@evanp/activitypub-bot 0.32.3 → 0.34.0

package/lib/activitydeliverer.js

@@ -1,8 +1,10 @@
-import BotMaker from './botmaker.js'
 import assert from 'node:assert'
-import as2 from './activitystreams.js'
+
 import * as ttlcachePkg from '@isaacs/ttlcache'
 
+import as2 from './activitystreams.js'
+import BotMaker from './botmaker.js'
+
 const TTLCache =
   ttlcachePkg.TTLCache ?? ttlcachePkg.default ?? ttlcachePkg
 
@@ -158,6 +160,20 @@ export class ActivityDeliverer {
         }
       }
     }
+
+    switch (activity.type) {
+      case `${NS}Follow`:
+        await this.#deliverFollowToAll(activity, bots, deliveredTo)
+        break
+    }
+  }
+
+  async #deliverFollowToAll (activity, bots, deliveredTo) {
+    const object = activity.object?.first
+    if (object?.id && this.#isLocal(object) && !deliveredTo.has(this.#formatter.unformat(object.id).username)) {
+      this.#logger.debug({ object: object.id, activity: activity.id }, 'Follow not yet delivered to object, delivering now')
+      await this.#deliverLocalActor(activity, object, bots, deliveredTo)
+    }
   }
 
   async #isRemoteFollowersCollection (actor, object) {

package/lib/activitydistributor.js

@@ -1,7 +1,9 @@
 import assert from 'node:assert'
-import as2 from './activitystreams.js'
+
 import { LRUCache } from 'lru-cache'
 
+import as2 from './activitystreams.js'
+
 const NS = 'https://www.w3.org/ns/activitystreams#'
 
 const COLLECTION_TYPES = [

package/lib/activityhandler.js

@@ -1,7 +1,9 @@
-import as2 from './activitystreams.js'
-import { nanoid } from 'nanoid'
 import assert from 'node:assert'
 
+import { nanoid } from 'nanoid'
+
+import as2 from './activitystreams.js'
+
 const AS2 = 'https://www.w3.org/ns/activitystreams#'
 
 const THREAD_PROP = 'https://purl.archive.org/socialweb/thread#thread'
@@ -632,16 +634,15 @@ export class ActivityHandler {
         'following',
         actor
       )
-      await this.#actorStorage.removeFromCollection(
-        bot.username,
-        'pendingFollowing',
-        actor
-      )
-      await this.#actorStorage.removeFromCollection(
-        bot.username,
-        'pendingFollowers',
-        actor
-      )
+      const followId = await this.#actorStorage.getLastActivity(bot.username, 'Follow', actor)
+      if (followId) {
+        const followActivity = await this.#objectStorage.read(followId)
+        await this.#actorStorage.removeFromCollection(
+          bot.username,
+          'pendingFollowing',
+          followActivity
+        )
+      }
     }
   }
 
@@ -827,11 +828,9 @@ export class ActivityHandler {
       })
       return
     }
-    if (
-      !(await this.#actorStorage.isInCollection(bot.username, 'followers', actor)) &&
-      !(await this.#actorStorage.isInCollection(bot.username, 'pendingFollowers', actor))) {
+    if (!(await this.#actorStorage.isInCollection(bot.username, 'followers', actor))) {
       this.#logger.warn({
-        msg: 'Undo follow activity from actor not in followers or pendingFollowers',
+        msg: 'Undo follow activity from actor not in followers',
         activity: undoActivity.id,
         followActivity: followActivity.id,
         actor: actor.id
@@ -839,7 +838,6 @@ export class ActivityHandler {
       return
     }
     await this.#actorStorage.removeFromCollection(bot.username, 'followers', actor)
-    await this.#actorStorage.removeFromCollection(bot.username, 'pendingFollowers', actor)
     this.#logger.debug(
       { bot: this.#botId(bot), activity: undoActivity.id },
       'Notifying bot of undo follow activity'

package/lib/activitypubclient.js

@@ -1,11 +1,13 @@
-import as2 from './activitystreams.js'
-import fetch from 'node-fetch'
 import assert from 'node:assert'
-import createHttpError from 'http-errors'
 import fs from 'node:fs'
 import path from 'node:path'
 import { fileURLToPath } from 'node:url'
 
