@rmdes/indiekit-endpoint-activitypub 2.15.4 → 3.2.0

package/lib/mastodon/routes/oauth.js

@@ -0,0 +1,545 @@
+/**
+ * OAuth2 routes for Mastodon Client API.
+ *
+ * Handles app registration, authorization, token exchange, and revocation.
+ */
+import crypto from "node:crypto";
+import express from "express";
+
+const router = express.Router(); // eslint-disable-line new-cap
+
+/**
+ * Generate cryptographically random hex string.
+ * @param {number} bytes - Number of random bytes
+ * @returns {string} Hex-encoded random string
+ */
+function randomHex(bytes) {
+  return crypto.randomBytes(bytes).toString("hex");
+}
+
+/**
+ * Parse redirect_uris from request — accepts space-separated string or array.
+ * @param {string|string[]} value
+ * @returns {string[]}
+ */
+function parseRedirectUris(value) {
+  if (!value) return ["urn:ietf:wg:oauth:2.0:oob"];
+  if (Array.isArray(value)) return value.map((v) => v.trim());
+  return value
+    .trim()
+    .split(/\s+/)
+    .filter(Boolean);
+}
+
+/**
+ * Parse scopes from request — accepts space-separated string.
+ * @param {string} value
+ * @returns {string[]}
+ */
+function parseScopes(value) {
+  if (!value) return ["read"];
+  return value
+    .trim()
+    .split(/\s+/)
+    .filter(Boolean);
+}
+
+// ─── POST /api/v1/apps — Register client application ────────────────────────
+
+router.post("/api/v1/apps", async (req, res, next) => {
+  try {
+    const { client_name, redirect_uris, scopes, website } = req.body;
+
+    const clientId = randomHex(16);
+    const clientSecret = randomHex(32);
+    const redirectUris = parseRedirectUris(redirect_uris);
+    const parsedScopes = parseScopes(scopes);
+
+    const doc = {
+      clientId,
+      clientSecret,
+      name: client_name || "",
+      redirectUris,
+      scopes: parsedScopes,
+      website: website || null,
+      confidential: true,
+      createdAt: new Date(),
+    };
+
+    const collections = req.app.locals.mastodonCollections;
+    await collections.ap_oauth_apps.insertOne(doc);
+
+    res.json({
+      id: doc._id?.toString() || clientId,
+      name: doc.name,
+      website: doc.website,
+      redirect_uris: redirectUris,
+      redirect_uri: redirectUris.join(" "),
+      client_id: clientId,
+      client_secret: clientSecret,
+      client_secret_expires_at: 0,
+      vapid_key: "",
+    });
+  } catch (error) {
+    next(error);
+  }
+});
+
+// ─── GET /api/v1/apps/verify_credentials ─────────────────────────────────────
+
+router.get("/api/v1/apps/verify_credentials", async (req, res, next) => {
+  try {
+    const token = req.mastodonToken;
+    if (!token) {
+      return res.status(401).json({ error: "The access token is invalid" });
+    }
+
+    const collections = req.app.locals.mastodonCollections;
+    const app = await collections.ap_oauth_apps.findOne({
+      clientId: token.clientId,
+    });
+
+    if (!app) {
+      return res.status(404).json({ error: "Application not found" });
+    }
+
+    res.json({
+      id: app._id.toString(),
+      name: app.name,
+      website: app.website,
+      scopes: app.scopes,
+      redirect_uris: app.redirectUris,
+      redirect_uri: app.redirectUris.join(" "),
+    });
+  } catch (error) {
+    next(error);
+  }
+});
+
+// ─── GET /.well-known/oauth-authorization-server ─────────────────────────────
+
+router.get("/.well-known/oauth-authorization-server", (req, res) => {
+  const baseUrl = `${req.protocol}://${req.get("host")}`;
+
+  res.json({
+    issuer: baseUrl,
+    authorization_endpoint: `${baseUrl}/oauth/authorize`,
+    token_endpoint: `${baseUrl}/oauth/token`,
+    revocation_endpoint: `${baseUrl}/oauth/revoke`,
+    scopes_supported: [
+      "read",
+      "write",
+      "follow",
+      "push",
+      "profile",
+      "read:accounts",
+      "read:blocks",
+      "read:bookmarks",
+      "read:favourites",
+      "read:filters",
+      "read:follows",
+      "read:lists",
+      "read:mutes",
+      "read:notifications",
+      "read:search",
+      "read:statuses",
+      "write:accounts",
+      "write:blocks",
+      "write:bookmarks",
+      "write:conversations",
