merge: additional authorised fetch logging (#328)
This commit is contained in:
commit
94fee180b9
1 changed files with 12 additions and 10 deletions
|
@ -162,23 +162,25 @@ export class ActivityPubServerService {
|
|||
return true;
|
||||
}
|
||||
|
||||
const keyId = new URL(signature.keyId);
|
||||
const keyHost = this.utilityService.toPuny(keyId.hostname);
|
||||
|
||||
const logPrefix = `${request.id} ${request.url} (by ${request.headers['user-agent']}) apparently from ${keyHost}:`;
|
||||
|
||||
if (signature.params.headers.indexOf('host') === -1
|
||||
|| request.headers.host !== this.config.host) {
|
||||
// no destination host, or not us: refuse
|
||||
this.authlogger.warn(`${request.id} ${request.url} no destination host, or not us: refuse`);
|
||||
this.authlogger.warn(`${logPrefix} no destination host, or not us: refuse`);
|
||||
reply.code(401);
|
||||
return true;
|
||||
}
|
||||
|
||||
const keyId = new URL(signature.keyId);
|
||||
const keyHost = this.utilityService.toPuny(keyId.hostname);
|
||||
|
||||
const meta = await this.metaService.fetch();
|
||||
if (this.utilityService.isBlockedHost(meta.blockedHosts, keyHost)) {
|
||||
/* blocked instance: refuse (we don't care if the signature is
|
||||
good, if they even pretend to be from a blocked instance,
|
||||
they're out) */
|
||||
this.authlogger.warn(`${request.id} ${request.url} instance ${keyHost} is blocked: refuse`);
|
||||
this.authlogger.warn(`${logPrefix} instance is blocked: refuse`);
|
||||
reply.code(401);
|
||||
return true;
|
||||
}
|
||||
|
@ -193,13 +195,13 @@ export class ActivityPubServerService {
|
|||
/* keyId is often in the shape `${user.uri}#${keyname}`, try
|
||||
fetching information about the remote user */
|
||||
const candidate = formatURL(keyId, { fragment: false });
|
||||
this.authlogger.info(`${request.id} ${request.url} we don't know the user for keyId ${keyId}, trying to fetch via ${candidate}`);
|
||||
this.authlogger.info(`${logPrefix} we don't know the user for keyId ${keyId}, trying to fetch via ${candidate}`);
|
||||
authUser = await this.apDbResolverService.getAuthUserFromApId(candidate);
|
||||
}
|
||||
|
||||
if (authUser?.key == null) {
|
||||
// we can't figure out who the signer is, or we can't get their key: refuse
|
||||
this.authlogger.warn(`${request.id} ${request.url} we can't figure out who the signer is, or we can't get their key: refuse`);
|
||||
this.authlogger.warn(`${logPrefix} we can't figure out who the signer is, or we can't get their key: refuse`);
|
||||
reply.code(401);
|
||||
return true;
|
||||
}
|
||||
|
@ -207,20 +209,20 @@ export class ActivityPubServerService {
|
|||
let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
|
||||
|
||||
if (!httpSignatureValidated) {
|
||||
this.authlogger.info(`${request.id} ${request.url} failed to validate signature, re-fetching the key for ${authUser.user.uri}`);
|
||||
this.authlogger.info(`${logPrefix} failed to validate signature, re-fetching the key for ${authUser.user.uri}`);
|
||||
// maybe they changed their key? refetch it
|
||||
authUser.key = await this.apDbResolverService.refetchPublicKeyForApId(authUser.user);
|
||||
|
||||
if (authUser.key != null) {
|
||||
httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
|
||||
} else {
|
||||
this.authlogger.warn(`${request.id} ${request.url} failed to re-fetch key for ${authUser.user}`);
|
||||
this.authlogger.warn(`${logPrefix} failed to re-fetch key for ${authUser.user}`);
|
||||
}
|
||||
}
|
||||
|
||||
if (!httpSignatureValidated) {
|
||||
// bad signature: refuse
|
||||
this.authlogger.info(`${request.id} ${request.url} failed to validate signature: refuse`);
|
||||
this.authlogger.info(`${logPrefix} failed to validate signature: refuse`);
|
||||
reply.code(401);
|
||||
return true;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue