@rmdes/indiekit-endpoint-activitypub 3.5.0 → 3.5.3

package/index.js

@@ -224,6 +224,14 @@ export default class ActivityPubEndpoint {
       // Skip Fedify for admin UI routes — they're handled by the
       // authenticated `routes` getter, not the federation layer.
       if (req.path.startsWith("/admin")) return next();
+
+      // Diagnostic: log inbox POSTs to detect federation stalls
+      if (req.method === "POST" && req.path.includes("inbox")) {
+        const ua = req.get("user-agent") || "unknown";
+        const bodyParsed = req.body !== undefined && Object.keys(req.body || {}).length > 0;
+        console.info(`[federation-diag] POST ${req.path} from=${ua.slice(0, 60)} bodyParsed=${bodyParsed} readable=${req.readable}`);
+      }
+
       return self._fedifyMiddleware(req, res, next);
     });
 

package/lib/inbox-listeners.js

@@ -46,12 +46,31 @@ export function registerInboxListeners(inboxChain, options) {
 
   const getAuthLoader = (ctx) => ctx.getDocumentLoader({ identifier: handle });
 
+  // Diagnostic: track listener invocations to detect federation stalls
+  const _diag = { count: 0, lastType: "", lastActor: "", lastAt: 0 };
+  const _diagInterval = setInterval(() => {
+    if (_diag.count > 0) {
+      console.info(`[inbox-diag] ${_diag.count} activities received in last 5min (last: ${_diag.lastType} from ${_diag.lastActor})`);
+      _diag.count = 0;
+    }
+  }, 5 * 60 * 1000);
+  // Prevent timer from keeping the process alive
+  _diagInterval.unref?.();
+
+  const _diagTrack = (type, actorUrl) => {
+    _diag.count++;
+    _diag.lastType = type;
+    _diag.lastActor = actorUrl?.split("/").pop() || "?";
+    _diag.lastAt = Date.now();
+  };
+
   inboxChain
     // ── Follow ──────────────────────────────────────────────────────
     // Synchronous: Accept/Reject + follower storage (federation requirement)
     // Async: notification + activity log
     .on(Follow, async (ctx, follow) => {
       const actorUrl = follow.actorId?.href || "";
+      _diagTrack("Follow", actorUrl);
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
       await resetDeliveryStrikes(collections, actorUrl);
@@ -226,6 +245,7 @@ export function registerInboxListeners(inboxChain, options) {
     // ── Announce ────────────────────────────────────────────────────
     .on(Announce, async (ctx, announce) => {
       const actorUrl = announce.actorId?.href || "";
+      _diagTrack("Announce", actorUrl);
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
       await resetDeliveryStrikes(collections, actorUrl);
@@ -241,6 +261,7 @@ export function registerInboxListeners(inboxChain, options) {
     // ── Create ──────────────────────────────────────────────────────
     .on(Create, async (ctx, create) => {
       const actorUrl = create.actorId?.href || "";
+      _diagTrack("Create", actorUrl);
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
       await resetDeliveryStrikes(collections, actorUrl);
@@ -291,6 +312,7 @@ export function registerInboxListeners(inboxChain, options) {
     // ── Delete ──────────────────────────────────────────────────────
     .on(Delete, async (ctx, del) => {
       const actorUrl = del.actorId?.href || "";
+      _diagTrack("Delete", actorUrl);
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
       await resetDeliveryStrikes(collections, actorUrl);
@@ -320,6 +342,7 @@ export function registerInboxListeners(inboxChain, options) {
     // ── Update ──────────────────────────────────────────────────────
     .on(Update, async (ctx, update) => {
       const actorUrl = update.actorId?.href || "";
+      _diagTrack("Update", actorUrl);
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
       await resetDeliveryStrikes(collections, actorUrl);

package/lib/inbox-queue.js

@@ -83,11 +83,32 @@ export async function enqueueActivity(collections, { activityType, actorUrl, obj
  * @returns {NodeJS.Timeout} Interval ID (for cleanup)
  */
 export function startInboxProcessor(collections, getCtx, handle) {
+  // Diagnostic: detect stuck processing items and log queue health
+  let _diagProcessed = 0;
+  const _diagInterval = setInterval(async () => {
+    try {
+      const stuck = await collections.ap_inbox_queue?.countDocuments({ status: "processing" }) || 0;
+      const pending = await collections.ap_inbox_queue?.countDocuments({ status: "pending" }) || 0;
+      if (stuck > 0 || _diagProcessed > 0 || pending > 10) {
+        console.info(`[inbox-queue-diag] processed=${_diagProcessed}/5min pending=${pending} stuck_processing=${stuck}`);
+      }
+      _diagProcessed = 0;
+    } catch { /* ignore */ }
+  }, 5 * 60 * 1000);
+  _diagInterval.unref?.();
+
   const intervalId = setInterval(async () => {
     try {
       const ctx = getCtx();
       if (ctx) {
+        const before = Date.now();
         await processNextItem(collections, ctx, handle);
+        const elapsed = Date.now() - before;
+        if (elapsed > 0) _diagProcessed++;
+        // Warn if a single item takes too long (potential hang)
+        if (elapsed > 30_000) {
+          console.warn(`[inbox-queue-diag] slow item: ${elapsed}ms`);
+        }
       }
     } catch (error) {
       console.error("[inbox-queue] Processor error:", error.message);

package/lib/mastodon/routes/oauth.js

@@ -174,7 +174,7 @@ router.get("/.well-known/oauth-authorization-server", (req, res) => {
 
 router.get("/oauth/authorize", async (req, res, next) => {
   try {
-    const {
+    let {
       client_id,
       redirect_uri,
       response_type,
@@ -184,6 +184,21 @@ router.get("/oauth/authorize", async (req, res, next) => {
       force_login,
     } = req.query;
 
+    // Restore OAuth params from session after login redirect.
+    // Indiekit's login flow doesn't re-encode the redirect param, so query
+    // params with & are stripped during the /session/login → /session/auth
+    // round-trip. We store them in the session before redirecting.
+    if (!response_type && req.session?.pendingOAuth) {
+      const p = req.session.pendingOAuth;
+      delete req.session.pendingOAuth;
+      client_id = p.client_id;
+      redirect_uri = p.redirect_uri;
+      response_type = p.response_type;
+      scope = p.scope;
+      code_challenge = p.code_challenge;
+      code_challenge_method = p.code_challenge_method;
+    }
+
     if (response_type !== "code") {
       return res.status(400).json({
         error: "unsupported_response_type",
@@ -219,11 +234,14 @@ router.get("/oauth/authorize", async (req, res, next) => {
     // Check if user is logged in via IndieAuth session
     const session = req.session;
     if (!session?.access_token && !force_login) {
-      // Not logged in — redirect to Indiekit login, then back here
-      const returnUrl = `${req.protocol}://${req.get("host")}${req.originalUrl}`;
-      return res.redirect(
-        `/auth?redirect=${encodeURIComponent(returnUrl)}`,
-      );
+      // Store OAuth params in session — they won't survive Indiekit's
+      // login redirect chain due to a re-encoding bug in indieauth.js.
+      req.session.pendingOAuth = {
+        client_id, redirect_uri, response_type, scope,
+        code_challenge, code_challenge_method,
+      };
+      // Redirect to Indiekit's login page with a simple return path.
+      return res.redirect("/session/login?redirect=/oauth/authorize");
     }
 
     // Render simple authorization page

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.5.0",
+  "version": "3.5.3",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",