@rmdes/indiekit-endpoint-activitypub 2.0.26 → 2.0.28

package/lib/controllers/api-timeline.js

@@ -0,0 +1,170 @@
+/**
+ * JSON API timeline endpoint — returns pre-rendered HTML cards for infinite scroll AJAX loads.
+ */
+
+import { getTimelineItems } from "../storage/timeline.js";
+import { getToken } from "../csrf.js";
+import {
+  getMutedUrls,
+  getMutedKeywords,
+  getBlockedUrls,
+  getFilterMode,
+} from "../storage/moderation.js";
+
+export function apiTimelineController(mountPath) {
+  return async (request, response, next) => {
+    try {
+      const { application } = request.app.locals;
+      const collections = {
+        ap_timeline: application?.collections?.get("ap_timeline"),
+      };
+
+      // Query parameters
+      const tab = request.query.tab || "notes";
+      const tag = typeof request.query.tag === "string" ? request.query.tag.trim() : "";
+      const before = request.query.before;
+      const limit = 20;
+
+      // Build storage query options (same logic as readerController)
+      const options = { before, limit };
+
+      if (tag) {
+        options.tag = tag;
+      } else {
+        if (tab === "notes") {
+          options.type = "note";
+          options.excludeReplies = true;
+        } else if (tab === "articles") {
+          options.type = "article";
+        } else if (tab === "boosts") {
+          options.type = "boost";
+        }
+      }
+
+      const result = await getTimelineItems(collections, options);
+
+      // Client-side tab filtering for types not supported by storage
+      let items = result.items;
+      if (!tag) {
+        if (tab === "replies") {
+          items = items.filter((item) => item.inReplyTo);
+        } else if (tab === "media") {
+          items = items.filter(
+            (item) =>
+              (item.photo && item.photo.length > 0) ||
+              (item.video && item.video.length > 0) ||
+              (item.audio && item.audio.length > 0)
+          );
+        }
+      }
+
+      // Apply moderation filters
+      const modCollections = {
+        ap_muted: application?.collections?.get("ap_muted"),
+        ap_blocked: application?.collections?.get("ap_blocked"),
+        ap_profile: application?.collections?.get("ap_profile"),
+      };
+      const [mutedUrls, mutedKeywords, blockedUrls, filterMode] =
+        await Promise.all([
+          getMutedUrls(modCollections),
+          getMutedKeywords(modCollections),
+          getBlockedUrls(modCollections),
+          getFilterMode(modCollections),
+        ]);
+      const blockedSet = new Set(blockedUrls);
+      const mutedSet = new Set(mutedUrls);
+
+      if (blockedSet.size > 0 || mutedSet.size > 0 || mutedKeywords.length > 0) {
+        items = items.filter((item) => {
+          if (item.author?.url && blockedSet.has(item.author.url)) {
+            return false;
+          }
+
+          const isMutedActor = item.author?.url && mutedSet.has(item.author.url);
+          let matchedKeyword = null;
+          if (mutedKeywords.length > 0) {
+            const searchable = [item.content?.text, item.name, item.summary]
+              .filter(Boolean)
+              .join(" ")
+              .toLowerCase();
+            if (searchable) {
+              matchedKeyword = mutedKeywords.find((kw) =>
+                searchable.includes(kw.toLowerCase())
+              );
+            }
+          }
+
+          if (isMutedActor || matchedKeyword) {
+            if (filterMode === "warn") {
+              item._moderated = true;
+              item._moderationReason = isMutedActor ? "muted_account" : "muted_keyword";
+              if (matchedKeyword) item._moderationKeyword = matchedKeyword;
+              return true;
+            }
+            return false;
+          }
+
+          return true;
+        });
+      }
+
+      // Get interaction state
+      const interactionsCol = application?.collections?.get("ap_interactions");
+      const interactionMap = {};
+
+      if (interactionsCol) {
+        const lookupUrls = new Set();
+        const objectUrlToUid = new Map();
+        for (const item of items) {
+          const uid = item.uid;
+          const displayUrl = item.url || item.originalUrl;
+          if (uid) { lookupUrls.add(uid); objectUrlToUid.set(uid, uid); }
+          if (displayUrl) { lookupUrls.add(displayUrl); objectUrlToUid.set(displayUrl, uid || displayUrl); }
+        }
+        if (lookupUrls.size > 0) {
+          const interactions = await interactionsCol
+            .find({ objectUrl: { $in: [...lookupUrls] } })
+            .toArray();
+          for (const interaction of interactions) {
+            const key = objectUrlToUid.get(interaction.objectUrl) || interaction.objectUrl;
+            if (!interactionMap[key]) interactionMap[key] = {};
+            interactionMap[key][interaction.type] = true;
+          }
+        }
+      }
+
+      const csrfToken = getToken(request.session);
+
+      // Render each card server-side using the same Nunjucks template
+      // Merge response.locals so that i18n (__), mountPath, etc. are available
+      const templateData = {
+        ...response.locals,
+        mountPath,
+        csrfToken,
+        interactionMap,
+      };
+
+      const htmlParts = await Promise.all(
+        items.map((item) => {
+          return new Promise((resolve, reject) => {
+            request.app.render(
+              "partials/ap-item-card.njk",
+              { ...templateData, item },
+              (err, html) => {
+                if (err) reject(err);
+                else resolve(html);
+              }
+            );
+          });
+        })
+      );
+
+      response.json({
+        html: htmlParts.join(""),
+        before: result.before,
+      });
+    } catch (error) {
+      next(error);
+    }
+  };
+}

