@evanp/activitypub-bot 0.16.7 → 0.18.0

package/.eslintrc

@@ -0,0 +1,7 @@
+env:
+  node: true
+  es2022: true
+parserOptions:
+  sourceType: module
+extends:
+  - standard

package/README.md

@@ -198,6 +198,18 @@ Called when the server receives a public activity to its shared inbox. This can
 
 Called when one of the bot's objects is shared by another actor. The first argument is the object, and the second is the `Announce` activity itself. This method is called after the activity has been added to the `shares` collection.
 
+#### async actorOK (actor, activity)
+
+Lets the bot override the default check for matching the actor who sent an activity with the
+actor who did the activity. Usually, these need to be the same, but for some sub-protocols, like
+relays, it can be different. Returns a boolean saying whether the actor is OK.
+
+#### async handleActivity (activity)
+
+Runs *before* default handling for an activity. This is a chance to do non-standard handling
+for activities. Boolean return; truthy return means that the bot has already handled the
+activity and standard handling should be skipped. The activity will still be delivered to inboxes. Use with caution!
+
 ### BotFactory
 
 The BotFactory interface lets you have a lot of bots that act in a similar way without declaring them explicitly in the bots config file.
@@ -297,6 +309,11 @@ Sends a `Block` activity for the passed-in actor in [activitystrea.ms](#activity
 
 Sends an `Undo`/`Block` activity for the passed-in actor in [activitystrea.ms](#activitystreams) form.
 
+#### async doActivity (data, distribute = true)
+
+Sends an arbitrary activity object out into the network. This requires some
+care! `id`, `actor`, and timestamps will be added automatically. `distribute` flag is for sensitive activities that shouldn't be distributed to anyone.
+
 #### async toActorId (webfinger)
 
 Gets the `id` of the [ActivityPub Actor](https://www.w3.org/TR/activitypub/#actors) with the given [WebFinger](https://en.wikipedia.org/wiki/WebFinger) identity.

package/lib/activitydeliverer.js

@@ -38,10 +38,6 @@ export class ActivityDeliverer {
     this.#deliverBotQueue = new PQueue({ max: ActivityDeliverer.#MAX_BOT_QUEUE })
   }
 
-  isActivity (object) {
-    return true
-  }
-
   getActor (activity) {
     return activity.actor?.first
   }
@@ -64,10 +60,10 @@ export class ActivityDeliverer {
   }
 
   async onIdle () {
-    this.#logger.debug(`Awaiting delivery queues`)
+    this.#logger.debug('Awaiting delivery queues')
     await this.#deliverAllQueue.onIdle()
     await this.#deliverBotQueue.onIdle()
-    this.#logger.debug(`Done awaiting delivery queues`)
+    this.#logger.debug('Done awaiting delivery queues')
   }
 
   async #deliverTo (activity, bot) {

package/lib/activitydistributor.js

@@ -95,11 +95,11 @@ export class ActivityDistributor {
   }
 
   async * #public (activity, username) {
-    yield* this.#recipients(activity, username, ['to', 'cc', 'audience'])
+    yield * this.#recipients(activity, username, ['to', 'cc', 'audience'])
   }
 
   async * #private (activity, username) {
-    yield* this.#recipients(activity, username, ['bto', 'bcc'])
+    yield * this.#recipients(activity, username, ['bto', 'bcc'])
   }
 
