@evanp/activitypub-bot 0.8.0

package/lib/botdatastorage.js

@@ -0,0 +1,87 @@
+import assert from 'node:assert'
+
+export class NoSuchValueError extends Error {
+  constructor (username, key) {
+    const message = `No such value ${key} for user ${username}`
+    super(message)
+    this.name = 'NoSuchValueError'
+  }
+}
+
+export class BotDataStorage {
+  #connection = null
+
+  constructor (connection) {
+    this.#connection = connection
+  }
+
+  async initialize () {
+    await this.#connection.query(`
+      CREATE TABLE IF NOT EXISTS botdata (
+        username VARCHAR(512) not null,
+        key VARCHAR(512) not null,
+        value TEXT not null,
+        createdAt DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        updatedAt DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        PRIMARY KEY (username, key)
+      )
+    `)
+  }
+
+  async terminate () {
+
+  }
+
+  async set (username, key, value) {
+    assert.ok(this.#connection, 'BotDataStorage not initialized')
+    assert.ok(username, 'username is required')
+    assert.equal(typeof username, 'string', 'username must be a string')
+    assert.ok(key, 'key is required')
+    assert.equal(typeof key, 'string', 'key must be a string')
+    await this.#connection.query(`
+      INSERT INTO botdata (value, username, key) VALUES (?, ?, ?)
+      ON CONFLICT DO UPDATE SET value = EXCLUDED.value, updatedAt = CURRENT_TIMESTAMP`,
+    { replacements: [JSON.stringify(value), username, key] }
+    )
+  }
+
+  async get (username, key) {
+    assert.ok(this.#connection, 'BotDataStorage not initialized')
+    assert.ok(username, 'username is required')
+    assert.equal(typeof username, 'string', 'username must be a string')
+    assert.ok(key, 'key is required')
+    assert.equal(typeof key, 'string', 'key must be a string')
+    const rows = await this.#connection.query(`
+      SELECT value FROM botdata WHERE username = ? AND key = ?`,
+    { replacements: [username, key] }
+    )
+    if (rows[0].length === 0) {
+      throw new NoSuchValueError(username, key)
+    }
+    return JSON.parse(rows[0][0].value)
+  }
+
+  async has (username, key) {
+    assert.ok(this.#connection, 'BotDataStorage not initialized')
+    assert.ok(username, 'username is required')
+    assert.equal(typeof username, 'string', 'username must be a string')
+    assert.ok(key, 'key is required')
+    assert.equal(typeof key, 'string', 'key must be a string')
+    const rows = await this.#connection.query(`
+      SELECT count(*) as count FROM botdata WHERE username = ? AND key = ?`,
+    { replacements: [username, key] }
+    )
+    return (rows[0][0].count > 0)
+  }
+
+  async delete (username, key) {
+    assert.ok(this.#connection, 'BotDataStorage not initialized')
+    assert.ok(username, 'username is required')
+    assert.equal(typeof username, 'string', 'username must be a string')
+    assert.ok(key, 'key is required')
+    await this.#connection.query(`
+      DELETE FROM botdata WHERE username = ? AND key = ?`,
+    { replacements: [username, key] }
+    )
+  }
+}

package/lib/bots/donothing.js

@@ -0,0 +1,11 @@
+import Bot from '../bot.js'
+
+export default class DoNothingBot extends Bot {
+  get fullname () {
+    return 'Do Nothing Bot'
+  }
+
+  get description () {
+    return 'A bot that does nothing.'
+  }
+}

