@rmdes/indiekit-endpoint-activitypub 3.10.5 → 3.11.0

package/index.js

@@ -959,6 +959,15 @@ export default class ActivityPubEndpoint {
     Indiekit.addCollection("ap_markers");
     // Tombstones for soft-deleted posts (FEP-4f05)
     Indiekit.addCollection("ap_tombstones");
+    // Media attachments (Mastodon API upload)
+    Indiekit.addCollection("ap_media");
+    // Status edit history
+    Indiekit.addCollection("ap_status_edits");
+    // Idempotency keys for Mastodon API
+    Indiekit.addCollection("ap_idempotency");
+    // Filters and filter keywords
+    Indiekit.addCollection("ap_filters");
+    Indiekit.addCollection("ap_filter_keywords");
 
     // Store collection references (posts resolved lazily)
     const indiekitCollections = Indiekit.collections;
@@ -997,6 +1006,15 @@ export default class ActivityPubEndpoint {
       ap_oauth_tokens: indiekitCollections.get("ap_oauth_tokens"),
       ap_markers: indiekitCollections.get("ap_markers"),
       ap_tombstones: indiekitCollections.get("ap_tombstones"),
+      // Media attachments (Mastodon API upload)
+      ap_media: indiekitCollections.get("ap_media"),
+      // Status edit history
+      ap_status_edits: indiekitCollections.get("ap_status_edits"),
+      // Idempotency keys for Mastodon API
+      ap_idempotency: indiekitCollections.get("ap_idempotency"),
+      // Filters and filter keywords
+      ap_filters: indiekitCollections.get("ap_filters"),
+      ap_filter_keywords: indiekitCollections.get("ap_filter_keywords"),
       get posts() {
         return indiekitCollections.get("posts");
       },

package/lib/controllers/compose.js

@@ -144,6 +144,7 @@ export function composeController(mountPath, plugin) {
         syndicationTargets,
         csrfToken,
         mountPath,
+        mediaEndpoint: application.mediaEndpoint || "",
       });
     } catch (error) {
       next(error);
@@ -167,7 +168,7 @@ export function submitComposeController(mountPath, plugin) {
       }
 
       const { application } = request.app.locals;
-      const { content, visibility, summary } = request.body;
+      const { content, visibility, summary, photo, category } = request.body;
       const cwEnabled = request.body["cw-enabled"];
       const inReplyTo = request.body["in-reply-to"];
       const syndicateTo = request.body["mp-syndicate-to"];
@@ -228,6 +229,21 @@ export function submitComposeController(mountPath, plugin) {
         }
       }
 
+      // Photo (from file-input component — already a URL from media endpoint)
+      if (photo && photo.trim()) {
+        micropubData.append("photo", photo.trim());
+      }
+
+      // Tags / categories
+      if (category) {
+        const tags = Array.isArray(category)
+          ? category
+          : category.split(",").map((t) => t.trim()).filter(Boolean);
+        for (const tag of tags) {
+          micropubData.append("category[]", tag);
+        }
+      }
+
       console.info(
         `[ActivityPub] Compose Micropub submission:`,
         JSON.stringify({

package/lib/init-indexes.js

@@ -250,6 +250,38 @@ export function createIndexes(collections, options) {
       { url: 1 },
       { unique: true, background: true },
     );
+
+    // Media attachments (Mastodon API upload)
+    collections.ap_media?.createIndex(
+      { createdAt: 1 },
+      { expireAfterSeconds: 86400, background: true },
+    );
+
+    // Status edit history
+    collections.ap_status_edits?.createIndex(
+      { statusId: 1, editedAt: 1 },
+      { background: true },
+    );
+
+    // Idempotency keys (auto-expire after 1 hour)
+    collections.ap_idempotency?.createIndex(
+      { key: 1 },
+      { unique: true, background: true },
+    );
+    collections.ap_idempotency?.createIndex(
+      { createdAt: 1 },
+      { expireAfterSeconds: 3600, background: true },
+    );
+
+    // Filters
+    collections.ap_filters?.createIndex(
+      { createdAt: 1 },
+      { background: true },
+    );
+    collections.ap_filter_keywords?.createIndex(
+      { filterId: 1 },
+      { background: true },
+    );
   } catch {
     // Index creation failed — collections not yet available.
     // Indexes already exist from previous startups; non-fatal.