+      "write:favourites",
+      "write:filters",
+      "write:follows",
+      "write:lists",
+      "write:media",
+      "write:mutes",
+      "write:notifications",
+      "write:reports",
+      "write:statuses",
+    ],
+    response_types_supported: ["code"],
+    grant_types_supported: ["authorization_code", "client_credentials"],
+    token_endpoint_auth_methods_supported: [
+      "client_secret_basic",
+      "client_secret_post",
+      "none",
+    ],
+    code_challenge_methods_supported: ["S256"],
+    service_documentation: "https://docs.joinmastodon.org/api/",
+    app_registration_endpoint: `${baseUrl}/api/v1/apps`,
+  });
+});
+
+// ─── GET /oauth/authorize — Show authorization page ──────────────────────────
+
+router.get("/oauth/authorize", async (req, res, next) => {
+  try {
+    const {
+      client_id,
+      redirect_uri,
+      response_type,
+      scope,
+      code_challenge,
+      code_challenge_method,
+      force_login,
+    } = req.query;
+
+    if (response_type !== "code") {
+      return res.status(400).json({
+        error: "unsupported_response_type",
+        error_description: "Only response_type=code is supported",
+      });
+    }
+
+    const collections = req.app.locals.mastodonCollections;
+    const app = await collections.ap_oauth_apps.findOne({ clientId: client_id });
+
+    if (!app) {
+      return res.status(400).json({
+        error: "invalid_client",
+        error_description: "Client application not found",
+      });
+    }
+
+    // Determine redirect URI — use provided or default to first registered
+    const resolvedRedirectUri =
+      redirect_uri || app.redirectUris[0] || "urn:ietf:wg:oauth:2.0:oob";
+
+    // Validate redirect_uri is registered
+    if (!app.redirectUris.includes(resolvedRedirectUri)) {
+      return res.status(400).json({
+        error: "invalid_redirect_uri",
+        error_description: "Redirect URI not registered for this application",
+      });
+    }
+
+    // Validate requested scopes are subset of app scopes
+    const requestedScopes = scope ? scope.split(/\s+/) : app.scopes;
+
+    // Check if user is logged in via IndieAuth session
+    const session = req.session;
+    if (!session?.access_token && !force_login) {
+      // Not logged in — redirect to Indiekit login, then back here
+      const returnUrl = `${req.protocol}://${req.get("host")}${req.originalUrl}`;
+      return res.redirect(
+        `/auth?redirect=${encodeURIComponent(returnUrl)}`,
+      );
+    }
+
+    // Render simple authorization page
+    const appName = app.name || "An application";
+    res.type("html").send(`<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Authorize ${appName}</title>
+  <style>
+    body { font-family: system-ui, sans-serif; max-width: 480px; margin: 2rem auto; padding: 0 1rem; }
+    h1 { font-size: 1.4rem; }
+    .scopes { background: #f5f5f5; padding: 0.75rem 1rem; border-radius: 6px; margin: 1rem 0; }
+    .scopes code { display: block; margin: 0.25rem 0; }
+    .actions { display: flex; gap: 0.75rem; margin-top: 1.5rem; }
+    button { padding: 0.6rem 1.5rem; border-radius: 6px; font-size: 1rem; cursor: pointer; border: 1px solid #ccc; }
+    .approve { background: #2b90d9; color: white; border-color: #2b90d9; }
+    .deny { background: white; }
+  </style>
+</head>
+<body>
+  <h1>Authorize ${appName}</h1>
+  <p>${appName} wants to access your account with these permissions:</p>
+  <div class="scopes">
+    ${requestedScopes.map((s) => `<code>${s}</code>`).join("")}
+  </div>
+  <form method="POST" action="/oauth/authorize">
+    <input type="hidden" name="client_id" value="${client_id}">
+    <input type="hidden" name="redirect_uri" value="${resolvedRedirectUri}">
+    <input type="hidden" name="scope" value="${requestedScopes.join(" ")}">
+    <input type="hidden" name="code_challenge" value="${code_challenge || ""}">
+    <input type="hidden" name="code_challenge_method" value="${code_challenge_method || ""}">
+    <input type="hidden" name="response_type" value="code">
+    <div class="actions">
