git.squeep.com Git - akkoma/blob - lib/pleroma/plugs/http_signature.ex

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
   6   import Plug.Conn
   7   require Logger
   8
   9   def init(options) do
  10     options
  11   end
  12
  13   def call(%{assigns: %{valid_signature: true}} = conn, _opts) do
  14     conn
  15   end
  16
  17   def call(conn, _opts) do
  18     conn
  19     |> maybe_assign_valid_signature()
  20     |> maybe_require_signature()
  21   end
  22
  23   defp maybe_assign_valid_signature(conn) do
  24     if has_signature_header?(conn) do
  25       # set (request-target) header to the appropriate value
  26       # we also replace the digest header with the one we computed
  27       request_target = String.downcase("#{conn.method}") <> " #{conn.request_path}"
  28
  29       conn =
  30         conn
  31         |> put_req_header("(request-target)", request_target)
  32         |> case do
  33           %{assigns: %{digest: digest}} = conn -> put_req_header(conn, "digest", digest)
  34           conn -> conn
  35         end
  36
  37       assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
  38     else
  39       Logger.debug("No signature header!")
  40       conn
  41     end
  42   end
  43
  44   defp has_signature_header?(conn) do
  45     conn |> get_req_header("signature") |> Enum.at(0, false)
  46   end
  47
  48   defp maybe_require_signature(%{assigns: %{valid_signature: true}} = conn), do: conn
  49
  50   defp maybe_require_signature(conn) do
  51     if Pleroma.Config.get([:activitypub, :authorized_fetch_mode], false) do
  52       conn
  53       |> put_status(:unauthorized)
  54       |> Phoenix.Controller.text("Request not signed")
  55       |> halt()
  56     else
  57       conn
  58     end
  59   end
  60 end