@commonpub/layer 0.43.3 → 0.45.0

package/server/api/admin/federation/refederate.post.ts

@@ -1,15 +1,27 @@
 import { contentItems, hubs, hubPosts } from '@commonpub/schema';
 import { federateContent, federateHubPost, federateHubActor } from '@commonpub/server';
-import { eq, isNull } from 'drizzle-orm';
+import { eq, and, gte, desc, isNull } from 'drizzle-orm';
 import { z } from 'zod';
 import { extractDomain } from '../../../utils/inbox';
 
+/** Default re-federation window when neither `all` nor `since` is given — avoids a delivery storm. */
+const DEFAULT_SINCE_DAYS = 30;
+/** Hard cap on a bounded (non-`all`) re-federation run. */
+const DEFAULT_LIMIT = 1000;
+
 /**
  * POST /api/admin/federation/refederate
- * Queue all published content AND hub posts for federation delivery.
+ * Re-queue published content (Create) + hub posts (Announce) for delivery to current followers.
  * Useful after establishing new mirrors or enabling federation.
  *
- * Body: { contentId?: string, hubsOnly?: boolean } — if omitted, re-federates ALL
+ * BOUNDED BY DEFAULT to avoid blasting every follower with thousands of activities:
+ *  - `contentId` — re-federate a single item.
+ *  - `all: true` — re-federate everything (explicit opt-in; no date/limit bound).
+ *  - `sinceDays` — only items published within the last N days.
+ *  - `limit` — cap the number of items.
+ * With none of these, defaults to the last 30 days, capped at 1000 items, newest-first.
+ * `federateContent` is idempotent (skips an already-pending Create for the same object), so
+ * repeated runs don't duplicate the queue.
  */
 export default defineEventHandler(async (event) => {
   // Allow CLI trigger via AUTH_SECRET header (for server-side automation)
@@ -29,9 +41,13 @@ export default defineEventHandler(async (event) => {
   const body = await parseBody(event, z.object({
     contentId: z.string().uuid().optional(),
     hubsOnly: z.boolean().optional(),
+    all: z.boolean().optional(),
+    sinceDays: z.number().int().positive().max(3650).optional(),
+    limit: z.number().int().positive().max(10000).optional(),
   }));
   const contentId = body.contentId;
   const hubsOnly = body.hubsOnly === true;
+  const all = body.all === true;
 
   const db = useDB();
   const domain = extractDomain((runtimeConfig.public?.siteUrl as string) || `https://${config.instance.domain}`);
@@ -45,12 +61,25 @@ export default defineEventHandler(async (event) => {
   let hubsQueued = 0;
   let hubPostsQueued = 0;
 
-  // Re-federate published content (unless hubsOnly)
+  // Re-federate published content (unless hubsOnly), bounded unless `all` is set.
   if (!hubsOnly) {
-    const published = await db
+    const since = all
+      ? null
+      : new Date(Date.now() - (body.sinceDays ?? DEFAULT_SINCE_DAYS) * 24 * 60 * 60 * 1000);
+    const limit = all ? undefined : (body.limit ?? DEFAULT_LIMIT);
+
+    let q = db
       .select({ id: contentItems.id })
       .from(contentItems)
-      .where(eq(contentItems.status, 'published'));
+      .where(
+        since
+          ? and(eq(contentItems.status, 'published'), gte(contentItems.publishedAt, since))
+          : eq(contentItems.status, 'published'),
+      )
+      .orderBy(desc(contentItems.publishedAt))
+      .$dynamic();
+    if (limit != null) q = q.limit(limit);
+    const published = await q;
 
     for (const item of published) {
       try {

package/server/api/admin/registry/instances/[id]/status.post.ts

@@ -0,0 +1,18 @@
+import { setRegistryInstanceStatus } from '@commonpub/server';
+import { setRegistryInstanceStatusSchema } from '@commonpub/schema';
+
+/**
+ * POST /api/admin/registry/instances/[id]/status (Phase 4)
+ * Admin sets a directory entry's status: active (visible) | hidden (tracked, not shown) |
+ * blocked (future pings ignored). Admin only.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('actAsRegistry');
+  requirePermission(event, 'federation.manage');
+  const { id } = parseParams(event, { id: 'uuid' });
+  const { status } = await parseBody(event, setRegistryInstanceStatusSchema);
+
+  const updated = await setRegistryInstanceStatus(useDB(), id, status);
+  if (!updated) throw createError({ statusCode: 404, statusMessage: 'Instance not found' });
+  return updated;
+});

