Verify signature on Inbox requests

activitypub.go

@@ -151,6 +151,13 @@ func handleFetchInbox(app *app, w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	err = verifyRequest(app, r)
+	if err != nil {
+		logError("Unable to verify signature: %v", err)
+		return err
+	}
+	logInfo("Signature OK")
+
 	dump, err := httputil.DumpRequest(r, true)
 	if err != nil {
 		logError("Can't dump: %v", err)

app.go

@@ -87,6 +87,7 @@ func Serve() {
 		log.Fatal(err)
 	}
 
+	initFederation(app)
 	err = initKeys(app)
 	if err != nil {
 		log.Fatal(err)

data.go

@@ -223,3 +223,18 @@ func (app *app) getPost(id int64) (*Post, error) {
 	}
 	return &p, err
 }
+
+func (app *app) getActorKey(id string) ([]byte, error) {
+	k := []byte{}
+
+	stmt := "SELECT public_key FROM userkeys WHERE id = ?"
+	err := app.db.QueryRow(stmt, id).Scan(&k)
+	switch {
+	case err == sql.ErrNoRows:
+		return nil, impart.HTTPError{http.StatusNotFound, "Key not found"}
+	case err != nil:
+		return nil, err
+	}
+
+	return k, nil
+}

federation.go

@@ -13,6 +13,36 @@ import (
 	"net/http/httputil"
 )
 
+var (
+	verifier *httpsig.Verifier
+)
+
+func initFederation(app *app) {
+	verifier = httpsig.NewSigHeaderVerifier(keyGetter{app})
+}
+
+type keyGetter struct {
+	app *app
+}
+
+func (kg keyGetter) GetKey(id string) interface{} {
+	k, err := kg.app.getActorKey(id)
+	if err != nil {
+		logError("Unable to get key: %v", err)
+		return nil
+	}
+	pubKey, err := activitypub.DecodePublicKey(k)
+	if err != nil {
+		logError("Unable to decode key: %v", err)
+		return err
+	}
+	return pubKey
+}
+
+func verifyRequest(app *app, r *http.Request) error {
+	return verifier.Verify(r)
+}
+
 func makeActivityPost(p *activitystreams.Person, url string, m interface{}) error {
 	logInfo("POST %s", url)
 	b, err := json.Marshal(m)