   async * #recipients (activity, username, props) {
@@ -108,52 +108,52 @@ export class ActivityDistributor {
       if (p) {
         for (const value of p) {
           const id = value.id
-          this.#logger.debug({id}, 'Checking recipient')
+          this.#logger.debug({ id }, 'Checking recipient')
           if (ActivityDistributor.#PUBLIC.includes(id)) {
             this.#logger.debug(
               { activity: activity.id },
               'Skipping public delivery'
             )
           } else if (this.#formatter.isLocal(id)) {
-            this.#logger.debug({id}, 'Unformatting local recipient')
+            this.#logger.debug({ id }, 'Unformatting local recipient')
             const parts = this.#formatter.unformat(id)
             this.#logger.debug(parts, 'Local recipient')
             if (this.#isLocalActor(parts)) {
-              this.#logger.debug({id}, 'Local actor')
+              this.#logger.debug({ id }, 'Local actor')
               yield id
             } else if (this.#isLocalCollection(parts)) {
-              this.#logger.debug({id}, 'Local collection')
+              this.#logger.debug({ id }, 'Local collection')
               for await (const item of this.#actorStorage.items(parts.username, parts.collection)) {
-                this.#logger.debug({id: item.id}, 'Local collection member')
+                this.#logger.debug({ id: item.id }, 'Local collection member')
                 yield item.id
               }
             } else {
-              this.#logger.warn({id}, 'Local non-actor non-collection')
+              this.#logger.warn({ id }, 'Local non-actor non-collection')
             }
           } else {
             let obj
             try {
               obj = await this.#client.get(id, username)
             } catch (err) {
-              this.#logger.warn({id, err}, 'Cannot get recipient, skipping')
+              this.#logger.warn({ id, err }, 'Cannot get recipient, skipping')
               continue
             }
             if (this.#isRemoteActor(obj)) {
-              this.#logger.debug({id}, 'Remote actor')
+              this.#logger.debug({ id }, 'Remote actor')
               yield id
             } else if (this.#isRemoteCollection(obj)) {
-              this.#logger.debug({id}, 'Remote collection')
+              this.#logger.debug({ id }, 'Remote collection')
               try {
                 for await (const item of this.#client.items(obj.id, username)) {
-                  this.#logger.debug({id: item.id}, 'Remote collection member')
+                  this.#logger.debug({ id: item.id }, 'Remote collection member')
                   yield item.id
                 }
               } catch (err) {
-                this.#logger.warn({id, err}, 'Cannot iterate, skipping')
+                this.#logger.warn({ id, err }, 'Cannot iterate, skipping')
                 continue
               }
             } else {
-              this.#logger.warn({id}, 'Remote non-actor non-collection')
+              this.#logger.warn({ id }, 'Remote non-actor non-collection')
             }
           }
         }

package/lib/activityhandler.js

@@ -1,5 +1,6 @@
 import as2 from './activitystreams.js'
 import { nanoid } from 'nanoid'
+import assert from 'node:assert'
 
 const AS2 = 'https://www.w3.org/ns/activitystreams#'
 
@@ -35,6 +36,27 @@ export class ActivityHandler {
   }
 
   async handleActivity (bot, activity) {
+    assert.ok(bot, 'bot parameter is required')
+    assert.strictEqual(typeof bot, 'object', 'bot parameter must be an object')
+    assert.ok(activity, 'activity parameter is required')
+    assert.strictEqual(
+      typeof activity,
+      'object',
+      'activity parameter must be an object'
+    )
+
+    let handled = false
+
+    try {
+      handled = await bot.handleActivity(activity)
+    } catch (err) {
+      this.#logger.warn({ err }, `Bot ${bot.username} errored on activity`)
+    }
+
+    if (handled) {
+      return
+    }
+
     switch (activity.type) {
       case AS2 + 'Create': await this.#handleCreate(bot, activity); break
       case AS2 + 'Update': await this.#handleUpdate(bot, activity); break
@@ -80,7 +102,7 @@ export class ActivityHandler {
     await this.#handleCreateThread(bot, activity, actor, object)
     if (this.#isMention(bot, object)) {
       this.#logger.debug(
-         { username: bot.username, object: object.id },
+        { username: bot.username, object: object.id },
         'bot mentioned'
       )
       await bot.onMention(object, activity)
@@ -875,7 +897,7 @@ export class ActivityHandler {
     if (!type || typeof type !== 'string') {
       return 'activity'
     }
-    const parts = type.split(/[\/#]/)
+    const parts = type.split(/[/#]/)
     return parts[parts.length - 1].toLowerCase()
   }
 

