fix(federation): 🚑 Don't always try to use instance key when an instance is not the request signer
parent
34370a082a
commit
005a3a2721
|
|
@ -123,7 +123,10 @@ describe("InboxProcessor", () => {
|
||||||
processor = new InboxProcessor(
|
processor = new InboxProcessor(
|
||||||
mockRequest,
|
mockRequest,
|
||||||
mockBody,
|
mockBody,
|
||||||
mockSenderInstance,
|
{
|
||||||
|
instance: mockSenderInstance,
|
||||||
|
key: "test-key",
|
||||||
|
},
|
||||||
mockHeaders,
|
mockHeaders,
|
||||||
undefined,
|
undefined,
|
||||||
{
|
{
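Review bot: The fixture now passes `key: "test-key"`, but nothing in this hunk exercises the behaviour the fix is about, namely that verification uses the supplied `sender.key` rather than the key stored on `mockSenderInstance`. If no test elsewhere in the file covers it, a case where the two keys differ and the validator is asserted to receive `sender.key` would pin the fix against regression. The `describe` block continues outside the hunk, so such a case may already exist further down.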
|
||||||
|
|
|
||||||
|
|
@ -70,7 +70,7 @@ export class InboxProcessor {
|
||||||
*
|
*
|
||||||
* @param request Request object.
|
* @param request Request object.
|
||||||
* @param body Entity JSON body.
|
* @param body Entity JSON body.
|
||||||
* @param senderInstance Sender of the request's instance (from X-Signed-By header). Null if request is from a bridge.
|
* @param sender Sender of the request's instance and key (from X-Signed-By header). Null if request is from a bridge.
|
||||||
* @param headers Various request headers.
|
* @param headers Various request headers.
|
||||||
* @param logger LogTape logger instance.
|
* @param logger LogTape logger instance.
|
||||||
* @param requestIp Request IP address. Grabs it from the Hono context if not provided.
|
* @param requestIp Request IP address. Grabs it from the Hono context if not provided.
|
||||||
|
|
@ -82,7 +82,10 @@ export class InboxProcessor {
|
||||||
body: string;
|
body: string;
|
||||||
},
|
},
|
||||||
private body: Entity,
|
private body: Entity,
|
||||||
private senderInstance: Instance | null,
|
private sender: {
|
||||||
|
instance: Instance;
|
||||||
|
key: string;
|
||||||
|
} | null,
|
||||||
private headers: {
|
private headers: {
|
||||||
signature?: string;
|
signature?: string;
|
||||||
nonce?: string;
|
nonce?: string;
|
||||||
|
|
@ -98,20 +101,18 @@ export class InboxProcessor {
|
||||||
* @returns {Promise<boolean>} - Whether the signature is valid.
|
* @returns {Promise<boolean>} - Whether the signature is valid.
|
||||||
*/
|
*/
|
||||||
private async isSignatureValid(): Promise<boolean> {
|
private async isSignatureValid(): Promise<boolean> {
|
||||||
if (!this.senderInstance?.data.publicKey?.key) {
|
if (!this.sender) {
|
||||||
throw new Error(
|
throw new Error("Sender is not defined");
|
||||||
`Instance ${this.senderInstance?.data.baseUrl} has no public key stored in database`,
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (config.debug.federation) {
|
if (config.debug.federation) {
|
||||||
this.logger.debug`Sender public key: ${chalk.gray(
|
this.logger.debug`Sender public key: ${chalk.gray(
|
||||||
this.senderInstance.data.publicKey.key,
|
this.sender.key,
|
||||||
)}`;
|
)}`;
|
||||||
}
|
}
|
||||||
|
|
||||||
const validator = await SignatureValidator.fromStringKey(
|
const validator = await SignatureValidator.fromStringKey(
|
||||||
this.senderInstance.data.publicKey.key,
|
this.sender.key,
|
||||||
);
|
);
|
||||||
|
|
||||||
if (!(this.headers.signature && this.headers.nonce)) {
|
if (!(this.headers.signature && this.headers.nonce)) {
|
||||||
|
|
@ -201,13 +202,10 @@ export class InboxProcessor {
|
||||||
* @returns {Promise<Response>} - HTTP response to send back.
|
* @returns {Promise<Response>} - HTTP response to send back.
|
||||||
*/
|
*/
|
||||||
public async process(): Promise<Response> {
|
public async process(): Promise<Response> {
|
||||||
!this.senderInstance &&
|
!this.sender &&
|
||||||
this.logger.debug`Processing request from potential bridge`;
|
this.logger.debug`Processing request from potential bridge`;
|
||||||
|
|
||||||
if (
|
if (this.sender && isDefederated(this.sender.instance.data.baseUrl)) {
|
||||||
this.senderInstance &&
|
|
||||||
isDefederated(this.senderInstance.data.baseUrl)
|
|
||||||
) {
|
|
||||||
// Return 201 to avoid
|
// Return 201 to avoid
|
||||||
// 1. Leaking defederated instance information
|
// 1. Leaking defederated instance information
|
||||||
// 2. Preventing the sender from thinking the message was not delivered and retrying
|
// 2. Preventing the sender from thinking the message was not delivered and retrying
|
||||||
|
|
@ -217,7 +215,7 @@ export class InboxProcessor {
|
||||||
}
|
}
|
||||||
|
|
||||||
this.logger.debug`Instance ${chalk.gray(
|
this.logger.debug`Instance ${chalk.gray(
|
||||||
this.senderInstance?.data.baseUrl,
|
this.sender?.instance.data.baseUrl,
|
||||||
)} is not defederated`;
|
)} is not defederated`;
|
||||||
|
|
||||||
const shouldCheckSignature = this.shouldCheckSignature();
|
const shouldCheckSignature = this.shouldCheckSignature();
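Review bot: The JSDoc for `sender` does not say whose key `key` is, or who is responsible for tying it to `instance`. After this change `isSignatureValid()` verifies against `this.sender.key` while `process()` applies the defederation check to `this.sender.instance`, and nothing visible in these hunks checks that the two belong together, so that binding is now the caller's job. I would state it on the parameter, e.g. `@param sender Signer's instance and the public key to verify against (the signing user's key, or the instance key); the caller must ensure the key belongs to an actor on that instance. Null if request is from a bridge.` The constructor and both methods continue outside the hunks shown.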
|
||||||
|
|
|
||||||
13
worker.ts
13
worker.ts
|
|
@ -177,10 +177,21 @@ export const inboxWorker = new Worker<InboxJobData, Response, InboxJobType>(
|
||||||
remoteInstance.data.baseUrl,
|
remoteInstance.data.baseUrl,
|
||||||
)}`;
|
)}`;
|
||||||
|
|
||||||
|
if (!remoteInstance.data.publicKey?.key) {
|
||||||
|
throw new Error(
|
||||||
|
`Instance ${remoteInstance.data.baseUrl} has no public key stored in database`,
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
const processor = new InboxProcessor(
|
const processor = new InboxProcessor(
|
||||||
request,
|
request,
|
||||||
data,
|
data,
|
||||||
remoteInstance,
|
{
|
||||||
|
instance: remoteInstance,
|
||||||
|
key:
|
||||||
|
sender?.data.publicKey ??
|
||||||
|
remoteInstance.data.publicKey.key,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
signature,
|
signature,
|
||||||
nonce,
|
nonce,
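Review bot: The added guard `if (!remoteInstance.data.publicKey?.key)` runs before the key is chosen, so a job whose `sender` has its own stored key is still rejected whenever the instance record has no key, which is the dependency the commit title sets out to remove. Resolving the key first and guarding on the result keeps the error for the real failure: `const key = sender?.data.publicKey ?? remoteInstance.data.publicKey?.key;` followed by `if (!key) { throw new Error(/* existing message */); }`. Note that `??` only falls back on null/undefined, so an empty-string `sender.data.publicKey` would be handed to the validator; the `!key` guard covers that as well. `sender` and `remoteInstance` are resolved outside this hunk, and it is worth confirming there that `sender` is an actor of `remoteInstance`, since the defederation check and the verification key now come from different records.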
|
||||||
|
|
|
||||||