@evanp/activitypub-bot 0.30.5 → 0.31.0

package/README.md

@@ -145,6 +145,8 @@ export default {
 }
 ```
 
+The bot name that matches the domain of the server is reserved for server activities (usually fetching remote objects that require a signature). If you use the domain name in the bot config, it will be silently overwritten. The domain name will also not be provided to the wildcard bot factory, if defined.
+
 ### Pre-installed bot classes
 
 The following bot classes are pre-installed with the server.

package/lib/activitypubclient.js

@@ -50,10 +50,12 @@ export class ActivityPubClient {
     this.#limiter = limiter
   }
 
-  async get (url, username = null) {
+  async get (url, username = this.#urlFormatter.hostname) {
     assert.ok(url)
     assert.equal(typeof url, 'string')
-    assert.ok(username === null || username !== '*')
+    assert.ok(username)
+    assert.equal(typeof username, 'string')
+    assert.ok(username !== '*')
     const res = await this.#getRes(url, username, true)
     return await this.#handleRes(res, url)
   }
@@ -61,17 +63,19 @@ export class ActivityPubClient {
   async getKey (url) {
     assert.ok(url)
     assert.equal(typeof url, 'string')
-    let res = await this.#getRes(url, null, false)
+    let res = await this.#getRes(url, this.#urlFormatter.hostname, false)
     if ([401, 403, 404].includes(res.status)) {
       // If we get a 401, 403, or 404, we should try again with the key
-      res = await this.#getRes(url, null, true)
+      res = await this.#getRes(url, this.#urlFormatter.hostname, true)
     }
     return await this.#handleRes(res, url)
   }
 
-  async #getRes (url, username = null, sign = false) {
+  async #getRes (url, username = this.#urlFormatter.hostname, sign = false) {
     assert.ok(url)
     assert.equal(typeof url, 'string')
+    assert.ok(username)
+    assert.equal(typeof username, 'string')
     const date = new Date().toUTCString()
     const headers = {
       accept: ActivityPubClient.#accept,
@@ -176,10 +180,9 @@ export class ActivityPubClient {
     assert.ok(url)
     assert.ok(method)
     assert.ok(headers)
+    assert.ok(username)
     const privateKey = await this.#keyStorage.getPrivateKey(username)
-    const keyId = (username)
-      ? this.#urlFormatter.format({ username, type: 'publickey' })
-      : this.#urlFormatter.format({ server: true, type: 'publickey' })
+    const keyId = this.#urlFormatter.format({ username, type: 'publickey' })
     return this.#signer.sign({ privateKey, keyId, url, method, headers })
   }
 
@@ -189,13 +192,12 @@ export class ActivityPubClient {
       : COLLECTION_TYPES.includes(obj.type)
   }
 
-  async * items (id, username = null) {
+  async * items (id, username = this.#urlFormatter.hostname) {
     assert.ok(id)
     assert.equal(typeof id, 'string')
-    assert.ok(
-      username === null ||
-      (typeof username === 'string' && username !== '*')
-    )
+    assert.ok(username)
+    assert.equal(typeof username, 'string')
+    assert.ok(username !== '*')
 
     const coll = await this.get(id, username)
 

package/lib/app.js

@@ -38,6 +38,7 @@ import { JobReaper } from './jobreaper.js'
 import { DeliveryWorker } from './deliveryworker.js'
 import { DistributionWorker } from './distributionworker.js'
 import { RateLimiter } from '../lib/ratelimiter.js'
+import DoNothingBot from './bots/donothing.js'
 
 const currentDir = dirname(fileURLToPath(import.meta.url))
 const DEFAULT_INDEX_FILENAME = resolve(currentDir, '..', 'web', 'index.html')
@@ -113,6 +114,25 @@ export async function makeApp ({ databaseUrl, origin, bots, logLevel = 'silent',
     ))
   )
 
+  // Special server bot
+
+  const domain = URL.parse(origin).hostname
+  bots[domain] = new DoNothingBot(domain, {
+    fullname: domain,
