@rmdes/indiekit-endpoint-activitypub 2.0.7 → 2.0.9

package/index.js

@@ -59,6 +59,7 @@ import {
 } from "./lib/controllers/featured-tags.js";
 import { resolveController } from "./lib/controllers/resolve.js";
 import { publicProfileController } from "./lib/controllers/public-profile.js";
+import { noteObjectController } from "./lib/controllers/note-object.js";
 import {
   refollowPauseController,
   refollowResumeController,
@@ -161,6 +162,10 @@ export default class ActivityPubEndpoint {
       return self._fedifyMiddleware(req, res, next);
     });
 
+    // Serve stored quick reply Notes as JSON-LD so remote servers can
+    // dereference the Note ID during Create activity verification.
+    router.get("/quick-replies/:id", noteObjectController(self));
+
     // HTML fallback for actor URL — serve a public profile page.
     // Fedify only serves JSON-LD; browsers get 406 and fall through here.
     router.get("/users/:identifier", publicProfileController(self));
@@ -835,6 +840,7 @@ export default class ActivityPubEndpoint {
     Indiekit.addCollection("ap_muted");
     Indiekit.addCollection("ap_blocked");
     Indiekit.addCollection("ap_interactions");
+    Indiekit.addCollection("ap_notes");
 
     // Store collection references (posts resolved lazily)
     const indiekitCollections = Indiekit.collections;
@@ -853,6 +859,7 @@ export default class ActivityPubEndpoint {
       ap_muted: indiekitCollections.get("ap_muted"),
       ap_blocked: indiekitCollections.get("ap_blocked"),
       ap_interactions: indiekitCollections.get("ap_interactions"),
+      ap_notes: indiekitCollections.get("ap_notes"),
       get posts() {
         return indiekitCollections.get("posts");
       },

package/lib/controllers/compose.js

@@ -5,6 +5,7 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { getToken, validateToken } from "../csrf.js";
 import { sanitizeContent } from "../timeline-store.js";
+import { resolveAuthor } from "../resolve-author.js";
 
 /**
  * Fetch syndication targets from the Micropub config endpoint.
@@ -205,33 +206,20 @@ export function submitComposeController(mountPath, plugin) {
         );
         const followersUri = ctx.getFollowersUri(handle);
 
+        const documentLoader = await ctx.getDocumentLoader({
+          identifier: handle,
+        });
+
         // Resolve the original author BEFORE constructing the Note,
         // so we can include them in cc (required for threading/notification)
         let recipient = null;
         if (inReplyTo) {
-          try {
-            const documentLoader = await ctx.getDocumentLoader({
-              identifier: handle,
-            });
-            const remoteObject = await ctx.lookupObject(new URL(inReplyTo), {
-              documentLoader,
-            });
-
-            if (
-              remoteObject &&
-              typeof remoteObject.getAttributedTo === "function"
-            ) {
-              const author = await remoteObject.getAttributedTo({
-                documentLoader,
-              });
-              recipient = Array.isArray(author) ? author[0] : author;
-            }
-          } catch (error) {
-            console.warn(
-              `[ActivityPub] lookupObject failed for ${inReplyTo} (quick reply):`,
-              error.message,
-            );
-          }
+          recipient = await resolveAuthor(
+            inReplyTo,
+            ctx,
+            documentLoader,
+            application?.collections,
+          );
         }
 
         // Build cc list: always include followers, add original author for replies
@@ -258,6 +246,21 @@ export function submitComposeController(mountPath, plugin) {
           ccs: ccList,
         });
 
+        // Store the Note so remote servers can dereference its ID
+        const ap_notes = application?.collections?.get("ap_notes");
+        if (ap_notes) {
+          await ap_notes.insertOne({
+            _id: uuid,
+            noteId,
+            actorUrl: actorUri.href,
+            content: content.trim(),
+            inReplyTo: inReplyTo || null,
+            published: new Date().toISOString(),
+            to: ["https://www.w3.org/ns/activitystreams#Public"],
+            cc: ccList.map((u) => (u instanceof URL ? u.href : u.href || u)),
+          });
+        }
+
         // Send to followers
         await ctx.sendActivity({ identifier: handle }, "followers", create, {
           preferSharedInbox: true,

package/lib/controllers/interactions-boost.js

@@ -4,6 +4,7 @@
  */
 
 import { validateToken } from "../csrf.js";
+import { resolveAuthor } from "../resolve-author.js";
 
 /**
  * POST /admin/reader/boost — send an Announce activity to followers.
@@ -66,40 +67,38 @@ export function boostController(mountPath, plugin) {
         orderingKey: url,
       });
 
