	Fix parts of issue #8221 and part of PR #4767
Is linked to https://codeberg.org/forgejo/forgejo/pulls/8274
The commit 555f6e57ad fixes timeout forgejo/forgejo#8274 (Kommentar)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8708
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-committed-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
| // Copyright 2022 The Gitea Authors. All rights reserved.
 | |
| // SPDX-License-Identifier: MIT
 | |
| 
 | |
| package activitypub
 | |
| 
 | |
import (
	"errors"
	"fmt"
	"net/http"

	"forgejo.org/modules/log"
	"forgejo.org/modules/setting"
	services_context "forgejo.org/services/context"
	"forgejo.org/services/federation"

	"github.com/42wim/httpsig"
)
 | |
| 
 | |
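// verifyHTTPUserOrInstanceSignature checks the HTTP signature of the incoming
// request against the key named by the signature's keyId. The key is resolved
// first as a federated user key and, if that lookup fails or yields no key, as
// a federation host (instance) key.
//
// When signature enforcement is disabled in the federation settings the
// request is accepted without being inspected.
//
// Returns (true, nil) when the signature verifies and (false, err) when the
// request carries no parseable signature, no signature algorithm is
// configured, no key can be resolved for the keyId, or the signature does not
// verify against the resolved key.
func verifyHTTPUserOrInstanceSignature(ctx services_context.APIContext) (authenticated bool, err error) {
	if !setting.Federation.SignatureEnforced {
		return true, nil
	}

	r := ctx.Req

	// 1. Figure out what key we need to verify
	v, err := httpsig.NewVerifier(r)
	if err != nil {
		return false, err
	}

	// The algorithm comes from configuration, not from the request's own
	// "algorithm" parameter, so the client cannot choose it. Guard the index:
	// an empty list would otherwise panic on the request path.
	if len(setting.Federation.SignatureAlgorithms) == 0 {
		return false, errors.New("no federation signature algorithm configured")
	}
	signatureAlgorithm := httpsig.Algorithm(setting.Federation.SignatureAlgorithms[0])

	keyID := v.KeyId()
	pubKey, err := federation.FindOrCreateFederatedUserKey(ctx, keyID)
	if err != nil || pubKey == nil {
		// Not a resolvable user key: the user-lookup error is deliberately
		// discarded and the keyId is retried as an instance key.
		pubKey, err = federation.FindOrCreateFederationHostKey(ctx, keyID)
		if err != nil {
			return false, err
		}
	}
	// A nil key with a nil error from the host lookup must not reach Verify;
	// treat it as an unresolved key rather than relying on the library to
	// reject it.
	if pubKey == nil {
		return false, fmt.Errorf("no public key found for keyId %q", keyID)
	}

	if err = v.Verify(pubKey, signatureAlgorithm); err != nil {
		return false, err
	}
	return true, nil
}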
 | |
| 
 | |
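// verifyHTTPUserSignature checks the HTTP signature of the incoming request
// against the federated user key named by the signature's keyId. Unlike
// verifyHTTPUserOrInstanceSignature it does not fall back to an instance key.
//
// When signature enforcement is disabled in the federation settings the
// request is accepted without being inspected.
//
// Returns (true, nil) when the signature verifies and (false, err) when the
// request carries no parseable signature, no signature algorithm is
// configured, the user key cannot be resolved, or the signature does not
// verify against the resolved key.
func verifyHTTPUserSignature(ctx services_context.APIContext) (authenticated bool, err error) {
	if !setting.Federation.SignatureEnforced {
		return true, nil
	}

	r := ctx.Req

	// 1. Figure out what key we need to verify
	v, err := httpsig.NewVerifier(r)
	if err != nil {
		return false, err
	}

	// The algorithm comes from configuration, not from the request's own
	// "algorithm" parameter, so the client cannot choose it. Guard the index:
	// an empty list would otherwise panic on the request path.
	if len(setting.Federation.SignatureAlgorithms) == 0 {
		return false, errors.New("no federation signature algorithm configured")
	}
	signatureAlgorithm := httpsig.Algorithm(setting.Federation.SignatureAlgorithms[0])

	keyID := v.KeyId()
	pubKey, err := federation.FindOrCreateFederatedUserKey(ctx, keyID)
	if err != nil {
		return false, err
	}
	// A nil key with a nil error must not reach Verify; treat it as an
	// unresolved key rather than relying on the library to reject it.
	if pubKey == nil {
		return false, fmt.Errorf("no public key found for keyId %q", keyID)
	}

	if err = v.Verify(pubKey, signatureAlgorithm); err != nil {
		return false, err
	}
	return true, nil
}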
 | |
| 
 | |
// ReqHTTPUserOrInstanceSignature returns a middleware that rejects the request
// unless its HTTP signature verifies via verifyHTTPUserOrInstanceSignature
// (federated user key, falling back to a federation host key).
// A verification error is logged and answered with 400; a request that does
// not verify is answered with 403.
func ReqHTTPUserOrInstanceSignature() func(ctx *services_context.APIContext) {
	return func(ctx *services_context.APIContext) {
		authenticated, err := verifyHTTPUserOrInstanceSignature(*ctx)
		switch {
		case err != nil:
			log.Warn("verifyHttpSignatures failed: %v", err)
			ctx.Error(http.StatusBadRequest, "reqSignature", "request signature verification failed")
		case !authenticated:
			ctx.Error(http.StatusForbidden, "reqSignature", "request signature verification failed")
		}
	}
}
 | |
| 
 | |
// ReqHTTPUserSignature returns a middleware that rejects the request unless its
// HTTP signature verifies via verifyHTTPUserSignature (federated user key only,
// no instance-key fallback).
// A verification error is logged and answered with 400; a request that does
// not verify is answered with 403.
func ReqHTTPUserSignature() func(ctx *services_context.APIContext) {
	return func(ctx *services_context.APIContext) {
		authenticated, err := verifyHTTPUserSignature(*ctx)
		switch {
		case err != nil:
			log.Warn("verifyHttpSignatures failed: %v", err)
			ctx.Error(http.StatusBadRequest, "reqSignature", "request signature verification failed")
		case !authenticated:
			ctx.Error(http.StatusForbidden, "reqSignature", "request signature verification failed")
		}
	}
}