@rmdes/indiekit-endpoint-activitypub 2.0.24 → 2.0.26

package/index.js

@@ -60,6 +60,7 @@ import {
 } from "./lib/controllers/featured-tags.js";
 import { resolveController } from "./lib/controllers/resolve.js";
 import { publicProfileController } from "./lib/controllers/public-profile.js";
+import { authorizeInteractionController } from "./lib/controllers/authorize-interaction.js";
 import { myProfileController } from "./lib/controllers/my-profile.js";
 import { noteObjectController } from "./lib/controllers/note-object.js";
 import {
@@ -173,6 +174,10 @@ export default class ActivityPubEndpoint {
     // dereference the Note ID during Create activity verification.
     router.get("/quick-replies/:id", noteObjectController(self));
 
+    // Authorize interaction — remote follow / subscribe endpoint.
+    // Remote servers redirect users here via the WebFinger subscribe template.
+    router.get("/authorize_interaction", authorizeInteractionController(self));
+
     // HTML fallback for actor URL — serve a public profile page.
     // Fedify only serves JSON-LD; browsers get 406 and fall through here.
     router.get("/users/:identifier", publicProfileController(self));

package/lib/controllers/authorize-interaction.js

@@ -0,0 +1,45 @@
+/**
+ * Authorize Interaction controller — handles the remote follow / authorize
+ * interaction flow for ActivityPub federation.
+ *
+ * When a remote server (WordPress AP, Misskey, etc.) discovers our WebFinger
+ * subscribe template, it redirects the user here with ?uri={actorOrPostUrl}.
+ *
+ * Flow:
+ * 1. Missing uri → render error page
+ * 2. Unauthenticated → redirect to login, then back here
+ * 3. Authenticated → redirect to the reader's remote profile page
+ */
+
+export function authorizeInteractionController(plugin) {
+  return async (req, res) => {
+    const uri = req.query.uri || req.query.acct;
+    if (!uri) {
+      return res.status(400).render("activitypub-authorize-interaction", {
+        title: "Authorize Interaction",
+        mountPath: plugin.options.mountPath,
+        error: "Missing uri parameter",
+      });
+    }
+
+    // Clean up acct: prefix if present
+    const resource = uri.replace(/^acct:/, "");
+
+    // Check authentication — if not logged in, redirect to login
+    // then back to this page after auth
+    const session = req.session;
+    if (!session?.access_token) {
+      const returnUrl = `${plugin.options.mountPath}/authorize_interaction?uri=${encodeURIComponent(uri)}`;
+      return res.redirect(
+        `/session/login?redirect=${encodeURIComponent(returnUrl)}`,
+      );
+    }
+
+    // Authenticated — redirect to the remote profile viewer in our reader
+    // which already has follow/unfollow/like/boost functionality
+    const encodedUrl = encodeURIComponent(resource);
+    return res.redirect(
+      `${plugin.options.mountPath}/admin/reader/profile?url=${encodedUrl}`,
+    );
+  };
+}

package/lib/federation-bridge.js

@@ -72,11 +72,11 @@ async function sendFedifyResponse(res, response, request) {
     return;
   }
 
-  // WORKAROUND: Fedify serializes endpoints with "type": "as:Endpoints"
-  // which is not a real ActivityStreams type (fails browser.pub validation).
-  // For actor JSON responses, buffer the body and strip the invalid type.
-  // See: https://github.com/fedify-dev/fedify/issues/576
-  // TODO: Remove this workaround when Fedify fixes the upstream issue.
+  // WORKAROUND: JSON-LD compaction collapses single-element arrays to a
+  // plain object. Mastodon's update_account_fields checks
+  // `attachment.is_a?(Array)` and skips if it's not an array, so
+  // profile links/PropertyValues are silently ignored.
+  // Force `attachment` to always be an array for Mastodon compatibility.
   const contentType = response.headers.get("content-type") || "";
   const isActorJson =
     contentType.includes("activity+json") ||
@@ -86,14 +86,6 @@ async function sendFedifyResponse(res, response, request) {
     const body = await response.text();
     try {
       const json = JSON.parse(body);
-      if (json.endpoints?.type) {
-        delete json.endpoints.type;
-      }
-      // WORKAROUND: Fedify's JSON-LD compaction collapses single-element
-      // arrays to a plain object. Mastodon's update_account_fields checks
-      // `attachment.is_a?(Array)` and skips if it's not an array, so
-      // profile links/PropertyValues are silently ignored.
-      // Force `attachment` to always be an array for Mastodon compatibility.
       if (json.attachment && !Array.isArray(json.attachment)) {
         json.attachment = [json.attachment];
       }

