@evanp/activitypub-bot 0.32.3 → 0.33.0

package/lib/activitydeliverer.js

@@ -1,8 +1,10 @@
-import BotMaker from './botmaker.js'
 import assert from 'node:assert'
-import as2 from './activitystreams.js'
+
 import * as ttlcachePkg from '@isaacs/ttlcache'
 
+import as2 from './activitystreams.js'
+import BotMaker from './botmaker.js'
+
 const TTLCache =
   ttlcachePkg.TTLCache ?? ttlcachePkg.default ?? ttlcachePkg
 

package/lib/activitydistributor.js

@@ -1,7 +1,9 @@
 import assert from 'node:assert'
-import as2 from './activitystreams.js'
+
 import { LRUCache } from 'lru-cache'
 
+import as2 from './activitystreams.js'
+
 const NS = 'https://www.w3.org/ns/activitystreams#'
 
 const COLLECTION_TYPES = [

package/lib/activityhandler.js

@@ -1,7 +1,9 @@
-import as2 from './activitystreams.js'
-import { nanoid } from 'nanoid'
 import assert from 'node:assert'
 
+import { nanoid } from 'nanoid'
+
+import as2 from './activitystreams.js'
+
 const AS2 = 'https://www.w3.org/ns/activitystreams#'
 
 const THREAD_PROP = 'https://purl.archive.org/socialweb/thread#thread'

package/lib/activitypubclient.js

@@ -1,11 +1,13 @@
-import as2 from './activitystreams.js'
-import fetch from 'node-fetch'
 import assert from 'node:assert'
-import createHttpError from 'http-errors'
 import fs from 'node:fs'
 import path from 'node:path'
 import { fileURLToPath } from 'node:url'
 
+import fetch from 'node-fetch'
+import createHttpError from 'http-errors'
+
+import as2 from './activitystreams.js'
+
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
 

package/lib/botcontext.js

@@ -1,8 +1,10 @@
 import assert from 'node:assert'
-import as2 from './activitystreams.js'
+
 import { nanoid } from 'nanoid'
 import fetch from 'node-fetch'
 
+import as2 from './activitystreams.js'
+
 const AS2_TYPES = [
   'application/activity+json',
   'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'

package/lib/httpsignature.js

@@ -1,7 +1,8 @@
-import createHttpError from 'http-errors'
 import crypto from 'node:crypto'
 import assert from 'node:assert'
 
+import createHttpError from 'http-errors'
+
 export class HTTPSignature {
   static #maxDateDiff = 5 * 60 * 1000 // 5 minutes
   #logger = null

package/lib/httpsignatureauthenticator.js

@@ -1,4 +1,5 @@
 import createHttpError from 'http-errors'
+
 import BotMaker from './botmaker.js'
 
 export class HTTPSignatureAuthenticator {

package/lib/keystorage.js

@@ -1,8 +1,9 @@
-import { promisify } from 'util'
+import { promisify } from 'node:util'
 import crypto from 'node:crypto'
-import HumanHasher from 'humanhash'
 import assert from 'node:assert'
 
+import HumanHasher from 'humanhash'
+
 const generateKeyPair = promisify(crypto.generateKeyPair)
 
 export class KeyStorage {

package/lib/migrations/index.js

@@ -1,6 +1,6 @@
-import { fileURLToPath } from 'url'
-import { dirname, resolve } from 'path'
-import { readdirSync } from 'fs'
+import { fileURLToPath } from 'node:url'
+import { dirname, resolve } from 'node:path'
+import { readdirSync } from 'node:fs'
 
 const __dirname = dirname(fileURLToPath(import.meta.url))
 

package/lib/remotekeystorage.js

@@ -1,4 +1,7 @@
+import assert from 'node:assert'
+
 const SEC_NS = 'https://w3id.org/security#'
+const DEFAULT_NS = '_:'
 
