@commonpub/layer 0.1.0

package/server/routes/inbox.ts

@@ -0,0 +1,34 @@
+import { processInboxActivity } from '@commonpub/protocol';
+import { createInboxHandlers } from '@commonpub/server';
+import { verifyInboxRequest, extractDomain } from '../utils/inbox';
+
+export default defineEventHandler(async (event) => {
+  const config = useConfig();
+  if (!config.features.federation) {
+    throw createError({ statusCode: 404, statusMessage: 'Not Found' });
+  }
+
+  if (getMethod(event) !== 'POST') {
+    throw createError({ statusCode: 405, statusMessage: 'Method Not Allowed' });
+  }
+
+  // Verify signature, domain, date freshness, body size
+  const { body } = await verifyInboxRequest(event, 'shared-inbox');
+
+  const db = useDB();
+  const runtimeConfig = useRuntimeConfig();
+  const domain = extractDomain((runtimeConfig.public?.siteUrl as string) || `https://${config.instance.domain}`);
+  const callbacks = createInboxHandlers({ db, domain });
+
+  try {
+    const result = await processInboxActivity(body, callbacks);
+    if (!result.success) {
+      throw createError({ statusCode: 400, statusMessage: result.error ?? 'Invalid activity' });
+    }
+    return { status: 'accepted' };
+  } catch (err: unknown) {
+    if ((err as { statusCode?: number }).statusCode) throw err;
+    console.error('[shared-inbox]', err);
+    throw createError({ statusCode: 400, statusMessage: 'Invalid activity' });
+  }
+});

package/server/routes/nodeinfo/2.1.ts

@@ -0,0 +1,27 @@
+// NodeInfo 2.1 response
+import { buildNodeInfoResponse } from '@commonpub/protocol';
+import { getPlatformStats } from '@commonpub/server';
+
+export default defineEventHandler(async () => {
+  const config = useConfig();
+  const db = useDB();
+
+  let userCount = 0;
+  let localPostCount = 0;
+
+  try {
+    const stats = await getPlatformStats(db);
+    userCount = stats.users.total ?? 0;
+    localPostCount = stats.content.total ?? 0;
+  } catch {
+    // DB may not be available, return zeros
+  }
+
+  return buildNodeInfoResponse({
+    config,
+    version: '0.0.1',
+    userCount,
+    activeMonthCount: userCount,
+    localPostCount,
+  });
+});

package/server/routes/robots.txt.ts

@@ -0,0 +1,19 @@
+export default defineEventHandler((event) => {
+  const config = useRuntimeConfig();
+  const siteUrl = config.public.siteUrl as string;
+
+  const content = `User-agent: *
+Allow: /
+Disallow: /api/
+Disallow: /admin/
+Disallow: /settings/
+Disallow: /messages/
+Disallow: /create/
+
+Sitemap: ${siteUrl}/sitemap.xml
+`;
+
+  setResponseHeader(event, 'Content-Type', 'text/plain; charset=utf-8');
+  setResponseHeader(event, 'Cache-Control', 'public, max-age=86400');
+  return content;
+});

