try to make authorized fetch work lol

LICENSE

@@ -1,21 +1,21 @@
-The MIT License
-
-Copyright © 2017 fenwick67
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+The MIT License
+
+Copyright © 2024 fenwick67
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -48,7 +48,19 @@ Querystring options:
 
 ## Server Installation
 
-This is a straightforward node project with zero databases or anything, you should just be able to run `npm install` and then `npm start` to get up and running.  Set your `PORT` environment variable to change the port it listens on.
+This is a straightforward node project with zero databases or anything, you should just be able to run `npm install` and then `npm start` to get up and running.
+
+### ENV VARS
+
+
+then set em
+
+you need to set:
+
+`AP_PRIVATE_KEY_BASE64=asdfsd` Run utils/make-keys.js to make a key
+`AP_PUBLIC_KEY_BASE64=safasdf` Run utils/make-keys.js to make a key
+`DOMAIN_NAME=mastofeed.com` or whatever
+`PORT=80` or whatever
 
 ## Improve me
 

authorized_fetch_notes.md

@@ -0,0 +1,53 @@
+ok so here's the fucking deal...
+
+https://docs.joinmastodon.org/admin/config/#authorized_fetch
+
+when turned on:
+
+> (...) Mastodon will require HTTP signature authentication on ActivityPub representations of public posts and profiles, which are normally available without any authentication. Profiles will only return barebones technical information when no authentication is supplied.
+
+HTTP signature authentication
+
+> HTTP Signatures is a specification for signing HTTP messages by using a Signature: header with your HTTP request. Mastodon requires the use of HTTP Signatures in order to validate that any activity received was authored by the actor generating it. When secure mode is enabled, all GET requests require HTTP signatures as well.
+
+---
+
+from https://docs.joinmastodon.org/spec/security/#http
+
+> For any HTTP request incoming to Mastodon, the Signature header should be attached:
+
+> Signature: keyId="https://my.example.com/actor#main-key",headers="(request-target) host date",signature="Y2FiYW...IxNGRiZDk4ZA=="
+
+> The three parts of the Signature: header can be broken down like so:
+
+```
+Signature:
+  keyId="https://my.example.com/actor#main-key",
+  headers="(request-target) host date",
+  signature="Y2FiYW...IxNGRiZDk4ZA=="
+```
+
+> The keyId should correspond to the actor and the key being used to generate the signature, whose value is equal to all parameters in headers concatenated together and signed by the key, then Base64-encoded. See ActivityPub > Public key for more information on actor keys. An example key looks like this:
+
+```json
+"publicKey": {
+    "id": "https://my.example.com/actor#main-key",
+    "owner": "https://my.example.com/actor",
+    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXc4vkECU2/CeuSo1wtn\nFoim94Ne1jBMYxTZ9wm2YTdJq1oiZKif06I2fOqDzY/4q/S9uccrE9Bkajv1dnkO\nVm31QjWlhVpSKynVxEWjVBO5Ienue8gND0xvHIuXf87o61poqjEoepvsQFElA5ym\novljWGSA/jpj7ozygUZhCXtaS2W5AD5tnBQUpcO0lhItYPYTjnmzcc4y2NbJV8hz\n2s2G8qKv8fyimE23gY1XrPJg+cRF+g4PqFXujjlJ7MihD9oqtLGxbu7o1cifTn3x\nBfIdPythWu5b4cujNsB3m3awJjVmx+MHQ9SugkSIYXV0Ina77cTNS0M2PYiH1PFR\nTwIDAQAB\n-----END PUBLIC KEY-----\n"
+ },
+```
+
+
+
+-------
+
+so for me...
+
+[x] make a key (what kind? RSA SHA256)
+[x] reimplement `https://mastodon.social/actor`
+[x] sign the headers when making a request (done?)
+[ ] test
+
+test by pushing it out and seeing if it works. 
+
+NOTE that you can run a local copy AND the remote copy and do local debugging as long as the keys are the same, the remote server won't care about the actual request comes from!