package/lib/actorstorage.js

@@ -319,7 +319,8 @@ export class ActorStorage {
         SET activity_id = EXCLUDED.activity_id,
             updatedAt = CURRENT_TIMESTAMP
       `,
-      { replacements: [
+      {
+        replacements: [
           username,
           this.#clearNS(activity.type),
           activity.object.first.id,

package/lib/app.js

@@ -188,10 +188,10 @@ export async function makeApp (databaseUrl, origin, bots, logLevel = 'silent') {
   })
 
   app.onIdle = async () => {
-    logger.debug(`Awaiting components`)
+    logger.debug('Awaiting components')
     await distributor.onIdle()
     await deliverer.onIdle()
-    logger.debug(`Awaiting components`)
+    logger.debug('Done awaiting components')
   }
 
   app.cleanup = async () => {

package/lib/authorizer.js

@@ -101,7 +101,7 @@ export class Authorizer {
     } else if (this.#formatter.isLocal(object.id)) {
       const parts = this.#formatter.unformat(object.id)
       return as2.import({
-        id: this.#formatter.format({username: parts.username})
+        id: this.#formatter.format({ username: parts.username })
       })
     } else {
       return null

package/lib/bot.js

@@ -48,4 +48,12 @@ export default class Bot {
   async onPublic (activity) {
     ; // no-op
   }
+
+  async actorOK (actorId, activity) {
+    return false
+  }
+
+  async handleActivity (activity) {
+    return false
+  }
 }

package/lib/botcontext.js

@@ -143,7 +143,7 @@ export class BotContext {
       attributedTo: this.#formatter.format({ username: this.#botId })
     })
     await this.#objectStorage.create(note)
-    const activity = await this.#doActivity({
+    await this.#doActivity({
       '@context': [
         'https://www.w3.org/ns/activitystreams',
         'https://purl.archive.org/socialweb/thread/1.0',
@@ -394,6 +394,12 @@ export class BotContext {
     return await this.#undoActivity('Announce', obj)
   }
 
+  async doActivity (data, distribute = true) {
+    assert.ok(data)
+    assert.equal(typeof data, 'object')
+    return await this.#doActivity(data, distribute)
+  }
+
   async #findInOutbox (type, obj) {
     const full = `https://www.w3.org/ns/activitystreams#${type}`
     let found = null
@@ -442,7 +448,7 @@ export class BotContext {
       type,
       id: this.#formatter.format({
         username: this.#botId,
-        type: type,
+        type,
         nanoid: nanoid()
       }),
       actor: {

package/lib/bots/ok.js

@@ -23,7 +23,7 @@ export default class OKBot extends Bot {
         object.attributedTo?.first.id ||
         activity.actor?.first.id
       this._context.logger.debug(
-        { object: object.id, attributedTo: attributedTo },
+        { object: object.id, attributedTo },
         'attributed to'
       )
       const wf = await this._context.toWebfinger(attributedTo)

package/lib/bots/relayclient.js

@@ -0,0 +1,38 @@
+import Bot from '../bot.js'
+
+export default class RelayClientBot extends Bot {
+  #relay
+
+  constructor (username, relay) {
+    super(username)
+    this.#relay = relay
+  }
+
+  get fullname () {
+    return 'Relay Client Bot'
+  }
+
+  get description () {
+    return 'A bot for subscribing to relays'
+  }
+
+  async initialize (context) {
+    super.initialize(context)
+    if (!(await this._context.hasData(`follow:${this.#relay}`))) {
+      await this.#followRelay()
+    }
+  }
+
+  async #followRelay () {
+    const activity = await this._context.doActivity({
+      to: this.#relay,
+      type: 'Follow',
+      object: 'https://www.w3.org/ns/activitystreams#Public'
+    })
+    this._context.setData(`follow:${this.#relay}`, activity.id)
+  }
+
+  async actorOK (actorId, activity) {
+    return (actorId === this.#relay)
+  }
+}

