@commonpub/layer 0.1.0

package/server/api/federation/hub-follow.post.ts

@@ -0,0 +1,27 @@
+import { sendHubFollow, getFederatedHub } from '@commonpub/server';
+import { z } from 'zod';
+
+const schema = z.object({
+  federatedHubId: z.string().uuid(),
+});
+
+export default defineEventHandler(async (event): Promise<{ success: boolean; status: string }> => {
+  requireFeature('federation');
+  requireFeature('federateHubs');
+  requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { federatedHubId } = await parseBody(event, schema);
+
+  const hub = await getFederatedHub(db, federatedHubId);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Federated hub not found' });
+  }
+
+  if (hub.followStatus === 'accepted') {
+    return { success: true, status: 'accepted' };
+  }
+
+  await sendHubFollow(db, hub.actorUri, config.instance.domain);
+  return { success: true, status: 'pending' };
+});

package/server/api/federation/hub-post-like.post.ts

@@ -0,0 +1,115 @@
+import { likeFederatedHubPost, unlikeFederatedHubPost } from '@commonpub/server';
+import { federatedHubPosts, federatedHubPostLikes, activities, remoteActors } from '@commonpub/schema';
+import { eq, and } from 'drizzle-orm';
+import { AP_CONTEXT, AP_PUBLIC } from '@commonpub/protocol';
+import { z } from 'zod';
+
+const schema = z.object({
+  federatedHubPostId: z.string().uuid(),
+});
+
+export default defineEventHandler(async (event): Promise<{ success: boolean; liked: boolean }> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { federatedHubPostId } = await parseBody(event, schema);
+
+  // Get the post's objectUri (the remote Note's AP URI) and author
+  const [post] = await db
+    .select({
+      objectUri: federatedHubPosts.objectUri,
+      actorUri: federatedHubPosts.actorUri,
+    })
+    .from(federatedHubPosts)
+    .where(eq(federatedHubPosts.id, federatedHubPostId))
+    .limit(1);
+
+  if (!post) {
+    throw createError({ statusCode: 404, statusMessage: 'Post not found' });
+  }
+
+  // Check if user already liked this post
+  const [existing] = await db
+    .select({ id: federatedHubPostLikes.id })
+    .from(federatedHubPostLikes)
+    .where(and(
+      eq(federatedHubPostLikes.postId, federatedHubPostId),
+      eq(federatedHubPostLikes.userId, user.id),
+    ))
+    .limit(1);
+
+  const localActorUri = `https://${config.instance.domain}/users/${user.username}`;
+
+  if (existing) {
+    // Unlike: remove like record, decrement counter, send Undo(Like)
+    await db.delete(federatedHubPostLikes).where(eq(federatedHubPostLikes.id, existing.id));
+    await unlikeFederatedHubPost(db, federatedHubPostId);
+
+    // Find the original Like activity to reference in Undo
+    const [likeAct] = await db
+      .select({ id: activities.id, payload: activities.payload })
+      .from(activities)
+      .where(and(
+        eq(activities.type, 'Like'),
+        eq(activities.actorUri, localActorUri),
+        eq(activities.objectUri, post.objectUri),
+        eq(activities.direction, 'outbound'),
+      ))
+      .limit(1);
+
+    const undoActivity = {
+      '@context': AP_CONTEXT,
+      type: 'Undo',
+      id: `${localActorUri}/undo/${crypto.randomUUID()}`,
+      actor: localActorUri,
+      object: likeAct?.payload ?? {
+        type: 'Like',
+        actor: localActorUri,
+        object: post.objectUri,
+      },
+      to: [post.actorUri],
+      cc: [AP_PUBLIC],
+    };
+
+    await db.insert(activities).values({
+      type: 'Undo',
+      actorUri: localActorUri,
+      objectUri: post.objectUri,
+      payload: undoActivity,
+      direction: 'outbound',
+      status: 'pending',
+    });
+
+    return { success: true, liked: false };
+  }
+
+  // Like: insert like record, increment counter, send Like
+  await db.insert(federatedHubPostLikes).values({
+    postId: federatedHubPostId,
+    userId: user.id,
+  }).onConflictDoNothing();
+
+  await likeFederatedHubPost(db, federatedHubPostId);
+
+  const likeActivity = {
+    '@context': AP_CONTEXT,
+    type: 'Like',
+    id: `${localActorUri}/likes/${crypto.randomUUID()}`,
+    actor: localActorUri,
+    object: post.objectUri,
+    to: [post.actorUri],
+    cc: [AP_PUBLIC],
+  };
+
+  await db.insert(activities).values({
+    type: 'Like',
+    actorUri: localActorUri,
+    objectUri: post.objectUri,
+    payload: likeActivity,
+    direction: 'outbound',
+    status: 'pending',
+  });
+
+  return { success: true, liked: true };
+});