package/server/api/admin/registry/instances.get.ts

@@ -0,0 +1,19 @@
+import { listRegistryInstances } from '@commonpub/server';
+import { registryInstanceQuerySchema } from '@commonpub/schema';
+
+/**
+ * GET /api/admin/registry/instances (Phase 4)
+ * Admin view of the registry directory — ALL entries incl. hidden/blocked, with status.
+ * Admin only.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('actAsRegistry');
+  requirePermission(event, 'federation.manage');
+  const q = registryInstanceQuerySchema.parse(getQuery(event));
+  return listRegistryInstances(useDB(), {
+    search: q.search,
+    limit: q.limit,
+    offset: q.offset,
+    includeNonActive: true,
+  });
+});

package/server/api/registry/instances.get.ts

@@ -0,0 +1,37 @@
+import { listRegistryInstances, type RegistryInstanceView } from '@commonpub/server';
+import { registryInstanceQuerySchema } from '@commonpub/schema';
+
+/**
+ * GET /api/registry/instances (Phase 4)
+ * Public directory of CommonPub instances registered with this registry. Gated on
+ * `features.actAsRegistry`. Returns ACTIVE entries only, through an explicit allow-list (no
+ * internal id/status). Other instances/clients can consume this to discover peers.
+ */
+function toPublicRegistryInstance(v: RegistryInstanceView) {
+  return {
+    domain: v.domain,
+    actorUri: v.actorUri,
+    name: v.name,
+    description: v.description,
+    userCount: v.userCount,
+    activeMonthCount: v.activeMonthCount,
+    localPostCount: v.localPostCount,
+    features: v.features,
+    softwareName: v.softwareName,
+    softwareVersion: v.softwareVersion,
+    online: v.online,
+    lastPingAt: v.lastPingAt,
+  };
+}
+
+export default defineEventHandler(async (event) => {
+  requireFeature('actAsRegistry');
+  const q = registryInstanceQuerySchema.parse(getQuery(event));
+  const { instances, total } = await listRegistryInstances(useDB(), {
+    search: q.search,
+    limit: q.limit,
+    offset: q.offset,
+    includeNonActive: false,
+  });
+  return { instances: instances.map(toPublicRegistryInstance), total, limit: q.limit, offset: q.offset };
+});

package/server/api/registry/ping.post.ts

@@ -0,0 +1,44 @@
+import { recordRegistryPing, createRateLimitStore, getClientIp } from '@commonpub/server';
+import { verifyInboxRequest, extractDomain } from '../../utils/inbox';
+
+/**
+ * POST /api/registry/ping (Phase 4)
+ * A signed heartbeat from another CommonPub instance announcing itself to this registry.
+ * Gated on `features.actAsRegistry`. Identity is proven by the HTTP signature (the keyId domain
+ * must match the resolved actor) — so a domain can only register itself. We derive the domain from
+ * the verified actor, then `recordRegistryPing` pulls the instance's public NodeInfo for stats.
+ *
+ * Defence in depth: the global IP rate-limit middleware caps pre-verification floods; here we add a
+ * per-source-domain limit so a verified instance can't spam updates.
+ */
+const store = createRateLimitStore({ redisUrl: process.env.NUXT_REDIS_URL });
+const PRE_TIER = { limit: 20, windowMs: 60_000 }; // coarse per-IP cap BEFORE signature verification
+const PING_TIER = { limit: 3, windowMs: 5 * 60 * 1000 }; // 3 pings / 5 min per verified domain
+
+export default defineEventHandler(async (event) => {
+  requireFeature('actAsRegistry');
+  if (getMethod(event) !== 'POST') {
+    throw createError({ statusCode: 405, statusMessage: 'Method Not Allowed' });
+  }
+
+  // h3 types the well-known `Retry-After` header as a number (seconds).
+  const reject429 = (resetAt: number): never => {
+    setResponseHeader(event, 'Retry-After', Math.max(1, Math.ceil((resetAt - Date.now()) / 1000)));
+    throw createError({ statusCode: 429, statusMessage: 'Too Many Requests' });
+  };
+
+  // Coarse per-IP cap BEFORE verification: `verifyInboxRequest` resolves the (attacker-controlled)
+  // keyId actor over the network, so an unauthenticated caller must not fan that out unbounded.
+  const preRl = await store.check(`registry:ping:ip:${getClientIp(event)}`, PRE_TIER);
+  if (!preRl.allowed) reject429(preRl.resetAt);
+
+  const { actorUri } = await verifyInboxRequest(event, 'registry-ping');
+  const domain = extractDomain(actorUri);
+
+  // Per-verified-domain cap (the signer is now cryptographically known).
+  const rl = await store.check(`registry:ping:${domain}`, PING_TIER);
+  if (!rl.allowed) reject429(rl.resetAt);
+
+  const result = await recordRegistryPing(useDB(), domain, actorUri);
+  return { status: result };
+});

