mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2025-10-29 00:02:25 -05:00
098dbe6ff4* first commit
Signed-off-by: kim <grufwub@gmail.com>
* replace logging with our own log library
Signed-off-by: kim <grufwub@gmail.com>
* fix imports
Signed-off-by: kim <grufwub@gmail.com>
* fix log imports
Signed-off-by: kim <grufwub@gmail.com>
* add license text
Signed-off-by: kim <grufwub@gmail.com>
* fix package import cycle between config and log package
Signed-off-by: kim <grufwub@gmail.com>
* fix empty kv.Fields{} being passed to WithFields()
Signed-off-by: kim <grufwub@gmail.com>
* fix uses of log.WithFields() with whitespace issues and empty slices
Signed-off-by: kim <grufwub@gmail.com>
* *linter related grumbling*
Signed-off-by: kim <grufwub@gmail.com>
* gofmt the codebase! also fix more log.WithFields() formatting issues
Signed-off-by: kim <grufwub@gmail.com>
* update testrig code to match new changes
Signed-off-by: kim <grufwub@gmail.com>
* fix error wrapping in non fmt.Errorf function
Signed-off-by: kim <grufwub@gmail.com>
* add benchmarking of log.Caller() vs non-cached
Signed-off-by: kim <grufwub@gmail.com>
* fix syslog tests, add standard build tags to test runner to ensure consistency
Signed-off-by: kim <grufwub@gmail.com>
* make syslog tests more robust
Signed-off-by: kim <grufwub@gmail.com>
* fix caller depth arithmatic (is that how you spell it?)
Signed-off-by: kim <grufwub@gmail.com>
* update to use unkeyed fields in kv.Field{} instances
Signed-off-by: kim <grufwub@gmail.com>
* update go-kv library
Signed-off-by: kim <grufwub@gmail.com>
* update libraries list
Signed-off-by: kim <grufwub@gmail.com>
* fuck you linter get nerfed
Signed-off-by: kim <grufwub@gmail.com>
Co-authored-by: tobi <31960611+tsmethurst@users.noreply.github.com>
51 lines
1.9 KiB
Go
51 lines
1.9 KiB
Go
package security
|
|
|
|
import (
|
|
"net/http"
|
|
"net/url"
|
|
|
|
"github.com/superseriousbusiness/gotosocial/internal/ap"
|
|
"github.com/superseriousbusiness/gotosocial/internal/log"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/go-fed/httpsig"
|
|
)
|
|
|
|
// SignatureCheck checks whether an incoming http request has been signed. If so, it will check if the domain
|
|
// that signed the request is permitted to access the server. If it is permitted, the handler will set the key
|
|
// verifier and the signature in the gin context for use down the line.
|
|
func (m *Module) SignatureCheck(c *gin.Context) {
|
|
// create the verifier from the request
|
|
// if the request is signed, it will have a signature header
|
|
verifier, err := httpsig.NewVerifier(c.Request)
|
|
if err == nil {
|
|
// the request was signed!
|
|
|
|
// The key ID should be given in the signature so that we know where to fetch it from the remote server.
|
|
// This will be something like https://example.org/users/whatever_requesting_user#main-key
|
|
requestingPublicKeyID, err := url.Parse(verifier.KeyId())
|
|
if err == nil && requestingPublicKeyID != nil {
|
|
// we managed to parse the url!
|
|
|
|
// if the domain is blocked we want to bail as early as possible
|
|
blocked, err := m.db.IsURIBlocked(c.Request.Context(), requestingPublicKeyID)
|
|
if err != nil {
|
|
log.Errorf("could not tell if domain %s was blocked or not: %s", requestingPublicKeyID.Host, err)
|
|
c.AbortWithStatus(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if blocked {
|
|
log.Infof("domain %s is blocked", requestingPublicKeyID.Host)
|
|
c.AbortWithStatus(http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
// set the verifier and signature on the context here to save some work further down the line
|
|
c.Set(string(ap.ContextRequestingPublicKeyVerifier), verifier)
|
|
signature := c.GetHeader("Signature")
|
|
if signature != "" {
|
|
c.Set(string(ap.ContextRequestingPublicKeySignature), signature)
|
|
}
|
|
}
|
|
}
|
|
}
|