page.mdx +++ b/app/signatures/page.mdx @@ -19,7 +19,7 @@ Versia uses cryptographic signatures to ensure the integrity and authenticity of A signature consists of a series of headers in an HTTP request. The following headers are used: - **`X-Signature`**: The signature itself, encoded in base64. - **`X-Signed-By`**: URI of the user who signed the request, [or the string `instance $1`, to represent the instance, where `$1` is the instance's host](/entities/instance-metadata#the-null-author). -- **`X-Nonce`**: A random string generated by the client. This is used to prevent replay attacks. +- **`X-Nonce`**: A random string generated by the client. Signatures are **required on ALL federation traffic**. If a request does not have a signature, it **MUST** be rejected. Specifically, signatures must be put on: - **All POST requests**. @@ -155,4 +155,4 @@ const isVerified = await crypto.subtle.verify( if (!isVerified) { return new Response("Signature verification failed", { status: 401 }); } -``` \ No newline at end of file +``` From a04f2017841aeb49dcd1f680eac42107f786a918 Mon Sep 17 00:00:00 2001 From: Jesse Wierzbinski Date: Sat, 2 Nov 2024 16:06:53 +0100 Subject: [PATCH 2/2] fix: :bug: Some entities can have a null author, but not all --- app/entities/instance-metadata/page.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/app/entities/instance-metadata/page.mdx b/app/entities/instance-metadata/page.mdx index 51dd14e..07b3a5e 100644 --- a/app/entities/instance-metadata/page.mdx +++ b/app/entities/instance-metadata/page.mdx 
@@ -9,7 +9,9 @@ Contains metadata about a Versia instance, such as capabilities and endpoints. { ## The `null` Author -On all entities that have an `author` field, the `author` can be `null` to represent the instance itself as the author (like ActivityPub's Server Actors). In this case, the instance's public key should be used to verify the entity. To know which instance's public key to use, the entity signature should be used. +On some entities that have an `author` field, the `author` can be `null` to represent the instance itself as the author (like ActivityPub's Server Actors). In this case, the instance's public key should be used to verify the entity. To know which instance's public key to use, the entity signature should be used. + +Check the entity's documentation page to see if it supports this (it will be noted in the `author` field). ## Entity Definition
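Review bot: In PATCH 1/2, the `app/signatures/page.mdx` hunk at `@@ -19,7 +19,7 @@` leaves the `X-Nonce` bullet with no stated purpose: it now reads only "A random string generated by the client." An implementer cannot tell from this line why the header exists or whether a receiver is expected to check, store or compare nonces. Suggest replacing the removed sentence with one that says what the nonce is for and what a receiver must do with it. If it gives no replay protection, say so explicitly, so nobody relies on a guarantee the text no longer makes.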
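Review bot: In PATCH 2/2, the `app/entities/instance-metadata/page.mdx` hunk at `@@ -9,7 +9,9 @@` narrows "all entities" to "some entities" but does not say what a receiver should do when `author` is `null` on an entity that does not support it. Since a `null` author switches verification to the instance's public key, the fallback should be spelled out. Suggest a sentence after "Check the entity's documentation page..." stating that such an entity is to be rejected, using the same normative wording (**MUST**) as the signatures page. The added parenthetical "(it will be noted in the `author` field)" also reads as if the note lives in the field value; "in the description of the `author` field" would be clearer.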