package/lib/bots/relayserver.js

@@ -0,0 +1,61 @@
+import assert from 'node:assert'
+
+import Bot from '../bot.js'
+
+const NS = 'https://www.w3.org/ns/activitystreams#'
+const FOLLOW = `${NS}Follow`
+const PUBLICS = [
+  'Public',
+  'as:Public',
+  `${NS}Public`
+]
+const CLIENTS = 'relay-clients'
+
+export default class RelayServerBot extends Bot {
+  get fullname () {
+    return 'Relay Server Bot'
+  }
+
+  get description () {
+    return 'A bot for subscribing to relays'
+  }
+
+  async handleActivity (activity) {
+    if (activity.type === FOLLOW &&
+      PUBLICS.includes(activity.object?.first?.id)) {
+      this._context.logger.debug(
+        { activity: activity.id },
+        'Non-default handling for relay follow'
+      )
+      const actorId = activity.actor?.first?.id
+      if (actorId) {
+        this._context.logger.info(
+          { actor: actorId },
+          'Adding actor as relay follower'
+        )
+        // FIXME: will this work at scale?
+        const clients = (await this._context.hasData(CLIENTS))
+          ? await this._context.getData(CLIENTS)
+          : []
+        assert.ok(Array.isArray(clients))
+        const clientSet = new Set(clients)
+        if (!clientSet.has(actorId)) {
+          clientSet.add(actorId)
+          await this._context.setData(CLIENTS, Array.from(clientSet))
+        }
+        this._context.logger.debug(
+          { activity: activity.id },
+          'Accepting follow activity'
+        )
+        await this._context.doActivity({
+          type: 'Accept',
+          object: activity.id,
+          to: actorId
+        })
+      }
+      return true
+    } else {
+      return false
+    }
+  }
+}

package/lib/httpsignature.js

@@ -43,8 +43,8 @@ export class HTTPSignature {
       throw createHttpError(401, 'No algorithm provided')
     }
     this.#logger.debug({ algorithm }, 'validating signature')
-    if (algorithm !== 'rsa-sha256') {
-      throw createHttpError(401, 'Only rsa-sha256 is supported')
+    if (!(algorithm === 'rsa-sha256' || (algorithm === 'hs2019' && this.#isRSAKey(publicKeyPem)))) {
+      throw createHttpError(401, 'Only rsa-sha256 or hs2019 with RSA supported')
     }
     if (!params.headers) {
       throw createHttpError(401, 'No headers provided')
@@ -192,4 +192,8 @@ export class HTTPSignature {
     verifier.end()
     return isValid
   }
+
+  #isRSAKey (publicKeyPem) {
+    return crypto.createPublicKey(publicKeyPem).asymmetricKeyType === 'rsa'
+  }
 }

package/lib/routes/collection.js

@@ -99,7 +99,7 @@ function collectionPageHandler (collection) {
           } catch (err) {
             req.log.debug(
               { err, remote: remote.id, object: object.id },
-              `Error checking read access`
+              'Error checking read access'
             )
             result = false
           }

package/lib/routes/inbox.js

@@ -35,7 +35,7 @@ router.post('/user/:username/inbox', async (req, res, next) => {
     return next(createHttpError(400, 'Invalid request body'))
   }
 
-  if (!deliverer.isActivity(activity)) {
+  if (!activity.isActivity()) {
     return next(createHttpError(400, 'Request body is not an activity'))
   }
 
@@ -49,7 +49,7 @@ router.post('/user/:username/inbox', async (req, res, next) => {
     return next(createHttpError(400, 'No actor id found in activity'))
   }
 
-  if (actor.id !== subject) {
+  if (actor.id !== subject && !(await bot.actorOK(subject, activity))) {
     return next(createHttpError(403, `${subject} is not the actor ${actor.id}`))
   }
 
