@rmdes/indiekit-endpoint-activitypub 1.0.29 → 1.1.2

package/lib/csrf.js

@@ -0,0 +1,49 @@
+/**
+ * Simple CSRF token generation and validation.
+ * Tokens are stored in the Express session.
+ */
+
+import { randomBytes, timingSafeEqual } from "node:crypto";
+
+/**
+ * Get or generate a CSRF token for the current session.
+ * @param {object} session - Express session object
+ * @returns {string} CSRF token
+ */
+export function getToken(session) {
+  if (!session._csrfToken) {
+    session._csrfToken = randomBytes(32).toString("hex");
+  }
+
+  return session._csrfToken;
+}
+
+/**
+ * Validate a CSRF token from a request.
+ * Checks both the request body `_csrf` field and the `X-CSRF-Token` header.
+ * @param {object} request - Express request object
+ * @returns {boolean} Whether the token is valid
+ */
+export function validateToken(request) {
+  const sessionToken = request.session?._csrfToken;
+
+  if (!sessionToken) {
+    return false;
+  }
+
+  const requestToken =
+    request.body?._csrf || request.headers["x-csrf-token"];
+
+  if (!requestToken) {
+    return false;
+  }
+
+  if (sessionToken.length !== requestToken.length) {
+    return false;
+  }
+
+  return timingSafeEqual(
+    Buffer.from(sessionToken),
+    Buffer.from(requestToken),
+  );
+}

package/lib/federation-setup.js

@@ -183,7 +183,11 @@ export function setupFederation(options) {
 
         if (profile.attachments?.length > 0) {
           personOptions.attachments = profile.attachments.map(
-            (att) => new PropertyValue({ name: att.name, value: att.value }),
+            (att) =>
+              new PropertyValue({
+                name: att.name,
+                value: formatAttachmentValue(att.value),
+              }),
           );
         }
 
@@ -689,6 +693,29 @@ async function importPkcs8Pem(pem) {
   );
 }
 
+/**
+ * Format an attachment value for ActivityPub PropertyValue.
+ * If the value looks like a URL, wrap it in an HTML anchor tag with rel="me"
+ * so Mastodon can verify profile link ownership. Plain text values pass through.
+ */
+function formatAttachmentValue(value) {
+  if (!value) return "";
+  const trimmed = value.trim();
+  // Already contains HTML — pass through
+  if (trimmed.startsWith("<")) return trimmed;
+  // URL — wrap in anchor with rel="me"
+  if (/^https?:\/\//i.test(trimmed)) {
+    const escaped = trimmed
+      .replace(/&/g, "&amp;")
+      .replace(/</g, "&lt;")
+      .replace(/>/g, "&gt;")
+      .replace(/"/g, "&quot;");
+    return `<a href="${escaped}" rel="me">${escaped}</a>`;
+  }
+  // Plain text (e.g. pronouns) — return as-is
+  return trimmed;
+}
+
 function guessImageMediaType(url) {
   const ext = url.split(".").pop()?.toLowerCase();
   const types = {

package/lib/inbox-listeners.js

@@ -23,6 +23,9 @@ import {
 } from "@fedify/fedify";
 
 import { logActivity as logActivityShared } from "./activity-log.js";
+import { sanitizeContent, extractActorInfo, extractObjectData } from "./timeline-store.js";
+import { addTimelineItem, deleteTimelineItem, updateTimelineItem } from "./storage/timeline.js";
+import { addNotification } from "./storage/notifications.js";
 
