@rmdes/indiekit-endpoint-activitypub 3.8.4 → 3.8.6

package/index.js

@@ -387,38 +387,6 @@ export default class ActivityPubEndpoint {
     const router = express.Router(); // eslint-disable-line new-cap
     const self = this;
 
-    // Intercept Micropub delete actions to broadcast Delete to fediverse.
-    // Wraps res.json to detect successful delete responses, then fires
-    // broadcastDelete asynchronously so remote servers remove the post.
-    router.use((req, res, next) => {
-      if (req.method !== "POST") return next();
-      if (!req.path.endsWith("/micropub")) return next();
-
-      const action = req.query?.action || req.body?.action;
-      if (action !== "delete") return next();
-
-      const postUrl = req.query?.url || req.body?.url;
-      if (!postUrl) return next();
-
-      const originalJson = res.json.bind(res);
-      res.json = function (body) {
-        // Fire broadcastDelete after successful delete (status 200)
-        if (res.statusCode === 200 && body?.success === "delete") {
-          console.info(
-            `[ActivityPub] Micropub delete detected for ${postUrl}, broadcasting Delete to followers`,
-          );
-          self.broadcastDelete(postUrl).catch((error) => {
-            console.warn(
-              `[ActivityPub] broadcastDelete after Micropub delete failed: ${error.message}`,
-            );
-          });
-        }
-        return originalJson(body);
-      };
-
-      return next();
-    });
-
     // Let Fedify handle NodeInfo data (/nodeinfo/2.1)
     // Only pass GET/HEAD requests — POST/PUT/DELETE must not go through
     // Fedify here, because fromExpressRequest() consumes the body stream,
@@ -715,6 +683,9 @@ export default class ActivityPubEndpoint {
           return undefined;
         }
       },
+
+      delete: async (url) => this.delete(url),
+      update: async (properties) => this.update(properties),
     };
   }
 
@@ -744,7 +715,7 @@ export default class ActivityPubEndpoint {
         "pkcs8",
         Buffer.from(pemBody, "base64"),
         { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
-        false,
+        true,
         ["sign"],
       );
     } catch (error) {
@@ -1181,6 +1152,138 @@ export default class ActivityPubEndpoint {
     }
   }
 