package/server/routes/sitemap.xml.ts

@@ -0,0 +1,105 @@
+import { eq } from 'drizzle-orm';
+import { contentItems, users } from '@commonpub/schema';
+import { listHubs, listPaths } from '@commonpub/server';
+
+function escapeXml(str: string): string {
+  return str
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+}
+
+export default defineEventHandler(async (event) => {
+  const db = useDB();
+  const config = useRuntimeConfig();
+  const siteUrl = config.public.siteUrl as string;
+
+  // Published content
+  const publishedContent = await db
+    .select({
+      type: contentItems.type,
+      slug: contentItems.slug,
+      updatedAt: contentItems.updatedAt,
+    })
+    .from(contentItems)
+    .where(eq(contentItems.status, 'published'));
+
+  // Users with public profiles
+  const publicUsers = await db
+    .select({
+      username: users.username,
+      updatedAt: users.updatedAt,
+    })
+    .from(users)
+    .where(eq(users.status, 'active'));
+
+  // Hubs
+  const { items: hubs } = await listHubs(db, { limit: 100 });
+
+  // Learning paths
+  const { items: paths } = await listPaths(db, { status: 'published', limit: 100 });
+
+  const urls: Array<{ loc: string; lastmod: string; priority: string; changefreq: string }> = [];
+
+  // Static pages
+  urls.push({ loc: siteUrl, lastmod: new Date().toISOString(), priority: '1.0', changefreq: 'daily' });
+  urls.push({ loc: `${siteUrl}/search`, lastmod: new Date().toISOString(), priority: '0.5', changefreq: 'weekly' });
+
+  // Content pages
+  for (const item of publishedContent) {
+    urls.push({
+      loc: `${siteUrl}/${item.type}/${item.slug}`,
+      lastmod: new Date(item.updatedAt).toISOString(),
+      priority: '0.8',
+      changefreq: 'weekly',
+    });
+  }
+
+  // User profiles
+  for (const user of publicUsers) {
+    urls.push({
+      loc: `${siteUrl}/u/${user.username}`,
+      lastmod: new Date(user.updatedAt).toISOString(),
+      priority: '0.6',
+      changefreq: 'weekly',
+    });
+  }
+
+  // Hub pages (skip federated hubs — they have canonical URLs on the origin)
+  for (const hub of hubs) {
+    if ('source' in hub && hub.source === 'federated') continue;
+    const localHub = hub as { slug: string; createdAt: Date; updatedAt?: Date };
+    urls.push({
+      loc: `${siteUrl}/hubs/${localHub.slug}`,
+      lastmod: new Date(localHub.updatedAt ?? localHub.createdAt ?? new Date()).toISOString(),
+      priority: '0.7',
+      changefreq: 'weekly',
+    });
+  }
+
+  // Learning paths
+  for (const path of paths) {
+    urls.push({
+      loc: `${siteUrl}/learn/${path.slug}`,
+      lastmod: new Date((path as any).updatedAt ?? (path as any).createdAt ?? new Date()).toISOString(),
+      priority: '0.7',
+      changefreq: 'monthly',
+    });
+  }
+
+  const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
+${urls.map((u) => `  <url>
+    <loc>${escapeXml(u.loc)}</loc>
+    <lastmod>${u.lastmod}</lastmod>
+    <changefreq>${u.changefreq}</changefreq>
+    <priority>${u.priority}</priority>
+  </url>`).join('\n')}
+</urlset>`;
+
+  setResponseHeader(event, 'Content-Type', 'application/xml; charset=utf-8');
+  setResponseHeader(event, 'Cache-Control', 'public, max-age=3600, stale-while-revalidate=1800');
+  return xml;
+});

package/server/routes/users/[username]/followers.ts

@@ -0,0 +1,33 @@
+import { getUserByUsername, getFollowers } from '@commonpub/server';
+
+export default defineEventHandler(async (event) => {
+  const username = getRouterParam(event, 'username')!;
+  const db = useDB();
+  const config = useConfig();
+
+  const profile = await getUserByUsername(db, username);
+  if (!profile) {
+    throw createError({ statusCode: 404, statusMessage: 'Actor not found' });
+  }
+
+  const domain = config.instance.domain;
+  const actorUri = `https://${domain}/users/${username}`;
+
+  let followers: string[] = [];
+  try {
+    const result = await getFollowers(db, actorUri);
+    followers = result.map((f) => f.followerActorUri);
+  } catch {
+    // May not have federation tables
+  }
+
+  setResponseHeader(event, 'content-type', 'application/activity+json');
+
+  return {
+    '@context': 'https://www.w3.org/ns/activitystreams',
+    id: `${actorUri}/followers`,
+    type: 'OrderedCollection',
+    totalItems: followers.length,
+    orderedItems: followers,
+  };
+});

package/server/routes/users/[username]/following.ts

@@ -0,0 +1,33 @@
+import { getUserByUsername, getFollowing } from '@commonpub/server';
+
+export default defineEventHandler(async (event) => {
+  const username = getRouterParam(event, 'username')!;
+  const db = useDB();
+  const config = useConfig();
+
+  const profile = await getUserByUsername(db, username);
+  if (!profile) {
+    throw createError({ statusCode: 404, statusMessage: 'Actor not found' });
+  }
+
+  const domain = config.instance.domain;
+  const actorUri = `https://${domain}/users/${username}`;
+
+  let following: string[] = [];
+  try {
+    const result = await getFollowing(db, actorUri);
+    following = result.map((f) => f.followingActorUri);
+  } catch {
+    // May not have federation tables
+  }
+
+  setResponseHeader(event, 'content-type', 'application/activity+json');
+
+  return {
+    '@context': 'https://www.w3.org/ns/activitystreams',
+    id: `${actorUri}/following`,
+    type: 'OrderedCollection',
+    totalItems: following.length,
+    orderedItems: following,
+  };
+});