+import fetch from 'node-fetch'
+import createHttpError from 'http-errors'
+
+import as2 from './activitystreams.js'
+
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
 

package/lib/botcontext.js

@@ -1,8 +1,10 @@
 import assert from 'node:assert'
-import as2 from './activitystreams.js'
+
 import { nanoid } from 'nanoid'
 import fetch from 'node-fetch'
 
+import as2 from './activitystreams.js'
+
 const AS2_TYPES = [
   'application/activity+json',
   'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
@@ -225,8 +227,7 @@ export class BotContext {
     assert.ok(actor)
     assert.equal(typeof actor, 'object')
     let activity
-    if (await this.#actorStorage.isInCollection(this.#botId, 'following', actor) ||
-        await this.#actorStorage.isInCollection(this.#botId, 'pendingFollowing', actor)) {
+    if (await this.#actorStorage.isInCollection(this.#botId, 'following', actor)) {
       const originalId = await this.#actorStorage.getLastActivity(
         this.#botId,
         'Follow',
@@ -237,17 +238,24 @@ export class BotContext {
       }
       activity = await this.#objectStorage.read(originalId)
     } else {
-      await this.#actorStorage.addToCollection(
-        this.#botId,
-        'pendingFollowing',
-        actor
-      )
+      const pendingId = await this.#actorStorage.getLastActivity(this.#botId, 'Follow', actor)
+      if (pendingId) {
+        const pendingActivity = await this.#objectStorage.read(pendingId)
+        if (await this.#actorStorage.isInCollection(this.#botId, 'pendingFollowing', pendingActivity)) {
+          return pendingActivity
+        }
+      }
       activity = await this.#doActivity({
         type: 'Follow',
         object: actor.id,
         to: actor.id
       })
       await this.#actorStorage.setLastActivity(this.#botId, activity)
+      await this.#actorStorage.addToCollection(
+        this.#botId,
+        'pendingFollowing',
+        activity
+      )
     }
 
     return activity
@@ -256,11 +264,15 @@ export class BotContext {
   async unfollowActor (actor) {
     assert.ok(actor)
     assert.equal(typeof actor, 'object')
-    await this.#actorStorage.removeFromCollection(
-      this.#botId,
-      'pendingFollowing',
-      actor
-    )
+    const followId = await this.#actorStorage.getLastActivity(this.#botId, 'Follow', actor)
+    if (followId) {
+      const followActivity = await this.#objectStorage.read(followId)
+      await this.#actorStorage.removeFromCollection(
+        this.#botId,
+        'pendingFollowing',
+        followActivity
+      )
+    }
     await this.#actorStorage.removeFromCollection(
       this.#botId,
       'following',
@@ -273,11 +285,14 @@ export class BotContext {
     assert.ok(actor)
     assert.equal(typeof actor, 'object')
     await this.#actorStorage.addToCollection(this.#botId, 'blocked', actor)
+    const followId = await this.#actorStorage.getLastActivity(this.#botId, 'Follow', actor)
+    if (followId) {
+      const followActivity = await this.#objectStorage.read(followId)
+      await this.#actorStorage.removeFromCollection(this.#botId, 'pendingFollowing', followActivity)
+    }
     for (const coll of [
       'following',
-      'followers',
-      'pendingFollowing',
-      'pendingFollowers'
+      'followers'
     ]) {
       await this.#actorStorage.removeFromCollection(this.#botId, coll, actor)
     }

package/lib/httpsignature.js

@@ -1,7 +1,8 @@
-import createHttpError from 'http-errors'
 import crypto from 'node:crypto'
 import assert from 'node:assert'
 
+import createHttpError from 'http-errors'
+
 export class HTTPSignature {
   static #maxDateDiff = 5 * 60 * 1000 // 5 minutes
   #logger = null

package/lib/httpsignatureauthenticator.js

@@ -1,4 +1,5 @@
 import createHttpError from 'http-errors'
+
 import BotMaker from './botmaker.js'
 
 export class HTTPSignatureAuthenticator {

package/lib/keystorage.js

@@ -1,8 +1,9 @@
-import { promisify } from 'util'
+import { promisify } from 'node:util'
 import crypto from 'node:crypto'
-import HumanHasher from 'humanhash'
 import assert from 'node:assert'
 