 /**
  * Register all inbox listeners on a federation's inbox chain.
@@ -83,6 +86,19 @@ export function registerInboxListeners(inboxChain, options) {
         actorName: followerName,
         summary: `${followerName} followed you`,
       });
+
+      // Store notification
+      const followerInfo = await extractActorInfo(followerActor);
+      await addNotification(collections, {
+        uid: follow.id?.href || `follow:${followerUrl}`,
+        type: "follow",
+        actorUrl: followerInfo.url,
+        actorName: followerInfo.name,
+        actorPhoto: followerInfo.photo,
+        actorHandle: followerInfo.handle,
+        published: follow.published ? String(follow.published) : new Date().toISOString(),
+        createdAt: new Date().toISOString(),
+      });
     })
     .on(Undo, async (ctx, undo) => {
       const actorUrl = undo.actorId?.href || "";
@@ -139,7 +155,7 @@ export function registerInboxListeners(inboxChain, options) {
       const result = await collections.ap_following.findOneAndUpdate(
         {
           actorUrl,
-          source: { $in: ["refollow:sent", "microsub-reader"] },
+          source: { $in: ["refollow:sent", "reader", "microsub-reader"] },
         },
         {
           $set: {
@@ -176,7 +192,7 @@ export function registerInboxListeners(inboxChain, options) {
       const result = await collections.ap_following.findOneAndUpdate(
         {
           actorUrl,
-          source: { $in: ["refollow:sent", "microsub-reader"] },
+          source: { $in: ["refollow:sent", "reader", "microsub-reader"] },
         },
         {
           $set: {
@@ -210,17 +226,18 @@ export function registerInboxListeners(inboxChain, options) {
       if (!objectId || (pubUrl && !objectId.startsWith(pubUrl))) return;
 
       const actorUrl = like.actorId?.href || "";
-      let actorName = actorUrl;
+      let actorObj;
       try {
-        const actorObj = await like.getActor();
-        actorName =
-          actorObj?.name?.toString() ||
-          actorObj?.preferredUsername?.toString() ||
-          actorUrl;
+        actorObj = await like.getActor();
       } catch {
-        /* actor not dereferenceable — use URL */
+        actorObj = null;
       }
 
+      const actorName =
+        actorObj?.name?.toString() ||
+        actorObj?.preferredUsername?.toString() ||
+        actorUrl;
+
       await logActivity(collections, storeRawActivities, {
         direction: "inbound",
         type: "Like",
@@ -229,35 +246,96 @@ export function registerInboxListeners(inboxChain, options) {
         objectUrl: objectId,
         summary: `${actorName} liked ${objectId}`,
       });
+
+      // Store notification
+      const actorInfo = await extractActorInfo(actorObj);
+      await addNotification(collections, {
+        uid: like.id?.href || `like:${actorUrl}:${objectId}`,
+        type: "like",
+        actorUrl: actorInfo.url,
+        actorName: actorInfo.name,
+        actorPhoto: actorInfo.photo,
+        actorHandle: actorInfo.handle,
+        targetUrl: objectId,
+        targetName: "", // Could fetch post title, but not critical
+        published: like.published ? String(like.published) : new Date().toISOString(),
+        createdAt: new Date().toISOString(),
+      });
     })
     .on(Announce, async (ctx, announce) => {
-      // Use .objectId — no remote fetch needed (see Like handler comment)
       const objectId = announce.objectId?.href || "";
+      if (!objectId) return;
 
-      // Only log boosts of our own content
+      const actorUrl = announce.actorId?.href || "";
       const pubUrl = collections._publicationUrl;
-      if (!objectId || (pubUrl && !objectId.startsWith(pubUrl))) return;
 
-      const actorUrl = announce.actorId?.href || "";
-      let actorName = actorUrl;
-      try {
-        const actorObj = await announce.getActor();
-        actorName =
+      // Dual path logic: Notification vs Timeline
+
+      // PATH 1: Boost of OUR content → Notification
+      if (pubUrl && objectId.startsWith(pubUrl)) {
+        let actorObj;
+        try {
+          actorObj = await announce.getActor();
+        } catch {
+          actorObj = null;
+        }
+
+        const actorName =
           actorObj?.name?.toString() ||
           actorObj?.preferredUsername?.toString() ||
           actorUrl;
-      } catch {
-        /* actor not dereferenceable — use URL */
+
+        // Log the boost activity
+        await logActivity(collections, storeRawActivities, {
+          direction: "inbound",
+          type: "Announce",
+          actorUrl,
+          actorName,
+          objectUrl: objectId,
+          summary: `${actorName} boosted ${objectId}`,
+        });
+
+        // Create notification
+        const actorInfo = await extractActorInfo(actorObj);
+        await addNotification(collections, {
+          uid: announce.id?.href || `${actorUrl}#boost-${objectId}`,
+          type: "boost",
+          actorUrl: actorInfo.url,
+          actorName: actorInfo.name,
+          actorPhoto: actorInfo.photo,
+          actorHandle: actorInfo.handle,
+          targetUrl: objectId,
+          targetName: "", // Could fetch post title, but not critical
+          published: announce.published ? String(announce.published) : new Date().toISOString(),
+          createdAt: new Date().toISOString(),
+        });
+
+        // Don't return — fall through to check if actor is also followed
       }
 
