@rmdes/indiekit-endpoint-activitypub 3.5.7 → 3.5.9
|
@@ -95,8 +95,8 @@ export function serializeAccount(actor, { baseUrl, isLocal = false, handle = ""
|
|
|
95
95
|
url,
|
|
96
96
|
display_name: displayName,
|
|
97
97
|
note: sanitizeHtml(note),
|
|
98
|
-
avatar: avatarUrl || `${baseUrl}/
|
|
99
|
-
avatar_static: avatarUrl || `${baseUrl}/
|
|
98
|
+
avatar: avatarUrl || `${baseUrl}/images/default-avatar.svg`,
|
|
99
|
+
avatar_static: avatarUrl || `${baseUrl}/images/default-avatar.svg`,
|
|
100
100
|
header: headerUrl || "",
|
|
101
101
|
header_static: headerUrl || "",
|
|
102
102
|
locked: actor.manuallyApprovesFollowers || false,
|
|
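Review bot: `avatarUrl` goes into `avatar` and `avatar_static` without any scheme check, whereas `note` on the line above is passed through `sanitizeHtml`. Where `avatarUrl` is assigned is outside this hunk, so this may already be handled; if it is copied from a remote actor document, accepting only `http:`/`https:` URLs before this point would keep other schemes out of the account objects served to clients. The fallback is also written out twice, and a single ``const defaultAvatar = `${baseUrl}/images/default-avatar.svg`;`` above the object literal would keep the two fields in step. serializeAccount starts and ends outside the hunk.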
@@ -322,6 +322,11 @@ router.post("/oauth/authorize", async (req, res, next) => {
|
|
|
322
322
|
const code = randomHex(32);
|
|
323
323
|
const collections = req.app.locals.mastodonCollections;
|
|
324
324
|
|
|
325
|
+
// Note: accessToken is NOT set here — it's added later during token exchange.
|
|
326
|
+
// The sparse unique index on accessToken skips documents where the field is
|
|
327
|
+
// absent, allowing multiple auth codes to coexist. Setting it to null would
|
|
328
|
+
// cause E11000 duplicate key errors because MongoDB sparse indexes still
|
|
329
|
+
// enforce uniqueness on explicit null values.
|
|
325
330
|
await collections.ap_oauth_tokens.insertOne({
|
|
326
331
|
code,
|
|
327
332
|
clientId: client_id,
|
|
@@ -329,11 +334,8 @@ router.post("/oauth/authorize", async (req, res, next) => {
|
|
|
329
334
|
redirectUri: redirect_uri,
|
|
330
335
|
codeChallenge: code_challenge || null,
|
|
331
336
|
codeChallengeMethod: code_challenge_method || null,
|
|
332
|
-
accessToken: null,
|
|
333
337
|
createdAt: new Date(),
|
|
334
338
|
expiresAt: new Date(Date.now() + 10 * 60 * 1000), // 10 minutes
|
|
335
|
-
usedAt: null,
|
|
336
|
-
revokedAt: null,
|
|
337
339
|
});
|
|
338
340
|
|
|
339
341
|
// Out-of-band: show code on page
|
|
@@ -399,19 +401,14 @@ router.post("/oauth/token", async (req, res, next) => {
|
|
|
399
401
|
});
|
|
400
402
|
}
|
|
401
403
|
|
|
404
|
+
// No code field — this is a direct token grant, not a code exchange.
|
|
405
|
+
// Omitting code (instead of setting null) avoids sparse index collisions.
|
|
402
406
|
const accessToken = randomHex(64);
|
|
403
407
|
await collections.ap_oauth_tokens.insertOne({
|
|
404
|
-
code: null,
|
|
405
408
|
clientId,
|
|
406
409
|
scopes: ["read"],
|
|
407
|
-
redirectUri: null,
|
|
408
|
-
codeChallenge: null,
|
|
409
|
-
codeChallengeMethod: null,
|
|
410
410
|
accessToken,
|
|
411
411
|
createdAt: new Date(),
|
|
412
|
-
expiresAt: null,
|
|
413
|
-
usedAt: null,
|
|
414
|
-
revokedAt: null,
|
|
415
412
|
grantType: "client_credentials",
|
|
416
413
|
});
|
|
417
414
|
|
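Review bot: The client_credentials insert in the `/oauth/token` hunk stores the bearer token verbatim as `accessToken` and, with `expiresAt: null` removed, carries no expiry field at all; the authorization code in the `/oauth/authorize` hunks is likewise stored verbatim as `code`. Unless the lookup code outside this diff imposes a lifetime, read access to `ap_oauth_tokens` yields usable credentials with no end date; storing a SHA-256 digest of each value and looking records up by digest, plus a finite `expiresAt` on this grant, would limit that exposure. The fix also depends on every writer omitting the field rather than writing null; if the index definition (not shown here) were a partial unique index with `partialFilterExpression: { accessToken: { $type: "string" } }`, a stray null could no longer trigger E11000. Both route handlers begin and end outside the hunks shown.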
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@rmdes/indiekit-endpoint-activitypub",
|
|
3
|
-
"version": "3.5.
|
|
3
|
+
"version": "3.5.9",
|
|
4
4
|
"description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"indiekit",
|