From 0eadad84cd13d5cd4fbd4d225ccf4d48649aa696 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Fri, 22 Dec 2023 12:58:46 -0500
Subject: [PATCH] fix: accidental double-hash in sign/verify

---
 src/activitypub/index.js | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/src/activitypub/index.js b/src/activitypub/index.js
index 6331abf5cc..c439821680 100644
--- a/src/activitypub/index.js
+++ b/src/activitypub/index.js
@@ -113,14 +113,10 @@ ActivityPub.sign = async (uid, url, payload) => {
 	}
 
 	// Sign string using private key
-	const signatureHash = createHash('sha256');
-	signatureHash.update(signed_string);
-	const signatureDigest = signatureHash.digest('hex');
 	let signature = createSign('sha256');
-	signature.update(signatureDigest);
+	signature.update(signed_string);
 	signature.end();
-	signature = signature.sign(key, 'hex');
-	signature = btoa(signature);
+	signature = signature.sign(key, 'base64');
 
 	// Construct signature header
 	return {
@@ -156,13 +152,10 @@ ActivityPub.verify = async (req) => {
 
 	// Verify the signature string via public key
 	try {
-		const signatureHash = createHash('sha256');
-		signatureHash.update(signed_string);
-		const signatureDigest = signatureHash.digest('hex');
 		const verify = createVerify('sha256');
-		verify.update(signatureDigest);
+		verify.update(signed_string);
 		verify.end();
-		const verified = verify.verify(publicKeyPem, atob(signature), 'hex');
+		const verified = verify.verify(publicKeyPem, signature, 'base64');
 		return verified;
 	} catch (e) {
 		return false;