package/server/middleware/auth.ts

@@ -1,7 +1,7 @@
 // Nitro middleware for authentication using @commonpub/auth
 import { createAuthMiddleware, type AuthLocals } from '@commonpub/auth';
 import { createAuth } from '@commonpub/auth';
-import { emailTemplates } from '@commonpub/server';
+import { emailTemplates, emitHook } from '@commonpub/server';
 
 let authMiddleware: ReturnType<typeof createAuthMiddleware> | null = null;
 
@@ -43,6 +43,14 @@ function getAuthMiddleware(): ReturnType<typeof createAuthMiddleware> {
         await emailAdapter.send({ ...template, to: email });
       },
     },
+    onUserCreated: async (user) => {
+      await emitHook('user:registered', {
+        db,
+        userId: user.id,
+        username: user.username ?? '',
+        email: user.email,
+      });
+    },
   });
 
   authMiddleware = createAuthMiddleware({ auth });

package/server/plugins/registry-heartbeat.ts

@@ -0,0 +1,67 @@
+/**
+ * Registry heartbeat worker (Phase 4).
+ * When `features.announceToRegistry` is on, periodically sends a signed heartbeat to the configured
+ * `federation.registryUrl` so this instance appears in that registry's directory. Opt-in — nothing
+ * is sent unless the operator enables the flag.
+ */
+import { sendRegistryPing } from '@commonpub/server';
+
+export default defineNitroPlugin((nitro) => {
+  if (process.env.NODE_ENV === 'test') return;
+
+  let interval: ReturnType<typeof setInterval> | null = null;
+
+  const startupTimer = setTimeout(() => {
+    try {
+      const config = useConfig();
+      if (!config.features.announceToRegistry) {
+        return; // opt-in — silent when off
+      }
+      // The registry verifies our ping by resolving `https://{instance.domain}/actor`, which is
+      // only served when federation is on. Without it every ping 401s — warn + skip.
+      if (!config.features.federation) {
+        console.warn('[registry] announceToRegistry is on but federation is off — pings would be unverifiable (our /actor is not served). Skipping.');
+        return;
+      }
+      const registryUrl = config.federation?.registryUrl ?? 'https://commonpub.io';
+
+      // Use instance.domain — the heartbeat is signed with `https://{instance.domain}/actor#main-key`
+      // and MUST match the served actor's id host (verifyInboxRequest enforces keyId==actor.id host).
+      const domain = config.instance.domain;
+
+      // Don't announce a registry to itself.
+      const registryDomain = registryUrl.replace(/^https?:\/\//, '').replace(/[:/].*$/, '');
+      if (registryDomain === domain) {
+        console.log('[registry] Skipping heartbeat — this instance is its own registry');
+        return;
+      }
+
+      const intervalMs = config.federation?.registryPingIntervalMs ?? 21_600_000;
+      console.log(`[registry] Heartbeat worker started (registry: ${registryUrl}, interval: ${intervalMs}ms)`);
+
+      runHeartbeat(registryUrl, domain);
+      interval = setInterval(() => runHeartbeat(registryUrl, domain), intervalMs);
+    } catch (err) {
+      console.error('[registry] Heartbeat worker failed to start:', err instanceof Error ? err.message : err);
+    }
+  }, 10_000); // stagger after the delivery worker (5s)
+
+  async function runHeartbeat(registryUrl: string, domain: string) {
+    try {
+      const res = await sendRegistryPing(useDB(), registryUrl, domain);
+      if (!res.ok) {
+        console.warn(`[registry] Heartbeat to ${registryUrl} returned ${res.status}`);
+      }
+    } catch (err) {
+      console.error('[registry] Heartbeat error:', err instanceof Error ? err.message : err);
+    }
+  }
+
+  nitro.hooks.hook('close', () => {
+    clearTimeout(startupTimer);
+    if (interval) {
+      clearInterval(interval);
+      interval = null;
+    }
+  });
+});

package/server/routes/hubs/[slug]/inbox.ts

@@ -1,6 +1,6 @@
 import { processInboxActivity } from '@commonpub/protocol';
 import { createInboxHandlers } from '@commonpub/server';
-import { verifyInboxRequest } from '../../../utils/inbox';
+import { verifyInboxRequest, assertActorMatchesSigner } from '../../../utils/inbox';
 