index.js

@@ -6,6 +6,7 @@ var cors = require('cors');
 var errorPage = require('./lib/errorPage');
 var morgan = require('morgan');
 var compression = require('compression')
+const apCryptoShit = require('./lib/apCryptoShit')
 
 var app = Express();
 
@@ -115,6 +116,64 @@ app.get('/apiv2/feed',cors(),logger,function(req,res){
 	})
 })
 
+app.get('/actor', logger, function(req,res){
+	// return something like what https://mastodon.social/actor does...
+	res.status(200);
+	let j = {
+		"@context": [
+		  "https://www.w3.org/ns/activitystreams",
+		  "https://w3id.org/security/v1",
+		  {
+			"manuallyApprovesFollowers": "as:manuallyApprovesFollowers",
+			"toot": "http://joinmastodon.org/ns#",
+			"featured": {
+			  "@id": "toot:featured",
+			  "@type": "@id"
+			},
+			"featuredTags": {
+			  "@id": "toot:featuredTags",
+			  "@type": "@id"
+			},
+			"alsoKnownAs": {
+			  "@id": "as:alsoKnownAs",
+			  "@type": "@id"
+			},
+			"movedTo": {
+			  "@id": "as:movedTo",
+			  "@type": "@id"
+			},
+			"schema": "http://schema.org#",
+			"PropertyValue": "schema:PropertyValue",
+			"value": "schema:value",
+			"discoverable": "toot:discoverable",
+			"suspended": "toot:suspended",
+			"memorial": "toot:memorial",
+			"indexable": "toot:indexable",
+			"attributionDomains": {
+			  "@id": "toot:attributionDomains",
+			  "@type": "@id"
+			}
+		  }
+		],
+		"id": `https://${apCryptoShit.getDomainName()}/actor`,
+		"type": "Application",
+		"inbox": `https://${apCryptoShit.getDomainName()}/actor/inbox`,
+		"outbox": `https://${apCryptoShit.getDomainName()}/actor/outbox`,
+		"preferredUsername": `${apCryptoShit.getDomainName()}`,
+		"url": `https://${apCryptoShit.getDomainName()}`,
+		"manuallyApprovesFollowers": true,
+		"publicKey": {
+		  "id": `https://${apCryptoShit.getDomainName()}/actor#main-key`,
+		  "owner": `https://${apCryptoShit.getDomainName()}/actor`,
+		  "publicKeyPem": apCryptoShit.getPublicKey()
+		},
+		"endpoints": {
+		  "sharedInbox": `https://${apCryptoShit.getDomainName()}/inbox`
+		}
+	  };
+	res.json(j);
+})
+
 app.listen(process.env.PORT || 8000,function(){
 	console.log('Server started, listening on '+(process.env.PORT || 8000));
 });

lib/apCryptoShit.js

@@ -0,0 +1,70 @@
+const crypto = require('crypto')
+
+// public methods
+
+function getPublicKey(){
+    _precheck()
+    return _pubKey
+}
+function getPrivateKey(){
+    _precheck()
+    return _privKey
+}
+function getDomainName(){
+    _precheck();
+    return _domainName;
+}
+function getKeyId(){
+    _precheck();
+    return _keyId;
+}
+
+function sign(str){
+    _precheck()
+    var signerObject = crypto.createSign("RSA-SHA256");
+    signerObject.update(str);
+    return signerObject.sign({key:getPrivateKey(),padding:crypto.constants.RSA_PKCS1_PSS_PADDING}, "base64");
+}
+
+function verify(str,signature){
+    _precheck();
+    var verifierObject = crypto.createVerify("RSA-SHA256");
+    verifierObject.update(str);
+    var verified = verifierObject.verify({key:_pubKey, padding:crypto.constants.RSA_PKCS1_PSS_PADDING}, signature, "base64");
+}
+
+// private
+let _precheckOk=false;
+let _privKey=""
+let _pubKey="";
+let _keyId=""
+let _domainName=""
+
+function _precheck(){
+    if (_precheckOk){return;}
+    if (!process.env.AP_PRIVATE_KEY_BASE64 || !process.env.AP_PUBLIC_KEY_BASE64){
+        console.error("you dumb shit, set AP_PRIVATE_KEY_BASE64 / AP_PUBLIC_KEY_BASE64 ")
+        process.exit(1)
+    }
+    _pubKey=atob(process.env.AP_PUBLIC_KEY_BASE64);
+    _privKey=atob(process.env.AP_PRIVATE_KEY_BASE64);
+
+    // actually check it lol
+    var signerObject = crypto.createSign("RSA-SHA256");
+    signerObject.update("hello world");
+    let signature = signerObject.sign({key:_privKey, padding:crypto.constants.RSA_PKCS1_PSS_PADDING}, "base64");
+    var verifierObject = crypto.createVerify("RSA-SHA256");
+    verifierObject.update("hello world");
+    var verified = verifierObject.verify({key:_pubKey, padding:crypto.constants.RSA_PKCS1_PSS_PADDING}, signature, "base64");
+    if (!verified){
+        console.error("idk what the fuck you did but the private and public keys dont fucking uhh work???")
+        console.error('probably fix your AP_PRIVATE_KEY_BASE64 and AP_PUBLIC_KEY_BASE64')
+        process.exit(1)
+    }
+    _domainName = process.env.DOMAIN_NAME || "mastofeed.com"
+
+    _keyId=`https://${_domainName}/actor#main-key`
+    _precheckOk=true;
+}
+
+module.exports={sign,verify,getPublicKey,getPrivateKey,getDomainName,getKeyId}