-      await logActivity(collections, storeRawActivities, {
-        direction: "inbound",
-        type: "Announce",
-        actorUrl,
-        actorName,
-        objectUrl: objectId,
-        summary: `${actorName} boosted ${objectId}`,
-      });
+      // PATH 2: Boost from someone we follow → Timeline (store original post)
+      const following = await collections.ap_following.findOne({ actorUrl });
+      if (following) {
+        try {
+          // Fetch the original object being boosted
+          const object = await announce.getObject();
+          if (!object) return;
+
+          // Get booster actor info
+          const boosterActor = await announce.getActor();
+          const boosterInfo = await extractActorInfo(boosterActor);
+
+          // Extract and store with boost metadata
+          const timelineItem = await extractObjectData(object, {
+            boostedBy: boosterInfo,
+            boostedAt: announce.published ? String(announce.published) : new Date().toISOString(),
+          });
+
+          await addTimelineItem(collections, timelineItem);
+        } catch (error) {
+          console.error("Failed to store boosted timeline item:", error);
+        }
+      }
     })
     .on(Create, async (ctx, create) => {
       let object;
@@ -292,6 +370,7 @@ export function registerInboxListeners(inboxChain, options) {
       }
 
       // Log replies to our posts (existing behavior for conversations)
+      const pubUrl = collections._publicationUrl;
       if (inReplyTo) {
         const content = object.content?.toString() || "";
         await logActivity(collections, storeRawActivities, {
@@ -304,21 +383,86 @@ export function registerInboxListeners(inboxChain, options) {
           content,
           summary: `${actorName} replied to ${inReplyTo}`,
         });
+
+        // Create notification if reply is to one of OUR posts
+        if (pubUrl && inReplyTo.startsWith(pubUrl)) {
+          const actorInfo = await extractActorInfo(actorObj);
+          const rawHtml = object.content?.toString() || "";
+          const contentHtml = sanitizeContent(rawHtml);
+          const contentText = rawHtml.replace(/<[^>]*>/g, "").substring(0, 200);
+
+          await addNotification(collections, {
+            uid: object.id?.href || `reply:${actorUrl}:${inReplyTo}`,
+            type: "reply",
+            actorUrl: actorInfo.url,
+            actorName: actorInfo.name,
+            actorPhoto: actorInfo.photo,
+            actorHandle: actorInfo.handle,
+            targetUrl: inReplyTo,
+            targetName: "",
+            content: {
+              text: contentText,
+              html: contentHtml,
+            },
+            published: object.published ? String(object.published) : new Date().toISOString(),
+            createdAt: new Date().toISOString(),
+          });
+        }
+      }
+
+      // Check for mentions of our actor
+      if (object.tag) {
+        const tags = Array.isArray(object.tag) ? object.tag : [object.tag];
+        const ourActorUrl = ctx.getActorUri(handle).href;
+
+        for (const tag of tags) {
+          if (tag.type === "Mention" && tag.href?.href === ourActorUrl) {
+            const actorInfo = await extractActorInfo(actorObj);
+            const rawMentionHtml = object.content?.toString() || "";
+            const mentionHtml = sanitizeContent(rawMentionHtml);
+            const contentText = rawMentionHtml.replace(/<[^>]*>/g, "").substring(0, 200);
+
+            await addNotification(collections, {
+              uid: object.id?.href || `mention:${actorUrl}:${object.id?.href}`,
+              type: "mention",
+              actorUrl: actorInfo.url,
+              actorName: actorInfo.name,
+              actorPhoto: actorInfo.photo,
+              actorHandle: actorInfo.handle,
+              content: {
+                text: contentText,
+                html: mentionHtml,
+              },
+              published: object.published ? String(object.published) : new Date().toISOString(),
+              createdAt: new Date().toISOString(),
+            });
+
+            break; // Only create one mention notification per post
+          }
+        }
+      }
+
+      // Store timeline items from accounts we follow (native storage)
+      const following = await collections.ap_following.findOne({ actorUrl });
+      if (following) {
+        try {
+          const timelineItem = await extractObjectData(object);
+          await addTimelineItem(collections, timelineItem);
+        } catch (error) {
+          // Log extraction errors but don't fail the entire handler
+          console.error("Failed to store timeline item:", error);
+        }
       }
 