package/server/routes/users/[username]/inbox.ts

@@ -0,0 +1,34 @@
+import { processInboxActivity } from '@commonpub/protocol';
+import { createInboxHandlers } from '@commonpub/server';
+import { verifyInboxRequest, extractDomain } from '../../../utils/inbox';
+
+export default defineEventHandler(async (event) => {
+  const config = useConfig();
+  if (!config.features.federation) {
+    throw createError({ statusCode: 404, statusMessage: 'Not Found' });
+  }
+
+  if (getMethod(event) !== 'POST') {
+    throw createError({ statusCode: 405, statusMessage: 'Method Not Allowed' });
+  }
+
+  // Verify signature, domain, date freshness, body size
+  const { body } = await verifyInboxRequest(event, 'user-inbox');
+
+  const db = useDB();
+  const runtimeConfig = useRuntimeConfig();
+  const domain = extractDomain((runtimeConfig.public?.siteUrl as string) || `https://${config.instance.domain}`);
+  const callbacks = createInboxHandlers({ db, domain });
+
+  try {
+    const result = await processInboxActivity(body, callbacks);
+    if (!result.success) {
+      throw createError({ statusCode: 400, statusMessage: result.error ?? 'Invalid activity' });
+    }
+    return { status: 'accepted' };
+  } catch (err: unknown) {
+    if ((err as { statusCode?: number }).statusCode) throw err;
+    console.error('[user-inbox]', err);
+    throw createError({ statusCode: 400, statusMessage: 'Invalid activity' });
+  }
+});

package/server/routes/users/[username]/outbox.ts

@@ -0,0 +1,35 @@
+import { generateOutboxCollection, generateOutboxPage } from '@commonpub/protocol';
+import { getUserByUsername, countOutboxItems, getOutboxPage } from '@commonpub/server';
+
+const PAGE_SIZE = 20;
+
+/**
+ * User actor outbox — serves paginated outbound activities for a specific user.
+ * Returns Create/Update/Delete activities that were successfully delivered.
+ */
+export default defineEventHandler(async (event) => {
+  const username = getRouterParam(event, 'username')!;
+  const db = useDB();
+  const config = useConfig();
+
+  const profile = await getUserByUsername(db, username);
+  if (!profile) {
+    throw createError({ statusCode: 404, statusMessage: 'Actor not found' });
+  }
+
+  const domain = config.instance.domain;
+  const actorUri = `https://${domain}/users/${username}`;
+  const query = getQuery(event);
+  const page = query.page ? parseInt(String(query.page), 10) : 0;
+
+  setResponseHeader(event, 'content-type', 'application/activity+json');
+
+  const totalItems = await countOutboxItems(db, actorUri);
+
+  if (!page || isNaN(page)) {
+    return generateOutboxCollection(totalItems, domain, username);
+  }
+
+  const items = await getOutboxPage(db, actorUri, page, PAGE_SIZE);
+  return generateOutboxPage(items as never[], domain, username, page, PAGE_SIZE, totalItems);
+});

package/server/routes/users/[username].ts

@@ -0,0 +1,62 @@
+import { getUserByUsername, getOrCreateActorKeypair } from '@commonpub/server';
+
+export default defineEventHandler(async (event) => {
+  const username = getRouterParam(event, 'username')!;
+  const accept = getRequestHeader(event, 'accept') || '';
+
+  // Only serve AP actor for ActivityPub clients
+  if (!accept.includes('application/activity+json') && !accept.includes('application/ld+json')) {
+    // Redirect browsers to the profile page
+    return sendRedirect(event, `/u/${username}`);
+  }
+
+  const db = useDB();
+  const config = useConfig();
+  const profile = await getUserByUsername(db, username);
+
+  if (!profile) {
+    throw createError({ statusCode: 404, statusMessage: 'Actor not found' });
+  }
+
+  const domain = config.instance.domain;
+  const actorUri = `https://${domain}/users/${username}`;
+
+  let publicKeyPem = '';
+  try {
+    const keypair = await getOrCreateActorKeypair(db, profile.id);
+    publicKeyPem = keypair.publicKeyPem;
+  } catch {
+    // Key generation may fail if crypto is unavailable
+  }
+
+  setResponseHeader(event, 'content-type', 'application/activity+json');
+
+  return {
+    '@context': [
+      'https://www.w3.org/ns/activitystreams',
+      'https://w3id.org/security/v1',
+    ],
+    id: actorUri,
+    type: 'Person',
+    preferredUsername: username,
+    name: profile.displayName || username,
+    summary: profile.bio || '',
+    inbox: `${actorUri}/inbox`,
+    outbox: `${actorUri}/outbox`,
+    followers: `${actorUri}/followers`,
+    following: `${actorUri}/following`,
+    url: `https://${domain}/u/${username}`,
+    endpoints: {
+      sharedInbox: `https://${domain}/inbox`,
+    },
+    ...(publicKeyPem
+      ? {
+          publicKey: {
+            id: `${actorUri}#main-key`,
+            owner: actorUri,
+            publicKeyPem,
+          },
+        }
+      : {}),
+  };
+});