+    checkSignature: false
+  })
+  await bots[domain].initialize(new BotContext(
+    domain,
+    botDataStorage,
+    objectStorage,
+    actorStorage,
+    client,
+    distributor,
+    formatter,
+    transformer,
+    logger
+  ))
+
   const deliveryWorkers = new Array(deliveryWorkerCount)
   const deliveryWorkerRuns = new Array(deliveryWorkerCount)
 
@@ -188,15 +208,20 @@ export async function makeApp ({ databaseUrl, origin, bots, logLevel = 'silent',
     }
   }))
 
-  app.use(signature.authenticate.bind(signature))
+  // These should not check HTTP Signature even if provided
 
   app.use('/', serverRouter)
+  app.use('/', healthRouter)
+  app.use('/', webfingerRouter)
+
+  // These should check HTTP Signature if provided
+
+  app.use(signature.authenticate.bind(signature))
+
   app.use('/', userRouter)
   app.use('/', collectionRouter)
   app.use('/', inboxRouter)
   app.use('/', objectRouter)
-  app.use('/', healthRouter)
-  app.use('/', webfingerRouter)
   app.use('/', sharedInboxRouter)
 
   app.use(async (req, res) => {

package/lib/bot.js

@@ -1,9 +1,13 @@
 export default class Bot {
   #context = null
   #username = null
+  #checkSignature
 
-  constructor (username) {
+  constructor (username, options = {}) {
     this.#username = username
+    this.#checkSignature = ('checkSignature' in options)
+      ? options.checkSignature
+      : true
   }
 
   async initialize (context) {
@@ -25,6 +29,10 @@ export default class Bot {
     return this.#username
   }
 
+  get checkSignature () {
+    return this.#checkSignature
+  }
+
   get _context () {
     return this.#context
   }

package/lib/bots/donothing.js

@@ -1,11 +1,23 @@
 import Bot from '../bot.js'
 
+const DEFAULT_FULLNAME = 'Do Nothing Bot'
+const DEFAULT_DESCRIPTION = 'A bot that does nothing.'
+
 export default class DoNothingBot extends Bot {
+  #fullname
+  #description
+
+  constructor (username, options = {}) {
+    super(username, options)
+    this.#fullname = options.fullname || DEFAULT_FULLNAME
+    this.#description = options.description || DEFAULT_DESCRIPTION
+  }
+
   get fullname () {
-    return 'Do Nothing Bot'
+    return this.#fullname
   }
 
   get description () {
-    return 'A bot that does nothing.'
+    return this.#description
   }
 }

package/lib/bots/followback.js

@@ -7,10 +7,10 @@ export default class FollowBackBot extends Bot {
   #fullname
   #description
 
-  constructor (username, { fullname = DEFAULT_NAME, description = DEFAULT_DESCRIPTION } = {}) {
-    super(username)
-    this.#fullname = fullname
-    this.#description = description
+  constructor (username, options = {}) {
+    super(username, options)
+    this.#fullname = options.fullname || DEFAULT_NAME
+    this.#description = options.description || DEFAULT_DESCRIPTION
   }
 
   get fullname () {

package/lib/bots/relayclient.js

@@ -8,10 +8,10 @@ export default class RelayClientBot extends Bot {
   #relay
   #unsubscribe
 
-  constructor (username, relay, unsubscribe = null) {
-    super(username)
-    this.#relay = relay
-    this.#unsubscribe = !!unsubscribe
+  constructor (username, options = {}) {
+    super(username, options)
+    this.#relay = options.relay
+    this.#unsubscribe = !!options.unsubscribe
   }
 
   get fullname () {

package/lib/httpsignatureauthenticator.js

@@ -1,4 +1,5 @@
 import createHttpError from 'http-errors'
+import BotMaker from './botmaker.js'
 
 export class HTTPSignatureAuthenticator {
   static #maxDateDiff = 5 * 60 * 1000 // 5 minutes
@@ -19,6 +20,26 @@ export class HTTPSignatureAuthenticator {
       // Just continue
       return next()
     }
+    const { formatter, origin, bots } = req.app.locals
+    const originalUrl = req.originalUrl
+    const fullUrl = `${origin}${originalUrl}`
+    let parts