+      <button type="submit" name="decision" value="approve" class="approve">Authorize</button>
+      <button type="submit" name="decision" value="deny" class="deny">Deny</button>
+    </div>
+  </form>
+</body>
+</html>`);
+  } catch (error) {
+    next(error);
+  }
+});
+
+// ─── POST /oauth/authorize — Process authorization decision ──────────────────
+
+router.post("/oauth/authorize", async (req, res, next) => {
+  try {
+    const {
+      client_id,
+      redirect_uri,
+      scope,
+      code_challenge,
+      code_challenge_method,
+      decision,
+    } = req.body;
+
+    // User denied
+    if (decision === "deny") {
+      if (redirect_uri && redirect_uri !== "urn:ietf:wg:oauth:2.0:oob") {
+        const url = new URL(redirect_uri);
+        url.searchParams.set("error", "access_denied");
+        url.searchParams.set(
+          "error_description",
+          "The resource owner denied the request",
+        );
+        return res.redirect(url.toString());
+      }
+      return res.status(403).json({
+        error: "access_denied",
+        error_description: "The resource owner denied the request",
+      });
+    }
+
+    // Generate authorization code
+    const code = randomHex(32);
+    const collections = req.app.locals.mastodonCollections;
+
+    await collections.ap_oauth_tokens.insertOne({
+      code,
+      clientId: client_id,
+      scopes: scope ? scope.split(/\s+/) : ["read"],
+      redirectUri: redirect_uri,
+      codeChallenge: code_challenge || null,
+      codeChallengeMethod: code_challenge_method || null,
+      accessToken: null,
+      createdAt: new Date(),
+      expiresAt: new Date(Date.now() + 10 * 60 * 1000), // 10 minutes
+      usedAt: null,
+      revokedAt: null,
+    });
+
+    // Out-of-band: show code on page
+    if (!redirect_uri || redirect_uri === "urn:ietf:wg:oauth:2.0:oob") {
+      return res.type("html").send(`<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Authorization Code</title>
+  <style>
+    body { font-family: system-ui, sans-serif; max-width: 480px; margin: 2rem auto; padding: 0 1rem; }
+    code { display: block; background: #f5f5f5; padding: 1rem; border-radius: 6px; word-break: break-all; margin: 1rem 0; }
+  </style>
+</head>
+<body>
+  <h1>Authorization Code</h1>
+  <p>Copy this code and paste it into the application:</p>
+  <code>${code}</code>
+</body>
+</html>`);
+    }
+
+    // Redirect with code
+    const url = new URL(redirect_uri);
+    url.searchParams.set("code", code);
+    res.redirect(url.toString());
+  } catch (error) {
+    next(error);
+  }
+});
+
+// ─── POST /oauth/token — Exchange code for access token ──────────────────────
+
+router.post("/oauth/token", async (req, res, next) => {
+  try {
+    const { grant_type, code, redirect_uri, code_verifier } = req.body;
+
+    // Extract client credentials from request (3 methods)
+    const { clientId, clientSecret } = extractClientCredentials(req);
+
+    const collections = req.app.locals.mastodonCollections;
+
+    if (grant_type === "client_credentials") {
+      // Client credentials grant — limited access for pre-login API calls
+      if (!clientId || !clientSecret) {
+        return res.status(401).json({
+          error: "invalid_client",
+          error_description: "Client authentication required",
+        });
+      }
+
+      const app = await collections.ap_oauth_apps.findOne({
+        clientId,
+        clientSecret,
+        confidential: true,
+      });
+
+      if (!app) {
+        return res.status(401).json({
+          error: "invalid_client",
+          error_description: "Invalid client credentials",
+        });
+      }
+
+      const accessToken = randomHex(64);
+      await collections.ap_oauth_tokens.insertOne({
+        code: null,
+        clientId,
+        scopes: ["read"],
+        redirectUri: null,
+        codeChallenge: null,
+        codeChallengeMethod: null,
+        accessToken,
+        createdAt: new Date(),
+        expiresAt: null,
+        usedAt: null,
+        revokedAt: null,
+        grantType: "client_credentials",
+      });
+
+      return res.json({
+        access_token: accessToken,