package/lib/controllers/explore.js

@@ -0,0 +1,293 @@
+/**
+ * Explore controller — browse public timelines from remote Mastodon-compatible instances.
+ *
+ * All remote API calls are server-side (no CORS issues).
+ * Remote HTML is always passed through sanitizeContent() before storage.
+ */
+
+import sanitizeHtml from "sanitize-html";
+import { sanitizeContent } from "../timeline-store.js";
+
+const FETCH_TIMEOUT_MS = 10_000;
+const MAX_RESULTS = 20;
+
+/**
+ * Validate the instance parameter to prevent SSRF.
+ * Only allows hostnames — no IPs, no localhost, no port numbers for exotic attacks.
+ * @param {string} instance - Raw instance parameter from query string
+ * @returns {string|null} Validated hostname or null
+ */
+function validateInstance(instance) {
+  if (!instance || typeof instance !== "string") return null;
+
+  try {
+    // Prepend https:// to parse as URL
+    const url = new URL(`https://${instance.trim()}`);
+
+    // Must be a plain hostname — no IP addresses, no localhost
+    const hostname = url.hostname;
+    if (
+      hostname === "localhost" ||
+      hostname === "127.0.0.1" ||
+      hostname === "0.0.0.0" ||
+      hostname === "::1" ||
+      hostname.startsWith("192.168.") ||
+      hostname.startsWith("10.") ||
+      hostname.startsWith("169.254.") ||
+      /^172\.(1[6-9]|2\d|3[01])\./.test(hostname) ||
+      /^[0-9]{1,3}(\.[0-9]{1,3}){3}$/.test(hostname) || // IPv4
+      hostname.includes("[") // IPv6
+    ) {
+      return null;
+    }
+
+    // Only allow the hostname (no path, no port override)
+    return hostname;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Map a Mastodon API status object to our timeline item format.
+ * @param {object} status - Mastodon API status
+ * @param {string} instance - Instance hostname (for handle construction)
+ * @returns {object} Timeline item compatible with ap-item-card.njk
+ */
+function mapMastodonStatusToItem(status, instance) {
+  const account = status.account || {};
+  const acct = account.acct || "";
+  // Mastodon acct is "user" for local, "user@remote" for remote
+  const handle = acct.includes("@") ? `@${acct}` : `@${acct}@${instance}`;
+
+  // Map mentions — store without leading @ (template prepends it)
+  const mentions = (status.mentions || []).map((m) => ({
+    name: m.acct.includes("@") ? m.acct : `${m.acct}@${instance}`,
+    url: m.url || "",
+  }));
+
+  // Map hashtags
+  const category = (status.tags || []).map((t) => t.name || "");
+
+  // Map media attachments
+  const photo = [];
+  const video = [];
+  const audio = [];
+  for (const att of status.media_attachments || []) {
+    const url = att.url || att.remote_url || "";
+    if (!url) continue;
+    if (att.type === "image" || att.type === "gifv") {
+      photo.push(url);
+    } else if (att.type === "video") {
+      video.push(url);
+    } else if (att.type === "audio") {
+      audio.push(url);
+    }
+  }
+
+  return {
+    uid: status.url || status.uri || "",
+    url: status.url || status.uri || "",
+    type: "note",
+    name: "",
+    content: {
+      text: (status.content || "").replace(/<[^>]*>/g, ""),
+      html: sanitizeContent(status.content || ""),
+    },
+    summary: status.spoiler_text || "",
+    sensitive: status.sensitive || false,
+    published: status.created_at || new Date().toISOString(),
+    author: {
+      name: sanitizeHtml(account.display_name || account.username || "Unknown", { allowedTags: [], allowedAttributes: {} }),
+      url: account.url || "",
+      photo: account.avatar || account.avatar_static || "",
+      handle,
+    },
+    category,
+    mentions,
+    photo,
+    video,
+    audio,
+    inReplyTo: status.in_reply_to_id ? `https://${instance}/web/statuses/${status.in_reply_to_id}` : "",
+    createdAt: new Date().toISOString(),
+    // Explore-specific: track source instance
+    _explore: true,
+  };
+}
+
+export function exploreController(mountPath) {
+  return async (request, response, next) => {
+    try {
+      const rawInstance = request.query.instance || "";
+      const scope = request.query.scope === "federated" ? "federated" : "local";
+      const maxId = request.query.max_id || "";
+
+      // No instance specified — render clean initial page (no error)
+      if (!rawInstance.trim()) {
+        return response.render("activitypub-explore", {
+          title: response.locals.__("activitypub.reader.explore.title"),
+          instance: "",
+          scope,
+          items: [],
+          maxId: null,
+          error: null,
+          mountPath,
+        });
+      }
+
+      const instance = validateInstance(rawInstance);
+      if (!instance) {
+        return response.render("activitypub-explore", {