-      // Also send to the original post author (signed request for Authorized Fetch)
-      try {
-        const documentLoader = await ctx.getDocumentLoader({
-          identifier: handle,
-        });
-        const remoteObject = await ctx.lookupObject(new URL(url), {
-          documentLoader,
-        });
+      // Also send directly to the original post author
+      const documentLoader = await ctx.getDocumentLoader({
+        identifier: handle,
+      });
+      const { application } = request.app.locals;
+      const recipient = await resolveAuthor(
+        url,
+        ctx,
+        documentLoader,
+        application?.collections,
+      );
 
-        if (
-          remoteObject &&
-          typeof remoteObject.getAttributedTo === "function"
-        ) {
-          const author = await remoteObject.getAttributedTo({ documentLoader });
-          const recipient = Array.isArray(author) ? author[0] : author;
-
-          if (recipient) {
-            await ctx.sendActivity(
-              { identifier: handle },
-              recipient,
-              announce,
-              { orderingKey: url },
-            );
-          }
+      if (recipient) {
+        try {
+          await ctx.sendActivity(
+            { identifier: handle },
+            recipient,
+            announce,
+            { orderingKey: url },
+          );
+          console.info(
+            `[ActivityPub] Sent boost directly to ${recipient.id?.href || "author"}`,
+          );
+        } catch (error) {
+          console.warn(
+            `[ActivityPub] Direct boost delivery to author failed:`,
+            error.message,
+          );
         }
-      } catch (error) {
-        console.warn(
-          `[ActivityPub] lookupObject failed for ${url} (boost):`,
-          error.message,
-        );
       }
 
       // Track the interaction
-      const { application } = request.app.locals;
       const interactions = application?.collections?.get("ap_interactions");
 
       if (interactions) {

package/lib/controllers/interactions-like.js

@@ -4,6 +4,7 @@
  */
 
 import { validateToken } from "../csrf.js";
+import { resolveAuthor } from "../resolve-author.js";
 
 /**
  * POST /admin/reader/like — send a Like activity to the post author.
@@ -43,57 +44,23 @@ export function likeController(mountPath, plugin) {
         { handle, publicationUrl: plugin._publicationUrl },
       );
 
-      // Use authenticated document loader for servers requiring Authorized Fetch
       const documentLoader = await ctx.getDocumentLoader({
         identifier: handle,
       });
 
-      // Resolve author for delivery — try multiple strategies
-      let recipient = null;
-
-      // Strategy 1: Look up remote post via Fedify (signed request)
-      try {
-        const remoteObject = await ctx.lookupObject(new URL(url), {
-          documentLoader,
-        });
-        if (remoteObject && typeof remoteObject.getAttributedTo === "function") {
-          const author = await remoteObject.getAttributedTo({ documentLoader });
-          recipient = Array.isArray(author) ? author[0] : author;
-        }
-      } catch (error) {
-        console.warn(
-          `[ActivityPub] lookupObject failed for ${url}:`,
-          error.message,
-        );
-      }
+      const { application } = request.app.locals;
+      const recipient = await resolveAuthor(
+        url,
+        ctx,
+        documentLoader,
+        application?.collections,
+      );
 
-      // Strategy 2: Use author URL from our timeline (already stored)
-      // Note: Timeline items store both uid (canonical AP URL) and url (display URL).
-      // The card passes the display URL, so we search by both fields.
       if (!recipient) {
-        const { application } = request.app.locals;
-        const ap_timeline = application?.collections?.get("ap_timeline");
-        const timelineItem = ap_timeline
-          ? await ap_timeline.findOne({ $or: [{ uid: url }, { url }] })
-          : null;
-        const authorUrl = timelineItem?.author?.url;
-
-        if (authorUrl) {
-          try {
-            recipient = await ctx.lookupObject(new URL(authorUrl), {
-              documentLoader,
-            });
-          } catch {
-            // Could not resolve author actor either
-          }
-        }
-
-        if (!recipient) {
-          return response.status(404).json({
-            success: false,
-            error: "Could not resolve post author",
-          });
-        }
+        return response.status(404).json({
+          success: false,
+          error: "Could not resolve post author",
+        });
       }
 
       // Generate a unique activity ID
@@ -113,7 +80,6 @@ export function likeController(mountPath, plugin) {
       });
 
       // Track the interaction for undo
-      const { application } = request.app.locals;
       const interactions = application?.collections?.get("ap_interactions");
 
       if (interactions) {
@@ -200,46 +166,16 @@ export function unlikeController(mountPath, plugin) {
         { handle, publicationUrl: plugin._publicationUrl },
       );
 