package/lib/federation-setup.js

@@ -262,6 +262,18 @@ export function setupFederation(options) {
     // instance actor's keys for outgoing fetches), which Fedify doesn't yet
     // support out of the box. Re-enable once Fedify adds this capability.
 
+  // --- WebFinger custom links ---
+  // Add OStatus subscribe template so remote servers (WordPress AP, Misskey, etc.)
+  // can redirect users to our authorize_interaction page for remote follow.
+  federation.setWebFingerLinksDispatcher((_ctx, _resource) => {
+    return [
+      {
+        rel: "http://ostatus.org/schema/1.0/subscribe",
+        template: `${publicationUrl}${mountPath.replace(/^\//, "")}/authorize_interaction?uri={uri}`,
+      },
+    ];
+  });
+
   // --- Inbox listeners ---
   const inboxChain = federation.setInboxListeners(
     `${mountPath}/users/{identifier}/inbox`,

package/lib/inbox-listeners.js

@@ -41,9 +41,20 @@ import { fetchAndStorePreviews } from "./og-unfurl.js";
 export function registerInboxListeners(inboxChain, options) {
   const { collections, handle, storeRawActivities } = options;
 
+  /**
+   * Get an authenticated DocumentLoader that signs outbound fetches with
+   * our actor's key. This allows .getActor()/.getObject() to succeed
+   * against Authorized Fetch (Secure Mode) servers like hachyderm.io.
+   *
+   * @param {import("@fedify/fedify").Context} ctx - Fedify context
+   * @returns {Promise<import("@fedify/fedify").DocumentLoader>}
+   */
+  const getAuthLoader = (ctx) => ctx.getDocumentLoader({ identifier: handle });
+
   inboxChain
     .on(Follow, async (ctx, follow) => {
-      const followerActor = await follow.getActor();
+      const authLoader = await getAuthLoader(ctx);
+      const followerActor = await follow.getActor({ documentLoader: authLoader });
       if (!followerActor?.id) return;
 
       const followerUrl = followerActor.id.href;
@@ -90,7 +101,7 @@ export function registerInboxListeners(inboxChain, options) {
       });
 
       // Store notification
-      const followerInfo = await extractActorInfo(followerActor);
+      const followerInfo = await extractActorInfo(followerActor, { documentLoader: authLoader });
       await addNotification(collections, {
         uid: follow.id?.href || `follow:${followerUrl}`,
         type: "follow",
@@ -104,9 +115,10 @@ export function registerInboxListeners(inboxChain, options) {
     })
     .on(Undo, async (ctx, undo) => {
       const actorUrl = undo.actorId?.href || "";
+      const authLoader = await getAuthLoader(ctx);
       let inner;
       try {
-        inner = await undo.getObject();
+        inner = await undo.getObject({ documentLoader: authLoader });
       } catch {
         // Inner activity not dereferenceable — can't determine what was undone
         return;
@@ -150,7 +162,8 @@ export function registerInboxListeners(inboxChain, options) {
       // it to a Person (the Follow's target) rather than the Follow itself.
       // Instead, we match directly against ap_following — if we have a
       // pending follow for this actor, any Accept from them confirms it.
-      const actorObj = await accept.getActor();
+      const authLoader = await getAuthLoader(ctx);
+      const actorObj = await accept.getActor({ documentLoader: authLoader });
       const actorUrl = actorObj?.id?.href || "";
       if (!actorUrl) return;
 
