
Blog post "how-to-implement-a-basic-activitypub-server" misses the field Digest #17299

Closed
green-coder opened this issue Jan 16, 2022 · 3 comments · May be fixed by mastodon/blog#1
Labels
bug Something isn't working

Comments

@green-coder commented Jan 16, 2022

Steps to reproduce the problem

  1. Read the blog article at https://blog.joinmastodon.org/2018/06/how-to-implement-a-basic-activitypub-server/
  2. Try to send a POST request to a Mastodon instance.

Expected behaviour

The POST request should be accepted by the server (code 202)

Actual behaviour

The server answers with a 401 error.

Specifications

The blog post is missing the information about the Digest field.

See:

```ruby
raise SignatureVerificationError, 'Mastodon requires the Digest header to be signed when doing a POST request' if request.post? && !signed_headers.include?('digest')
```

@green-coder green-coder added the bug Something isn't working label Jan 16, 2022
@mfosterio commented

How should the Digest field look?


@green-coder (Author) commented Feb 17, 2022

> How should the Digest field look?

It's written in those lines:

```ruby
def verify_body_digest!
  # Only enforced when the client declared "digest" among the signed headers.
  return unless signed_headers.include?('digest')
  raise SignatureVerificationError, 'Digest header missing' unless request.headers.key?('Digest')

  # "SHA-256=<base64>, ..." -> [["sha-256", "<base64>"], ...]
  digests = request.headers['Digest'].split(',').map { |digest| digest.split('=', 2) }.map { |key, value| [key.downcase, value] }
  sha256 = digests.assoc('sha-256')

  raise SignatureVerificationError, "Mastodon only supports SHA-256 in Digest header. Offered algorithms: #{digests.map(&:first).join(', ')}" if sha256.nil?
  # body_digest is the base64 SHA-256 of the raw request body as received.
  raise SignatureVerificationError, "Invalid Digest value. Computed SHA-256 digest: #{body_digest}; given: #{sha256[1]}" if body_digest != sha256[1]
end
```

The digest field should be added to the "signed string" like that (in Clojure): https://codeberg.org/green-coder/the-pub/src/branch/made-in-taiwan/src/the_pub/ring_handler.clj#L95-L98

The field digest should be added in the signature field like that (in Clojure): https://codeberg.org/green-coder/the-pub/src/branch/made-in-taiwan/src/the_pub/ring_handler.clj#L103

This commit diff sums up the information missing in the blog, which I found in the Mastodon source code:
https://codeberg.org/green-coder/the-pub/commit/1da6f95efa1918efa9e9eedba929df46f591b559
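The following Ruby script is an added example, not code from the issue, the linked Clojure project, or Mastodon itself. It puts together the two pieces the thread describes: on the sending side, building a `Digest` header as `SHA-256=<base64 of the body's SHA-256>`, adding a `digest:` line to the signed string, and listing `digest` in the `headers` parameter of the `Signature` header; on the receiving side, the two checks quoted from Mastodon (a POST must have `digest` among the signed headers, and the `SHA-256` value must match the body) followed by the RSA signature check. The key ID, host, date and JSON body are constructed sample values; the 2048-bit key is generated in the script.

```ruby
require 'openssl'
require 'base64'
require 'digest'

# Digest header value: base64 of the raw SHA-256 over the exact body bytes.
def digest_header(body)
  "SHA-256=#{Base64.strict_encode64(Digest::SHA256.digest(body))}"
end

# Signed string: one "name: value" line per header, in the order the
# Signature header's "headers" parameter lists them. Header names are lowercase.
def signing_string(method, path, headers, header_names)
  header_names.map do |name|
    if name == '(request-target)'
      "(request-target): #{method.downcase} #{path}"
    else
      "#{name}: #{headers.fetch(name)}"
    end
  end.join("\n")
end

# Sender side: RSA-SHA256 over the signed string, emitted as an HTTP Signature header.
def build_signature_header(key_id, private_key, method, path, headers, header_names)
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_string(method, path, headers, header_names))
  %(keyId="#{key_id}",algorithm="rsa-sha256",headers="#{header_names.join(' ')}",signature="#{Base64.strict_encode64(sig)}")
end

# Parse keyId="...",algorithm="...",headers="...",signature="..." into a Hash.
def parse_signature_header(value)
  value.split(',').each_with_object({}) do |pair, acc|
    k, v = pair.split('=', 2)
    acc[k] = v.delete_prefix('"').delete_suffix('"')
  end
end

# Receiver side. Returns [accepted?, reason]. The first two rejections mirror the
# Mastodon checks quoted in this issue; the third is the signature itself.
def verify_request(public_key, method, path, headers, body)
  params = parse_signature_header(headers.fetch('signature'))
  signed_headers = params['headers'].split(' ')

  if method.downcase == 'post' && !signed_headers.include?('digest')
    return [false, 'Mastodon requires the Digest header to be signed when doing a POST request']
  end

  if signed_headers.include?('digest')
    digests = headers.fetch('digest').split(',').map { |d| d.split('=', 2) }.map { |k, v| [k.downcase, v] }
    sha256 = digests.assoc('sha-256')
    return [false, 'Mastodon only supports SHA-256 in Digest header'] if sha256.nil?
    expected = Base64.strict_encode64(Digest::SHA256.digest(body))
    return [false, 'Invalid Digest value'] if sha256[1] != expected
  end

  ok = public_key.verify(OpenSSL::Digest.new('SHA256'),
                         Base64.strict_decode64(params['signature']),
                         signing_string(method, path, headers, signed_headers))
  ok ? [true, 'ok'] : [false, 'signature mismatch']
end

# End-to-end run with constructed values. include_digest: false reproduces the
# 401 the issue describes; tamper: true simulates a body altered in transit.
def demo(include_digest: true, tamper: false)
  key = OpenSSL::PKey::RSA.new(2048)
  body = '{"@context":"https://www.w3.org/ns/activitystreams","type":"Create"}' # constructed
  headers = {
    'host' => 'mastodon.example',                 # constructed
    'date' => 'Sun, 16 Jan 2022 12:00:00 GMT',    # constructed
    'digest' => digest_header(body)
  }
  names = ['(request-target)', 'host', 'date']
  names << 'digest' if include_digest
  headers['signature'] = build_signature_header('https://sender.example/actor#main-key', # constructed
                                                key, 'POST', '/inbox', headers, names)
  verify_request(key.public_key, 'POST', '/inbox', headers, tamper ? body + ' ' : body)
end

if __FILE__ == $PROGRAM_NAME
  p demo                          # [true, "ok"]
  p demo(include_digest: false)   # rejected: digest not among signed headers
  p demo(tamper: true)            # rejected: Digest does not match body
end
```

The digest must be computed over the exact bytes that go on the wire (the serialized JSON, not a re-serialized copy), and the `digest` line in the signed string must equal the `Digest` header verbatim, since the server rebuilds the same string from the received headers before checking the signature.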

@sventiffe commented Nov 26, 2022

Can/will old blog posts be updated?
See PR for security.md: mastodon/documentation#1082
And issue filed: mastodon/documentation#1079 (I did not check issues in mastodon/mastodon before filing it as it's a separate repo and I didn't investigate where blog posts are defined)

@vmstan vmstan converted this issue into discussion #28009 Nov 20, 2023