+        token_type: "Bearer",
+        scope: "read",
+        created_at: Math.floor(Date.now() / 1000),
+      });
+    }
+
+    if (grant_type !== "authorization_code") {
+      return res.status(400).json({
+        error: "unsupported_grant_type",
+        error_description: "Only authorization_code and client_credentials are supported",
+      });
+    }
+
+    if (!code) {
+      return res.status(400).json({
+        error: "invalid_request",
+        error_description: "Missing authorization code",
+      });
+    }
+
+    // Atomic claim-or-fail: find the code and mark it used in one operation
+    const grant = await collections.ap_oauth_tokens.findOneAndUpdate(
+      {
+        code,
+        usedAt: null,
+        revokedAt: null,
+        expiresAt: { $gt: new Date() },
+      },
+      { $set: { usedAt: new Date() } },
+      { returnDocument: "before" },
+    );
+
+    if (!grant) {
+      return res.status(400).json({
+        error: "invalid_grant",
+        error_description:
+          "Authorization code is invalid, expired, or already used",
+      });
+    }
+
+    // Validate redirect_uri matches
+    if (redirect_uri && grant.redirectUri && redirect_uri !== grant.redirectUri) {
+      return res.status(400).json({
+        error: "invalid_grant",
+        error_description: "Redirect URI mismatch",
+      });
+    }
+
+    // Verify PKCE code_verifier if code_challenge was stored
+    if (grant.codeChallenge) {
+      if (!code_verifier) {
+        return res.status(400).json({
+          error: "invalid_grant",
+          error_description: "Missing code_verifier for PKCE",
+        });
+      }
+
+      const expectedChallenge = crypto
+        .createHash("sha256")
+        .update(code_verifier)
+        .digest("base64url");
+
+      if (expectedChallenge !== grant.codeChallenge) {
+        return res.status(400).json({
+          error: "invalid_grant",
+          error_description: "Invalid code_verifier",
+        });
+      }
+    }
+
+    // Generate access token
+    const accessToken = randomHex(64);
+    await collections.ap_oauth_tokens.updateOne(
+      { _id: grant._id },
+      { $set: { accessToken } },
+    );
+
+    res.json({
+      access_token: accessToken,
+      token_type: "Bearer",
+      scope: grant.scopes.join(" "),
+      created_at: Math.floor(grant.createdAt.getTime() / 1000),
+    });
+  } catch (error) {
+    next(error);
+  }
+});
+
+// ─── POST /oauth/revoke — Revoke a token ────────────────────────────────────
+
+router.post("/oauth/revoke", async (req, res, next) => {
+  try {
+    const { token } = req.body;
+
+    if (!token) {
+      return res.status(400).json({
+        error: "invalid_request",
+        error_description: "Missing token parameter",
+      });
+    }
+
+    const collections = req.app.locals.mastodonCollections;
+    await collections.ap_oauth_tokens.updateOne(
+      { accessToken: token },
+      { $set: { revokedAt: new Date() } },
+    );
+
+    // RFC 7009: always return 200 even if token wasn't found
+    res.json({});
+  } catch (error) {
+    next(error);
+  }
+});
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+/**
+ * Extract client credentials from request using 3 methods:
+ * 1. HTTP Basic Auth (client_secret_basic)
+ * 2. POST body (client_secret_post)
+ * 3. client_id only (none — public clients)
+ */
+function extractClientCredentials(req) {
+  // Method 1: HTTP Basic Auth
+  const authHeader = req.get("authorization");
+  if (authHeader?.startsWith("Basic ")) {
+    const decoded = Buffer.from(authHeader.slice(6), "base64").toString();
+    const colonIndex = decoded.indexOf(":");
+    if (colonIndex > 0) {
+      return {
+        clientId: decoded.slice(0, colonIndex),
+        clientSecret: decoded.slice(colonIndex + 1),
+      };
+    }
+  }
+
+  // Method 2 & 3: POST body
+  return {
+    clientId: req.body.client_id || null,
+    clientSecret: req.body.client_secret || null,
+  };
+}
+
+export default router;

package/lib/mastodon/routes/search.js

@@ -0,0 +1,146 @@
+/**
+ * Search endpoint for Mastodon Client API.
