ActivityPub Server - Verifying HTTP signatures

ActivityPhp server automatically verifies HTTP signatures when handling a POST to an inbox (incoming messages).

For out-of-the-box usage, a dedicated tool called HttpSignature is provided.

Usage

use ActivityPhp\Server;
use ActivityPhp\Server\Http\HttpSignature;
use Symfony\Component\HttpFoundation\Request;

// Create a server instance
$server = new Server();

// Create an HttpSignature instance
$httpSignature = new HttpSignature($server);

// Build the incoming request (the POST to the inbox) from PHP globals
$request = Request::createFromGlobals();

var_dump(
    // Verify signature
    $httpSignature->verify($request)
);

// Returns bool(true) if the signature has been verified

HttpSignature receives a server instance in its constructor. The server instance is needed to perform checks on the actor who sent the incoming request.


HttpSignature::verify()

It returns a boolean: true if the signature has been verified, false otherwise.

This method accepts one parameter. It must be a Symfony\Component\HttpFoundation\Request instance.

This request MUST contain a Signature header that specifies [keyId, headers, signature]. The headers key is optional.

Read more about HTTP signature components.
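The following is an added, self-contained example that is not ActivityPhp's own code. It shows what a verifier has to do with the three Signature header components named above: parse keyId, headers and signature, rebuild the signing string from the listed headers (with the optional headers parameter defaulting to "date"), resolve the public key for keyId, and check an rsa-sha256 signature. It assumes the draft-cavage HTTP Signatures scheme as used by Mastodon-compatible servers; the key lookup callback, the keyId value, the 300-second clock-skew window and the request itself are constructed for the demonstration.

```php
<?php
// Added example (not ActivityPhp's own code): verify a draft-cavage style
// HTTP signature on an inbox POST. The keyId -> public key resolver is a
// hypothetical callback standing in for fetching the actor's key document.
declare(strict_types=1);

// Parse `keyId="...",headers="...",signature="..."` into an associative array.
function parseSignatureHeader(string $header): array
{
    $params = [];
    // Each parameter is name="value"; quoted values contain no unescaped quote.
    if (!preg_match_all('/(\w+)="([^"]*)"/', $header, $matches, PREG_SET_ORDER)) {
        return $params;
    }
    foreach ($matches as $m) {
        $params[$m[1]] = $m[2];
    }
    return $params;
}

// Build the signing string: one "name: value" line per listed header, where
// the (request-target) pseudo-header is the lower-cased method and the path.
function buildSigningString(array $signedHeaders, string $method, string $path, array $headers): string
{
    $lines = [];
    foreach ($signedHeaders as $name) {
        if ($name === '(request-target)') {
            $lines[] = '(request-target): ' . strtolower($method) . ' ' . $path;
            continue;
        }
        $key = strtolower($name);
        if (!array_key_exists($key, $headers)) {
            throw new RuntimeException("Signed header '$name' is missing from the request");
        }
        $lines[] = $key . ': ' . trim($headers[$key]);
    }
    return implode("\n", $lines);
}

// Verify a request. $resolveKey maps a keyId to a PEM public key, or null.
function verifyRequest(string $method, string $path, array $headers, callable $resolveKey): bool
{
    $headers = array_change_key_case($headers, CASE_LOWER);
    if (!isset($headers['signature'])) {
        return false;
    }
    $params = parseSignatureHeader($headers['signature']);
    if (!isset($params['keyId'], $params['signature'])) {
        return false; // keyId and signature are mandatory
    }
    // The headers parameter is optional and defaults to "date".
    $signedHeaders = explode(' ', $params['headers'] ?? 'date');

    // Require a signed, recent Date header so a captured request cannot simply
    // be replayed later (300-second window is an assumption of this example).
    if (!in_array('date', $signedHeaders, true) || !isset($headers['date'])) {
        return false;
    }
    $sent = strtotime($headers['date']);
    if ($sent === false || abs(time() - $sent) > 300) {
        return false;
    }

    $publicPem = $resolveKey($params['keyId']);
    if ($publicPem === null) {
        return false;
    }
    $signature = base64_decode($params['signature'], true);
    if ($signature === false) {
        return false;
    }
    $signingString = buildSigningString($signedHeaders, $method, $path, $headers);
    // rsa-sha256 is the algorithm Mastodon-compatible servers use.
    return openssl_verify($signingString, $signature, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

// --- Demonstration with a constructed key pair and a constructed request ---
$keyPair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($keyPair, $privatePem);
$publicPem = openssl_pkey_get_details($keyPair)['key'];

$keyId = 'https://example.test/users/alice#main-key'; // constructed value
$method = 'POST';
$path = '/users/bob/inbox';
$body = '{"type":"Create"}';
$headers = [
    'host' => 'example.test',
    'date' => gmdate('D, d M Y H:i:s \G\M\T'),
    'digest' => 'SHA-256=' . base64_encode(hash('sha256', $body, true)),
];
$signedHeaders = ['(request-target)', 'host', 'date', 'digest'];
openssl_sign(buildSigningString($signedHeaders, $method, $path, $headers), $sig, $privatePem, OPENSSL_ALGO_SHA256);
$headers['signature'] = sprintf('keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"',
    $keyId, implode(' ', $signedHeaders), base64_encode($sig));

$resolveKey = fn(string $id): ?string => $id === $keyId ? $publicPem : null;

// Untouched request verifies; a request whose signed Digest was altered does not.
var_dump(verifyRequest($method, $path, $headers, $resolveKey));
$tampered = $headers;
$tampered['digest'] = 'SHA-256=' . base64_encode(hash('sha256', '{"type":"Delete"}', true));
var_dump(verifyRequest($method, $path, $tampered, $resolveKey));
```

Run it with `php verify-example.php`. Signing the Digest header together with (request-target), Host and Date is what binds the signature to the body and the destination inbox; verifying only the Date line, as the default headers value would, proves possession of the key but not the integrity of the activity delivered.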

The verification process consists of the following steps:


ActivityPub conformance

As the ActivityPub protocol does not specify an official mechanism for signature verification (algorithm, headers), this implementation tries to follow the good practices recommended by the Social Community Group and to stay compatible with existing implementations (at least Mastodon and PeerTube).