package/lib/bots/ok.js

@@ -0,0 +1,41 @@
+import Bot from '../bot.js'
+
+export default class OKBot extends Bot {
+  get fullname () {
+    return 'OK Bot'
+  }
+
+  get description () {
+    return 'A bot that says "OK" when mentioned.'
+  }
+
+  async onMention (object, activity) {
+    if (!await this.hasSeen(object)) {
+      const attributedTo =
+        object.attributedTo?.first.id ||
+        activity.actor?.first.id
+      const wf = await this._context.toWebfinger(attributedTo)
+      this._context.logger.info({ object: object.id, attributedTo, wf }, 'received mention')
+      const content = (wf) ? `@${wf} OK` : 'OK'
+      const reply = await this._context.sendReply(content, object)
+      this._context.logger.info({
+        reply: reply.id,
+        content,
+        inReplyTo: reply.inReplyTo.id
+      }, 'sent reply')
+      await this.setSeen(object)
+    }
+  }
+
+  async hasSeen (object) {
+    const id = object.id
+    const key = `seen:${id}`
+    return this._context.hasData(key)
+  }
+
+  async setSeen (object) {
+    const id = object.id
+    const key = `seen:${id}`
+    return this._context.setData(key, true)
+  }
+}

package/lib/digester.js

@@ -0,0 +1,23 @@
+import crypto from 'node:crypto'
+
+export class Digester {
+  #logger
+  constructor (logger) {
+    this.#logger = logger.child({ class: this.constructor.name })
+  }
+
+  async digest (body) {
+    const digest = crypto.createHash('sha256')
+    digest.update(body)
+    return `sha-256=${digest.digest('base64')}`
+  }
+
+  equals (digest1, digest2) {
+    const [alg1, hash1] = digest1.split('=', 2)
+    const [alg2, hash2] = digest2.split('=', 2)
+    if (alg1.toLowerCase() !== alg2.toLowerCase()) {
+      return false
+    }
+    return hash1 === hash2
+  }
+}