-      // Store timeline items from accounts we follow
-      await storeTimelineItem(collections, {
-        actorUrl,
-        actorName,
-        actorObj,
-        object,
-        inReplyTo,
-      });
     })
     .on(Delete, async (ctx, del) => {
       const objectId = del.objectId?.href || "";
       if (objectId) {
+        // Remove from activity log
         await collections.ap_activities.deleteMany({ objectUrl: objectId });
+
+        // Remove from timeline
+        await deleteTimelineItem(collections, objectId);
       }
     })
     .on(Move, async (ctx, move) => {
@@ -343,7 +487,44 @@ export function registerInboxListeners(inboxChain, options) {
       });
     })
     .on(Update, async (ctx, update) => {
-      // Remote actor updated their profile — refresh stored follower data
+      // Update can be for a profile OR for a post (edited content)
+
+      // Try to get the object being updated
+      let object;
+      try {
+        object = await update.getObject();
+      } catch {
+        object = null;
+      }
+
+      // PATH 1: If object is a Note/Article → Update timeline item content
+      if (object && (object instanceof Note || object.type === "Article")) {
+        const objectUrl = object.id?.href || "";
+        if (objectUrl) {
+          try {
+            // Extract updated content
+            const contentHtml = object.content?.toString() || "";
+            const contentText = object.source?.content?.toString() || contentHtml.replace(/<[^>]*>/g, "");
+
+            const updates = {
+              content: {
+                text: contentText,
+                html: contentHtml,
+              },
+              name: object.name?.toString() || "",
+              summary: object.summary?.toString() || "",
+              sensitive: object.sensitive || false,
+            };
+
+            await updateTimelineItem(collections, objectUrl, updates);
+          } catch (error) {
+            console.error("Failed to update timeline item:", error);
+          }
+        }
+        return;
+      }
+
+      // PATH 2: Otherwise, assume profile update — refresh stored follower data
       const actorObj = await update.getActor();
       const actorUrl = actorObj?.id?.href || "";
       if (!actorUrl) return;
@@ -397,180 +578,3 @@ async function logActivity(collections, storeRaw, record, rawJson) {
   );
 }
 
