@rmdes/indiekit-endpoint-activitypub 3.7.3 → 3.7.5

package/index.js

@@ -721,19 +721,13 @@ export default class ActivityPubEndpoint {
       );
 
       // Resolve the remote actor to get their inbox
-      // Try authenticated document loader first (for Authorized Fetch servers),
-      // fall back to unsigned if that fails (some servers reject signed GETs)
+      // lookupWithSecurity handles signed→unsigned fallback automatically
       const documentLoader = await ctx.getDocumentLoader({
         identifier: handle,
       });
-      let remoteActor = await lookupWithSecurity(ctx, actorUrl, {
+      const remoteActor = await lookupWithSecurity(ctx, actorUrl, {
         documentLoader,
       });
-      if (!remoteActor) {
-        // Retry without authentication — some servers (e.g., tags.pub)
-        // may reject or mishandle signed GET requests
-        remoteActor = await lookupWithSecurity(ctx, actorUrl);
-      }
       if (!remoteActor) {
         return { ok: false, error: "Could not resolve remote actor" };
       }

package/lib/controllers/federation-mgmt.js

@@ -41,12 +41,16 @@ export function federationMgmtController(mountPath, plugin) {
 
       const redisUrl = plugin.options.redisUrl || "";
 
-      // Parallel: collection stats + posts + recent activities
-      const [collectionStats, postsResult, recentActivities] =
+      // Parallel: collection stats + posts + recent activities + moderation data
+      const pluginCollections = plugin._collections || {};
+      const [collectionStats, postsResult, recentActivities, blockedServers, blockedAccounts, mutedAccounts] =
         await Promise.all([
           getCollectionStats(collections, { redisUrl }),
           getPaginatedPosts(collections, request.query.page),
           getRecentActivities(collections),
+          pluginCollections.ap_blocked_servers?.find({}).sort({ blockedAt: -1 }).toArray() || [],
+          pluginCollections.ap_blocked?.find({}).sort({ blockedAt: -1 }).toArray() || [],
+          pluginCollections.ap_muted?.find({}).sort({ mutedAt: -1 }).toArray() || [],
         ]);
 
       const csrfToken = getToken(request.session);
@@ -62,6 +66,9 @@ export function federationMgmtController(mountPath, plugin) {
         posts: postsResult.posts,
         cursor: postsResult.cursor,
         recentActivities,
+        blockedServers: blockedServers || [],
+        blockedAccounts: blockedAccounts || [],
+        mutedAccounts: mutedAccounts || [],
         csrfToken,
         mountPath,
         publicationUrl: plugin._publicationUrl,

package/lib/controllers/resolve.js

@@ -60,7 +60,8 @@ export function resolveController(mountPath, plugin) {
       let object;
 
       try {
-        object = await lookupWithSecurity(ctx,lookupInput, { documentLoader });
+        // lookupWithSecurity handles signed→unsigned fallback automatically
+        object = await lookupWithSecurity(ctx, lookupInput, { documentLoader });
       } catch (error) {
         console.warn(
           `[resolve] lookupObject failed for "${query}":`,

package/lib/lookup-helpers.js

@@ -14,14 +14,36 @@
  * Using `crossOrigin: "ignore"` tells Fedify to silently discard objects
  * whose id doesn't match the fetch origin, rather than throwing.
  *
+ * When an authenticated document loader is provided (for Authorized Fetch
+ * compatibility), the lookup is tried with it first. If it fails (some
+ * servers like tags.pub return 400 for signed GETs), a fallback to the
+ * default unsigned loader is attempted automatically.
+ *
  * @param {object} ctx - Fedify Context
  * @param {string|URL} input - URL or handle to look up
  * @param {object} [options] - Additional options passed to lookupObject
  * @returns {Promise<object|null>} Resolved object or null
  */
-export function lookupWithSecurity(ctx, input, options = {}) {
-  return ctx.lookupObject(input, {
-    crossOrigin: "ignore",
-    ...options,
-  });
+export async function lookupWithSecurity(ctx, input, options = {}) {
+  const baseOptions = { crossOrigin: "ignore", ...options };
+
+  let result = null;
+  try {
+    result = await ctx.lookupObject(input, baseOptions);
+  } catch {
+    // signed lookup threw — fall through to unsigned
+  }
+
+  // If signed lookup failed and we used a custom documentLoader,
+  // retry without it (unsigned GET)
+  if (!result && options.documentLoader) {
+    try {
+      const { documentLoader: _, ...unsignedOptions } = baseOptions;
+      result = await ctx.lookupObject(input, unsignedOptions);
+    } catch {
+      // unsigned also failed — return null
+    }
+  }
+
+  return result;
 }

package/lib/mastodon/routes/accounts.js

@@ -170,11 +170,12 @@ router.get("/api/v1/accounts/relationships", async (req, res, next) => {
 
     const collections = req.app.locals.mastodonCollections;
 