+  /**
+   * Called by post-content.js when a Micropub delete succeeds.
+   * Broadcasts an ActivityPub Delete activity to all followers.
+   * @param {string} url - Full URL of the deleted post
+   */
+  async delete(url) {
+    await this.broadcastDelete(url).catch((err) =>
+      console.warn(`[ActivityPub] broadcastDelete failed for ${url}: ${err.message}`)
+    );
+  }
+
+  /**
+   * Called by post-content.js when a Micropub update succeeds.
+   * Broadcasts an ActivityPub Update activity for the post to all followers.
+   * @param {object} properties - JF2 post properties (must include url)
+   */
+  async update(properties) {
+    await this.broadcastPostUpdate(properties).catch((err) =>
+      console.warn(`[ActivityPub] broadcastPostUpdate failed for ${properties?.url}: ${err.message}`)
+    );
+  }
+
+  /**
+   * Send an Update activity to all followers for a modified post.
+   * Mirrors broadcastDelete() pattern: batch delivery with shared inbox dedup.
+   * @param {object} properties - JF2 post properties
+   */
+  async broadcastPostUpdate(properties) {
+    if (!this._federation) return;
+
+    try {
+      const { Update } = await import("@fedify/fedify/vocab");
+      const actorUrl = this._getActorUrl();
+      const handle = this.options.actor.handle;
+      const ctx = this._federation.createContext(
+        new URL(this._publicationUrl),
+        { handle, publicationUrl: this._publicationUrl },
+      );
+
+      // Build the Note/Article object by calling jf2ToAS2Activity() and
+      // extracting the wrapped object from the returned Create activity.
+      // For post edits, Fediverse servers expect an Update activity wrapping
+      // the updated object — NOT a second Create activity.
+      const createActivity = jf2ToAS2Activity(
+        properties,
+        actorUrl,
+        this._publicationUrl,
+        { visibility: this.options.defaultVisibility },
+      );
+
+      if (!createActivity) {
+        console.warn(`[ActivityPub] broadcastPostUpdate: could not convert post to AS2 for ${properties?.url}`);
+        return;
+      }
+
+      // Extract the Note/Article object from the Create wrapper, then build
+      // an Update activity around it — matching broadcastActorUpdate() pattern.
+      const noteObject = await createActivity.getObject();
+      const activity = new Update({
+        actor: ctx.getActorUri(handle),
+        object: noteObject,
+      });
+
+      const followers = await this._collections.ap_followers
+        .find({})
+        .project({ actorUrl: 1, inbox: 1, sharedInbox: 1 })
+        .toArray();
+
+      const inboxMap = new Map();
+      for (const f of followers) {
+        const key = f.sharedInbox || f.inbox;
+        if (key && !inboxMap.has(key)) {
+          inboxMap.set(key, f);
+        }
+      }
+
+      const uniqueRecipients = [...inboxMap.values()];
+      const BATCH_SIZE = 25;
+      const BATCH_DELAY_MS = 5000;
+      let delivered = 0;
+      let failed = 0;
+
+      console.info(
+        `[ActivityPub] Broadcasting Update for ${properties.url} to ${uniqueRecipients.length} unique inboxes`,
+      );
+
+      for (let i = 0; i < uniqueRecipients.length; i += BATCH_SIZE) {
+        const batch = uniqueRecipients.slice(i, i + BATCH_SIZE);
+        const recipients = batch.map((f) => ({
+          id: new URL(f.actorUrl),
+          inboxId: new URL(f.inbox || f.sharedInbox),
+          endpoints: f.sharedInbox
+            ? { sharedInbox: new URL(f.sharedInbox) }
+            : undefined,
+        }));
+
+        try {
+          await ctx.sendActivity(
+            { identifier: handle },
+            recipients,
+            activity,
+            { preferSharedInbox: true },
+          );
+          delivered += batch.length;
+        } catch (error) {
+          failed += batch.length;
+          console.warn(
+            `[ActivityPub] Update batch ${Math.floor(i / BATCH_SIZE) + 1} failed: ${error.message}`,
+          );
+        }
+
+        if (i + BATCH_SIZE < uniqueRecipients.length) {
+          await new Promise((resolve) => setTimeout(resolve, BATCH_DELAY_MS));
+        }
+      }
+
+      console.info(
+        `[ActivityPub] Update broadcast complete for ${properties.url}: ${delivered} delivered, ${failed} failed`,
+      );
+
+      await logActivity(this._collections.ap_activities, {
+        direction: "outbound",
+        type: "Update",
+        actorUrl: this._publicationUrl,
+        objectUrl: properties.url,
+        summary: `Sent Update for ${properties.url} to ${delivered} inboxes`,
+      }).catch(() => {});
+    } catch (error) {
+      console.warn("[ActivityPub] broadcastPostUpdate failed:", error.message);
+    }
+  }
+
   /**
    * Build the full actor URL from config.
    * @returns {string}
@@ -1589,6 +1692,7 @@ export default class ActivityPubEndpoint {
         federation: this._federation,
         followActor: (url, info) => pluginRef.followActor(url, info),
         unfollowActor: (url) => pluginRef.unfollowActor(url),
+        loadRsaKey: () => pluginRef._loadRsaPrivateKey(),
       },
     });
     Indiekit.addEndpoint({
@@ -1614,6 +1718,7 @@ export default class ActivityPubEndpoint {
     }, 10_000);
 
     // Run one-time migrations (idempotent — safe to run on every startup)
+    console.info("[ActivityPub] Init: starting post-refollow setup");
     runSeparateMentionsMigration(this._collections).then(({ skipped, updated }) => {
       if (!skipped) {
         console.log(`[ActivityPub] Migration separate-mentions: updated ${updated} timeline items`);
@@ -1660,6 +1765,7 @@ export default class ActivityPubEndpoint {
     });
 