+          title: response.locals.__("activitypub.reader.explore.title"),
+          instance: rawInstance,
+          scope,
+          items: [],
+          maxId: null,
+          error: response.locals.__("activitypub.reader.explore.invalidInstance"),
+          mountPath,
+        });
+      }
+
+      // Fetch public timeline from remote instance
+      const isLocal = scope === "local";
+      const apiUrl = new URL(`https://${instance}/api/v1/timelines/public`);
+      apiUrl.searchParams.set("local", isLocal ? "true" : "false");
+      apiUrl.searchParams.set("limit", String(MAX_RESULTS));
+      if (maxId) apiUrl.searchParams.set("max_id", maxId);
+
+      let items = [];
+      let nextMaxId = null;
+      let error = null;
+
+      try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+
+        const fetchRes = await fetch(apiUrl.toString(), {
+          headers: { Accept: "application/json" },
+          signal: controller.signal,
+        });
+        clearTimeout(timeoutId);
+
+        if (!fetchRes.ok) {
+          throw new Error(`Remote instance returned HTTP ${fetchRes.status}`);
+        }
+
+        const statuses = await fetchRes.json();
+
+        if (!Array.isArray(statuses)) {
+          throw new Error("Unexpected API response format");
+        }
+
+        items = statuses.map((s) => mapMastodonStatusToItem(s, instance));
+
+        // Get next max_id from last item for pagination
+        if (statuses.length === MAX_RESULTS && statuses.length > 0) {
+          const last = statuses[statuses.length - 1];
+          nextMaxId = last.id || null;
+        }
+      } catch (fetchError) {
+        const msg = fetchError.name === "AbortError"
+          ? response.locals.__("activitypub.reader.explore.timeout")
+          : response.locals.__("activitypub.reader.explore.loadError");
+        error = msg;
+      }
+
+      response.render("activitypub-explore", {
+        title: response.locals.__("activitypub.reader.explore.title"),
+        instance,
+        scope,
+        items,
+        maxId: nextMaxId,
+        error,
+        mountPath,
+        // Pass empty interactionMap — explore posts are not in our DB
+        interactionMap: {},
+        csrfToken: "",
+      });
+    } catch (error) {
+      next(error);
+    }
+  };
+}
+
+/**
+ * AJAX API endpoint for explore page infinite scroll.
+ * Returns JSON { html, maxId }.
+ */
+export function exploreApiController(mountPath) {
+  return async (request, response, next) => {
+    try {
+      const rawInstance = request.query.instance || "";
+      const scope = request.query.scope === "federated" ? "federated" : "local";
+      const maxId = request.query.max_id || "";
+
+      const instance = validateInstance(rawInstance);
+      if (!instance) {
+        return response.status(400).json({ error: "Invalid instance" });
+      }
+
+      const isLocal = scope === "local";
+      const apiUrl = new URL(`https://${instance}/api/v1/timelines/public`);
+      apiUrl.searchParams.set("local", isLocal ? "true" : "false");
+      apiUrl.searchParams.set("limit", String(MAX_RESULTS));
+      if (maxId) apiUrl.searchParams.set("max_id", maxId);
+
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+
+      const fetchRes = await fetch(apiUrl.toString(), {
+        headers: { Accept: "application/json" },
+        signal: controller.signal,
+      });
+      clearTimeout(timeoutId);
+
+      if (!fetchRes.ok) {
+        return response.status(502).json({ error: `Remote returned ${fetchRes.status}` });
+      }
+
+      const statuses = await fetchRes.json();
+      if (!Array.isArray(statuses)) {
+        return response.status(502).json({ error: "Unexpected API response" });
+      }
+
+      const items = statuses.map((s) => mapMastodonStatusToItem(s, instance));
+
+      let nextMaxId = null;
+      if (statuses.length === MAX_RESULTS && statuses.length > 0) {
+        const last = statuses[statuses.length - 1];
+        nextMaxId = last.id || null;
+      }
+
+      // Render each card server-side
+      const templateData = {
+        ...response.locals,
+        mountPath,
+        csrfToken: "",
+        interactionMap: {},
+      };
+
+      const htmlParts = await Promise.all(
+        items.map((item) => {
+          return new Promise((resolve, reject) => {
+            request.app.render(
+              "partials/ap-item-card.njk",
+              { ...templateData, item },
+              (err, html) => {
+                if (err) reject(err);
+                else resolve(html);
+              }
+            );
+          });
+        })
+      );
+
+      response.json({
+        html: htmlParts.join(""),
+        maxId: nextMaxId,
+      });
+    } catch (error) {
+      next(error);
+    }
+  };
+}