-      // Use authenticated document loader for servers requiring Authorized Fetch
       const documentLoader = await ctx.getDocumentLoader({
         identifier: handle,
       });
 
-      // Resolve the recipient — try remote first, then timeline fallback
-      let recipient = null;
-
-      try {
-        const remoteObject = await ctx.lookupObject(new URL(url), {
-          documentLoader,
-        });
-        if (remoteObject && typeof remoteObject.getAttributedTo === "function") {
-          const author = await remoteObject.getAttributedTo({ documentLoader });
-          recipient = Array.isArray(author) ? author[0] : author;
-        }
-      } catch (error) {
-        console.warn(
-          `[ActivityPub] lookupObject failed for ${url} (unlike):`,
-          error.message,
-        );
-      }
-
-      if (!recipient) {
-        const ap_timeline = application?.collections?.get("ap_timeline");
-        const timelineItem = ap_timeline
-          ? await ap_timeline.findOne({ $or: [{ uid: url }, { url }] })
-          : null;
-        const authorUrl = timelineItem?.author?.url;
-
-        if (authorUrl) {
-          try {
-            recipient = await ctx.lookupObject(new URL(authorUrl), {
-              documentLoader,
-            });
-          } catch {
-            // Could not resolve — will proceed to cleanup
-          }
-        }
-      }
+      const recipient = await resolveAuthor(
+        url,
+        ctx,
+        documentLoader,
+        application?.collections,
+      );
 
       if (!recipient) {
         // Clean up the local record even if we can't send Undo

package/lib/controllers/note-object.js

@@ -0,0 +1,51 @@
+/**
+ * Public route handler for serving quick reply Notes as ActivityPub JSON-LD.
+ *
+ * Remote servers dereference Note IDs to verify Create activities.
+ * Without this, quick replies are rejected by servers that validate
+ * the Note's ID URL (Mastodon with Authorized Fetch, Bonfire, etc.).
+ */
+
+/**
+ * GET /quick-replies/:id — serve a stored Note as JSON-LD.
+ * @param {object} plugin - ActivityPub plugin instance
+ */
+export function noteObjectController(plugin) {
+  return async (request, response) => {
+    const { id } = request.params;
+
+    const { application } = request.app.locals;
+    const ap_notes = application?.collections?.get("ap_notes");
+
+    if (!ap_notes) {
+      return response.status(404).json({ error: "Not Found" });
+    }
+
+    const note = await ap_notes.findOne({ _id: id });
+
+    if (!note) {
+      return response.status(404).json({ error: "Not Found" });
+    }
+
+    const noteJson = {
+      "@context": "https://www.w3.org/ns/activitystreams",
+      id: note.noteId,
+      type: "Note",
+      attributedTo: note.actorUrl,
+      content: note.content,
+      published: note.published,
+      to: note.to,
+      cc: note.cc,
+    };
+
+    if (note.inReplyTo) {
+      noteJson.inReplyTo = note.inReplyTo;
+    }
+
+    response
+      .status(200)
+      .set("Content-Type", "application/activity+json; charset=utf-8")
+      .set("Cache-Control", "public, max-age=3600")
+      .json(noteJson);
+  };
+}

package/lib/inbox-listeners.js

@@ -340,7 +340,9 @@ export function registerInboxListeners(inboxChain, options) {
 
           await addTimelineItem(collections, timelineItem);
         } catch (error) {
-          console.error("Failed to store boosted timeline item:", error);
+          // Remote object unreachable (timeout, Authorized Fetch, deleted, etc.) — skip
+          const cause = error?.cause?.code || error?.message || "unknown";
+          console.warn(`[AP] Skipped boost from ${actorUrl}: ${cause}`);
         }
       }
     })