package/server/api/federation/hub-post-likes.get.ts

@@ -0,0 +1,24 @@
+import { federatedHubPostLikes } from '@commonpub/schema';
+import { eq, and, inArray } from 'drizzle-orm';
+import { z } from 'zod';
+
+export default defineEventHandler(async (event): Promise<{ likedPostIds: string[] }> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+
+  const query = getQuery(event);
+  const postIds = z.string().parse(query.postIds ?? '').split(',').filter(Boolean);
+
+  if (postIds.length === 0) return { likedPostIds: [] };
+
+  const liked = await db
+    .select({ postId: federatedHubPostLikes.postId })
+    .from(federatedHubPostLikes)
+    .where(and(
+      eq(federatedHubPostLikes.userId, user.id),
+      inArray(federatedHubPostLikes.postId, postIds),
+    ));
+
+  return { likedPostIds: liked.map(l => l.postId) };
+});

package/server/api/federation/hub-post-reply.post.ts

@@ -0,0 +1,42 @@
+import { sendPostToRemoteHub, getFederatedHubPost, getFederatedHub } from '@commonpub/server';
+import { z } from 'zod';
+
+const replySchema = z.object({
+  federatedHubPostId: z.string().uuid(),
+  content: z.string().min(1).max(10000),
+});
+
+export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { federatedHubPostId, content } = await parseBody(event, replySchema);
+
+  const post = await getFederatedHubPost(db, federatedHubPostId);
+  if (!post) {
+    throw createError({ statusCode: 404, statusMessage: 'Post not found' });
+  }
+
+  const hub = await getFederatedHub(db, post.federatedHubId);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  const success = await sendPostToRemoteHub(
+    db,
+    user.id,
+    user.username,
+    hub.actorUri,
+    content,
+    config.instance.domain,
+    'text',
+    post.objectUri,
+  );
+
+  if (!success) {
+    throw createError({ statusCode: 502, statusMessage: 'Could not reach remote hub' });
+  }
+
+  return { success };
+});

package/server/api/federation/hub-post.post.ts

@@ -0,0 +1,33 @@
+import { sendPostToRemoteHub } from '@commonpub/server';
+import { z } from 'zod';
+
+const hubPostSchema = z.object({
+  federatedHubId: z.string().uuid(),
+  hubActorUri: z.string().url(),
+  content: z.string().min(1).max(10000),
+  type: z.string().optional().default('text'),
+});
+
+export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const body = await parseBody(event, hubPostSchema);
+
+  const success = await sendPostToRemoteHub(
+    db,
+    user.id,
+    user.username,
+    body.hubActorUri,
+    body.content,
+    config.instance.domain,
+    body.type,
+  );
+
+  if (!success) {
+    throw createError({ statusCode: 502, statusMessage: 'Could not reach remote hub' });
+  }
+
+  return { success };
+});

package/server/api/federation/like.post.ts

@@ -0,0 +1,21 @@
+import { likeRemoteContent } from '@commonpub/server';
+import { z } from 'zod';
+
+const likeSchema = z.object({
+  federatedContentId: z.string().uuid(),
+});
+
+export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { federatedContentId } = await parseBody(event, likeSchema);
+
+  const success = await likeRemoteContent(db, user.id, federatedContentId, config.instance.domain);
+  if (!success) {
+    throw createError({ statusCode: 404, statusMessage: 'Content not found' });
+  }
+
+  return { success };
+});

package/server/api/federation/remote-actor.get.ts

@@ -0,0 +1,22 @@
+import { getRemoteActorProfile } from '@commonpub/server';
+import type { RemoteActorProfile } from '@commonpub/server';
+import { z } from 'zod';
+
+const querySchema = z.object({
+  uri: z.string().url(),
+});
+
+export default defineEventHandler(async (event): Promise<RemoteActorProfile> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { uri } = parseQueryParams(event, querySchema);
+
+  const profile = await getRemoteActorProfile(db, uri, config.instance.domain, user.id);
+  if (!profile) {
+    throw createError({ statusCode: 404, statusMessage: 'Remote actor not found' });
+  }
+
+  return profile;
+});