package/lib/httpsignature.js

@@ -0,0 +1,195 @@
+import createHttpError from 'http-errors'
+import crypto from 'node:crypto'
+import assert from 'node:assert'
+
+export class HTTPSignature {
+  static #maxDateDiff = 5 * 60 * 1000 // 5 minutes
+  #logger = null
+  constructor (logger) {
+    this.#logger = logger.child({ class: this.constructor.name })
+  }
+
+  keyId (signature) {
+    const params = this.#parseSignatureHeader(signature)
+    if (!params.keyId) {
+      throw createHttpError(401, 'No keyId provided')
+    }
+    return params.keyId
+  }
+
+  async validate (publicKeyPem, signature, method, path, headers) {
+    if (!signature) {
+      throw createHttpError(401, 'No signature provided')
+    }
+    if (!method) {
+      throw createHttpError(400, 'No HTTP method provided')
+    }
+    if (!path) {
+      throw createHttpError(400, 'No URL path provided')
+    }
+    if (!headers) {
+      throw createHttpError(400, 'No request headers provided')
+    }
+
+    const params = this.#parseSignatureHeader(signature)
+
+    const keyId = params.keyId
+    if (!keyId) {
+      throw createHttpError(401, 'No keyId provided')
+    }
+    this.#logger.debug({ keyId }, 'validating signature')
+    const algorithm = params.algorithm
+    if (!algorithm) {
+      throw createHttpError(401, 'No algorithm provided')
+    }
+    this.#logger.debug({ algorithm }, 'validating signature')
+    if (algorithm !== 'rsa-sha256') {
+      throw createHttpError(401, 'Only rsa-sha256 is supported')
+    }
+    if (!params.headers) {
+      throw createHttpError(401, 'No headers provided')
+    }
+    const signedHeaders = params.headers.split(' ')
+    this.#logger.debug({ signedHeaders }, 'validating signature')
+    const signatureString = params.signature
+    if (!signatureString) {
+      throw createHttpError(401, 'No signature field provided in signature header')
+    }
+    this.#logger.debug({ signatureString }, 'validating signature')
+    const signingString = this.#signingString({
+      method,
+      target: path,
+      host: headers.host,
+      headers,
+      headersList: signedHeaders
+    })
+    this.#logger.debug({ signingString }, 'validating signature')
+    return this.#verify(publicKeyPem, signingString, signatureString)
+  }
+
+  async sign ({ privateKey, keyId, url, method, headers }) {
+    assert.ok(privateKey)
+    assert.equal(typeof privateKey, 'string')
+    assert.ok(keyId)
+    assert.equal(typeof keyId, 'string')
+    assert.ok(url)
+    assert.equal(typeof url, 'string')
+    assert.ok(method)
+    assert.equal(typeof method, 'string')
+    assert.ok(headers)
+    assert.equal(typeof headers, 'object')
+
+    this.#logger.debug({ keyId, url, method, headers }, 'signing a request')
+
+    const algorithm = 'rsa-sha256'
+    const headersList = (method === 'POST')
+      ? ['(request-target)', 'host', 'date', 'user-agent', 'content-type', 'digest']
+      : ['(request-target)', 'host', 'date', 'user-agent', 'accept']
+
+    this.#logger.debug({ algorithm, headersList }, 'signing a request')
+
+    const parsed = new URL(url)
+    const target = (parsed.search && parsed.search.length)
+      ? `${parsed.pathname}${parsed.search}`
+      : `${parsed.pathname}`
+    const host = parsed.host
+
+    this.#logger.debug({ parsed, target, host }, 'signing a request')
+
+    const signingString = this.#signingString({
+      method,
+      host,
+      target,
+      headers,
+      headersList
+    })
+
+    this.#logger.debug({ signingString }, 'signing a request')
+
+    const signature = this.#signWithKey({
+      privateKey,
+      signingString,
+      algorithm
+    })
+
+    this.#logger.debug({ signature }, 'signed a request')
+
+    const signatureHeader = this.#signatureHeader({ keyId, headersList, signature, algorithm })
+
+    this.#logger.debug({ signatureHeader }, 'signed a request')
+    return signatureHeader
+  }
+
+  #signWithKey ({ privateKey, signingString, algorithm }) {
+    if (algorithm !== 'rsa-sha256') {
+      throw new Error('Only rsa-sha256 is supported')
+    }
+    const signer = crypto.createSign('sha256')
+    signer.update(signingString)
+    const signature = signer.sign(privateKey).toString('base64')
+    signer.end()
+
+    return signature
+  }
+
+  #signingString ({ method, host, target, headers, headersList }) {
+    const lines = []
+    const canon = {}
+    for (const key in headers) {
+      canon[key.toLowerCase()] = headers[key]
+    }
+    for (const headerName of headersList) {
+      if (headerName === '(request-target)') {
+        lines.push(`(request-target): ${method.toLowerCase()} ${target.trim()}`)
+      } else if (headerName === 'host') {
+        lines.push(`host: ${host.trim()}`)
+      } else if (headerName in canon) {
+        assert.ok(typeof canon[headerName] === 'string', `Header ${headerName} is not a string: ${canon[headerName]}`)
+        lines.push(`${headerName}: ${canon[headerName].trim()}`)
+      } else {
+        throw new Error(`Missing header: ${headerName}`)
+      }
+    }
+
+    return lines.join('\n')
+  }
+
+  #signatureHeader ({ keyId, headersList, signature, algorithm }) {
+    const components = {
+      keyId,
+      headers: headersList.join(' '),
+      signature,
+      algorithm
+    }
+    const properties = ['keyId', 'headers', 'signature', 'algorithm']
+
+    const pairs = []
+    for (const prop of properties) {
+      pairs.push(`${prop}="${this.#escape(components[prop])}"`)
+    }
+
+    return pairs.join(',')
+  }
+
+  #escape (value) {
+    return value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')
+  }
+
+  #parseSignatureHeader (signature) {
+    const parts = signature.split(',')
+    const params = {}
+    for (const part of parts) {
+      const [key, value] = part.split('=')
+      params[key] = value.replace(/"/g, '')
+    }
+    return params
+  }
+
+  #verify (publicKeyPem, signingString, signature) {
+    const verifier = crypto.createVerify('sha256')
+    verifier.update(signingString)
+    const isValid = verifier.verify(publicKeyPem, signature, 'base64')
+    verifier.end()
+    return isValid
+  }
+}