@@ -186,7 +199,8 @@ export function registerInboxListeners(inboxChain, options) {
       }
     })
     .on(Reject, async (ctx, reject) => {
-      const actorObj = await reject.getActor();
+      const authLoader = await getAuthLoader(ctx);
+      const actorObj = await reject.getActor({ documentLoader: authLoader });
       const actorUrl = actorObj?.id?.href || "";
       if (!actorUrl) return;
 
@@ -217,20 +231,19 @@ export function registerInboxListeners(inboxChain, options) {
       }
     })
     .on(Like, async (ctx, like) => {
-      // Use .objectId to get the URL without dereferencing the remote object.
-      // Calling .getObject() would trigger an HTTP fetch to the remote server,
-      // which fails with 404 when the server has Authorized Fetch (Secure Mode)
-      // enabled — causing pointless retries and log spam.
+      // Use .objectId (non-fetching) for the liked URL — we only need the
+      // URL to filter and log, not the full remote object.
       const objectId = like.objectId?.href || "";
 
       // Only log likes of our own content
       const pubUrl = collections._publicationUrl;
       if (!objectId || (pubUrl && !objectId.startsWith(pubUrl))) return;
 
+      const authLoader = await getAuthLoader(ctx);
       const actorUrl = like.actorId?.href || "";
       let actorObj;
       try {
-        actorObj = await like.getActor();
+        actorObj = await like.getActor({ documentLoader: authLoader });
       } catch {
         actorObj = null;
       }
@@ -250,7 +263,7 @@ export function registerInboxListeners(inboxChain, options) {
       });
 
       // Store notification
-      const actorInfo = await extractActorInfo(actorObj);
+      const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
       await addNotification(collections, {
         uid: like.id?.href || `like:${actorUrl}:${objectId}`,
         type: "like",
@@ -268,6 +281,7 @@ export function registerInboxListeners(inboxChain, options) {
       const objectId = announce.objectId?.href || "";
       if (!objectId) return;
 
+      const authLoader = await getAuthLoader(ctx);
       const actorUrl = announce.actorId?.href || "";
       const pubUrl = collections._publicationUrl;
 
@@ -277,7 +291,7 @@ export function registerInboxListeners(inboxChain, options) {
       if (pubUrl && objectId.startsWith(pubUrl)) {
         let actorObj;
         try {
-          actorObj = await announce.getActor();
+          actorObj = await announce.getActor({ documentLoader: authLoader });
         } catch {
           actorObj = null;
         }
@@ -298,7 +312,7 @@ export function registerInboxListeners(inboxChain, options) {
         });
 
         // Create notification
-        const actorInfo = await extractActorInfo(actorObj);
+        const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
         await addNotification(collections, {
           uid: announce.id?.href || `${actorUrl}#boost-${objectId}`,
           type: "boost",
@@ -319,8 +333,8 @@ export function registerInboxListeners(inboxChain, options) {
       const following = await collections.ap_following.findOne({ actorUrl });
       if (following) {
         try {
-          // Fetch the original object being boosted
-          const object = await announce.getObject();
+          // Fetch the original object being boosted (authenticated for Secure Mode servers)
+          const object = await announce.getObject({ documentLoader: authLoader });
           if (!object) return;
 
           // Skip non-content objects (Lemmy/PieFed like/create activities
@@ -329,13 +343,14 @@ export function registerInboxListeners(inboxChain, options) {
           if (!hasContent) return;
 
           // Get booster actor info
-          const boosterActor = await announce.getActor();
-          const boosterInfo = await extractActorInfo(boosterActor);
+          const boosterActor = await announce.getActor({ documentLoader: authLoader });
+          const boosterInfo = await extractActorInfo(boosterActor, { documentLoader: authLoader });
 