package/lib/controllers/follow-tag.js

@@ -0,0 +1,62 @@
+/**
+ * Hashtag follow/unfollow controllers
+ */
+
+import { validateToken } from "../csrf.js";
+import { followTag, unfollowTag } from "../storage/followed-tags.js";
+
+export function followTagController(mountPath) {
+  return async (request, response, next) => {
+    try {
+      const { application } = request.app.locals;
+
+      // CSRF validation
+      if (!validateToken(request)) {
+        return response.status(403).json({ error: "Invalid CSRF token" });
+      }
+
+      const tag = typeof request.body.tag === "string" ? request.body.tag.trim() : "";
+      if (!tag) {
+        return response.redirect(`${mountPath}/admin/reader`);
+      }
+
+      const collections = {
+        ap_followed_tags: application?.collections?.get("ap_followed_tags"),
+      };
+
+      await followTag(collections, tag);
+
+      return response.redirect(`${mountPath}/admin/reader/tag?tag=${encodeURIComponent(tag)}`);
+    } catch (error) {
+      next(error);
+    }
+  };
+}
+
+export function unfollowTagController(mountPath) {
+  return async (request, response, next) => {
+    try {
+      const { application } = request.app.locals;
+
+      // CSRF validation
+      if (!validateToken(request)) {
+        return response.status(403).json({ error: "Invalid CSRF token" });
+      }
+
+      const tag = typeof request.body.tag === "string" ? request.body.tag.trim() : "";
+      if (!tag) {
+        return response.redirect(`${mountPath}/admin/reader`);
+      }
+
+      const collections = {
+        ap_followed_tags: application?.collections?.get("ap_followed_tags"),
+      };
+
+      await unfollowTag(collections, tag);
+
+      return response.redirect(`${mountPath}/admin/reader/tag?tag=${encodeURIComponent(tag)}`);
+    } catch (error) {
+      next(error);
+    }
+  };
+}

package/lib/controllers/reader.js

@@ -18,6 +18,7 @@ import {
   getBlockedUrls,
   getFilterMode,
 } from "../storage/moderation.js";
+import { getFollowedTags } from "../storage/followed-tags.js";
 
 // Re-export controllers from split modules for backward compatibility
 export {
@@ -38,6 +39,7 @@ export function readerController(mountPath) {
       const collections = {
         ap_timeline: application?.collections?.get("ap_timeline"),
         ap_notifications: application?.collections?.get("ap_notifications"),
+        ap_followed_tags: application?.collections?.get("ap_followed_tags"),
       };
 
       // Query parameters
@@ -191,6 +193,14 @@ export function readerController(mountPath) {
       // CSRF token for interaction forms
       const csrfToken = getToken(request.session);
 
+      // Followed tags for sidebar
+      let followedTags = [];
+      try {
+        followedTags = await getFollowedTags(collections);
+      } catch {
+        // Non-critical — collection may not exist yet
+      }
+
       response.render("activitypub-reader", {
         title: response.locals.__("activitypub.reader.title"),
         items,
@@ -201,6 +211,7 @@ export function readerController(mountPath) {
         interactionMap,
         csrfToken,
         mountPath,
+        followedTags,
       });
     } catch (error) {
       next(error);