provide webfinger and actor info with rsa key for secure fetch

app/functions.py

@@ -1,6 +1,7 @@
 from bs4 import BeautifulSoup
 import MySQLdb
 import markovify
+from Crypto.PublicKey import RSA
 from mastodon import Mastodon, MastodonUnauthorizedError
 import html, re, json
 
@@ -175,3 +176,29 @@ def make_post(args):
 		c.execute("UPDATE bots SET last_post = CURRENT_TIMESTAMP() WHERE handle = %s", (handle,))
 		db.commit()
 	c.close()
+
+def get_key():
+	db = MySQLdb.connect(
+		host = cfg['db_host'],
+		user=cfg['db_user'],
+		passwd=cfg['db_pass'],
+		db=cfg['db_name']
+	)
+
+	dc = db.cursor(MySQLdb.cursors.DictCursor)
+	dc.execute("SELECT * FROM http_auth_key")
+	key = dc.fetchone()
+	if key == None:
+		# generate new key
+		key = {}
+		privkey = RSA.generate(4096)
+
+		key['private'] = privkey.exportKey('PEM').decode('utf-8')
+		key['public'] = privkey.publickey().exportKey('PEM').decode('utf-8')
+		
+		dc.execute("INSERT INTO http_auth_key (private, public) VALUES (%s, %s)", (key['private'], key['public']))
+	
+	dc.close()
+	db.commit()
+
+	return key

app/templates/ap/actor.json

@@ -0,0 +1,24 @@
+{
+	"@context": [
+		"https://www.w3.org/ns/activitystreams",
+		{
+			"manuallyApprovesFollowers": "as:manuallyApprovesFollowers"
+		}
+	],
+	"endpoints": {
+		"sharedInbox": "{{ base_uri }}/inbox"
+	},
+	"inbox": "{{ base_uri }}/inbox",
+	"name": "FediBooks",
+	"type": "Application",
+	"id": "{{ base_uri }}/actor",
+	"manuallyApprovesFollowers": true,
+	"publicKey": {
+		"id": "{{ base_uri }}/actor#main-key",
+		"owner": "{{ base_uri }}/actor",
+		"publicKeyPem": "{{ pubkey }}"
+	},
+	"summary": "FediBooks Actor",
+	"preferredUsername": "fedibooks",
+	"url": "{{ base_uri }}/actor"
+}

app/templates/ap/webfinger.json

@@ -0,0 +1,13 @@
+{
+	"aliases": [
+		"{{ base_uri }}/actor"
+	],
+	"links": [
+		{
+			"href": "{{ base_uri }}/actor",
+			"rel": "self",
+			"type": "application/activity+json"
+		}
+	],
+	"subject": "acct:fedibooks@{{ base_uri }}"
+}

app/webui.py

@@ -32,7 +32,11 @@ scopes_pleroma = ['read', 'write', 'push']
 
 @app.before_request
 def login_check():
-	if request.path not in ['/', '/about', '/welcome', '/login', '/signup', '/do/login', '/do/signup'] and not request.path.startswith("/push") and not request.path.startswith('/static'):
+	if request.path not in ['/', '/about', '/welcome', '/login', '/signup', '/do/login', '/do/signup'] \
+		and not request.path.startswith("/push") \
+		and not request.path.startswith('/static') \
+		and not request.path.startswith('/actor') \
+		and not request.path.startswith('/.well-known'):
 		# page requires authentication
 		if 'user_id' not in session:
 			return redirect(url_for('render_home'))
@@ -370,9 +374,14 @@ def img_bot_generic():
 def favicon():
 	return send_file("static/favicon.ico")
 
-# @app.route("/.well-known/webfinger")
-# def webfinger():
-# 	return render_template("webfinger.json", base_uri = cfg['base_uri']), 200, {'Content-type':'application/json'}
+@app.route("/.well-known/webfinger")
+def webfinger():
+	return render_template("ap/webfinger.json", base_uri = cfg['base_uri']), 200, {'Content-type':'application/json'}
+
+@app.route("/actor")
+def actor():
+	pubkey = functions.get_key()['public'].replace("\n", "\\n")
+	return render_template("ap/actor.json", base_uri = cfg['base_uri'], pubkey = pubkey), 200, {'Content-type':'application/json'}
 
 
 def bot_check(bot):

db/setup.sql

@@ -76,3 +76,7 @@ CREATE TABLE IF NOT EXISTS `contact_history` (
   `reply` BOOLEAN DEFAULT 0,
   FOREIGN KEY (`user_id`) REFERENCES users(id) ON DELETE CASCADE
 ) ENGINE = INNODB;
+CREATE TABLE IF NOT EXISTS `http_auth_key` (
+  `private` TEXT NOT NULL,
+  `public` TEXT NOT NULL
+) ENGINE = INNODB;

requirements.txt

@@ -8,3 +8,4 @@ bcrypt == 3.1.7
 requests==2.23.0
 http-ece==1.1.0
 cryptography==2.8
+pycryptodome==3.9.7