 /**
  * Hub-specific inbox endpoint (FEP-1b12).
@@ -18,7 +18,8 @@ export default defineEventHandler(async (event) => {
   }
 
   // Verify signature, domain, date freshness, body size
-  const { body } = await verifyInboxRequest(event, 'hub-inbox');
+  const { actorUri, body } = await verifyInboxRequest(event, 'hub-inbox');
+  assertActorMatchesSigner(actorUri, body, 'hub-inbox');
 
   const db = useDB();
   const domain = config.instance.domain;

package/server/routes/inbox.ts

@@ -1,6 +1,6 @@
 import { processInboxActivity } from '@commonpub/protocol';
 import { createInboxHandlers } from '@commonpub/server';
-import { verifyInboxRequest, extractDomain } from '../utils/inbox';
+import { verifyInboxRequest, assertActorMatchesSigner, extractDomain } from '../utils/inbox';
 
 export default defineEventHandler(async (event) => {
   const config = useConfig();
@@ -13,7 +13,9 @@ export default defineEventHandler(async (event) => {
   }
 
   // Verify signature, domain, date freshness, body size
-  const { body } = await verifyInboxRequest(event, 'shared-inbox');
+  const { actorUri, body } = await verifyInboxRequest(event, 'shared-inbox');
+  // Bind the activity's actor to the verified signer (anti-spoofing).
+  assertActorMatchesSigner(actorUri, body, 'shared-inbox');
 
   const db = useDB();
   const runtimeConfig = useRuntimeConfig();

package/server/routes/users/[username]/inbox.ts

@@ -1,6 +1,6 @@
 import { processInboxActivity } from '@commonpub/protocol';
 import { createInboxHandlers } from '@commonpub/server';
-import { verifyInboxRequest, extractDomain } from '../../../utils/inbox';
+import { verifyInboxRequest, assertActorMatchesSigner, extractDomain } from '../../../utils/inbox';
 
 export default defineEventHandler(async (event) => {
   const config = useConfig();
@@ -13,7 +13,8 @@ export default defineEventHandler(async (event) => {
   }
 
   // Verify signature, domain, date freshness, body size
-  const { body } = await verifyInboxRequest(event, 'user-inbox');
+  const { actorUri, body } = await verifyInboxRequest(event, 'user-inbox');
+  assertActorMatchesSigner(actorUri, body, 'user-inbox');
 
   const db = useDB();
   const runtimeConfig = useRuntimeConfig();

package/server/utils/inbox.ts

@@ -31,6 +31,44 @@ interface VerifiedInbox {
   body: Record<string, unknown>;
 }
 
+/**
+ * Bind an inbound activity to its HTTP-signature signer: the activity's top-level `actor` MUST be
+ * on the same host as the cryptographically-verified signer (from `verifyInboxRequest`). Without
+ * this, a validly-signed request from instance X could carry `actor: https://victim/actor` and be
+ * processed as if it came from the victim — spoofed mirror requests/Accepts (Phase 3), federated
+ * content attributed to others, like/boost tampering, etc. CommonPub and Mastodon sign with the
+ * actor's own key (we don't support relays/LD-signature forwarding), so host equality is the
+ * correct binding. Throws 401 on mismatch; no-ops when `actor` is absent (processInboxActivity
+ * rejects a missing actor itself).
+ */
+export function assertActorMatchesSigner(
+  signerActorUri: string,
+  body: Record<string, unknown>,
+  label: string,
+): void {
+  const raw = body.actor;
+  const actorUri =
+    typeof raw === 'string'
+      ? raw
+      : raw && typeof raw === 'object'
+        ? ((raw as Record<string, unknown>).id as string | undefined)
+        : undefined;
+  if (!actorUri) return;
+
+  let signerHost: string;
+  let actorHost: string;
+  try {
+    signerHost = new URL(signerActorUri).hostname;
+    actorHost = new URL(actorUri).hostname;
+  } catch {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid activity actor' });
+  }
+  if (signerHost !== actorHost) {
+    console.warn(`[${label}] actor/signer host mismatch: actor=${actorHost}, signer=${signerHost}`);
+    throw createError({ statusCode: 401, statusMessage: 'Activity actor does not match request signer' });
+  }
+}
+
 /**
  * Verify an inbound AP activity request.
  * Checks: body size, signature presence, actor resolution, domain match,