From 018a399ee38654533c92dcae66fab7e6cb9c89ec Mon Sep 17 00:00:00 2001
From: alemi
Date: Wed, 17 Jul 2024 21:32:59 +0200
Subject: [PATCH] fix: don't http sign proxy cloaks

---
 upub/core/src/traits/fetch.rs | 12 +++++++++---
 upub/routes/src/activitypub/application.rs | 22 ++++++++++------------
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/upub/core/src/traits/fetch.rs b/upub/core/src/traits/fetch.rs
index 1764047..e44186e 100644
--- a/upub/core/src/traits/fetch.rs
+++ b/upub/core/src/traits/fetch.rs
@@ -99,6 +99,13 @@ pub trait Fetcher {
 async fn fetch_thread(&self, id: &str, tx: &impl ConnectionTrait) -> Result<(), RequestError>;
+ fn client(domain: &str) -> reqwest::Client {
+ reqwest::Client::builder()
+ .user_agent(format!("upub+{} ({domain})", crate::VERSION))
+ .build()
+ .expect("failed building http client, check system tls or resolver")
+ }
+
 async fn request(
 method: reqwest::Method,
 url: &str,
@@ -130,11 +137,10 @@ pub trait Fetcher {
 .build_manually(&method.to_string().to_lowercase(), &path, headers_map)
 .sign(key)?;
- let response = reqwest::Client::new()
- .request(method.clone(), url)
+ let response = Self::client(domain)
+ .request(method, url)
 .header(ACCEPT, "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"")
 .header(CONTENT_TYPE, "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"")
- .header(USER_AGENT, format!("upub+{} ({domain})", crate::VERSION))
 .header("Host", host.clone())
 .header("Date", date.clone())
 .header("Digest", digest)
diff --git a/upub/routes/src/activitypub/application.rs b/upub/routes/src/activitypub/application.rs
index ef6b9a3..45ec290 100644
--- a/upub/routes/src/activitypub/application.rs
+++ b/upub/routes/src/activitypub/application.rs
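Review bot: `client()` configures only the user agent, and reqwest's builder applies no request timeout by default, so every signed fetch (and, after this commit, every proxied fetch) can wait indefinitely on a peer that accepts the connection and never answers. Since this helper is now the single place the outbound HTTP policy lives, set it here: `.timeout(std::time::Duration::from_secs(30))` between `.user_agent(...)` and `.build()`, with the value hoisted to a constant if the crate already has one for network limits. A fresh `Client` (connection pool, TLS setup) is also built on every `request` call, as the old `reqwest::Client::new()` already did; if that shows up in profiles, caching the client on the implementor would let connections be reused. The `expect` only trips when the TLS backend or resolver fails to initialize, which `Client::new()` would also have panicked on, so that is not a regression, but a doc comment stating it — `/// Builds the outbound HTTP client; panics only if the system TLS backend or resolver cannot be initialized.` — would save the next reader checking.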
@@ -3,7 +3,7 @@ use axum::{extract::{Path, Query, State}, http::HeaderMap, response::{IntoRespon
 use reqwest::Method;
 use upub::{traits::{Cloaker, Fetcher}, Context};
-use crate::{builders::JsonLD, ApiError, ApiResult, AuthIdentity, Identity};
+use crate::{builders::JsonLD, ApiError, AuthIdentity};
 pub async fn view(
@@ -76,20 +76,18 @@ pub async fn cloak_proxy(
 let uri = ctx.uncloak(&hmac, &uri)
 .ok_or_else(ApiError::unauthorized)?;
- let resp = Context::request(
- Method::GET,
- &uri,
- None,
- ctx.base(),
- ctx.pkey(),
- &format!("{}+proxy", ctx.domain()),
- )
- .await?
- .error_for_status()?;
-
+ let resp = Context::client(ctx.domain())
+ .get(uri)
+ .send()
+ .await?
+ .error_for_status()?;
+
 let headers = resp.headers().clone();
+ // TODO can we stream the response body as it comes?
 let body = resp.bytes().await?.to_vec();
+ // TODO not so great to just try parsing json, but this should be a cheap check as most things we
+ // proxy are not json (as in, dont start with '{')
 if serde_json::from_slice::(&body).is_ok() {
 return Err(ApiError::forbidden());
 }
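Review bot: After `ctx.uncloak` the handler fetches `uri` with no check on its scheme or destination and, through `Context::client`, with reqwest's default redirect following, so the proxy can be steered to loopback, link-local or private addresses — the HMAC only proves this server once cloaked that URL, not that the URL is safe to fetch (SSRF). Reject anything that is not `https://` before the `.get(uri)` call (assuming `uncloak` yields a `String`), give the proxy its own client with `reqwest::redirect::Policy::none()` (or a limited policy that re-validates each hop) and a timeout, and keep the `+proxy` user-agent marker this commit drops so remote operators can still tell proxied fetches from signed ones; the builder is sketched below, and a host/IP deny-list applied at resolution time is the fuller fix that a scheme check alone does not give. `resp.bytes()` then buffers the entire remote body with no cap, so a hostile origin can exhaust memory; until the streaming TODO is done, refusing responses whose `content_length()` exceeds a limit is a cheap guard, though a missing or dishonest `Content-Length` still needs a bounded read. `cloak_proxy` starts and ends outside this hunk, and the sketch assumes `upub::VERSION` is exported (fetch.rs uses `crate::VERSION`) and that `reqwest::Error` already converts into `ApiError`, which the existing `.send().await?` requires.
```rust
// reject non-https targets before any connection is made
if !uri.starts_with("https://") {
    return Err(ApiError::forbidden());
}
// proxy-specific client: no redirects, bounded wait, distinguishable user agent
let client = reqwest::Client::builder()
    .user_agent(format!("upub+{} ({}+proxy)", upub::VERSION, ctx.domain()))
    .redirect(reqwest::redirect::Policy::none())
    .timeout(std::time::Duration::from_secs(15))
    .build()?;
let resp = client
    .get(uri)
    .send()
    .await?
    .error_for_status()?;
// … unchanged: headers clone, body read, json check …
```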