Server: do not forget to check the signature when another pod wants to

quit us
This commit is contained in:
Chocobozzz 2016-10-01 09:09:07 +02:00
parent c60f2212fd
commit 0eb78d5303
3 changed files with 32 additions and 21 deletions
server
controllers/api/v1
middlewares

View File

@ -10,6 +10,7 @@ const friends = require('../../../lib/friends')
const middlewares = require('../../../middlewares')
const admin = middlewares.admin
const oAuth = middlewares.oauth
const checkSignature = middlewares.secure.checkSignature
const validators = middlewares.validators.pods
const signatureValidator = middlewares.validators.remote.signature
@ -31,7 +32,11 @@ router.get('/quitfriends',
quitFriends
)
// Post because this is a secured request
router.post('/remove', signatureValidator, removePods)
router.post('/remove',
signatureValidator,
checkSignature,
removePods
)
// ---------------------------------------------------------------------------

View File

@ -16,6 +16,7 @@ const Video = mongoose.model('Video')
router.post('/videos',
validators.signature,
validators.dataToDecrypt,
secureMiddleware.checkSignature,
secureMiddleware.decryptBody,
validators.remoteVideos,
remoteVideos

View File

@ -7,10 +7,11 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
const Pod = mongoose.model('Pod')
const secureMiddleware = {
checkSignature: checkSignature,
decryptBody: decryptBody
}
function decryptBody (req, res, next) {
function checkSignature (req, res, next) {
const url = req.body.signature.url
Pod.loadByUrl(url, function (err, pod) {
if (err) {
@ -28,26 +29,30 @@ function decryptBody (req, res, next) {
const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature)
if (signatureOk === true) {
peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
if (err) {
logger.error('Cannot decrypt data.', { error: err })
return res.sendStatus(500)
}
try {
req.body.data = JSON.parse(decrypted)
delete req.body.key
} catch (err) {
logger.error('Error in JSON.parse', { error: err })
return res.sendStatus(500)
}
next()
})
} else {
logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
return res.sendStatus(403)
return next()
}
logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
return res.sendStatus(403)
})
}
function decryptBody (req, res, next) {
peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
if (err) {
logger.error('Cannot decrypt data.', { error: err })
return res.sendStatus(500)
}
try {
req.body.data = JSON.parse(decrypted)
delete req.body.key
} catch (err) {
logger.error('Error in JSON.parse', { error: err })
return res.sendStatus(500)
}
next()
})
}