activitypub: publisher: add (request-target) to http signature when POSTing

2019-08-14 19:00:48 +00:00 · 2019-08-14 19:00:48 +00:00 · 974488a52e
parent acc3c0ed58
commit 974488a52e
2 changed files with 5 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## [1.0.6] - 2019-08-14
 ### Fixed
 - MRF: fix use of unserializable keyword lists in describe() implementations
+- ActivityPub S2S: POST requests are now signed with `(request-target)` pseudo-header.

 ## [1.0.5] - 2019-08-13
 ### Fixed
--- a/lib/pleroma/web/activity_pub/publisher.ex
+++ b/lib/pleroma/web/activity_pub/publisher.ex
@ -44,7 +44,9 @@ defmodule Pleroma.Web.ActivityPub.Publisher do
  """
  def publish_one(%{inbox: inbox, json: json, actor: %User{} = actor, id: id} = params) do
    Logger.info("Federating #{id} to #{inbox}")
-    host = URI.parse(inbox).host
+    uri = URI.parse(inbox)
+    host = uri.host
+    path = uri.path

    digest = "SHA-256=" <> (:crypto.hash(:sha256, json) |> Base.encode64())

@ -54,6 +56,7 @@ defmodule Pleroma.Web.ActivityPub.Publisher do

    signature =
      Pleroma.Signature.sign(actor, %{
+        "(request-target)": "post #{path}",
        host: host,
        "content-length": byte_size(json),
        digest: digest,