package/lib/httpsignatureauthenticator.js

@@ -0,0 +1,81 @@
+import createHttpError from 'http-errors'
+
+export class HTTPSignatureAuthenticator {
+  static #maxDateDiff = 5 * 60 * 1000 // 5 minutes
+  #remoteKeyStorage = null
+  #logger = null
+  #digester = null
+  #signer = null
+  constructor (remoteKeyStorage, signer, digester, logger) {
+    this.#remoteKeyStorage = remoteKeyStorage
+    this.#signer = signer
+    this.#digester = digester
+    this.#logger = logger.child({ class: this.constructor.name })
+  }
+
+  async authenticate (req, res, next) {
+    const signature = req.get('Signature')
+    if (!signature) {
+      // Just continue
+      return next()
+    }
+    const date = req.get('Date')
+    if (!date) {
+      return next(createHttpError(400, 'No date provided'))
+    }
+    try {
+      if (Math.abs(Date.parse(date) - Date.now()) >
+        HTTPSignatureAuthenticator.#maxDateDiff) {
+        return next(createHttpError(400, 'Time skew too large'))
+      }
+    } catch (err) {
+      // for date parsing errors
+      return next(err)
+    }
+    if (req.rawBodyText && req.rawBodyText.length > 0) {
+      const digest = req.get('Digest')
+      if (!digest) {
+        return next(createHttpError(400, 'No digest provided'))
+      }
+      const calculated = await this.#digester.digest(req.rawBodyText)
+      if (!this.#digester.equals(digest, calculated)) {
+        this.#logger.debug(`calculated: ${calculated} digest: ${digest}`)
+        return next(createHttpError(400, 'Digest mismatch'))
+      }
+    }
+    const { method, headers } = req
+    const originalUrl = req.originalUrl
+    this.#logger.debug({ originalUrl }, 'original URL')
+    try {
+      const keyId = this.#signer.keyId(signature)
+      const ok = await this.#remoteKeyStorage.getPublicKey(keyId)
+      let owner = ok.owner
+      let publicKeyPem = ok.publicKeyPem
+      let result = await this.#signer.validate(publicKeyPem, signature, method, originalUrl, headers)
+      this.#logger.debug(`First validation result: ${result}`)
+      if (!result) {
+        // May be key rotation. Try again with uncached key
+        const ok2 = await this.#remoteKeyStorage.getPublicKey(keyId, false)
+        if (ok2.publicKeyPem === ok.publicKeyPem) {
+          this.#logger.debug('same keys')
+        } else {
+          this.#logger.debug('different keys')
+          owner = ok2.owner
+          publicKeyPem = ok2.publicKeyPem
+          result = await this.#signer.validate(publicKeyPem, signature, method, originalUrl, headers)
+          this.#logger.debug(`Validation result: ${result}`)
+        }
+      }
+      if (result) {
+        this.#logger.debug(`Signature valid for ${keyId}`)
+        req.auth = req.auth || {}
+        req.auth.subject = owner
+        return next()
+      } else {
+        return next(createHttpError(401, 'Unauthorized'))
+      }
+    } catch (err) {
+      return next(err)
+    }
+  }
+}