 export class RemoteKeyStorage {
   #client = null
@@ -27,6 +30,10 @@ export class RemoteKeyStorage {
       this.debug(`getPublicKey(${id}) - remote not found`)
       return null
     }
+    if (!await this.#confirmPublicKey(remote.owner, id)) {
+      this.#logger.warn({ owner: remote.owner, id }, 'Mismatched owner and key')
+      return null
+    }
     await this.#cachePublicKey(id, remote.owner, remote.publicKeyPem)
     return remote
   }
@@ -55,21 +62,11 @@ export class RemoteKeyStorage {
     if (!response) {
       return null
     }
-    this.debug(`getRemotePublicKey(${id}) - response: ${await response.id}`)
-    let owner = null
-    let publicKeyPem = null
-    if (response.get(SEC_NS + 'publicKeyPem')) {
-      this.debug(`getRemotePublicKey(${id}) - publicKeyPem`)
-      owner = response.get(SEC_NS + 'owner')?.first?.id
-      publicKeyPem = response.get(SEC_NS + 'publicKeyPem')?.first
-    } else if (response.get(SEC_NS + 'publicKey')) {
-      this.debug(`getRemotePublicKey(${id}) - publicKey`)
-      const publicKey = response.get(SEC_NS + 'publicKey').first
-      if (publicKey) {
-        owner = publicKey.get(SEC_NS + 'owner')?.first?.id
-        publicKeyPem = publicKey.get(SEC_NS + 'publicKeyPem')?.first
-      }
-    }
+    this.debug(`getRemotePublicKey(${id}) - response: ${response.id}`)
+
+    const owner = this.#getOwner(response)
+    const publicKeyPem = this.#getPublicKeyPem(response)
+
     if (!owner || !publicKeyPem) {
       return null
     }
@@ -89,4 +86,72 @@ export class RemoteKeyStorage {
       this.#logger.debug(...args)
     }
   }
+
+  async #confirmPublicKey (owner, id) {
+    assert.equal(typeof owner, 'string')
+    assert.equal(typeof id, 'string')
+    let actor
+
+    try {
+      actor = await this.#client.get(owner)
+    } catch (err) {
+      this.#logger.warn({ err, owner, id }, 'Error getting key owner')
+      return false
+    }
+
+    const publicKeyId = this.#getPublicKeyId(actor)
+
+    if (!publicKeyId) {
+      return false
+    }
+
+    return publicKeyId === id
+  }
+
+  #getSecIdProp (obj, prop) {
+    assert.strictEqual(typeof obj, 'object')
+    assert.strictEqual(typeof prop, 'string')
+    let value = obj.get(SEC_NS + prop)
+    if (value) {
+      return value.first?.id
+    }
+    value = obj.get(DEFAULT_NS + prop)
+    if (value) {
+      this.#logger.warn(
+        { objectId: obj.id, prop },
+        'security property in default namespace'
+      )
+      const first = value.first
+      return (typeof first === 'string') ? first : first?.id
+    }
+    return null
+  }
+
+  #getOwner (obj) {
+    assert.strictEqual(typeof obj, 'object')
+    return this.#getSecIdProp(obj, 'owner')
+  }
+
+  #getPublicKeyPem (obj) {
+    assert.strictEqual(typeof obj, 'object')
+    const prop = 'publicKeyPem'
+    let value = obj.get(SEC_NS + prop)
+    if (value) {
+      return value.first
+    }
+    value = obj.get(DEFAULT_NS + prop)
+    if (value) {
+      this.#logger.warn(
+        { objectId: obj.id, prop },
+        'security property in default namespace'
+      )
+      return value.first
+    }
+    return null
+  }
+
+  #getPublicKeyId (obj) {
+    assert.strictEqual(typeof obj, 'object')
+    return this.#getSecIdProp(obj, 'publicKey')
+  }
 }

package/lib/routes/collection.js

@@ -1,8 +1,10 @@
+import assert from 'node:assert'
+
 import express from 'express'
-import as2 from '../activitystreams.js'
 import createHttpError from 'http-errors'
+
+import as2 from '../activitystreams.js'
 import BotMaker from '../botmaker.js'
-import assert from 'node:assert'
 
 const collections = ['outbox', 'liked', 'followers', 'following']
 const router = express.Router()

package/lib/routes/inbox.js

@@ -1,8 +1,10 @@
+import http from 'node:http'
+
 import express from 'express'
-import as2 from '../activitystreams.js'
 import createHttpError from 'http-errors'
+
+import as2 from '../activitystreams.js'
 import BotMaker from '../botmaker.js'
-import http from 'node:http'
 
 const router = express.Router()
 

package/lib/routes/object.js

@@ -1,7 +1,8 @@
 import express from 'express'
-import as2 from '../activitystreams.js'
 import createHttpError from 'http-errors'
 
+import as2 from '../activitystreams.js'
+
 const router = express.Router()
 
 export default router

package/lib/routes/sharedinbox.js

@@ -1,7 +1,9 @@
+import http from 'node:http'
+
 import express from 'express'
-import as2 from '../activitystreams.js'
 import createHttpError from 'http-errors'
-import http from 'node:http'
+
+import as2 from '../activitystreams.js'
 
 const router = express.Router()
 

package/lib/routes/webfinger.js

@@ -33,6 +33,26 @@ async function botWebfinger (username, req, res, next) {
   })
 }
 
+async function profileWebfinger (username, profileUrl, req, res, next) {
+  const { formatter, bots } = req.app.locals
+  const bot = await BotMaker.makeBot(bots, username)
+  if (!bot) {
+    return next(createHttpError(404, `No such bot '${username}'`))
+  }
+  res.status(200)
+  res.type('application/jrd+json')
+  res.json({
+    subject: profileUrl,
+    links: [
+      {
+        rel: 'alternate',
+        type: 'application/activity+json',
+        href: formatter.format({ username })
+      }
+    ]
+  })
+}
+
 async function httpsWebfinger (resource, req, res, next) {
   const { formatter } = req.app.locals
   assert.ok(formatter)
@@ -42,6 +62,8 @@ async function httpsWebfinger (resource, req, res, next) {
   const parts = formatter.unformat(resource)
   if (parts.username && !parts.type && !parts.collection) {
     return await botWebfinger(parts.username, req, res, next)
+  } else if (parts.username && parts.type === 'profile') {
+    return await profileWebfinger(parts.username, resource, req, res, next)
   } else {
     return next(createHttpError(400, `No webfinger lookup for url ${resource}`))
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evanp/activitypub-bot",
-  "version": "0.32.3",
+  "version": "0.33.0",
   "description": "server-side ActivityPub bot framework",
   "type": "module",
   "main": "lib/index.js",