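# frozen_string_literal: true

require 'shellwords'
require 'time'

# Signed requests whose Date header is further than this (seconds) from now are refused,
# which bounds how long a captured request can be replayed. See verify!.
SIGNATURE_MAX_AGE = 12 * 60 * 60

# Headers the sender's signature must cover before it is worth anything to us:
# (request-target) ties it to this path, date bounds replay, digest binds the body.
REQUIRED_SIGNED_HEADERS = %w[(request-target) date digest].freeze

# server-server
post '/inbox' do
  request.body.rewind # in case someone already read it
  @body = request.body.read
  halt 400 if @body.empty?
  begin
    @activity = JSON.parse @body
  rescue StandardError
    p @body
    halt 400
  end
  # Everything below indexes @activity by string key; a JSON array or scalar is not an activity.
  halt 400 unless @activity.is_a?(Hash) && @activity['type'].is_a?(String)
  halt 501 if @activity['actor'] && @activity['type'] == 'Delete' # deleted actors return 403 => verification error
  verify! # unless type == :accept # pixelfed sends unsigned accept activities???
  complete_and_save(@activity)
  # Explicit dispatch rather than send(type.to_sym): only these three helpers are reachable from the wire.
  case @activity['type'].downcase
  when 'follow' then follow
  when 'accept' then accept
  when 'undo' then undo
  end
  halt 200
end

# public
get '/.well-known/webfinger' do
  halt 404 unless request['resource'] == "acct:#{MENTION}"
  send_file(WEBFINGER, type: 'application/jrd+json')
end

get '/pdp8' do
  send_file(File.join(PUBLIC_DIR, 'pdp8.json'), type: CONTENT_TYPE)
end

['/following', '/followers'].each do |path|
  get path do
    send_file(File.join(PUBLIC_DIR, path) + '.json', type: CONTENT_TYPE)
  end
end

helpers do
  # Records the (verified) actor as a follower and answers with an Accept sent to it.
  def follow
    update_collection FOLLOWERS, @activity['actor']
    outbox 'Accept', @activity, [@activity['actor']]
  end

  # Handles Accept of a Follow we sent: only the actor we asked to follow may accept it,
  # so the Follow's object must be the actor sending the Accept.
  def accept
    halt 501 unless follow_object?
    halt 403 unless @activity['object']['object'] == @activity['actor']
    update_collection FOLLOWING, @activity['object']['object']
  end

  # Handles Undo of a Follow: only the follower itself may retract its own Follow.
  def undo
    halt 501 unless follow_object?
    halt 403 unless @activity['object']['actor'] == @activity['actor']
    update_collection FOLLOWERS, @activity['object']['actor'], true
  end

  # True when the activity wraps an embedded Follow object; a missing or id-only 'object' is not one.
  def follow_object?
    object = @activity['object']
    object.is_a?(Hash) && object['type'] == 'Follow'
  end

  # https://github.com/mastodon/mastodon/blob/main/app/controllers/concerns/signature_verification.rb
  # Halts 403 unless the request carries a valid HTTP signature from the actor named in @activity.
  # Order of checks: body digest, required signed headers, Date freshness, key fetch,
  # key/actor binding, then the RSA-SHA256 signature itself. Malformed input is 403, never 500.
  def verify!
    # digest
    halt 403 unless digest_matches?(request.env['HTTP_DIGEST'])

    # signature
    params = parse_signature_header(request.env['HTTP_SIGNATURE'])
    key_id = params['keyId']
    headers = params['headers']
    halt 403 unless key_id && headers && params['signature']
    signed_headers = headers.split
    # A signature that does not cover the target, the date and the body digest proves nothing useful.
    halt 403 unless (REQUIRED_SIGNED_HEADERS - signed_headers).empty?
    halt 403 unless fresh_date?(request.env['HTTP_DATE'])

    actor = fetch key_id
    halt 403 unless actor.is_a?(Hash)
    # The key document comes from the sender-supplied keyId, so tie it back: the key must be
    # served from the same host as the actor it claims to be, and that actor must be the one the
    # activity is attributed to (as a URI string) — otherwise any actor with a key could act on
    # another's behalf.
    halt 403 unless same_host?(key_id, actor['id'])
    halt 403 unless actor['id'] == @activity['actor']
    pem = actor.dig('publicKey', 'publicKeyPem')
    halt 403 unless pem.is_a?(String)

    comparison = signed_headers.map { |name| signed_line(name) }.join("\n")
    begin
      key = OpenSSL::PKey::RSA.new(pem)
      signature = Base64.decode64(params['signature'])
      halt 403 unless key.verify(OpenSSL::Digest.new('SHA256'), signature, comparison)
    rescue OpenSSL::PKey::PKeyError
      # Unparseable key or signature material is an unverified request, not a server error.
      halt 403
    end
  end

  # Compares the SHA-256 digest of @body with the Digest header ("SHA-256=<base64>", RFC 3230;
  # the algorithm token is case-insensitive).
  def digest_matches?(header)
    return false unless header.is_a?(String)

    algorithm, value = header.split('=', 2)
    expected = OpenSSL::Digest.new('SHA256').base64digest(@body)
    algorithm.to_s.casecmp?('SHA-256') && value == expected
  end

  # Parses 'keyId="…",algorithm="…",headers="…",signature="…"' into a Hash of unquoted values.
  # Each pair is split on the first '=' only: base64 signatures end in '=' padding.
  def parse_signature_header(header)
    return {} unless header.is_a?(String)

    header.split(',').each_with_object({}) do |pair, params|
      name, value = pair.split('=', 2)
      next unless name && value

      params[name.strip] = value.delete('"')
    end
  end

  # True when the Date header parses as an HTTP-date within SIGNATURE_MAX_AGE of now.
  def fresh_date?(header)
    return false unless header.is_a?(String)

    sent = Time.httpdate(header)
    (Time.now - sent).abs <= SIGNATURE_MAX_AGE
  rescue ArgumentError
    false
  end

  # True when both values are URIs naming the same host; false for unparseable or host-less ones.
  def same_host?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)

    host = URI(a).host
    host && host == URI(b).host
  rescue URI::InvalidURIError
    false
  end

  # One line of the signing string for a signed header name, in the sender's order.
  # Rack exposes Content-Type/Content-Length without the HTTP_ prefix; other headers map
  # "x-foo" to env["HTTP_X_FOO"]. A header absent from the request yields an empty value.
  def signed_line(name)
    case name
    when '(request-target)' then '(request-target): post /inbox'
    when 'content-type' then "#{name}: #{request.env['CONTENT_TYPE']}"
    when 'content-length' then "#{name}: #{request.env['CONTENT_LENGTH']}"
    else "#{name}: #{request.env["HTTP_#{name.upcase.tr('-', '_')}"]}"
    end
  end

  # Builds, saves and delivers an activity of `type` wrapping `object` to the actors in `recipients`.
  # Delivery is one signed POST per distinct inbox (sharedInbox preferred). Returns the saved activity.
  def outbox(type, object, recipients)
    # add date and id, save
    activity = complete_and_save({
      '@context' => 'https://www.w3.org/ns/activitystreams',
      'type' => type,
      'actor' => ACTOR,
      'object' => object,
      'to' => recipients
    })
    # send
    # https://github.com/mastodon/mastodon/blob/main/app/lib/request.rb
    keypair = OpenSSL::PKey::RSA.new(File.read('private.pem'))
    body = activity.to_json
    digest = "SHA-256=#{OpenSSL::Digest.new('SHA256').base64digest(body)}"
    inbox_urls(recipients).each do |inbox|
      # Inbox URLs come from remote actor documents: deliver over http(s) only, never file:// or the like.
      uri = http_uri(inbox)
      next unless uri

      # The Date is taken once so the header sent is the date that was signed.
      date = httpdate
      string = "(request-target): post #{uri.request_uri}\nhost: #{uri.host}\ndate: #{date}\ndigest: #{digest}\ncontent-type: application/activity+json"
      signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest.new('SHA256'), string))
      signed_header = "keyId=\"#{ACTOR}#main-key\",algorithm=\"rsa-sha256\",headers=\"(request-target) host date digest content-type\",signature=\"#{signature}\""
      # Every argument is shell-escaped: body and host originate from the remote activity/actor
      # document, and a single quote in either would otherwise terminate the quoted argument.
      args = [
        '-X', 'POST',
        '-H', 'Content-Type: application/activity+json',
        '-H', "Host: #{uri.host}",
        '-H', "Date: #{date}",
        '-H', "Digest: #{digest}",
        '-H', "Signature: #{signed_header}",
        '-d', body
      ]
      curl(Shellwords.join(args), inbox)
    end
    activity
  end

  # Resolves recipient actor URLs to distinct inbox URLs, preferring endpoints.sharedInbox.
  # Skips ourselves and the Public collection, and recipients that cannot be fetched.
  def inbox_urls(recipients)
    inboxes = recipients.uniq.map do |url|
      next if [ACTOR, 'https://www.w3.org/ns/activitystreams#Public'].include? url

      actor = fetch url
      next unless actor.is_a?(Hash)

      endpoints = actor['endpoints']
      shared = endpoints['sharedInbox'] if endpoints.is_a?(Hash)
      shared || actor['inbox']
    end
    inboxes.compact.uniq
  end

  # Parses an inbox URL, returning nil unless it is an http(s) URL with a host.
  def http_uri(url)
    uri = URI(url)
    uri if uri.is_a?(URI::HTTP) && uri.host
  rescue URI::InvalidURIError, ArgumentError
    nil
  end
end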