package/lib/mastodon/entities/status.js

@@ -246,7 +246,7 @@ export function serializeStatus(item, { baseUrl, favouritedIds, rebloggedIds, bo
 /**
  * Serialize a linkPreview object as a Mastodon PreviewCard.
  */
-function serializeCard(preview) {
+export function serializeCard(preview) {
   if (!preview) return null;
 
   return {

package/lib/mastodon/router.js

@@ -20,15 +20,20 @@ import timelinesRouter from "./routes/timelines.js";
 import notificationsRouter from "./routes/notifications.js";
 import searchRouter from "./routes/search.js";
 import mediaRouter from "./routes/media.js";
+import filtersRouter from "./routes/filters.js";
 import stubsRouter from "./routes/stubs.js";
 
-// Rate limiters for different endpoint categories
+// Rate limiters for different endpoint categories.
+// validate.trustProxy disabled — Indiekit sets Express trust proxy to true
+// (behind Cloudron/nginx), which express-rate-limit v7+ rejects as too
+// permissive. The proxy is trusted infrastructure, not user-controlled.
 const apiLimiter = rateLimit({
   windowMs: 5 * 60 * 1000, // 5 minutes
   max: 300,
   standardHeaders: true,
   legacyHeaders: false,
   message: { error: "Too many requests, please try again later" },
+  validate: { trustProxy: false },
 });
 
 const authLimiter = rateLimit({
@@ -37,6 +42,7 @@ const authLimiter = rateLimit({
   standardHeaders: true,
   legacyHeaders: false,
   message: { error: "Too many authentication attempts" },
+  validate: { trustProxy: false },
 });
 
 const appRegistrationLimiter = rateLimit({
@@ -45,6 +51,7 @@ const appRegistrationLimiter = rateLimit({
   standardHeaders: true,
   legacyHeaders: false,
   message: { error: "Too many app registrations" },
+  validate: { trustProxy: false },
 });
 
 /**
@@ -112,6 +119,7 @@ export function createMastodonRouter({ collections, pluginOptions = {} }) {
   router.use(notificationsRouter);
   router.use(searchRouter);
   router.use(mediaRouter);
+  router.use(filtersRouter);
   router.use(stubsRouter);
 
   // ─── Catch-all for unimplemented endpoints ──────────────────────────────

package/lib/mastodon/routes/accounts.js

@@ -153,6 +153,61 @@ router.get("/api/v1/accounts/lookup", async (req, res, next) => {
   }
 });
 
+// ─── GET /api/v1/accounts/search ────────────────────────────────────────────
+// Used by clients for @mention autocomplete in compose box.
+
+router.get("/api/v1/accounts/search", tokenRequired, scopeRequired("read", "read:accounts"), async (req, res, next) => {
+  try {
+    const collections = req.app.locals.mastodonCollections;
+    const baseUrl = `${req.protocol}://${req.get("host")}`;
+    const query = req.query.q?.trim();
+    const limit = Math.min(Number.parseInt(req.query.limit, 10) || 10, 40);
+
+    if (!query) {
+      return res.json([]);
+    }
+
+    // Escape regex special characters
+    const escaped = query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const regex = new RegExp(escaped, "i");
+
+    const results = new Map(); // dedupe by URL
+
+    // Search followers
+    if (collections.ap_followers) {
+      const followers = await collections.ap_followers
+        .find({
+          $or: [{ name: regex }, { handle: regex }, { actorUrl: regex }],
+        })
+        .limit(limit)
+        .toArray();
+      for (const f of followers) results.set(f.actorUrl, f);
+    }
+
+    // Search following
+    if (results.size < limit && collections.ap_following) {
+      const following = await collections.ap_following
+        .find({
+          $or: [{ name: regex }, { handle: regex }, { actorUrl: regex }],
+        })
+        .limit(limit - results.size)
+        .toArray();
+      for (const f of following) results.set(f.actorUrl, f);
+    }
+
+    const { serializeAccount } = await import("../entities/account.js");
+    const accounts = [...results.values()]
+      .slice(0, limit)
+      .map((actor) =>
+        serializeAccount(actor, { baseUrl, isLocal: false }),
+      );
+
+    res.json(accounts);
+  } catch (error) {
+    next(error);
+  }
+});
+
 // ─── GET /api/v1/accounts/relationships ──────────────────────────────────────
 // MUST be before /accounts/:id to prevent Express matching "relationships" as :id
 