@@ -71,11 +71,11 @@ router.post('/user/:username/inbox', async (req, res, next) => {
 })
 
 router.get('/user/:username/inbox', async (req, res, next) => {
-  return next(createHttpError(403, `No access to inbox collection`))
+  return next(createHttpError(403, 'No access to inbox collection'))
 })
 
 router.get('/user/:username/inbox/:n', async (req, res, next) => {
-  return next(createHttpError(403, `No access to inbox collection`))
+  return next(createHttpError(403, 'No access to inbox collection'))
 })
 
 export default router

package/lib/routes/sharedinbox.js

@@ -5,6 +5,19 @@ import http from 'node:http'
 
 const router = express.Router()
 
+async function asyncSome (array, asyncPredicate) {
+  for (let i = 0; i < array.length; i++) {
+    if (await asyncPredicate(array[i], i, array)) {
+      return true
+    }
+  }
+  return false
+}
+
+async function actorOK (subject, activity, bots) {
+  await asyncSome(Object.values(bots), bot => bot.actorOK(subject, activity))
+}
+
 router.post('/shared/inbox', async (req, res, next) => {
   const { bots, deliverer, logger } = req.app.locals
   const { subject } = req.auth
@@ -27,7 +40,7 @@ router.post('/shared/inbox', async (req, res, next) => {
     return next(createHttpError(400, 'Invalid request body'))
   }
 
-  if (!deliverer.isActivity(activity)) {
+  if (!activity.isActivity()) {
     return next(createHttpError(400, 'Request body is not an activity'))
   }
 
@@ -41,7 +54,7 @@ router.post('/shared/inbox', async (req, res, next) => {
     return next(createHttpError(400, 'No actor id found in activity'))
   }
 
-  if (actor.id !== subject) {
+  if (actor.id !== subject && !(await actorOK(subject, activity, bots))) {
     return next(createHttpError(403, `${subject} is not the actor ${actor.id}`))
   }
 

package/lib/urlformatter.js

@@ -20,9 +20,9 @@ export class UrlFormatter {
     let major = null
     if (type) {
       if (nanoid) {
-        major = `${base}/${type}/${nanoid}`
+        major = `${base}/${type.toLowerCase()}/${nanoid}`
       } else if (type === 'publickey') {
-        major = `${base}/${type}`
+        major = `${base}/${type.toLowerCase()}`
       } else {
         throw new Error('Cannot format URL without nanoid')
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evanp/activitypub-bot",
-  "version": "0.16.7",
+  "version": "0.18.0",
   "description": "server-side ActivityPub bot framework",
   "type": "module",
   "main": "lib/index.js",
@@ -9,7 +9,8 @@
   },
   "scripts": {
     "test": "NODE_ENV=test node --test",
-    "start": "npx activitypub-bot"
+    "start": "npx activitypub-bot",
+    "lint": "eslint ."
   },
   "repository": {
     "type": "git",
@@ -29,7 +30,7 @@
   "homepage": "https://github.com/evanp/activitypub-bot#readme",
   "dependencies": {
     "@isaacs/ttlcache": "^2.1.4",
-    "activitystrea.ms": "3.2",
+    "activitystrea.ms": "^3.3.0",
     "express": "^5.2.1",
     "http-errors": "^2.0.0",
     "humanhash": "^1.0.4",
@@ -42,9 +43,13 @@
     "sequelize": "^6.37.7"
   },
   "devDependencies": {
-    "@evanp/activitypub-nock": "^0.4.4",
+    "@evanp/activitypub-nock": "^0.5.0",
+    "eslint": "^8.57.1",
+    "eslint-config-standard": "^17.1.0",
+    "eslint-plugin-import": "^2.29.1",
+    "eslint-plugin-n": "^16.6.2",
+    "eslint-plugin-promise": "^6.6.0",
     "nock": "^14.0.5",
-    "standard": "^17.1.2",
     "supertest": "^7.1.4"
   },
   "optionalDependencies": {