Update FederationController, move signature validation to InboxValidator job

app/Http/Controllers/FederationController.php

@@ -100,22 +100,22 @@ class FederationController extends Controller
         abort_if(!config('federation.activitypub.enabled'), 404);
         abort_if(!config('federation.activitypub.inbox'), 404);
 
-        // $headers = $request->headers->all();
+        $headers = $request->headers->all();
-        // $payload = $request->getContent();
+        $payload = $request->getContent();
-        // InboxValidator::dispatch($username, $headers, $payload);
+        InboxValidator::dispatch($username, $headers, $payload);
-        $profile = Profile::whereNull('domain')->whereUsername($username)->firstOrFail();
+        // $profile = Profile::whereNull('domain')->whereUsername($username)->firstOrFail();
-        if($profile->status != null) {
+        // if($profile->status != null) {
-            return ProfileController::accountCheck($profile);
+        //     return ProfileController::accountCheck($profile);
-        }
+        // }
-        $body = $request->getContent();
+        // $body = $request->getContent();
-        $bodyDecoded = json_decode($body, true, 12);
+        // $bodyDecoded = json_decode($body, true, 12);
-        if($this->verifySignature($request, $profile) == true) {
+        // if($this->verifySignature($request, $profile) == true) {
-            InboxWorker::dispatch($request->headers->all(), $profile, $bodyDecoded);
+        //     InboxWorker::dispatch($request->headers->all(), $profile, $bodyDecoded);
-        } else if($this->blindKeyRotation($request, $profile) == true) {
+        // } else if($this->blindKeyRotation($request, $profile) == true) {
-            InboxWorker::dispatch($request->headers->all(), $profile, $bodyDecoded);
+        //     InboxWorker::dispatch($request->headers->all(), $profile, $bodyDecoded);
-        } else {
+        // } else {
-            abort(400, 'Bad Signature');
+        //     abort(400, 'Bad Signature');
-        }
+        // }
         return;
     }
 

app/Jobs/InboxPipeline/InboxValidator.php

@@ -48,12 +48,16 @@ class InboxValidator implements ShouldQueue
 
         $profile = Profile::whereNull('domain')->whereUsername($username)->first();
 
+        if(!isset($headers['signature']) || !isset($headers['date'])) {
+            return;
+        }
+
         if(empty($profile) || empty($headers) || empty($payload)) {
-            return true;
+            return;
         }
 
         if($profile->status != null) {
-            return true;
+            return;
         }
 
         if($this->verifySignature($headers, $profile, $payload) == true) {
@@ -73,13 +77,15 @@ class InboxValidator implements ShouldQueue
         $signature = is_array($headers['signature']) ? $headers['signature'][0] : $headers['signature'];
         $date = is_array($headers['date']) ? $headers['date'][0] : $headers['date'];
         if(!$signature) {
-            abort(400, 'Missing signature header');
+            return;
         }
         if(!$date) {
-            abort(400, 'Missing date header');
+            return;
         }
-        if(!now()->parse($date)->gt(now()->subDays(1)) || !now()->parse($date)->lt(now()->addDays(1))) {
+        if(!now()->parse($date)->gt(now()->subDays(1)) || 
-            abort(400, 'Invalid date');
+           !now()->parse($date)->lt(now()->addDays(1))
+       ) {
+            return;
         }
         $signatureData = HttpSignature::parseSignatureHeader($signature);
         $keyId = Helpers::validateUrl($signatureData['keyId']);
@@ -91,10 +97,12 @@ class InboxValidator implements ShouldQueue
             && isset($bodyDecoded['object']['attributedTo'])
         ) {
             if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $keyDomain) {
+                return;
                 abort(400, 'Invalid request');
             }
         }
         if(!$keyDomain || !$idDomain || $keyDomain !== $idDomain) {
+            return;
             abort(400, 'Invalid request');
         }
         $actor = Profile::whereKeyId($keyId)->first();
@@ -103,7 +111,7 @@ class InboxValidator implements ShouldQueue
             $actor = Helpers::profileFirstOrNew($actorUrl);
         }
         if(!$actor) {
-            return false;
+            return;
         }
         $pkey = openssl_pkey_get_public($actor->public_key);
         $inboxPath = "/users/{$profile->username}/inbox";
@@ -120,22 +128,24 @@ class InboxValidator implements ShouldQueue
         $signature = is_array($headers['signature']) ? $headers['signature'][0] : $headers['signature'];
         $date = is_array($headers['date']) ? $headers['date'][0] : $headers['date'];
         if(!$signature) {
-            return false;
+            return;
         }
         if(!$date) {
-            return false;
+            return;
         }
-        if(!now()->parse($date)->gt(now()->subDays(1)) || !now()->parse($date)->lt(now()->addDays(1))) {
+        if(!now()->parse($date)->gt(now()->subDays(1)) || 
-            return false;
+           !now()->parse($date)->lt(now()->addDays(1))
+       ) {
+            return;
         }
         $signatureData = HttpSignature::parseSignatureHeader($signature);
         $keyId = Helpers::validateUrl($signatureData['keyId']);
         $actor = Profile::whereKeyId($keyId)->whereNotNull('remote_url')->first();
         if(!$actor) {
-            return false;
+            return;
         }
         if(Helpers::validateUrl($actor->remote_url) == false) {
-            return false;
+            return;
         }
         $res = Zttp::timeout(5)->withHeaders([
           'Accept'     => 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
@@ -143,7 +153,7 @@ class InboxValidator implements ShouldQueue
         ])->get($actor->remote_url);
         $res = json_decode($res->body(), true, 8);
         if($res['publicKey']['id'] !== $actor->key_id) {
-            return false;
+            return;
         }
         $actor->public_key = $res['publicKey']['publicKeyPem'];
         $actor->save();