@@ -228,6 +283,46 @@ router.get("/api/v1/accounts/familiar_followers", tokenRequired, scopeRequired("
   res.json(ids.map((id) => ({ id, accounts: [] })));
 });
 
+// ─── PATCH /api/v1/accounts/update_credentials ──────────────────────────────
+
+router.patch("/api/v1/accounts/update_credentials", tokenRequired, scopeRequired("write", "write:accounts"), async (req, res, next) => {
+  try {
+    const collections = req.app.locals.mastodonCollections;
+    const pluginOptions = req.app.locals.mastodonPluginOptions || {};
+    const baseUrl = `${req.protocol}://${req.get("host")}`;
+
+    const update = {};
+    if (req.body.display_name !== undefined) update.name = req.body.display_name;
+    if (req.body.note !== undefined) update.summary = req.body.note;
+    if (req.body.fields_attributes) {
+      update.attachments = Object.values(req.body.fields_attributes).map(
+        (f) => ({
+          name: f.name,
+          value: f.value,
+        }),
+      );
+    }
+
+    if (Object.keys(update).length > 0 && collections.ap_profile) {
+      await collections.ap_profile.updateOne({}, { $set: update });
+    }
+
+    // Return updated credential account
+    const profile = collections.ap_profile
+      ? await collections.ap_profile.findOne({})
+      : {};
+
+    const { serializeCredentialAccount } = await import(
+      "../entities/account.js"
+    );
+    res.json(
+      await serializeCredentialAccount(profile, { baseUrl, collections }),
+    );
+  } catch (error) {
+    next(error);
+  }
+});
+
 // ─── GET /api/v1/accounts/:id ────────────────────────────────────────────────
 
 router.get("/api/v1/accounts/:id", tokenRequired, scopeRequired("read", "read:accounts"), async (req, res, next) => {