lib/apGet.js

@@ -1,6 +1,10 @@
 const axios = require('axios')
 const NanoCache = require('nano-cache')
 const hour = 3600000;
+const apCryptoShit = require('./apCryptoShit')
+
+let createAuthzHeader=null;
+let createSignatureString=null;
 
 const cache = new NanoCache({
     ttl: 24 * hour
@@ -15,40 +19,59 @@ cache.on('del',key=>console.log(key,'deleted'))
 
 // note: rejects on HTTP 4xx or 5xx
 module.exports = async function apGet(url,ttl) {
-    
-    return new Promise(function(resolve,reject){
 
         // fail early
         if (!url){
-            return reject(new Error('URL is invalid'));
+            throw new Error('URL is invalid');
         }
 
         var cachedResponse = cache.get(url);
         if (cachedResponse){
-            return resolve(cachedResponse);
+            return cachedResponse;
         }
 
-        axios( {
+        // import the signature module if we haven't already
+        if (!createAuthzHeader || !createSignatureString){
+            const module = await import('@digitalbazaar/http-signature-header');
+            createAuthzHeader=module.createAuthzHeader;
+            createSignatureString=module.createSignatureString;
+        }
+
+        let axiosOpts = {
             method:'get',
             url:url,
             headers: {
                 "accept": "application/activity+json",
-                "User-Agent": "mastofeed.com"
+                "User-Agent": "mastofeed.com",
+                "date":new Date().toUTCString()
             },
             responseType: 'json',
+        };
+        
+        const includeHeaders = ['(request-target)', 'host', 'date'];
+        const plaintext = createSignatureString({
+            includeHeaders,
+            requestOptions: axiosOpts
+        });
 
-        })
-        .then((response)=>{
-            // axios would have rejected if we got a 4xx or 5xx or not json
-            cache.set(url, response.data, {
-                ttl:  ttl || 24 * hour
-            });
-            return response.data
-        })
-        .then(resolve)
-        .catch(reject)
+        const signature = apCryptoShit.sign(plaintext);
+                
+        const Authorization = createAuthzHeader({
+            includeHeaders,
+            keyId: apCryptoShit.getKeyId(),
+            signature
+        });
+        
+        axiosOpts.headers.Authorization=Authorization;
 
-    })
+        console.log("axios request info: \n"+JSON.stringify(axiosOpts,null,2))
+        
+        let response = await axios(axiosOpts)
+        // axios would have rejected if we got a 4xx or 5xx or not json
+        cache.set(url, response.data, {
+            ttl:  ttl || 24 * hour
+        });
+        return response.data
 