-// Cached ActivityPub channel ObjectId
-let _apChannelId = null;
-
-/**
- * Look up (or auto-create) the ActivityPub channel's ObjectId.
- * Cached after first successful call.
- *
- * The channel is created with `userId: "default"` so it appears in the
- * Microsub reader UI alongside user-created channels.
- *
- * @param {object} collections - MongoDB collections
- * @returns {Promise<import("mongodb").ObjectId|null>}
- */
-async function getApChannelId(collections) {
-  if (_apChannelId) return _apChannelId;
-  if (!collections.microsub_channels) return null;
-
-  let channel = await collections.microsub_channels.findOne({
-    uid: "activitypub",
-  });
-
-  if (!channel) {
-    // Auto-create the channel with the same fields the Microsub plugin uses
-    const maxOrderDoc = await collections.microsub_channels
-      .find({ userId: "default" })
-      .sort({ order: -1 })
-      .limit(1)
-      .toArray();
-    const order = maxOrderDoc.length > 0 ? maxOrderDoc[0].order + 1 : 0;
-
-    const doc = {
-      uid: "activitypub",
-      name: "Fediverse",
-      userId: "default",
-      order,
-      settings: { excludeTypes: [], excludeRegex: null },
-      createdAt: new Date().toISOString(),
-      updatedAt: new Date().toISOString(),
-    };
-    await collections.microsub_channels.insertOne(doc);
-    channel = doc;
-    console.info("[ActivityPub] Auto-created Microsub channel 'Fediverse'");
-  } else if (!channel.userId) {
-    // Fix existing channel missing userId (created by earlier version)
-    await collections.microsub_channels.updateOne(
-      { _id: channel._id },
-      { $set: { userId: "default" } },
-    );
-    console.info("[ActivityPub] Fixed Microsub channel: set userId to 'default'");
-  }
-
-  _apChannelId = channel._id;
-  return _apChannelId;
-}
-
-/**
- * Store a Create activity as a Microsub timeline item if the actor
- * is someone we follow. Skips gracefully if the Microsub plugin
- * isn't loaded or the AP channel doesn't exist yet.
- *
- * @param {object} collections - MongoDB collections
- * @param {object} params
- * @param {string} params.actorUrl - Actor URL
- * @param {string} params.actorName - Actor display name
- * @param {object} params.actorObj - Fedify actor object
- * @param {object} params.object - Fedify Note/Article object
- * @param {string|null} params.inReplyTo - URL this is a reply to (if any)
- */
-async function storeTimelineItem(
-  collections,
-  { actorUrl, actorName, actorObj, object, inReplyTo },
-) {
-  // Skip if Microsub plugin not loaded
-  if (!collections.microsub_items || !collections.microsub_channels) return;
-
-  // Only store posts from accounts we follow
-  const following = await collections.ap_following.findOne({ actorUrl });
-  if (!following) return;
-
-  const channelId = await getApChannelId(collections);
-  if (!channelId) return;
-
-  const objectUrl = object.id?.href || "";
-  if (!objectUrl) return;
-
-  // Extract content
-  const contentHtml = object.content?.toString() || "";
-  const contentText = contentHtml.replace(/<[^>]*>/g, "").trim();
-
-  // Name (usually only on Article, not Note)
-  const name = object.name?.toString() || undefined;
-  const summary = object.summary?.toString() || undefined;
-
-  // Published date — Fedify returns Temporal.Instant
-  let published;
-  if (object.published) {
-    try {
-      published = new Date(Number(object.published.epochMilliseconds));
-    } catch {
-      published = new Date();
-    }
-  }
-
-  // Author avatar
-  let authorPhoto = "";
-  try {
-    if (actorObj.icon) {
-      const iconObj = await actorObj.icon;
-      authorPhoto = iconObj?.url?.href || "";
-    }
-  } catch {
-    /* remote fetch may fail */
-  }
-
-  // Tags / categories
-  const category = [];
-  try {
-    for await (const tag of object.getTags()) {
-      const tagName = tag.name?.toString();
-      if (tagName) category.push(tagName.replace(/^#/, ""));
-    }
-  } catch {
-    /* ignore */
-  }
-
-  // Attachments (photos, videos, audio)
-  const photo = [];
-  const video = [];
-  const audio = [];
-  try {
-    for await (const att of object.getAttachments()) {
-      const mediaType = att.mediaType?.toString() || "";
-      const url = att.url?.href || att.id?.href || "";
-      if (!url) continue;
-      if (mediaType.startsWith("image/")) photo.push(url);
-      else if (mediaType.startsWith("video/")) video.push(url);
-      else if (mediaType.startsWith("audio/")) audio.push(url);
-    }
-  } catch {
-    /* ignore */
-  }
-
-  const item = {
-    channelId,
-    feedId: null,
-    uid: objectUrl,
-    type: "entry",
-    url: objectUrl,
-    name,
-    content: contentHtml ? { text: contentText, html: contentHtml } : undefined,
-    summary,
-    published: published || new Date(),
-    author: {
-      name: actorName,
-      url: actorUrl,
-      photo: authorPhoto,
-    },
-    category,
-    photo,
-    video,
-    audio,
-    inReplyTo: inReplyTo ? [inReplyTo] : [],
-    source: {
-      type: "activitypub",
-      actorUrl,
-    },
-    readBy: [],
-    createdAt: new Date().toISOString(),
-  };
-
-  // Atomic upsert — prevents duplicates without a separate check+insert
-  await collections.microsub_items.updateOne(
-    { channelId, uid: objectUrl },
-    { $setOnInsert: item },
-    { upsert: true },
-  );
-}