-    const [followers, following, blocked, muted] = await Promise.all([
+    const [followers, following, blocked, muted, blockedServers] = await Promise.all([
       collections.ap_followers.find({}).toArray(),
       collections.ap_following.find({}).toArray(),
       collections.ap_blocked.find({}).toArray(),
       collections.ap_muted.find({}).toArray(),
+      collections.ap_blocked_servers?.find({}).toArray() || [],
     ]);
 
     const followerIds = new Set(followers.map((f) => remoteActorId(f.actorUrl)));
@@ -182,6 +183,21 @@ router.get("/api/v1/accounts/relationships", async (req, res, next) => {
     const blockedIds = new Set(blocked.map((b) => remoteActorId(b.url)));
     const mutedIds = new Set(muted.filter((m) => m.url).map((m) => remoteActorId(m.url)));
 
+    // Build domain-blocked actor ID set by checking known actors against blocked server hostnames
+    const blockedDomains = new Set(blockedServers.map((s) => s.hostname).filter(Boolean));
+    const domainBlockedIds = new Set();
+    if (blockedDomains.size > 0) {
+      const allActors = [...followers, ...following];
+      for (const actor of allActors) {
+        try {
+          const domain = new URL(actor.actorUrl).hostname;
+          if (blockedDomains.has(domain)) {
+            domainBlockedIds.add(remoteActorId(actor.actorUrl));
+          }
+        } catch { /* skip invalid URLs */ }
+      }
+    }
+
     const relationships = ids.map((id) => ({
       id,
       following: followingIds.has(id),
@@ -195,7 +211,7 @@ router.get("/api/v1/accounts/relationships", async (req, res, next) => {
       muting_notifications: mutedIds.has(id),
       requested: false,
       requested_by: false,
-      domain_blocking: false,
+      domain_blocking: domainBlockedIds.has(id),
       endorsed: false,
       note: "",
     }));

package/lib/mastodon/routes/stubs.js

@@ -314,8 +314,15 @@ router.get("/api/v1/conversations", (req, res) => {
 
 // ─── Domain blocks ──────────────────────────────────────────────────────────
 
-router.get("/api/v1/domain_blocks", (req, res) => {
-  res.json([]);
+router.get("/api/v1/domain_blocks", async (req, res) => {
+  try {
+    const collections = req.app.locals.mastodonCollections;
+    if (!collections?.ap_blocked_servers) return res.json([]);
+    const docs = await collections.ap_blocked_servers.find({}).toArray();
+    res.json(docs.map((d) => d.hostname).filter(Boolean));
+  } catch {
+    res.json([]);
+  }
 });
 
 // ─── Endorsements ───────────────────────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.7.3",
+  "version": "3.7.5",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",

package/views/activitypub-federation-mgmt.njk

@@ -116,6 +116,53 @@
     {% endif %}
   </section>
 
+  {# --- Moderation Overview --- #}
+  <section class="ap-federation__section">
+    <h2>Moderation</h2>
+    {% if blockedServers.length > 0 %}
+      <h3>Blocked servers ({{ blockedServers.length }})</h3>
+      <div class="ap-federation__stats-grid">
+        {% for server in blockedServers %}
+          <div class="ap-federation__stat-card">
+            <span class="ap-federation__stat-label">🚫 {{ server.hostname }}</span>
+            {% if server.blockedAt %}
+              <span class="ap-federation__stat-count" style="font-size: 0.75rem; opacity: 0.7">{{ server.blockedAt | date("PPp") }}</span>
+            {% endif %}
+          </div>
+        {% endfor %}
+      </div>
+    {% else %}
+      {{ prose({ text: "No servers blocked." }) }}
+    {% endif %}
+
+    {% if blockedAccounts.length > 0 %}
+      <h3>Blocked accounts ({{ blockedAccounts.length }})</h3>
+      <div class="ap-federation__stats-grid">
+        {% for account in blockedAccounts %}
+          <div class="ap-federation__stat-card">
+            <span class="ap-federation__stat-label">🚫 {{ account.url or account.handle or "Unknown" }}</span>
+            {% if account.blockedAt %}
+              <span class="ap-federation__stat-count" style="font-size: 0.75rem; opacity: 0.7">{{ account.blockedAt | date("PPp") }}</span>
+            {% endif %}
+          </div>
+        {% endfor %}
+      </div>
+    {% else %}
+      {{ prose({ text: "No accounts blocked." }) }}
+    {% endif %}
+
+    {% if mutedAccounts.length > 0 %}
+      <h3>Muted ({{ mutedAccounts.length }})</h3>
+      <div class="ap-federation__stats-grid">
+        {% for muted in mutedAccounts %}
+          <div class="ap-federation__stat-card">
+            <span class="ap-federation__stat-label">🔇 {{ muted.url or muted.keyword or "Unknown" }}</span>
+          </div>
+        {% endfor %}
+      </div>
+    {% endif %}
+  </section>
+
   {# --- JSON Modal --- #}
   <div class="ap-federation__modal-overlay" x-show="jsonModalOpen" x-cloak
     @click.self="jsonModalOpen = false" @keydown.escape.window="jsonModalOpen = false">