package/server/utils/auth.ts

@@ -0,0 +1,36 @@
+// Auth helper — extracts authenticated user from event context
+import type { H3Event } from 'h3';
+
+export interface AuthUser {
+  id: string;
+  username: string;
+  role: string;
+}
+
+export function requireAuth(event: H3Event): AuthUser {
+  const auth = event.context.auth;
+  if (!auth?.user) {
+    const cookie = getRequestHeader(event, 'cookie') || '';
+    const hasSessionCookie = cookie.includes('better-auth.session_token');
+    throw createError({
+      statusCode: 401,
+      statusMessage: hasSessionCookie
+        ? 'Session expired or invalid. Please log in again.'
+        : 'Not logged in. Please log in to continue.',
+    });
+  }
+  return auth.user as AuthUser;
+}
+
+export function requireAdmin(event: H3Event): AuthUser {
+  const user = requireAuth(event);
+  if (user.role !== 'admin') {
+    throw createError({ statusCode: 403, statusMessage: 'Admin access required' });
+  }
+  return user;
+}
+
+export function getOptionalUser(event: H3Event): AuthUser | null {
+  const auth = event.context.auth;
+  return (auth?.user as AuthUser) ?? null;
+}

package/server/utils/db.ts

@@ -0,0 +1,34 @@
+// Singleton Drizzle DB instance for Nitro server
+import { drizzle } from 'drizzle-orm/node-postgres';
+// @ts-expect-error no types for pg
+import pg from 'pg';
+import * as schema from '@commonpub/schema';
+import type { DB } from '@commonpub/server';
+
+let db: DB | null = null;
+
+export function useDB(): DB {
+  if (db) return db;
+
+  const config = useRuntimeConfig();
+  const databaseUrl = config.databaseUrl as string;
+
+  if (!databaseUrl) {
+    throw new Error('DATABASE_URL is not configured. Set NUXT_DATABASE_URL environment variable.');
+  }
+
+  // Guard against default auth secret in production
+  if (process.env.NODE_ENV === 'production' && config.authSecret === 'dev-secret-change-me') {
+    throw new Error('NUXT_AUTH_SECRET must be set in production. Do not use the default dev secret.');
+  }
+
+  const pool = new pg.Pool({
+    connectionString: databaseUrl,
+    max: 20,
+    idleTimeoutMillis: 30_000,
+    connectionTimeoutMillis: 5_000,
+  });
+  db = drizzle(pool, { schema });
+
+  return db;
+}

package/server/utils/errors.ts

@@ -0,0 +1,24 @@
+// Consistent error helpers for Nitro API routes
+
+export function validationError(errors: Record<string, string[]>): never {
+  throw createError({
+    statusCode: 400,
+    statusMessage: 'Validation failed',
+    data: { errors },
+  });
+}
+
+export function notFound(entity: string): never {
+  throw createError({
+    statusCode: 404,
+    statusMessage: `${entity} not found`,
+  });
+}
+
+export function forbidden(message = 'Permission denied'): never {
+  throw createError({ statusCode: 403, statusMessage: message });
+}
+
+export function badRequest(message: string): never {
+  throw createError({ statusCode: 400, statusMessage: message });
+}