+import HumanHasher from 'humanhash'
+
 const generateKeyPair = promisify(crypto.generateKeyPair)
 
 export class KeyStorage {

package/lib/migrations/index.js

@@ -1,6 +1,6 @@
-import { fileURLToPath } from 'url'
-import { dirname, resolve } from 'path'
-import { readdirSync } from 'fs'
+import { fileURLToPath } from 'node:url'
+import { dirname, resolve } from 'node:path'
+import { readdirSync } from 'node:fs'
 
 const __dirname = dirname(fileURLToPath(import.meta.url))
 

package/lib/ratelimiter.js

@@ -55,7 +55,38 @@ export class RateLimiter {
             updated_at = CURRENT_TIMESTAMP`,
         { replacements: [host, remaining, reset] }
       )
+    } else if (headers.get('server') === 'Mastodon') {
+      const limits = await this.peek(host)
+      if (!limits || limits.length === 0 || limits[0].reset < (new Date())) {
+        const remaining = 299 // 300 - 1 for the current request
+        const reset = new Date(Math.ceil(Date.now() / 300000) * 300000)
+        this.#logger.debug({ reset, remaining, host }, 'updating')
+        await this.#connection.query(
+        `INSERT INTO rate_limit (host, remaining, reset)
+        VALUES (?, ?, ?)
+        ON CONFLICT (host) DO UPDATE
+        SET remaining = EXCLUDED.remaining,
+            reset = EXCLUDED.reset,
+            updated_at = CURRENT_TIMESTAMP`,
+        { replacements: [host, remaining, reset] }
+        )
+      }
+    }
+  }
+
+  async peek (host) {
+    const [result] = await this.#connection.query(
+      'SELECT remaining, reset FROM rate_limit WHERE host = ?',
+      { replacements: [host] }
+    )
+
+    if (result.length === 0) {
+      return []
     }
+
+    const { remaining, reset } = result[0]
+
+    return [{ policy: 'default', remaining, reset: new Date(reset) }]
   }
 
   async #getWaitTime (host, maxWaitTime) {

package/lib/remotekeystorage.js

@@ -1,4 +1,7 @@
+import assert from 'node:assert'
+
 const SEC_NS = 'https://w3id.org/security#'
+const DEFAULT_NS = '_:'
 
 export class RemoteKeyStorage {
   #client = null
@@ -27,6 +30,10 @@ export class RemoteKeyStorage {
       this.debug(`getPublicKey(${id}) - remote not found`)
       return null
     }
+    if (!await this.#confirmPublicKey(remote.owner, id)) {
+      this.#logger.warn({ owner: remote.owner, id }, 'Mismatched owner and key')
+      return null
+    }
     await this.#cachePublicKey(id, remote.owner, remote.publicKeyPem)
     return remote
   }
@@ -55,21 +62,11 @@ export class RemoteKeyStorage {
     if (!response) {
       return null
     }
-    this.debug(`getRemotePublicKey(${id}) - response: ${await response.id}`)
-    let owner = null
-    let publicKeyPem = null
-    if (response.get(SEC_NS + 'publicKeyPem')) {
-      this.debug(`getRemotePublicKey(${id}) - publicKeyPem`)
-      owner = response.get(SEC_NS + 'owner')?.first?.id
-      publicKeyPem = response.get(SEC_NS + 'publicKeyPem')?.first
-    } else if (response.get(SEC_NS + 'publicKey')) {
-      this.debug(`getRemotePublicKey(${id}) - publicKey`)
-      const publicKey = response.get(SEC_NS + 'publicKey').first
-      if (publicKey) {
-        owner = publicKey.get(SEC_NS + 'owner')?.first?.id
-        publicKeyPem = publicKey.get(SEC_NS + 'publicKeyPem')?.first
-      }
-    }
+    this.debug(`getRemotePublicKey(${id}) - response: ${response.id}`)
+
+    const owner = this.#getOwner(response)
+    const publicKeyPem = this.#getPublicKeyPem(response)
+
     if (!owner || !publicKeyPem) {
       return null
     }
@@ -89,4 +86,72 @@ export class RemoteKeyStorage {
       this.#logger.debug(...args)
     }
   }
+
+  async #confirmPublicKey (owner, id) {
+    assert.equal(typeof owner, 'string')
+    assert.equal(typeof id, 'string')
+    let actor
+
+    try {
+      actor = await this.#client.get(owner)
+    } catch (err) {
+      this.#logger.warn({ err, owner, id }, 'Error getting key owner')
+      return false
+    }
+
+    const publicKeyId = this.#getPublicKeyId(actor)
+
+    if (!publicKeyId) {
+      return false
+    }
+
+    return publicKeyId === id
+  }
+
+  #getSecIdProp (obj, prop) {
+    assert.strictEqual(typeof obj, 'object')
+    assert.strictEqual(typeof prop, 'string')
+    let value = obj.get(SEC_NS + prop)
+    if (value) {
+      return value.first?.id
+    }
+    value = obj.get(DEFAULT_NS + prop)
+    if (value) {
+      this.#logger.warn(
+        { objectId: obj.id, prop },
+        'security property in default namespace'
+      )
+      const first = value.first
+      return (typeof first === 'string') ? first : first?.id
+    }
+    return null
+  }
+
+  #getOwner (obj) {
+    assert.strictEqual(typeof obj, 'object')
+    return this.#getSecIdProp(obj, 'owner')
+  }
+
+  #getPublicKeyPem (obj) {
+    assert.strictEqual(typeof obj, 'object')
+    const prop = 'publicKeyPem'
+    let value = obj.get(SEC_NS + prop)
+    if (value) {
+      return value.first
+    }
+    value = obj.get(DEFAULT_NS + prop)
+    if (value) {
+      this.#logger.warn(
+        { objectId: obj.id, prop },
+        'security property in default namespace'
+      )
+      return value.first
+    }
+    return null
+  }
+
+  #getPublicKeyId (obj) {
+    assert.strictEqual(typeof obj, 'object')
+    return this.#getSecIdProp(obj, 'publicKey')
+  }
 }

