From 580c684f792d6fab16c58b9a08d566cd03c72ca4 Mon Sep 17 00:00:00 2001 From: pdp8 Date: Fri, 6 Oct 2023 15:02:59 +0200 Subject: announce to fixed, find_file replaced with find_object, CONTENT_LENGHT included in signature verification --- .gitignore | 1 + client.rb | 11 +++++------ helpers.rb | 10 +++++----- server.rb | 22 +++++++++++++--------- update | 2 +- views/outbox.erb | 5 ++--- 6 files changed, 27 insertions(+), 24 deletions(-) diff --git a/.gitignore b/.gitignore index da487b4..416d49a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ generate-digest.rb watch +update *.pem .usr .pwd diff --git a/client.rb b/client.rb index 7b93c83..01124bc 100644 --- a/client.rb +++ b/client.rb @@ -41,12 +41,11 @@ end post '/share' do # TODO protected! - src = find_file params['id'] + src, object = find_object params['id'] object = JSON.load_file(src) - recipients = ['https://www.w3.org/ns/activitystreams#Public'] - recipients += JSON.load_file(FOLLOWERS)['orderedItems'] - recipients << object['attributedTo'] - create_activity 'Announce', object, recipients + to = ['https://www.w3.org/ns/activitystreams#Public', FOLLOWERS_URL] + to << object['attributedTo'] + create_activity 'Announce', object, to dest = src.sub('inbox/', 'outbox/') FileUtils.mkdir_p File.dirname(dest) FileUtils.mv src, dest @@ -59,7 +58,7 @@ post '/undo' do # TODO: generalize for announce activity = JSON.load_file(activity_file) next unless activity['id'] == params['id'] - object_file = find_file activity['object']['id'] + object_file, object = find_object activity['object']['id'] create_activity 'Undo', params['id'], activity['to'] FileUtils.rm(activity_file) FileUtils.rm(object_file) diff --git a/helpers.rb b/helpers.rb index 0a7f829..1f106a7 100644 --- a/helpers.rb +++ b/helpers.rb 
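Review bot: In the `/share` hunk the new `src, object = find_object params['id']` is followed by the unchanged `object = JSON.load_file(src)`, so the object is parsed twice and an id that matches nothing reaches `JSON.load_file` with no path and raises instead of returning a clean error. A guard such as `halt 404 unless src` right after the lookup, with the `JSON.load_file(src)` line dropped, would cover it; this assumes `find_object` returns nil on a miss, which should be confirmed since its body is not in this diff. The `/undo` hunk has the same gap: `FileUtils.rm(object_file)` runs unguarded and the new `object` local is never used, so `object_file, _object = find_object activity['object']['id']` plus `FileUtils.rm(object_file) if object_file` would be safer. Both route bodies extend beyond their hunks.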
@@ -201,11 +201,11 @@ helpers do "#{type[0]}/#{ext}" end - def find_file(id) - Dir[File.join('*', 'object', '*', '*.json')].find do |f| - JSON.load_file(f)['id'] == id - end - end + # def find_file(id) + # Dir[File.join('*', 'object', '*', '*.json')].find do |f| + # JSON.load_file(f)['id'] == id + # end + # end def find_object(id) Dir[File.join('*', '**', '*.json')].each do |file| diff --git a/server.rb b/server.rb index 41663cb..e2d4896 100644 --- a/server.rb +++ b/server.rb @@ -10,7 +10,7 @@ post '/inbox' do end # deleted actors return 403 => verification error halt 200 if @activity['type'] == 'Delete' and @activity['actor'] == @activity['object'] - verify! # pixelfed sends unsigned activities??? + verify! handle_activity 200 end @@ -103,7 +103,7 @@ helpers do when 'Follow' update_collection FOLLOWERS, @activity['object']['actor'], 'delete' when 'Create', 'Announce' - file = find_file @activity['object']['object'] + file, object = find_object @activity['object']['object'] FileUtils.rm(file) if file and File.exist? file else p "Cannot undo @activity['object']['type']" @@ -113,13 +113,13 @@ helpers do end def update - file = find_file(@activity['object']['id']) + file, object = find_object(@activity['object']['id']) FileUtils.rm(file) if file and File.exist? file create end def delete - file = find_file(@activity['object']['id']) + file, object = find_object(@activity['object']['id']) FileUtils.rm(file) if file and File.exist? file end 
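Review bot: `find_object` globs `File.join('*', '**', '*.json')`, which is wider than the `'*', 'object', '*', '*.json'` pattern of the `find_file` it replaces, and the callers changed in this commit pass the returned path to `FileUtils.rm` and `FileUtils.mv`. If a JSON file outside the object directories carries a matching `id`, those callers would now remove or move it. Restricting the glob to the object trees, or adding a comment on `find_object` that states which directories it searches and what it returns on a miss, would make the contract explicit. The old `find_file` can be deleted rather than kept as five `#` lines, since version control already preserves it. Only the first line of `find_object` is visible in this hunk.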
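Review bot: In `undo` (the server.rb hunk at line 103) and in `update` and `delete` (the hunk at line 113) the file to remove is chosen purely by an id taken from the incoming activity, and nothing visible compares the stored object's owner with `@activity['actor']`. Since the lookup now also returns the parsed object, the check is cheap: `FileUtils.rm(file) if file and object['attributedTo'] == @activity['actor']`. Without it an accepted activity from one actor could remove or replace an object attributed to another. As written the new `object` local is unused in all three methods. These methods begin or end outside the hunks, so an ownership check elsewhere in them cannot be ruled out.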
@@ -204,18 +204,22 @@ helpers do '(request-target): post /inbox' elsif signed_params_name == 'content-type' "#{signed_params_name}: #{request.env['CONTENT_TYPE']}" + elsif signed_params_name == 'content-length' + "#{signed_params_name}: #{request.env['CONTENT_LENGTH']}" else - "#{signed_params_name}: #{request.env["HTTP_#{signed_params_name.upcase}"]}" + "#{signed_params_name}: #{request.env["HTTP_#{signed_params_name.upcase.gsub('-', '_')}"]}" end end.join("\n") return if key.verify(OpenSSL::Digest.new('SHA256'), signature, comparison) p 'verification failed' - p signature_params - p actor['publicKey'] - p signature, comparison - jj @activity + jj signature_params + jj request.env.select { |k, _v| k.start_with? 'HTTP_' }.to_h + # jj actor['publicKey'] + # p signature + puts comparison + # jj @activity # halt 403 end end diff --git a/update b/update index 24eebb5..e74928c 100755 --- a/update +++ b/update @@ -1,3 +1,3 @@ #!/bin/sh -rsync -a --exclude='.git/' --exclude='watch' --exclude='generate-digest.rb' --exclude='update '--exclude='.gitignore' --exclude='TODO' --filter=":- .gitignore" ./ /srv/social/ +rsync -a --exclude='.git/' --exclude='clean-inbox' --exclude='.gitignore' --exclude='TODO' --filter=":- .gitignore" ./ /srv/social/ sudo systemctl restart social.service diff --git a/views/outbox.erb b/views/outbox.erb index db840f4..7b95439 100644 --- a/views/outbox.erb +++ b/views/outbox.erb @@ -3,15 +3,14 @@ pdp8 social - +
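Review bot: A failed signature check still falls through, because `halt 403` stays commented out after the debug output at the end of the server.rb hunk, so the `/inbox` route goes on to `handle_activity` with an unverified activity. Restoring `halt 403` below the diagnostics closes that. The added `jj request.env.select { |k, _v| k.start_with? 'HTTP_' }.to_h` writes every request header to the log on each failure, which may include credentials or cookies; printing only the headers named in `signature_params` would be enough for debugging. The method starts outside the hunk, so it is worth confirming that the signed header list is required to contain `(request-target)`, `host`, `date` and `digest` rather than whatever the sender chose to sign.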

pdp8@social.pdp8.info

music, pictures and videos: https://pdp8.info <% @activities.each do |activity| - file = find_file activity['object']['id'] - @object = JSON.load_file file if file and File.exists? file + file, @object = find_object activity['object']['id'] if @object mention = mention @object['attributedTo'] %>
-- cgit v1.2.3