package/lib/mastodon/routes/filters.js

@@ -0,0 +1,216 @@
+/**
+ * Filter endpoints for Mastodon Client API v2.
+ */
+import express from "express";
+import { ObjectId } from "mongodb";
+import { tokenRequired } from "../middleware/token-required.js";
+import { scopeRequired } from "../middleware/scope-required.js";
+
+const router = express.Router(); // eslint-disable-line new-cap
+
+/**
+ * Serialize a filter document with its keywords.
+ */
+function serializeFilter(filter, keywords = []) {
+  return {
+    id: filter._id.toString(),
+    title: filter.title || "",
+    context: filter.context || [],
+    filter_action: filter.filterAction || "warn",
+    expires_at: filter.expiresAt || null,
+    keywords: keywords.map((kw) => ({
+      id: kw._id.toString(),
+      keyword: kw.keyword,
+      whole_word: kw.wholeWord ?? true,
+    })),
+    statuses: [],
+  };
+}
+
+// ─── GET /api/v2/filters ────────────────────────────────────────────────────
+
+router.get("/api/v2/filters", tokenRequired, scopeRequired("read", "read:filters"), async (req, res, next) => {
+  try {
+    const collections = req.app.locals.mastodonCollections;
+    if (!collections.ap_filters) return res.json([]);
+
+    const filters = await collections.ap_filters.find({}).toArray();
+    const result = [];
+
+    for (const filter of filters) {
+      const keywords = collections.ap_filter_keywords
+        ? await collections.ap_filter_keywords
+            .find({ filterId: filter._id })
+            .toArray()
+        : [];
+      result.push(serializeFilter(filter, keywords));
+    }
+
+    res.json(result);
+  } catch (error) {
+    next(error);
+  }
+});
+
+// ─── POST /api/v2/filters ───────────────────────────────────────────────────
+
+router.post("/api/v2/filters", tokenRequired, scopeRequired("write", "write:filters"), async (req, res, next) => {
+  try {
+    const collections = req.app.locals.mastodonCollections;
+    if (!collections.ap_filters) {
+      return res.status(500).json({ error: "Filters not available" });
+    }
+
+    const {
+      title,
+      context,
+      filter_action: filterAction = "warn",
+      expires_in: expiresIn,
+      keywords_attributes: keywordsAttributes,
+    } = req.body;
+
+    if (!title) {
+      return res.status(422).json({ error: "title is required" });
+    }
+
+    const expiresAt = expiresIn
+      ? new Date(Date.now() + Number.parseInt(expiresIn, 10) * 1000).toISOString()
+      : null;
+
+    const filterDoc = {
+      title,
+      context: Array.isArray(context) ? context : [context].filter(Boolean),
+      filterAction,
+      expiresAt,
+      createdAt: new Date().toISOString(),
+    };
+
+    const result = await collections.ap_filters.insertOne(filterDoc);
+    filterDoc._id = result.insertedId;
+
+    // Insert keywords if provided
+    const keywords = [];
+    if (keywordsAttributes && collections.ap_filter_keywords) {
+      const attrs = Array.isArray(keywordsAttributes)
+        ? keywordsAttributes
+        : Object.values(keywordsAttributes);
+      for (const attr of attrs) {
+        if (attr.keyword) {
+          const kwDoc = {
+            filterId: filterDoc._id,
+            keyword: attr.keyword,
+            wholeWord: attr.whole_word !== "false" && attr.whole_word !== false,
+          };
+          const kwResult = await collections.ap_filter_keywords.insertOne(kwDoc);
+          kwDoc._id = kwResult.insertedId;
+          keywords.push(kwDoc);
+        }
+      }
+    }
+
+    res.json(serializeFilter(filterDoc, keywords));
+  } catch (error) {
+    next(error);
+  }
+});
+
+// ─── GET /api/v2/filters/:id ────────────────────────────────────────────────
+
+router.get("/api/v2/filters/:id", tokenRequired, scopeRequired("read", "read:filters"), async (req, res, next) => {
+  try {
+    const collections = req.app.locals.mastodonCollections;
+    let filter;
+    try {
+      filter = await collections.ap_filters?.findOne({
+        _id: new ObjectId(req.params.id),
+      });
+    } catch { /* invalid ObjectId */ }
+
+    if (!filter) {
+      return res.status(404).json({ error: "Record not found" });
+    }
+
+    const keywords = collections.ap_filter_keywords
+      ? await collections.ap_filter_keywords
+          .find({ filterId: filter._id })
+          .toArray()
+      : [];
+
+    res.json(serializeFilter(filter, keywords));
+  } catch (error) {
+    next(error);
+  }
+});
+
+// ─── PUT /api/v2/filters/:id ────────────────────────────────────────────────
+
+router.put("/api/v2/filters/:id", tokenRequired, scopeRequired("write", "write:filters"), async (req, res, next) => {
+  try {
+    const collections = req.app.locals.mastodonCollections;
+    let filter;
+    try {
+      filter = await collections.ap_filters?.findOne({
+        _id: new ObjectId(req.params.id),
+      });
+    } catch { /* invalid ObjectId */ }
+
+    if (!filter) {
+      return res.status(404).json({ error: "Record not found" });
+    }
+
+    const update = {};
+    if (req.body.title !== undefined) update.title = req.body.title;
+    if (req.body.context !== undefined) {
+      update.context = Array.isArray(req.body.context)
+        ? req.body.context
+        : [req.body.context].filter(Boolean);
+    }
+    if (req.body.filter_action !== undefined) update.filterAction = req.body.filter_action;
+    if (req.body.expires_in !== undefined) {
+      update.expiresAt = req.body.expires_in
+        ? new Date(Date.now() + Number.parseInt(req.body.expires_in, 10) * 1000).toISOString()
+        : null;
+    }
+
+    if (Object.keys(update).length > 0) {
+      await collections.ap_filters.updateOne(
+        { _id: filter._id },
+        { $set: update },
+      );
+      Object.assign(filter, update);
+    }
+
+    const keywords = collections.ap_filter_keywords
+      ? await collections.ap_filter_keywords
+          .find({ filterId: filter._id })
+          .toArray()
+      : [];
+
+    res.json(serializeFilter(filter, keywords));
+  } catch (error) {
+    next(error);
+  }
+});
+
+// ─── DELETE /api/v2/filters/:id ─────────────────────────────────────────────
+
+router.delete("/api/v2/filters/:id", tokenRequired, scopeRequired("write", "write:filters"), async (req, res, next) => {
+  try {
+    const collections = req.app.locals.mastodonCollections;
+    let filterId;
+    try {
+      filterId = new ObjectId(req.params.id);
+    } catch {
+      return res.status(404).json({ error: "Record not found" });
+    }
+
+    await collections.ap_filters?.deleteOne({ _id: filterId });
+    await collections.ap_filter_keywords?.deleteMany({ filterId });
+
+    res.json({});
+  } catch (error) {
+    next(error);
+  }
+});
+
+export default router;