           // Extract and store with boost metadata
           const timelineItem = await extractObjectData(object, {
             boostedBy: boosterInfo,
             boostedAt: announce.published ? String(announce.published) : new Date().toISOString(),
+            documentLoader: authLoader,
           });
 
           await addTimelineItem(collections, timelineItem);
@@ -347,11 +362,12 @@ export function registerInboxListeners(inboxChain, options) {
       }
     })
     .on(Create, async (ctx, create) => {
+      const authLoader = await getAuthLoader(ctx);
       let object;
       try {
-        object = await create.getObject();
+        object = await create.getObject({ documentLoader: authLoader });
       } catch {
-        // Remote object not dereferenceable (Authorized Fetch, deleted, etc.)
+        // Remote object not dereferenceable (deleted, etc.)
         return;
       }
       if (!object) return;
@@ -359,7 +375,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = create.actorId?.href || "";
       let actorObj;
       try {
-        actorObj = await create.getActor();
+        actorObj = await create.getActor({ documentLoader: authLoader });
       } catch {
         // Actor not dereferenceable — use URL as fallback
         actorObj = null;
@@ -389,7 +405,7 @@ export function registerInboxListeners(inboxChain, options) {
 
         // Create notification if reply is to one of OUR posts
         if (pubUrl && inReplyTo.startsWith(pubUrl)) {
-          const actorInfo = await extractActorInfo(actorObj);
+          const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
           const rawHtml = object.content?.toString() || "";
           const contentHtml = sanitizeContent(rawHtml);
           const contentText = rawHtml.replace(/<[^>]*>/g, "").substring(0, 200);
@@ -420,7 +436,7 @@ export function registerInboxListeners(inboxChain, options) {
 
         for (const tag of tags) {
           if (tag.type === "Mention" && tag.href?.href === ourActorUrl) {
-            const actorInfo = await extractActorInfo(actorObj);
+            const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
             const rawMentionHtml = object.content?.toString() || "";
             const mentionHtml = sanitizeContent(rawMentionHtml);
             const contentText = rawMentionHtml.replace(/<[^>]*>/g, "").substring(0, 200);
@@ -451,6 +467,7 @@ export function registerInboxListeners(inboxChain, options) {
         try {
           const timelineItem = await extractObjectData(object, {
             actorFallback: actorObj,
+            documentLoader: authLoader,
           });
           await addTimelineItem(collections, timelineItem);
 
@@ -479,9 +496,10 @@ export function registerInboxListeners(inboxChain, options) {
       }
     })
     .on(Move, async (ctx, move) => {
-      const oldActorObj = await move.getActor();
+      const authLoader = await getAuthLoader(ctx);
+      const oldActorObj = await move.getActor({ documentLoader: authLoader });
       const oldActorUrl = oldActorObj?.id?.href || "";
-      const target = await move.getTarget();
+      const target = await move.getTarget({ documentLoader: authLoader });
       const newActorUrl = target?.id?.href || "";
 
       if (oldActorUrl && newActorUrl) {
@@ -501,11 +519,12 @@ export function registerInboxListeners(inboxChain, options) {
     })
     .on(Update, async (ctx, update) => {
       // Update can be for a profile OR for a post (edited content)
+      const authLoader = await getAuthLoader(ctx);
 
       // Try to get the object being updated
       let object;
       try {
-        object = await update.getObject();
+        object = await update.getObject({ documentLoader: authLoader });
       } catch {
         object = null;
       }
@@ -538,7 +557,7 @@ export function registerInboxListeners(inboxChain, options) {
       }
 
       // PATH 2: Otherwise, assume profile update — refresh stored follower data
-      const actorObj = await update.getActor();
+      const actorObj = await update.getActor({ documentLoader: authLoader });
       const actorUrl = actorObj?.id?.href || "";
       if (!actorUrl) return;
 
