diff --git a/packages/backend/src/server/ActivityPubServerService.ts b/packages/backend/src/server/ActivityPubServerService.ts index 8fa8320c8c..24f33fd609 100644 --- a/packages/backend/src/server/ActivityPubServerService.ts +++ b/packages/backend/src/server/ActivityPubServerService.ts @@ -162,23 +162,25 @@ export class ActivityPubServerService { return true; } + const keyId = new URL(signature.keyId); + const keyHost = this.utilityService.toPuny(keyId.hostname); + + const logPrefix = `${request.id} ${request.url} (by ${request.headers['user-agent']}) apparently from ${keyHost}:`; + if (signature.params.headers.indexOf('host') === -1 || request.headers.host !== this.config.host) { // no destination host, or not us: refuse - this.authlogger.warn(`${request.id} ${request.url} no destination host, or not us: refuse`); + this.authlogger.warn(`${logPrefix} no destination host, or not us: refuse`); reply.code(401); return true; } - const keyId = new URL(signature.keyId); - const keyHost = this.utilityService.toPuny(keyId.hostname); - const meta = await this.metaService.fetch(); if (this.utilityService.isBlockedHost(meta.blockedHosts, keyHost)) { /* blocked instance: refuse (we don't care if the signature is good, if they even pretend to be from a blocked instance, they're out) */ - this.authlogger.warn(`${request.id} ${request.url} instance ${keyHost} is blocked: refuse`); + this.authlogger.warn(`${logPrefix} instance is blocked: refuse`); reply.code(401); return true; } @@ -193,13 +195,13 @@ export class ActivityPubServerService { /* keyId is often in the shape `${user.uri}#${keyname}`, try fetching information about the remote user */ const candidate = formatURL(keyId, { fragment: false }); - this.authlogger.info(`${request.id} ${request.url} we don't know the user for keyId ${keyId}, trying to fetch via ${candidate}`); + this.authlogger.info(`${logPrefix} we don't know the user for keyId ${keyId}, trying to fetch via ${candidate}`); authUser = await this.apDbResolverService.getAuthUserFromApId(candidate); } if (authUser?.key == null) { // we can't figure out who the signer is, or we can't get their key: refuse - this.authlogger.warn(`${request.id} ${request.url} we can't figure out who the signer is, or we can't get their key: refuse`); + this.authlogger.warn(`${logPrefix} we can't figure out who the signer is, or we can't get their key: refuse`); reply.code(401); return true; } @@ -207,20 +209,20 @@ export class ActivityPubServerService { let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem); if (!httpSignatureValidated) { - this.authlogger.info(`${request.id} ${request.url} failed to validate signature, re-fetching the key for ${authUser.user.uri}`); + this.authlogger.info(`${logPrefix} failed to validate signature, re-fetching the key for ${authUser.user.uri}`); // maybe they changed their key? refetch it authUser.key = await this.apDbResolverService.refetchPublicKeyForApId(authUser.user); if (authUser.key != null) { httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem); } else { - this.authlogger.warn(`${request.id} ${request.url} failed to re-fetch key for ${authUser.user}`); + this.authlogger.warn(`${logPrefix} failed to re-fetch key for ${authUser.user}`); } } if (!httpSignatureValidated) { // bad signature: refuse - this.authlogger.info(`${request.id} ${request.url} failed to validate signature: refuse`); + this.authlogger.info(`${logPrefix} failed to validate signature: refuse`); reply.code(401); return true; }