package/lib/resolve-author.js

@@ -0,0 +1,156 @@
+/**
+ * Multi-strategy author resolution for interaction delivery.
+ *
+ * Resolves a post URL to the author's Actor object so that Like, Announce,
+ * and other activities can be delivered to the correct inbox.
+ *
+ * Strategies (tried in order):
+ * 1. lookupObject on post URL → getAttributedTo
+ * 2. Timeline/notification DB lookup → lookupObject on stored author URL
+ * 3. Extract author URL from post URL pattern → lookupObject
+ */
+
+/**
+ * Extract a probable author URL from a post URL using common fediverse patterns.
+ *
+ * @param {string} postUrl - The post URL
+ * @returns {string|null} - Author URL or null
+ *
+ * Patterns matched:
+ *   https://instance/users/USERNAME/statuses/ID  → https://instance/users/USERNAME
+ *   https://instance/@USERNAME/ID                → https://instance/users/USERNAME
+ *   https://instance/p/USERNAME/ID               → https://instance/users/USERNAME  (Pixelfed)
+ *   https://instance/notice/ID                   → null (no username in URL)
+ */
+export function extractAuthorUrl(postUrl) {
+  try {
+    const parsed = new URL(postUrl);
+    const path = parsed.pathname;
+
+    // /users/USERNAME/statuses/ID — Mastodon, GoToSocial, Akkoma canonical
+    const usersMatch = path.match(/^\/users\/([^/]+)\//);
+    if (usersMatch) {
+      return `${parsed.origin}/users/${usersMatch[1]}`;
+    }
+
+    // /@USERNAME/ID — Mastodon display URL
+    const atMatch = path.match(/^\/@([^/]+)\/\d/);
+    if (atMatch) {
+      return `${parsed.origin}/users/${atMatch[1]}`;
+    }
+
+    // /p/USERNAME/ID — Pixelfed
+    const pixelfedMatch = path.match(/^\/p\/([^/]+)\/\d/);
+    if (pixelfedMatch) {
+      return `${parsed.origin}/users/${pixelfedMatch[1]}`;
+    }
+
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Resolve the author Actor for a given post URL.
+ *
+ * @param {string} postUrl - The post URL to resolve the author for
+ * @param {object} ctx - Fedify context
+ * @param {object} documentLoader - Authenticated document loader
+ * @param {object} [collections] - Optional MongoDB collections map (application.collections)
+ * @returns {Promise<object|null>} - Fedify Actor object or null
+ */
+export async function resolveAuthor(
+  postUrl,
+  ctx,
+  documentLoader,
+  collections,
+) {
+  // Strategy 1: Look up remote post via Fedify (signed request)
+  try {
+    const remoteObject = await ctx.lookupObject(new URL(postUrl), {
+      documentLoader,
+    });
+    if (remoteObject && typeof remoteObject.getAttributedTo === "function") {
+      const author = await remoteObject.getAttributedTo({ documentLoader });
+      const recipient = Array.isArray(author) ? author[0] : author;
+      if (recipient) {
+        console.info(
+          `[ActivityPub] Resolved author via lookupObject for ${postUrl}`,
+        );
+        return recipient;
+      }
+    }
+  } catch (error) {
+    console.warn(
+      `[ActivityPub] lookupObject failed for ${postUrl}:`,
+      error.message,
+    );
+  }
+
+  // Strategy 2: Use author URL from timeline or notifications
+  if (collections) {
+    const ap_timeline = collections.get("ap_timeline");
+    const ap_notifications = collections.get("ap_notifications");
+
+    // Search timeline by both uid (canonical) and url (display)
+    let authorUrl = null;
+    if (ap_timeline) {
+      const item = await ap_timeline.findOne({
+        $or: [{ uid: postUrl }, { url: postUrl }],
+      });
+      authorUrl = item?.author?.url;
+    }
+
+    // Fall back to notifications if not in timeline
+    if (!authorUrl && ap_notifications) {
+      const notif = await ap_notifications.findOne({
+        $or: [{ objectUrl: postUrl }, { targetUrl: postUrl }],
+      });
+      authorUrl = notif?.actorUrl;
+    }
+
+    if (authorUrl) {
+      try {
+        const actor = await ctx.lookupObject(new URL(authorUrl), {
+          documentLoader,
+        });
+        if (actor) {
+          console.info(
+            `[ActivityPub] Resolved author via DB for ${postUrl} → ${authorUrl}`,
+          );
+          return actor;
+        }
+      } catch (error) {
+        console.warn(
+          `[ActivityPub] lookupObject failed for author ${authorUrl}:`,
+          error.message,
+        );
+      }
+    }
+  }
+
+  // Strategy 3: Extract author URL from post URL pattern
+  const extractedUrl = extractAuthorUrl(postUrl);
+  if (extractedUrl) {
+    try {
+      const actor = await ctx.lookupObject(new URL(extractedUrl), {
+        documentLoader,
+      });
+      if (actor) {
+        console.info(
+          `[ActivityPub] Resolved author via URL pattern for ${postUrl} → ${extractedUrl}`,
+        );
+        return actor;
+      }
+    } catch (error) {
+      console.warn(
+        `[ActivityPub] lookupObject failed for extracted author ${extractedUrl}:`,
+        error.message,
+      );
+    }
+  }
+
+  console.warn(`[ActivityPub] All author resolution strategies failed for ${postUrl}`);
+  return null;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "2.0.7",
+  "version": "2.0.9",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",