From 3d5aad4aa7cc758b969736f56b37f89a3a60bb59 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Thu, 21 Jan 2021 15:37:03 +0000
Subject: [PATCH] Sign the header for returned actors
---
 daemon.py | 21 +++++++++++++++++++--
 posts.py | 8 ++++----
 2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/daemon.py b/daemon.py
index 28c1bd6a9..121f303ec 100644
--- a/daemon.py
+++ b/daemon.py
@@ -10,6 +10,7 @@ from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer, HTTPServer
 import sys
 import json
 import time
+from time import gmtime, strftime
 import locale
 import urllib.parse
 import datetime
@@ -65,6 +66,7 @@ from person import removeAccount
 from person import canRemovePost
 from person import personSnooze
 from person import personUnsnooze
+from posts import getPersonKey
 from posts import isModerator
 from posts import mutePost
 from posts import unmutePost
@@ -221,6 +223,7 @@ from media import removeMetaData
 from cache import storePersonInCache
 from cache import getPersonFromCache
 from httpsig import verifyPostHeaders
+from httpsig import signPostHeaders
 from theme import setNewsAvatar
 from theme import setTheme
 from theme import getTheme
@@ -9065,13 +9068,27 @@ class PubServer(BaseHTTPRequestHandler): 'show profile posts') else: if self._fetchAuthenticated(): - if atPath: - print('@ detected actor ' + str(actorJson)) msg = json.dumps(actorJson, ensure_ascii=False).encode('utf-8') msglen = len(msg) self._set_headers('application/json', msglen, None, callingDomain) + nickname = path.split('/users/')[1] + if '/' in nickname: + nickname = nickname.split('/')[0] + privateKeyPem = \ + getPersonKey(nickname, domain, baseDir, 'private', debug) + if len(privateKeyPem) > 0: + dateStr = strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime()) + boxpath = '/inbox' + signatureHeader = \ + signPostHeaders(dateStr, privateKeyPem, nickname, + domain, port, + callingDomain, 443, + boxpath, httpPrefix, None) + self.headers['signature'] = signatureHeader + if atPath: + print('@ detected actor ' + str(actorJson)) self._write(msg) else: self._404() diff --git a/posts.py b/posts.py index 6c22f1ca5..65299a2be 100644 --- a/posts.py +++ b/posts.py @@ -118,8 +118,8 @@ def noOfFollowersOnDomain(baseDir: str, handle: str, return ctr -def _getPersonKey(nickname: str, domain: str, baseDir: str, keyType='public', - debug=False): +def getPersonKey(nickname: str, domain: str, baseDir: str, keyType='public', + debug=False): """Returns the public or private key of a person """ handle = nickname + '@' + domain @@ -1837,7 +1837,7 @@ def sendPost(projectVersion: str, None, None, None, None, None) # get the senders private key - privateKeyPem = _getPersonKey(nickname, domain, baseDir, 'private') + privateKeyPem = getPersonKey(nickname, domain, baseDir, 'private') if len(privateKeyPem) == 0: return 6 
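Review bot: In the daemon.py hunk, `self.headers['signature'] = signatureHeader` does not sign the response: on a `BaseHTTPRequestHandler`, `self.headers` holds the parsed request headers, so the value is never sent to the client, and it is assigned after `self._set_headers(...)` has already run. A response header has to go out through `self.send_header('Signature', signatureHeader)` before the header block is ended, so the signature needs to be computed ahead of `_set_headers`, which is defined outside this hunk and presumably calls `end_headers()`. The signing call also passes `boxpath = '/inbox'`, port 443 and a final argument of `None`; if that last argument is the message body, the signature would cover a POST-to-inbox target rather than the actor JSON in `msg`, so a client verifying it would learn nothing about the integrity of the returned document. Separately, `path.split('/users/')[1]` raises IndexError when the path lacks `/users/`, and the nickname it yields is request-controlled input used to locate a private key, so it should be checked against known local accounts before `getPersonKey` is called.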
@@ -2159,7 +2159,7 @@ def sendSignedJson(postJsonObject: {}, session, baseDir: str, # sharedInbox is optional # get the senders private key - privateKeyPem = _getPersonKey(nickname, domain, baseDir, 'private', debug) + privateKeyPem = getPersonKey(nickname, domain, baseDir, 'private', debug) if len(privateKeyPem) == 0: if debug: print('DEBUG: Private key not found for ' +