package/lib/keystorage.js

@@ -0,0 +1,113 @@
+import { promisify } from 'util'
+import crypto from 'node:crypto'
+import HumanHasher from 'humanhash'
+import assert from 'node:assert'
+
+const generateKeyPair = promisify(crypto.generateKeyPair)
+
+export class KeyStorage {
+  #connection = null
+  #logger = null
+  #hasher = null
+  constructor (connection, logger) {
+    assert.ok(connection, 'connection is required')
+    assert.ok(logger, 'logger is required')
+    this.#connection = connection
+    this.#logger = logger.child({ class: this.constructor.name })
+    this.#hasher = new HumanHasher()
+  }
+
+  async initialize () {
+    await this.#connection.query(`
+            CREATE TABLE IF NOT EXISTS new_keys (
+                username varchar(512) PRIMARY KEY,
+                public_key TEXT,
+                private_key TEXT
+            )
+        `)
+    try {
+      await this.#connection.query(`
+              INSERT OR IGNORE INTO new_keys (username, public_key, private_key)
+              SELECT bot_id, public_key, private_key
+              FROM keys
+          `)
+    } catch (error) {
+      this.#logger.debug(
+        { error, method: 'KeyStorage.initialize' },
+        'failed to copy keys to new_keys table')
+    }
+  }
+
+  async getPublicKey (username) {
+    this.#logger.debug(
+      { username, method: 'KeyStorage.getPublicKey' },
+      'getting public key for bot')
+    const [publicKey] = await this.#getKeys(username)
+    return publicKey
+  }
+
+  async getPrivateKey (username) {
+    this.#logger.debug(
+      { username, method: 'KeyStorage.getPrivateKey' },
+      'getting private key for bot')
+    const [, privateKey] = await this.#getKeys(username)
+    return privateKey
+  }
+
+  async #getKeys (username) {
+    let privateKey
+    let publicKey
+    const [result] = await this.#connection.query(`
+          SELECT public_key, private_key FROM new_keys WHERE username = ?
+      `, { replacements: [username] })
+    if (result.length > 0) {
+      this.#logger.debug(
+        { username, method: 'KeyStorage.#getKeys' },
+        'found key for bot in database')
+      publicKey = result[0].public_key
+      privateKey = result[0].private_key
+    } else {
+      this.#logger.debug(
+        { username, method: 'KeyStorage.#getKeys' },
+        'no key for bot, generating new key'
+      );
+      [publicKey, privateKey] = await this.#newKeyPair(username)
+      this.#logger.debug(
+        { username, method: 'KeyStorage.#getKeys' },
+        'saving new keypair to database'
+      )
+      await this.#saveKeyPair(username, publicKey, privateKey)
+    }
+    this.#logger.debug({
+      username,
+      method: 'KeyStorage.#getKeys',
+      publicKeyHash: this.#hasher.humanize(publicKey),
+      privateKeyHash: this.#hasher.humanize(privateKey)
+    })
+    return [publicKey, privateKey]
+  }
+
+  async #newKeyPair (username) {
+    const { publicKey, privateKey } = await generateKeyPair(
+      'rsa',
+      {
+        modulusLength: 2048,
+        privateKeyEncoding: {
+          type: 'pkcs8',
+          format: 'pem'
+        },
+        publicKeyEncoding: {
+          type: 'spki',
+          format: 'pem'
+        }
+      }
+    )
+    return [publicKey, privateKey]
+  }
+
+  async #saveKeyPair (username, publicKey, privateKey) {
+    await this.#connection.query(`
+        INSERT INTO new_keys (username, public_key, private_key) VALUES (?, ?, ?)
+      `, { replacements: [username, publicKey, privateKey] })
+  }
+}

