npm - @rmdes/indiekit-endpoint-activitypub - Versions diffs - 3.7.2 → 3.7.4 - Mend

@rmdes/indiekit-endpoint-activitypub 3.7.2 → 3.7.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/index.js +2 -8
package/lib/controllers/resolve.js +2 -1
package/lib/lookup-helpers.js +27 -5
package/lib/mastodon/routes/statuses.js +71 -2
package/package.json +1 -1

package/index.js CHANGED Viewed

@@ -721,19 +721,13 @@ export default class ActivityPubEndpoint {
       );
       // Resolve the remote actor to get their inbox
-      // Try authenticated document loader first (for Authorized Fetch servers),
-      // fall back to unsigned if that fails (some servers reject signed GETs)
+      // lookupWithSecurity handles signed→unsigned fallback automatically
       const documentLoader = await ctx.getDocumentLoader({
         identifier: handle,
       });
-      let remoteActor = await lookupWithSecurity(ctx, actorUrl, {
+      const remoteActor = await lookupWithSecurity(ctx, actorUrl, {
         documentLoader,
       });
-      if (!remoteActor) {
-        // Retry without authentication — some servers (e.g., tags.pub)
-        // may reject or mishandle signed GET requests
-        remoteActor = await lookupWithSecurity(ctx, actorUrl);
-      }
       if (!remoteActor) {
         return { ok: false, error: "Could not resolve remote actor" };
       }

package/lib/controllers/resolve.js CHANGED Viewed

@@ -60,7 +60,8 @@ export function resolveController(mountPath, plugin) {
       let object;
       try {
-        object = await lookupWithSecurity(ctx,lookupInput, { documentLoader });
+        // lookupWithSecurity handles signed→unsigned fallback automatically
+        object = await lookupWithSecurity(ctx, lookupInput, { documentLoader });
       } catch (error) {
         console.warn(
           `[resolve] lookupObject failed for "${query}":`,

package/lib/lookup-helpers.js CHANGED Viewed

@@ -14,14 +14,36 @@
  * Using `crossOrigin: "ignore"` tells Fedify to silently discard objects
  * whose id doesn't match the fetch origin, rather than throwing.
  *
+ * When an authenticated document loader is provided (for Authorized Fetch
+ * compatibility), the lookup is tried with it first. If it fails (some
+ * servers like tags.pub return 400 for signed GETs), a fallback to the
+ * default unsigned loader is attempted automatically.
+ *
  * @param {object} ctx - Fedify Context
  * @param {string|URL} input - URL or handle to look up
  * @param {object} [options] - Additional options passed to lookupObject
  * @returns {Promise<object|null>} Resolved object or null
  */
-export function lookupWithSecurity(ctx, input, options = {}) {
-  return ctx.lookupObject(input, {
-    crossOrigin: "ignore",
-    ...options,
-  });
+export async function lookupWithSecurity(ctx, input, options = {}) {
+  const baseOptions = { crossOrigin: "ignore", ...options };
+  let result = null;
+  try {
+    result = await ctx.lookupObject(input, baseOptions);
+  } catch {
+    // signed lookup threw — fall through to unsigned
+  }
+  // If signed lookup failed and we used a custom documentLoader,
+  // retry without it (unsigned GET)
+  if (!result && options.documentLoader) {
+    try {
+      const { documentLoader: _, ...unsignedOptions } = baseOptions;
+      result = await ctx.lookupObject(input, unsignedOptions);
+    } catch {
+      // unsigned also failed — return null
+    }
+  }
+  return result;
 }

package/lib/mastodon/routes/statuses.js CHANGED Viewed

@@ -247,12 +247,17 @@ router.post("/api/v1/statuses", async (req, res, next) => {
       });
     };
+    // Process content: linkify URLs and extract @mentions
+    const rawContent = data.properties.content || { text: statusText || "", html: "" };
+    const processedContent = processStatusContent(rawContent, statusText || "");
+    const mentions = extractMentions(statusText || "");
     const now = new Date().toISOString();
     const timelineItem = await addTimelineItem(collections, {
       uid: postUrl,
       url: postUrl,
       type: data.properties["post-type"] || "note",
-      content: data.properties.content || { text: statusText || "", html: "" },
+      content: processedContent,
       summary: spoilerText || "",
       sensitive: sensitive === true || sensitive === "true",
       visibility: visibility || "public",
@@ -274,7 +279,7 @@ router.post("/api/v1/statuses", async (req, res, next) => {
       category: categories,
       counts: { replies: 0, boosts: 0, likes: 0 },
       linkPreviews: [],
-      mentions: [],
+      mentions,
       emojis: [],
     });
@@ -636,4 +641,68 @@ async function loadItemInteractions(collections, item) {
   return { favouritedIds, rebloggedIds, bookmarkedIds };
 }
+/**
+ * Process status content: linkify bare URLs and convert @mentions to links.
+ *
+ * Mastodon clients send plain text — the server is responsible for
+ * converting URLs and mentions into HTML links.
+ *
+ * @param {object} content - { text, html } from Micropub pipeline
+ * @param {string} rawText - Original status text from client
+ * @returns {object} { text, html } with linkified content
+ */
+function processStatusContent(content, rawText) {
+  let html = content.html || content.text || rawText || "";
+  // If the HTML is just plain text wrapped in <p>, process it
+  // Don't touch HTML that already has links (from Micropub rendering)
+  if (!html.includes("<a ")) {
+    // Linkify bare URLs (http/https)
+    html = html.replace(
+      /(https?:\/\/[^\s<>"')\]]+)/g,
+      '<a href="$1" rel="nofollow noopener noreferrer" target="_blank">$1</a>',
+    );
+    // Convert @user@domain mentions to profile links
+    html = html.replace(
+      /(?:^|\s)(@([a-zA-Z0-9_]+)@([a-zA-Z0-9.-]+\.[a-zA-Z]{2,}))/g,
+      (match, full, username, domain) =>
+        match.replace(
+          full,
+          `<span class="h-card"><a href="https://${domain}/@${username}" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@${username}@${domain}</a></span>`,
+        ),
+    );
+  }
+  return {
+    text: content.text || rawText || "",
+    html,
+  };
+}
+/**
+ * Extract @user@domain mentions from text into mention objects.
+ *
+ * @param {string} text - Status text
+ * @returns {Array<{name: string, url: string}>} Mention objects
+ */
+function extractMentions(text) {
+  if (!text) return [];
+  const mentionRegex = /@([a-zA-Z0-9_]+)@([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})/g;
+  const mentions = [];
+  const seen = new Set();
+  let match;
+  while ((match = mentionRegex.exec(text)) !== null) {
+    const [, username, domain] = match;
+    const key = `${username}@${domain}`.toLowerCase();
+    if (seen.has(key)) continue;
+    seen.add(key);
+    mentions.push({
+      name: `@${username}@${domain}`,
+      url: `https://${domain}/@${username}`,
+    });
+  }
+  return mentions;
+}
 export default router;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.7.2",
+  "version": "3.7.4",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",