+ *
+ * GET /api/v2/search — search accounts, statuses, and hashtags
+ */
+import express from "express";
+import { serializeStatus } from "../entities/status.js";
+import { serializeAccount } from "../entities/account.js";
+import { parseLimit } from "../helpers/pagination.js";
+
+const router = express.Router(); // eslint-disable-line new-cap
+
+// ─── GET /api/v2/search ─────────────────────────────────────────────────────
+
+router.get("/api/v2/search", async (req, res, next) => {
+  try {
+    const collections = req.app.locals.mastodonCollections;
+    const baseUrl = `${req.protocol}://${req.get("host")}`;
+    const query = (req.query.q || "").trim();
+    const type = req.query.type; // "accounts", "statuses", "hashtags", or undefined (all)
+    const limit = parseLimit(req.query.limit);
+    const offset = Math.max(0, Number.parseInt(req.query.offset, 10) || 0);
+
+    if (!query) {
+      return res.json({ accounts: [], statuses: [], hashtags: [] });
+    }
+
+    const results = { accounts: [], statuses: [], hashtags: [] };
+
+    // ─── Account search ──────────────────────────────────────────────────
+    if (!type || type === "accounts") {
+      const escapedQuery = query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      const nameRegex = new RegExp(escapedQuery, "i");
+
+      // Search followers and following by display name or handle
+      const accountDocs = [];
+
+      if (collections.ap_followers) {
+        const followers = await collections.ap_followers
+          .find({
+            $or: [
+              { name: nameRegex },
+              { preferredUsername: nameRegex },
+              { url: nameRegex },
+            ],
+          })
+          .limit(limit)
+          .toArray();
+        accountDocs.push(...followers);
+      }
+
+      if (collections.ap_following) {
+        const following = await collections.ap_following
+          .find({
+            $or: [
+              { name: nameRegex },
+              { preferredUsername: nameRegex },
+              { url: nameRegex },
+            ],
+          })
+          .limit(limit)
+          .toArray();
+        accountDocs.push(...following);
+      }
+
+      // Deduplicate by URL
+      const seen = new Set();
+      for (const doc of accountDocs) {
+        const url = doc.url || doc.id;
+        if (url && !seen.has(url)) {
+          seen.add(url);
+          results.accounts.push(
+            serializeAccount(doc, { baseUrl, isRemote: true }),
+          );
+        }
+        if (results.accounts.length >= limit) break;
+      }
+    }
+
+    // ─── Status search ───────────────────────────────────────────────────
+    if (!type || type === "statuses") {
+      const escapedQuery = query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      const contentRegex = new RegExp(escapedQuery, "i");
+
+      const items = await collections.ap_timeline
+        .find({
+          isContext: { $ne: true },
+          $or: [
+            { "content.text": contentRegex },
+            { "content.html": contentRegex },
+          ],
+        })
+        .sort({ _id: -1 })
+        .skip(offset)
+        .limit(limit)
+        .toArray();
+
+      results.statuses = items.map((item) =>
+        serializeStatus(item, {
+          baseUrl,
+          favouritedIds: new Set(),
+          rebloggedIds: new Set(),
+          bookmarkedIds: new Set(),
+          pinnedIds: new Set(),
+        }),
+      );
+    }
+
+    // ─── Hashtag search ──────────────────────────────────────────────────
+    if (!type || type === "hashtags") {
+      const escapedQuery = query
+        .replace(/^#/, "")
+        .replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      const tagRegex = new RegExp(escapedQuery, "i");
+
+      // Find distinct category values matching the query
+      const allCategories = await collections.ap_timeline.distinct("category", {
+        category: tagRegex,
+      });
+
+      // Flatten and deduplicate (category can be string or array)
+      const tagSet = new Set();
+      for (const cat of allCategories) {
+        if (Array.isArray(cat)) {
+          for (const c of cat) {
+            if (typeof c === "string" && tagRegex.test(c)) tagSet.add(c);
+          }
+        } else if (typeof cat === "string" && tagRegex.test(cat)) {
+          tagSet.add(cat);
+        }
+      }
+
+      results.hashtags = [...tagSet].slice(0, limit).map((name) => ({
+        name,
+        url: `${baseUrl}/tags/${encodeURIComponent(name)}`,
+        history: [],
+      }));
+    }
+
+    res.json(results);
+  } catch (error) {
+    next(error);
+  }
+});
+
+export default router;