package/server/utils/inbox.ts

@@ -0,0 +1,122 @@
+/**
+ * Shared inbox verification utilities.
+ * Handles HTTP Signature verification, actor domain validation,
+ * body size limits, and Date header freshness checks.
+ */
+import { verifyHttpSignature, resolveActor } from '@commonpub/protocol';
+import type { H3Event } from 'h3';
+
+/** Maximum allowed body size for inbox POSTs (1 MB) */
+const MAX_BODY_SIZE = 1_048_576;
+
+/** Maximum allowed clock skew for Date header (5 minutes) */
+const MAX_DATE_SKEW_MS = 5 * 60 * 1000;
+
+function extractKeyId(signatureHeader: string): string | null {
+  const match = signatureHeader.match(/keyId="([^"]+)"/);
+  return match ? match[1] : null;
+}
+
+/** Extract clean domain from a URL string */
+export function extractDomain(url: string): string {
+  try {
+    const parsed = new URL(url);
+    if (parsed.hostname) return parsed.hostname;
+  } catch { /* fall through */ }
+  return url.replace(/^https?:\/\//, '').replace(/[:/].*$/, '');
+}
+
+interface VerifiedInbox {
+  actorUri: string;
+  body: Record<string, unknown>;
+}
+
+/**
+ * Verify an inbound AP activity request.
+ * Checks: body size, signature presence, actor resolution, domain match,
+ * Date freshness, and HTTP Signature cryptographic verification.
+ *
+ * Throws H3Error on any failure.
+ */
+export async function verifyInboxRequest(event: H3Event, label: string): Promise<VerifiedInbox> {
+  // 1. Body size check
+  const contentLength = getHeader(event, 'content-length');
+  if (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {
+    throw createError({ statusCode: 413, statusMessage: 'Payload too large' });
+  }
+
+  // 2. Require Signature header
+  const signatureHeader = getHeader(event, 'signature');
+  if (!signatureHeader) {
+    throw createError({ statusCode: 401, statusMessage: 'Missing HTTP Signature' });
+  }
+
+  // 3. Extract and validate keyId
+  const keyId = extractKeyId(signatureHeader);
+  if (!keyId) {
+    throw createError({ statusCode: 401, statusMessage: 'Invalid Signature header: missing keyId' });
+  }
+
+  const actorUri = keyId.replace(/#.*$/, '');
+
+  // 4. Resolve actor and public key
+  const actor = await resolveActor(actorUri, fetch);
+  if (!actor?.publicKey?.publicKeyPem) {
+    throw createError({ statusCode: 401, statusMessage: 'Could not resolve actor public key' });
+  }
+
+  // 5. Actor domain validation — keyId domain must match resolved actor id domain
+  try {
+    const keyIdDomain = new URL(actorUri).hostname;
+    const actorIdDomain = new URL(actor.id ?? actorUri).hostname;
+    if (keyIdDomain !== actorIdDomain) {
+      console.warn(`[${label}] Domain mismatch: keyId=${keyIdDomain}, actor.id=${actorIdDomain}`);
+      throw createError({ statusCode: 401, statusMessage: 'Actor domain does not match keyId domain' });
+    }
+  } catch (err) {
+    if ((err as { statusCode?: number }).statusCode) throw err;
+    throw createError({ statusCode: 401, statusMessage: 'Invalid actor URI' });
+  }
+
+  // 6. Date header freshness check
+  const dateHeader = getHeader(event, 'date');
+  if (dateHeader) {
+    const requestDate = new Date(dateHeader).getTime();
+    if (!isNaN(requestDate)) {
+      const skew = Math.abs(Date.now() - requestDate);
+      if (skew > MAX_DATE_SKEW_MS) {
+        console.warn(`[${label}] Date header too old/new: skew=${Math.round(skew / 1000)}s from ${actorUri}`);
+        throw createError({ statusCode: 401, statusMessage: 'Request date too far from server time' });
+      }
+    }
+  }
+
+  // 7. Read body and reconstruct Request for signature verification
+  const body = await readBody(event);
+  const bodyStr = typeof body === 'string' ? body : JSON.stringify(body);
+
+  // Body size check on actual content (in case Content-Length was missing/wrong)
+  if (bodyStr.length > MAX_BODY_SIZE) {
+    throw createError({ statusCode: 413, statusMessage: 'Payload too large' });
+  }
+
+  const url = getRequestURL(event);
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(getHeaders(event))) {
+    if (value) headers.set(key, Array.isArray(value) ? value[0]! : value);
+  }
+  const verifyRequest = new Request(url.toString(), {
+    method: 'POST',
+    headers,
+    body: bodyStr,
+  });
+
+  // 8. Verify HTTP Signature cryptographically
+  const signatureValid = await verifyHttpSignature(verifyRequest, actor.publicKey.publicKeyPem);
+  if (!signatureValid) {
+    console.warn(`[${label}] HTTP Signature verification failed for ${actorUri}`);
+    throw createError({ statusCode: 401, statusMessage: 'Invalid HTTP Signature' });
+  }
+
+  return { actorUri, body };
+}