Fix signature verification

srosset81 · srosset81 · commit a683b01d61de · 2026-04-03T11:13:25.000+02:00
diff --git a/tools/bazar/controllers/ApiController.php b/tools/bazar/controllers/ApiController.php
@@ -134,7 +134,7 @@ public function postFormActorInbox($formId, Request $request)
         if ($activityPubService->isEnabled($form)) {
             $activity = json_decode($request->getContent(), true);
 
-            // $httpSignatureService->verifySignature($request);
+            $httpSignatureService->verifySignature($request);
             $activityPubService->processActivity($activity, $form);
 
             return new ApiResponse(null, Response::HTTP_OK, ['Content-Type' => 'application/activity+json']);
diff --git a/tools/bazar/services/HttpSignatureService.php b/tools/bazar/services/HttpSignatureService.php
@@ -112,10 +112,13 @@ public function verifySignature(Request $request) {
             throw new Exception('Malformed public key');
         }
 
+        // We cannot use getRequestUri() because it returns the real URI, eg. /?api/forms/2/actor
+        $requestUri = $request->getScriptName();
+
         $sigParts = [];
         foreach (explode(' ', $sigConf['headers']) as $headerKey) {
             if ($headerKey === '(request-target)') {
-                $sigParts[] = sprintf('%s: %s %s', $headerKey, strtolower($request->getMethod()), $request->getRequestUri());
+                $sigParts[] = sprintf('%s: %s %s', $headerKey, strtolower($request->getMethod()), $requestUri);
             } else {
                 if (!$request->headers->has($headerKey)) {
                     throw new Exception('Missing signature part: ' . $headerKey);
@@ -129,8 +132,6 @@ public function verifySignature(Request $request) {
         }
 
         if ($request->headers->get('Digest') !== $this->getDigest($request->getContent())) {
-            var_dump('DIGEST1', $request->headers->get($headerKey));
-            var_dump('DIGEST2', $this->getDigest($request->getContent()));
             throw new Exception('Digest mismatch');
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -112,10 +112,13 @@ public function verifySignature(Request $request) {`
`112`	`112`	`throw new Exception('Malformed public key');`
`113`	`113`	`}`
`114`	`114`
	`115`	`+ // We cannot use getRequestUri() because it returns the real URI, eg. /?api/forms/2/actor`
	`116`	`+ $requestUri = $request->getScriptName();`
	`117`	`+`
`115`	`118`	`$sigParts = [];`
`116`	`119`	`foreach (explode(' ', $sigConf['headers']) as $headerKey) {`
`117`	`120`	`if ($headerKey === '(request-target)') {`
`118`		`- $sigParts[] = sprintf('%s: %s %s', $headerKey, strtolower($request->getMethod()), $request->getRequestUri());`
	`121`	`+ $sigParts[] = sprintf('%s: %s %s', $headerKey, strtolower($request->getMethod()), $requestUri);`
`119`	`122`	`} else {`
`120`	`123`	`if (!$request->headers->has($headerKey)) {`
`121`	`124`	`throw new Exception('Missing signature part: ' . $headerKey);`
`@@ -129,8 +132,6 @@ public function verifySignature(Request $request) {`
`129`	`132`	`}`
`130`	`133`
`131`	`134`	`if ($request->headers->get('Digest') !== $this->getDigest($request->getContent())) {`
`132`		`- var_dump('DIGEST1', $request->headers->get($headerKey));`
`133`		`- var_dump('DIGEST2', $this->getDigest($request->getContent()));`
`134`	`135`	`throw new Exception('Digest mismatch');`
`135`	`136`	`}`
`136`	`137`	`}`