@@ -564,7 +583,8 @@ export function registerInboxListeners(inboxChain, options) {
     })
     .on(Block, async (ctx, block) => {
       // Remote actor blocked us — remove them from followers
-      const actorObj = await block.getActor();
+      const authLoader = await getAuthLoader(ctx);
+      const actorObj = await block.getActor({ documentLoader: authLoader });
       const actorUrl = actorObj?.id?.href || "";
       if (actorUrl) {
         await collections.ap_followers.deleteOne({ actorUrl });

package/lib/timeline-store.js

@@ -36,9 +36,11 @@ export function sanitizeContent(html) {
 /**
  * Extract actor information from Fedify Person/Application/Service object
  * @param {object} actor - Fedify actor object
+ * @param {object} [options] - Options
+ * @param {object} [options.documentLoader] - Authenticated DocumentLoader for Secure Mode servers
  * @returns {object} { name, url, photo, handle }
  */
-export async function extractActorInfo(actor) {
+export async function extractActorInfo(actor, options = {}) {
   if (!actor) {
     return {
       name: "Unknown",
@@ -54,10 +56,11 @@ export async function extractActorInfo(actor) {
   const url = actor.id?.href || "";
 
   // Extract photo URL from icon (Fedify uses async getters)
+  const loaderOpts = options.documentLoader ? { documentLoader: options.documentLoader } : {};
   let photo = "";
   try {
     if (typeof actor.getIcon === "function") {
-      const iconObj = await actor.getIcon();
+      const iconObj = await actor.getIcon(loaderOpts);
       photo = iconObj?.url?.href || "";
     } else {
       const iconObj = await actor.icon;
@@ -89,6 +92,7 @@ export async function extractActorInfo(actor) {
  * @param {object} [options.boostedBy] - Actor info for boosts
  * @param {Date} [options.boostedAt] - Boost timestamp
  * @param {object} [options.actorFallback] - Fedify actor to use when object.getAttributedTo() fails
+ * @param {object} [options.documentLoader] - Authenticated DocumentLoader for Secure Mode servers
  * @returns {Promise<object>} Timeline item data
  */
 export async function extractObjectData(object, options = {}) {
@@ -130,14 +134,15 @@ export async function extractObjectData(object, options = {}) {
     : new Date().toISOString();
 
   // Extract author — try multiple strategies in order of reliability
+  const loaderOpts = options.documentLoader ? { documentLoader: options.documentLoader } : {};
   let authorObj = null;
   try {
     if (typeof object.getAttributedTo === "function") {
-      const attr = await object.getAttributedTo();
+      const attr = await object.getAttributedTo(loaderOpts);
       authorObj = Array.isArray(attr) ? attr[0] : attr;
     }
   } catch {
-    // getAttributedTo() failed (Authorized Fetch, unreachable, etc.)
+    // getAttributedTo() failed (unreachable, deleted, etc.)
   }
   // If getAttributedTo() returned nothing, use the actor from the wrapping activity
   if (!authorObj && options.actorFallback) {
@@ -150,7 +155,7 @@ export async function extractObjectData(object, options = {}) {
 
   let author;
   if (authorObj) {
-    author = await extractActorInfo(authorObj);
+    author = await extractActorInfo(authorObj, loaderOpts);
   } else {
     // Last resort: use attributionIds (non-fetching) to get at least a URL
     const attrIds = object.attributionIds;
@@ -184,7 +189,7 @@ export async function extractObjectData(object, options = {}) {
   const category = [];
   try {
     if (typeof object.getTags === "function") {
-      const tags = await object.getTags();
+      const tags = await object.getTags(loaderOpts);
       for await (const tag of tags) {
         if (tag.name) {
           const tagName = tag.name.toString().replace(/^#/, "");
@@ -203,7 +208,7 @@ export async function extractObjectData(object, options = {}) {
 
   try {
     if (typeof object.getAttachments === "function") {
-      const attachments = await object.getAttachments();
+      const attachments = await object.getAttachments(loaderOpts);
       for await (const att of attachments) {
         const mediaUrl = att.url?.href || "";
         if (!mediaUrl) continue;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "2.0.24",
+  "version": "2.0.26",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",

package/views/activitypub-authorize-interaction.njk

@@ -0,0 +1,10 @@
+{% extends "document.njk" %}
+
+{% from "prose/macro.njk" import prose with context %}
+
+{% block content %}
+  {% if error %}
+    {{ prose({ text: error }) }}
+  {% endif %}
+  <p><a href="{{ mountPath }}/">Return to dashboard</a></p>
+{% endblock %}