HTTP Signature verification: bug fix, use actual HTTP method

2023-02-15 22:05:14 -08:00 · 2023-02-15 22:05:14 -08:00 · 65bbc6751e
commit 65bbc6751e
--- a/activitypub.py
+++ b/activitypub.py
@ -162,9 +162,10 @@ def inbox(domain=None):
        else:
            key_actor = json_loads(common.get_object(keyId, user=user).as2)
            key = key_actor.get("publicKey", {}).get('publicKeyPem')
+            logger.info(f'Verifying signature for {request.path} with key {key}')
            try:
-                if HeaderVerifier(request.headers, key, method='GET', path=request.path,
-                                  required_headers=common.HTTP_SIG_HEADERS,
+                if HeaderVerifier(request.headers, key, required_headers=['Digest'],
+                                  method=request.method, path=request.path,
                                  sign_header='signature').verify():
                    logger.info('HTTP Signature verified!')
                else:
--- a/common.py
+++ b/common.py
@ -29,11 +29,8 @@ from models import Follower, Object, Target, User
 logger = logging.getLogger(__name__)

 DOMAIN_RE = r'[^/:]+\.[^/:]+'
-ACCT_RE = f'(?:acct:)?([^@]+)@({DOMAIN_RE})'
 TLD_BLOCKLIST = ('7z', 'asp', 'aspx', 'gif', 'html', 'ico', 'jpg', 'jpeg', 'js',
                 'json', 'php', 'png', 'rar', 'txt', 'yaml', 'yml', 'zip')
-XML_UTF8 = "<?xml version='1.0' encoding='UTF-8'?>\n"
-LINK_HEADER_RE = re.compile(r""" *< *([^ >]+) *> *; *rel=['"]([^'"]+)['"] *""")

 CONTENT_TYPE_LD_PLAIN = 'application/ld+json'
 CONTENT_TYPE_HTML = 'text/html; charset=utf-8'
--- a/tests/test_activitypub.py
+++ b/tests/test_activitypub.py
@ -9,7 +9,7 @@ from unittest.mock import ANY, call, patch

 from google.cloud import ndb
 from granary import as2
-from httpsig import HeaderSigner, HeaderVerifier
+from httpsig import HeaderSigner
 from oauth_dropins.webutil import util
 from oauth_dropins.webutil.testutil import requests_response
 from oauth_dropins.webutil.util import json_dumps, json_loads
@ -726,7 +726,7 @@ class ActivityPubTest(testutil.TestCase):
        hs = HeaderSigner('http://my/key/id#unused', self.user.private_pem().decode(),
                          algorithm='rsa-sha256', sign_header='signature',
                          headers=('Date', 'Host', 'Digest', '(request-target)'))
-        headers = hs.sign(headers, method='GET', path='/inbox')
+        headers = hs.sign(headers, method='POST', path='/inbox')

        # valid signature
        resp = self.client.post('/inbox', data=body, headers=headers)