+    try {
+      parts = formatter.unformat(fullUrl)
+    } catch (err) {
+      // do nothing
+      this.#logger.debug({ fullUrl, err }, 'Could not unformat')
+    }
+    if (parts && parts.username) {
+      this.#logger.debug({ username: parts.username }, 'Request for bot')
+      const bot = await BotMaker.makeBot(bots, parts.username)
+      if (!bot) {
+        this.#logger.warn({ username: parts.username }, 'no such bot')
+      } else if (!bot.checkSignature) {
+        this.#logger.debug({ username: parts.username }, 'bot says no sig')
+        return next()
+      }
+    }
     this.#logger.debug({ signature }, 'Got signed request')
     const date = req.get('Date')
     if (!date) {
@@ -45,7 +66,6 @@ export class HTTPSignatureAuthenticator {
       }
     }
     const { method, headers } = req
-    const originalUrl = req.originalUrl
     this.#logger.debug({ originalUrl }, 'original URL')
     try {
       const keyId = this.#signer.keyId(signature)

package/lib/keystorage.js

@@ -17,8 +17,8 @@ export class KeyStorage {
     this.#hasher = new HumanHasher()
   }
 
-  async getPublicKey (username = null) {
-    assert.ok(username === null || typeof username === 'string')
+  async getPublicKey (username) {
+    assert.equal(typeof username, 'string')
     assert.ok(username !== '*')
     this.#logger.debug(
       { username, method: 'KeyStorage.getPublicKey' },
@@ -27,8 +27,8 @@ export class KeyStorage {
     return publicKey
   }
 
-  async getPrivateKey (username = null) {
-    assert.ok(username === null || typeof username === 'string')
+  async getPrivateKey (username) {
+    assert.equal(typeof username, 'string')
     assert.ok(username !== '*')
     this.#logger.debug(
       { username, method: 'KeyStorage.getPrivateKey' },
@@ -38,12 +38,10 @@ export class KeyStorage {
   }
 
   async #getKeys (username) {
+    assert.equal(typeof username, 'string')
+    assert.ok(username !== '*')
     let privateKey
     let publicKey
-    // system key uses username null but primary key can't be null
-    if (!username) {
-      username = ''
-    }
     const [result] = await this.#connection.query(
       'SELECT public_key, private_key FROM new_keys WHERE username = ?',
       { replacements: [username] }

package/lib/routes/server.js

@@ -1,5 +1,4 @@
 import express from 'express'
-import as2 from '../activitystreams.js'
 
 const router = express.Router()
 
@@ -9,65 +8,4 @@ router.get('/', async (req, res) => {
   res.sendFile(indexFileName)
 })
 
-router.get('/actor', async (req, res) => {
-  const { formatter, keyStorage, origin } = req.app.locals
-  const homepage = `${origin}/`
-  const publicKeyPem = await keyStorage.getPublicKey(null)
-  const acct = formatter.acct()
-  const webfinger = acct.slice(5)
-  const [username] = webfinger.split('@', 1)
-  const server = await as2.import({
-    '@context': [
-      'https://www.w3.org/ns/activitystreams',
-      'https://w3id.org/security/v1',
-      'https://purl.archive.org/socialweb/webfinger'
-    ],
-    id: formatter.format({ server: true }),
-    type: 'Service',
-    to: 'as:Public',
-    name: username,
-    preferredUsername: username,
-    alsoKnownAs: acct,
-    webfinger,
-    publicKey: {
-      publicKeyPem,
-      id: formatter.format({ server: true, type: 'publickey' }),
-      owner: formatter.format({ server: true }),
-      type: 'CryptographicKey',
-      to: 'as:Public'
-    },
-    url: {
-      type: 'Link',
-      mediaType: 'text/html',
-      href: homepage
-    }
-  })
-  const body = await server.export({ useOriginalContext: true })
-  res.status(200)
-  res.type(as2.mediaType)
-  res.json(body)
-})
-
-router.get('/publickey', async (req, res) => {
-  const { formatter, keyStorage } = req.app.locals