package/server/api/federation/reply.post.ts

@@ -0,0 +1,22 @@
+import { federateReply } from '@commonpub/server';
+import { z } from 'zod';
+
+const replySchema = z.object({
+  federatedContentId: z.string().uuid(),
+  content: z.string().min(1).max(10000),
+});
+
+export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { federatedContentId, content } = await parseBody(event, replySchema);
+
+  const success = await federateReply(db, user.id, federatedContentId, content, config.instance.domain);
+  if (!success) {
+    throw createError({ statusCode: 404, statusMessage: 'Content not found' });
+  }
+
+  return { success };
+});

package/server/api/federation/search.post.ts

@@ -0,0 +1,17 @@
+import { searchRemoteActor } from '@commonpub/server';
+import type { RemoteActorProfile } from '@commonpub/server';
+import { z } from 'zod';
+
+const searchSchema = z.object({
+  query: z.string().min(3).max(256),
+});
+
+export default defineEventHandler(async (event): Promise<RemoteActorProfile | null> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { query } = await parseBody(event, searchSchema);
+
+  return searchRemoteActor(db, query, config.instance.domain, user.id);
+});

package/server/api/federation/timeline.get.ts

@@ -0,0 +1,22 @@
+import { listFederatedTimeline } from '@commonpub/server';
+import type { FederatedContentItem } from '@commonpub/server';
+import { z } from 'zod';
+
+const querySchema = z.object({
+  limit: z.coerce.number().int().min(1).max(100).default(20),
+  offset: z.coerce.number().int().min(0).default(0),
+  apType: z.string().optional(),
+  cpubType: z.string().optional(),
+  originDomain: z.string().optional(),
+});
+
+export default defineEventHandler(
+  async (event): Promise<{ items: FederatedContentItem[]; total: number }> => {
+    requireFeature('federation');
+    requireAuth(event);
+    const db = useDB();
+    const opts = parseQueryParams(event, querySchema);
+
+    return listFederatedTimeline(db, opts);
+  },
+);

package/server/api/federation/unfollow.post.ts

@@ -0,0 +1,17 @@
+import { unfollowRemote } from '@commonpub/server';
+import { z } from 'zod';
+
+const unfollowSchema = z.object({
+  actorUri: z.string().url(),
+});
+
+export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { actorUri } = await parseBody(event, unfollowSchema);
+
+  await unfollowRemote(db, user.id, actorUri, config.instance.domain);
+  return { success: true };
+});

package/server/api/files/[id].delete.ts

@@ -0,0 +1,35 @@
+import { eq, and } from 'drizzle-orm';
+import { files } from '@commonpub/schema';
+import { createStorageFromEnv } from '@commonpub/server';
+
+let storage: ReturnType<typeof createStorageFromEnv> | null = null;
+function getStorage(): ReturnType<typeof createStorageFromEnv> {
+  if (!storage) storage = createStorageFromEnv();
+  return storage;
+}
+
+export default defineEventHandler(async (event): Promise<{ deleted: boolean }> => {
+  const db = useDB();
+  const user = requireAuth(event);
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  const result = await db
+    .delete(files)
+    .where(and(eq(files.id, id), eq(files.uploaderId, user.id)))
+    .returning({ id: files.id, storageKey: files.storageKey });
+
+  if (result.length === 0) {
+    throw createError({ statusCode: 404, statusMessage: 'File not found or not owned by you' });
+  }
+
+  // Delete from storage (best-effort, don't fail the request if storage delete fails)
+  try {
+    const adapter = getStorage();
+    await adapter.delete(result[0]!.storageKey);
+  } catch {
+    // Log but don't fail — the DB record is already deleted
+    console.warn(`[files] Failed to delete storage key: ${result[0]!.storageKey}`);
+  }
+
+  return { deleted: true };
+});