     
 }

package.json

@@ -1,5 +1,6 @@
 {
   "dependencies": {
+    "@digitalbazaar/http-signature-header": "^5.0.1",
     "axios": "^1.2.2",
     "compression": "^1.7.4",
     "cors": "^2.8.5",

utils/ensure-keys-work.js

@@ -0,0 +1,11 @@
+const crypto = require('crypto')
+const cryptoShit = require('../lib/apCryptoShit.js')
+
+var signature = cryptoShit.sign("hello world")
+
+console.info("signature: %s", signature);
+//verify String
+var verifierObject = crypto.createVerify("RSA-SHA256");
+verifierObject.update("hello world");
+var verified = verifierObject.verify({key:cryptoShit.getPublicKey(), padding:crypto.constants.RSA_PKCS1_PSS_PADDING}, signature, "base64");
+console.info("is signature ok?: %s", verified);

utils/make-keys.js

@@ -0,0 +1,38 @@
+
+const crypto = require('crypto')
+const cryptoShit = require('../lib/apCryptoShit.js')
+
+crypto.generateKeyPair('rsa', {
+    modulusLength: 1024,
+    publicKeyEncoding: {
+        type: 'spki',
+        format: 'pem'
+    },
+    privateKeyEncoding: {
+        type: 'pkcs8',
+        format: 'pem'
+    }
+}, (err, pub, priv)=>{
+    if (err){
+        console.error(err);
+        process.exit(1);
+    }
+    console.log('your public key (base64), set AP_PUBLIC_KEY_BASE64 in your environment :\n'+btoa(pub));
+    console.log('your private key (base64), set AP_PRIVATE_KEY_BASE64 in your environment:\n'+btoa(priv));
+
+    process.env.AP_PRIVATE_KEY_BASE64=btoa(priv);
+    process.env.AP_PUBLIC_KEY_BASE64=btoa(pub);
+
+    var signature = cryptoShit.sign("hello world")
+    var verifierObject = crypto.createVerify("RSA-SHA256");
+    verifierObject.update("hello world");
+    var verified = verifierObject.verify({key:pub, padding:crypto.constants.RSA_PKCS1_PSS_PADDING}, signature, "base64");
+
+    if (verified){
+        process.exit(0);
+    }
+    else {
+        console.error("FUCK IT DIDNT WORK OH GOD")
+        process.exit(1)
+    }
+});

yarn.lock

@@ -23,6 +23,13 @@
     chalk "^2.0.0"
     js-tokens "^4.0.0"
 
+"@digitalbazaar/http-signature-header@^5.0.1":
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/@digitalbazaar/http-signature-header/-/http-signature-header-5.0.1.tgz#7847a8e0b19c898548b4b190b7ff0560fa2f659f"
+  integrity sha512-c7U6KYLEcAv1lh6QdBocOzuqmE5HKT2BAwn+0roiIPv527c+6qUh7rPHMrbVavWYTgk9kWBhCPba+Ql7gwG57g==
+  dependencies:
+    assert-plus "^1.0.0"
+
 "@gar/promisify@^1.0.1", "@gar/promisify@^1.1.3":
   version "1.1.3"
   resolved "https://registry.yarnpkg.com/@gar/promisify/-/promisify-1.1.3.tgz#555193ab2e3bb3b6adc3d551c9c030d9e860daf6"
@@ -164,6 +171,11 @@ arrify@^1.0.1:
   resolved "https://registry.yarnpkg.com/arrify/-/arrify-1.0.1.tgz#898508da2226f380df904728456849c1501a4b0d"
   integrity sha512-3CYzex9M9FGQjCGMGyi6/31c8GJbgb0qGyrx5HWxPd0aCwh4cB2YjMb2Xf9UuoogrMrlO9cTqnB5rI5GHZTcUA==
 
+assert-plus@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/assert-plus/-/assert-plus-1.0.0.tgz#f12e0f3c5d77b0b1cdd9146942e4e96c1e4dd525"
+  integrity sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==
+
 async-foreach@^0.1.3:
   version "0.1.3"
   resolved "https://registry.yarnpkg.com/async-foreach/-/async-foreach-0.1.3.tgz#36121f845c0578172de419a97dbeb1d16ec34542"