-  const publicKeyPem = await keyStorage.getPublicKey(null)
-  const publicKey = await as2.import({
-    '@context': [
-      'https://www.w3.org/ns/activitystreams',
-      'https://w3id.org/security/v1'
-    ],
-    publicKeyPem,
-    id: formatter.format({ server: true, type: 'publickey' }),
-    owner: formatter.format({ server: true }),
-    type: 'CryptographicKey',
-    to: 'as:Public'
-  })
-  res.status(200)
-  res.type(as2.mediaType)
-  const body = await publicKey.prettyWrite(
-    { additional_context: 'https://w3id.org/security/v1' }
-  )
-  res.end(body)
-})
-
 export default router

package/lib/routes/webfinger.js

@@ -28,24 +28,6 @@ async function botWebfinger (username, req, res, next) {
   })
 }
 
-async function serverWebfinger (req, res, next) {
-  const { formatter } = req.app.locals
-  const webfinger = formatter.acct()
-  const id = formatter.format({ server: true })
-  res.status(200)
-  res.type('application/jrd+json')
-  res.json({
-    subject: webfinger,
-    links: [
-      {
-        rel: 'self',
-        type: 'application/activity+json',
-        href: id
-      }
-    ]
-  })
-}
-
 async function httpsWebfinger (resource, req, res, next) {
   const { formatter } = req.app.locals
   assert.ok(formatter)
@@ -53,11 +35,7 @@ async function httpsWebfinger (resource, req, res, next) {
     return next(createHttpError(400, 'Only local URLs'))
   }
   const parts = formatter.unformat(resource)
-  if (parts.server && !parts.type) {
-    return await serverWebfinger(req, res, next)
-  } else if (
-    !parts.server && parts.username && !parts.type && !parts.collection
-  ) {
+  if (parts.username && !parts.type && !parts.collection) {
     return await botWebfinger(parts.username, req, res, next)
   } else {
     return next(createHttpError(400, `No webfinger lookup for url ${resource}`))
@@ -73,11 +51,7 @@ async function acctWebfinger (resource, req, res, next) {
   if (domain !== host) {
     return next(createHttpError(400, `Invalid domain ${domain} in resource parameter`))
   }
-  if (username === domain) {
-    return await serverWebfinger(req, res, next)
-  } else {
-    return await botWebfinger(username, req, res, next)
-  }
+  return await botWebfinger(username, req, res, next)
 }
 
 router.get('/.well-known/webfinger', async (req, res, next) => {

package/lib/urlformatter.js

@@ -14,7 +14,7 @@ export class UrlFormatter {
   format ({ username, type, nanoid, collection, page, server }) {
     let base = null
     if (server) {
-      base = `${this.#origin}`
+      return this.format({ username: this.#hostname, type, nanoid, collection, page, server: false })
     } else if (username) {
       base = `${this.#origin}/user/${username}`
     } else {
@@ -69,16 +69,14 @@ export class UrlFormatter {
     }
     let pathParts = parsed.pathname.slice(1).split('/')
     if (pathParts.length > 0 && pathParts[0] === 'user') {
-      parts.server = false
       parts.username = pathParts[1]
       pathParts = pathParts.slice(2)
-    } else {
-      parts.server = true
+      parts.server = (parts.username === this.#hostname)
     }
     if (pathParts.length > 0) {
       if (USER_COLLECTIONS.includes(pathParts[0])) {
         parts.collection = pathParts[0]
-      } else if (pathParts[0] !== 'actor') {
+      } else {
         parts.type = pathParts[0]
       }
     }
@@ -111,4 +109,8 @@ export class UrlFormatter {
       ? `acct:${username}@${this.#hostname}`
       : `acct:${this.#hostname}@${this.#hostname}`
   }
+
+  get hostname () {
+    return this.#hostname
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evanp/activitypub-bot",
-  "version": "0.30.5",
+  "version": "0.31.0",
   "description": "server-side ActivityPub bot framework",
   "type": "module",
   "main": "lib/index.js",