package/server/api/files/mine.get.ts

@@ -0,0 +1,31 @@
+import { eq, desc } from 'drizzle-orm';
+import { files } from '@commonpub/schema';
+import { z } from 'zod';
+
+const querySchema = z.object({
+  limit: z.coerce.number().int().positive().max(100).optional(),
+});
+
+export default defineEventHandler(async (event) => {
+  const db = useDB();
+  const user = requireAuth(event);
+  const query = parseQueryParams(event, querySchema);
+
+  const rows = await db
+    .select()
+    .from(files)
+    .where(eq(files.uploaderId, user.id))
+    .orderBy(desc(files.createdAt))
+    .limit(query.limit ?? 50);
+
+  return rows.map((f) => ({
+    id: f.id,
+    filename: f.filename,
+    originalName: f.originalName,
+    mimeType: f.mimeType,
+    sizeBytes: f.sizeBytes,
+    url: f.publicUrl,
+    purpose: f.purpose,
+    createdAt: f.createdAt,
+  }));
+});

package/server/api/files/upload-from-url.post.ts

@@ -0,0 +1,68 @@
+import { z } from 'zod';
+import { createStorageFromEnv, generateStorageKey, validateUpload, ALLOWED_IMAGE_TYPES } from '@commonpub/server';
+
+const schema = z.object({
+  url: z.string().url(),
+  purpose: z.enum(['content', 'cover', 'avatar', 'banner']).default('content'),
+});
+
+export default defineEventHandler(async (event) => {
+  const user = requireAuth(event);
+  const { url, purpose } = await parseBody(event, schema);
+
+  // SSRF protection — block private IPs
+  const parsed = new URL(url);
+  const hostname = parsed.hostname;
+  if (
+    hostname === 'localhost' ||
+    hostname === '127.0.0.1' ||
+    hostname === '::1' ||
+    hostname.startsWith('10.') ||
+    hostname.startsWith('192.168.') ||
+    hostname.match(/^172\.(1[6-9]|2\d|3[01])\./) ||
+    hostname === '169.254.169.254' // AWS metadata
+  ) {
+    throw createError({ statusCode: 400, statusMessage: 'Cannot fetch from private/local addresses' });
+  }
+
+  // Download the remote image
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 10_000); // 10s timeout
+
+  let response: Response;
+  try {
+    response = await fetch(url, {
+      signal: controller.signal,
+      headers: { 'User-Agent': 'devEco.io Image Fetcher' },
+    });
+  } catch (err) {
+    throw createError({ statusCode: 400, statusMessage: 'Failed to fetch remote image' });
+  } finally {
+    clearTimeout(timeout);
+  }
+
+  if (!response.ok) {
+    throw createError({ statusCode: 400, statusMessage: `Remote server returned ${response.status}` });
+  }
+
+  const contentType = response.headers.get('content-type') || '';
+  if (![...ALLOWED_IMAGE_TYPES].some((t: string) => contentType.startsWith(t))) {
+    throw createError({ statusCode: 400, statusMessage: `Unsupported image type: ${contentType}` });
+  }
+
+  const buffer = Buffer.from(await response.arrayBuffer());
+  const maxSize = 10 * 1024 * 1024; // 10MB
+  if (buffer.length > maxSize) {
+    throw createError({ statusCode: 400, statusMessage: 'Image too large (max 10MB)' });
+  }
+
+  // Upload to storage
+  const storage = createStorageFromEnv();
+  const ext = contentType.split('/')[1] || 'jpg';
+  const key = generateStorageKey(purpose, ext);
+
+  await (storage as any).put(key, buffer, contentType);
+  const resultUrl = (storage as any).getPublicUrl(key);
+
+  return { url: resultUrl };
+});