package/lib/microsyntax.js

@@ -0,0 +1,140 @@
+import assert from 'node:assert'
+import fetch from 'node-fetch'
+
+const AS2 = 'https://www.w3.org/ns/activitystreams#'
+
+export class Transformer {
+  #tagNamespace = null
+  #client = null
+  constructor (tagNamespace, client) {
+    this.#tagNamespace = tagNamespace
+    this.#client = client
+    assert.ok(this.#tagNamespace)
+    assert.ok(this.#client)
+  }
+
+  async transform (text) {
+    let html = text
+    let tag = [];
+    ({ html, tag } = this.#replaceUrls(html, tag));
+    ({ html, tag } = this.#replaceHashtags(html, tag));
+    ({ html, tag } = await this.#replaceMentions(html, tag))
+    html = `<p>${html}</p>`
+    return { html, tag }
+  }
+
+  #replaceUrls (html, tag) {
+    const url = /https?:\/\/\S+/g
+    const segments = this.#segment(html)
+    for (const i in segments) {
+      const segment = segments[i]
+      if (this.#isLink(segment)) continue
+      segments[i] = segment.replace(url, (match) => {
+        return `<a href="${match}">${match}</a>`
+      })
+    }
+    return { html: segments.join(''), tag }
+  }
+
+  #replaceHashtags (html, tag) {
+    const hashtag = /#(\w+)/g
+    const segments = this.#segment(html)
+    for (const i in segments) {
+      const segment = segments[i]
+      if (this.#isLink(segment)) continue
+      segments[i] = segment.replace(hashtag, (match, name) => {
+        const href = this.#tagNamespace + name
+        tag.push({ type: AS2 + 'Hashtag', name: match, href })
+        return `<a href="${href}">${match}</a>`
+      })
+    }
+    return { html: segments.join(''), tag }
+  }
+
+  async #replaceMentions (html, tag) {
+    const self = this
+    const webfinger = /@[a-zA-Z0-9_]+([a-zA-Z0-9_.-]+[a-zA-Z0-9_]+)?@[a-zA-Z0-9_.-]+/g
+    const segments = this.#segment(html)
+    for (const i in segments) {
+      const segment = segments[i]
+      if (this.#isLink(segment)) continue
+      segments[i] = await this.#replaceAsync(segments[i], webfinger, async (match) => {
+        const href = await self.#homePage(match.slice(1))
+        if (!href) return match
+        tag.push({ type: 'Mention', name: match, href })
+        return `<a href="${href}">${match}</a>`
+      })
+    }
+    return { html: segments.join(''), tag }
+  }
+
+  async #homePage (webfinger) {
+    if (!this.#client) return null
+    const [username, domain] = webfinger.split('@')
+    const url = `https://${domain}/.well-known/webfinger?` +
+      `resource=acct:${username}@${domain}`
+    let json = null
+    try {
+      const response = await fetch(url,
+        { headers: { Accept: 'application/jrd+json' } })
+      if (response.status !== 200) return null
+      json = await response.json()
+    } catch (error) {
+      return null
+    }
+    if (!json.links) return null
+    const link = json.links.find(
+      link => link.rel === 'self' &&
+        (link.type === 'application/activity+json' ||
+          link.type === 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'))
+    if (!link) return null
+    const actorId = link.href
+    if (!actorId) return null
+    let actor = null
+    try {
+      actor = await this.#client.get(actorId)
+    } catch (error) {
+      console.error(error)
+      return null
+    }
+    if (!actor) return null
+    if (!actor.url) {
+      return actorId
+    }
+    for (const url of actor.url) {
+      if (url.type === AS2 + 'Link' &&
+        url.mediaType === 'text/html' &&
+        url.href) {
+        return url.href
+      }
+    }
+    // Fallback to first URL
+    if (actor.url.length === 1 && !actor.url.first.type) {
+      return actor.url.first.id
+    }
+    // Fallback even further to actor ID
+    return actorId
+  }
+
+  #isLink (segment) {
+    return (segment.startsWith('<a>') || segment.startsWith('<a ')) && segment.endsWith('</a>')
+  }
+
+  #segment (html) {
+    return html.split(/(<[^>]+>[^<]+<\/[^>]+>)/)
+  }
+
+  async #replaceAsync (str, regex, asyncFn) {
+    const promises = []
+    str.replace(regex, (match, ...args) => {
+      // Add a promise for each match
+      promises.push(asyncFn(match, ...args))
+    })
+
+    // Wait for all async replacements to resolve
+    const replacements = await Promise.all(promises)
+
+    // Replace the matches with their respective replacements
+    return str.replace(regex, () => replacements.shift())
+  }
+}