package/lib/routes/collection.js

@@ -1,8 +1,10 @@
+import assert from 'node:assert'
+
 import express from 'express'
-import as2 from '../activitystreams.js'
 import createHttpError from 'http-errors'
+
+import as2 from '../activitystreams.js'
 import BotMaker from '../botmaker.js'
-import assert from 'node:assert'
 
 const collections = ['outbox', 'liked', 'followers', 'following']
 const router = express.Router()

package/lib/routes/inbox.js

@@ -1,8 +1,10 @@
+import http from 'node:http'
+
 import express from 'express'
-import as2 from '../activitystreams.js'
 import createHttpError from 'http-errors'
+
+import as2 from '../activitystreams.js'
 import BotMaker from '../botmaker.js'
-import http from 'node:http'
 
 const router = express.Router()
 

package/lib/routes/object.js

@@ -1,7 +1,8 @@
 import express from 'express'
-import as2 from '../activitystreams.js'
 import createHttpError from 'http-errors'
 
+import as2 from '../activitystreams.js'
+
 const router = express.Router()
 
 export default router

package/lib/routes/sharedinbox.js

@@ -1,7 +1,9 @@
+import http from 'node:http'
+
 import express from 'express'
-import as2 from '../activitystreams.js'
 import createHttpError from 'http-errors'
-import http from 'node:http'
+
+import as2 from '../activitystreams.js'
 
 const router = express.Router()
 

package/lib/routes/webfinger.js

@@ -33,6 +33,26 @@ async function botWebfinger (username, req, res, next) {
   })
 }
 
+async function profileWebfinger (username, profileUrl, req, res, next) {
+  const { formatter, bots } = req.app.locals
+  const bot = await BotMaker.makeBot(bots, username)
+  if (!bot) {
+    return next(createHttpError(404, `No such bot '${username}'`))
+  }
+  res.status(200)
+  res.type('application/jrd+json')
+  res.json({
+    subject: profileUrl,
+    links: [
+      {
+        rel: 'alternate',
+        type: 'application/activity+json',
+        href: formatter.format({ username })
+      }
+    ]
+  })
+}
+
 async function httpsWebfinger (resource, req, res, next) {
   const { formatter } = req.app.locals
   assert.ok(formatter)
@@ -42,6 +62,8 @@ async function httpsWebfinger (resource, req, res, next) {
   const parts = formatter.unformat(resource)
   if (parts.username && !parts.type && !parts.collection) {
     return await botWebfinger(parts.username, req, res, next)
+  } else if (parts.username && parts.type === 'profile') {
+    return await profileWebfinger(parts.username, resource, req, res, next)
   } else {
     return next(createHttpError(400, `No webfinger lookup for url ${resource}`))
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evanp/activitypub-bot",
-  "version": "0.32.3",
+  "version": "0.34.0",
   "description": "server-side ActivityPub bot framework",
   "type": "module",
   "main": "lib/index.js",