package/server/api/files/upload.post.ts

@@ -0,0 +1,105 @@
+/**
+ * File upload endpoint.
+ * Accepts multipart form data, validates file type/size, stores via configured adapter.
+ * Images are processed into WebP variants (thumb/small/medium/large).
+ */
+import { files } from '@commonpub/schema';
+import {
+  createStorageFromEnv,
+  generateStorageKey,
+  validateUpload,
+  isProcessableImage,
+  processImage,
+} from '@commonpub/server';
+
+// Lazy-init storage adapter (created once on first request)
+let storage: ReturnType<typeof createStorageFromEnv> | null = null;
+function getStorage(): ReturnType<typeof createStorageFromEnv> {
+  if (!storage) storage = createStorageFromEnv();
+  return storage;
+}
+
+export default defineEventHandler(async (event) => {
+  const db = useDB();
+  const user = requireAuth(event);
+
+  const formData = await readMultipartFormData(event);
+  if (!formData || formData.length === 0) {
+    throw createError({ statusCode: 400, statusMessage: 'No file uploaded' });
+  }
+
+  const file = formData[0]!;
+  const filename = file.filename || `upload-${Date.now()}`;
+  const mimeType = file.type || 'application/octet-stream';
+  const sizeBytes = file.data.length;
+  const validPurposes = ['cover', 'content', 'avatar', 'banner', 'attachment'] as const;
+  type Purpose = typeof validPurposes[number];
+  const purposeRaw = formData.find((f) => f.name === 'purpose')?.data.toString() || 'content';
+  if (!validPurposes.includes(purposeRaw as Purpose)) {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid upload purpose' });
+  }
+  const purpose = purposeRaw as Purpose;
+
+  // Validate
+  const validation = validateUpload(mimeType, sizeBytes, purpose);
+  if (!validation.valid) {
+    throw createError({ statusCode: 400, statusMessage: validation.error ?? 'Invalid upload' });
+  }
+
+  const adapter = getStorage();
+  let publicUrl: string;
+  let storageKey: string;
+  let width: number | null = null;
+  let height: number | null = null;
+  let variants: Record<string, string> | null = null;
+
+  if (isProcessableImage(mimeType)) {
+    // Process image: generate thumbnails and convert to WebP
+    const processed = await processImage(file.data, filename, purpose, adapter, mimeType);
+    publicUrl = processed.originalUrl;
+    storageKey = processed.originalKey;
+    width = processed.width;
+    height = processed.height;
+
+    if (processed.variants.length > 0) {
+      variants = {};
+      for (const v of processed.variants) {
+        variants[v.name] = v.url;
+      }
+    }
+  } else {
+    // Non-image file: upload as-is
+    storageKey = generateStorageKey(filename, purpose);
+    publicUrl = await adapter.upload(storageKey, file.data, mimeType);
+  }
+
+  // Store metadata in DB
+  const [row] = await db
+    .insert(files)
+    .values({
+      uploaderId: user.id,
+      filename: storageKey,
+      originalName: filename,
+      mimeType,
+      sizeBytes,
+      storageKey,
+      publicUrl,
+      purpose,
+      width,
+      height,
+    })
+    .returning();
+
+  return {
+    id: row!.id,
+    filename: row!.filename,
+    originalName: filename,
+    mimeType: row!.mimeType,
+    sizeBytes: row!.sizeBytes,
+    url: publicUrl,
+    width,
+    height,
+    variants,
+    purpose: row!.purpose,
+  };
+});

package/server/api/health.get.ts

@@ -0,0 +1,4 @@
+export default defineEventHandler(() => ({
+  status: 'ok',
+  timestamp: new Date().toISOString(),
+}));

package/server/api/hubs/[slug]/bans/[userId].delete.ts

@@ -0,0 +1,13 @@
+import { unbanUser, getHubBySlug } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ unbanned: boolean; error?: string }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug, userId } = parseParams(event, { slug: 'string', userId: 'uuid' });
+  const community = await getHubBySlug(db, slug);
+  if (!community) {
+    throw createError({ statusCode: 404, statusMessage: 'Community not found' });
+  }
+
+  return unbanUser(db, user.id, community.id, userId);
+});

package/server/api/hubs/[slug]/bans.get.ts

@@ -0,0 +1,20 @@
+import { listBans, getHubBySlug, getMember } from '@commonpub/server';
+import type { HubBanItem } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<HubBanItem[]> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug } = parseParams(event, { slug: 'string' });
+  const hub = await getHubBySlug(db, slug);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  // Only moderators, admins, and owners can view ban lists
+  const member = await getMember(db, hub.id, user.id);
+  if (!member || !['moderator', 'admin', 'owner'].includes(member.role)) {
+    throw createError({ statusCode: 403, statusMessage: 'Insufficient permissions' });
+  }
+
+  return listBans(db, hub.id);
+});

package/server/api/hubs/[slug]/bans.post.ts

@@ -0,0 +1,23 @@
+import { banUser, getHubBySlug } from '@commonpub/server';
+import { banUserSchema } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<{ banned: boolean; error?: string }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug } = parseParams(event, { slug: 'string' });
+  const input = await parseBody(event, banUserSchema);
+
+  const hub = await getHubBySlug(db, slug);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  return banUser(
+    db,
+    user.id,
+    hub.id,
+    input.userId,
+    input.reason,
+    input.expiresAt ? new Date(input.expiresAt) : undefined,
+  );
+});