     // Start async inbox queue processor (processes one item every 3s)
+    console.info("[ActivityPub] Init: starting inbox queue processor");
     this._inboxProcessorInterval = startInboxProcessor(
       this._collections,
       () => this._federation?.createContext(new URL(this._publicationUrl), {

package/lib/controllers/interactions-boost.js

@@ -72,11 +72,16 @@ export function boostController(mountPath, plugin) {
         identifier: handle,
       });
       const { application } = request.app.locals;
+      const rsaKey = await plugin._loadRsaPrivateKey();
       const recipient = await resolveAuthor(
         url,
         ctx,
         documentLoader,
         application?.collections,
+        {
+          privateKey: rsaKey,
+          keyId: `${ctx.getActorUri(handle).href}#main-key`,
+        },
       );
 
       if (recipient) {

package/lib/controllers/interactions-like.js

@@ -49,11 +49,16 @@ export function likeController(mountPath, plugin) {
       });
 
       const { application } = request.app.locals;
+      const rsaKey = await plugin._loadRsaPrivateKey();
       const recipient = await resolveAuthor(
         url,
         ctx,
         documentLoader,
         application?.collections,
+        {
+          privateKey: rsaKey,
+          keyId: `${ctx.getActorUri(handle).href}#main-key`,
+        },
       );
 
       if (!recipient) {
@@ -170,11 +175,16 @@ export function unlikeController(mountPath, plugin) {
         identifier: handle,
       });
 
+      const rsaKey2 = await plugin._loadRsaPrivateKey();
       const recipient = await resolveAuthor(
         url,
         ctx,
         documentLoader,
         application?.collections,
+        {
+          privateKey: rsaKey2,
+          keyId: `${ctx.getActorUri(handle).href}#main-key`,
+        },
       );
 
       if (!recipient) {

package/lib/mastodon/helpers/interactions.js

@@ -22,7 +22,7 @@ import { resolveAuthor } from "../../resolve-author.js";
  * @param {object} params.interactions - ap_interactions collection
  * @returns {Promise<{ activityId: string }>}
  */
-export async function likePost({ targetUrl, federation, handle, publicationUrl, collections, interactions }) {
+export async function likePost({ targetUrl, federation, handle, publicationUrl, collections, interactions, loadRsaKey }) {
   const { Like } = await import("@fedify/fedify/vocab");
   const ctx = federation.createContext(
     new URL(publicationUrl),
@@ -30,7 +30,11 @@ export async function likePost({ targetUrl, federation, handle, publicationUrl,
   );
 
   const documentLoader = await ctx.getDocumentLoader({ identifier: handle });
-  const recipient = await resolveAuthor(targetUrl, ctx, documentLoader, collections);
+  const rsaKey = loadRsaKey ? await loadRsaKey() : null;
+  const recipient = await resolveAuthor(targetUrl, ctx, documentLoader, collections, {
+    privateKey: rsaKey,
+    keyId: `${ctx.getActorUri(handle).href}#main-key`,
+  });
 
   const uuid = crypto.randomUUID();
   const baseUrl = publicationUrl.replace(/\/$/, "");
@@ -79,7 +83,7 @@ export async function likePost({ targetUrl, federation, handle, publicationUrl,
  * @param {object} params.interactions - ap_interactions collection
  * @returns {Promise<void>}
  */
-export async function unlikePost({ targetUrl, federation, handle, publicationUrl, collections, interactions }) {
+export async function unlikePost({ targetUrl, federation, handle, publicationUrl, collections, interactions, loadRsaKey }) {
   const existing = interactions
     ? await interactions.findOne({ objectUrl: targetUrl, type: "like" })
     : null;
@@ -95,7 +99,11 @@ export async function unlikePost({ targetUrl, federation, handle, publicationUrl
   );
 
   const documentLoader = await ctx.getDocumentLoader({ identifier: handle });
-  const recipient = await resolveAuthor(targetUrl, ctx, documentLoader, collections);
+  const rsaKey = loadRsaKey ? await loadRsaKey() : null;
+  const recipient = await resolveAuthor(targetUrl, ctx, documentLoader, collections, {
+    privateKey: rsaKey,
+    keyId: `${ctx.getActorUri(handle).href}#main-key`,
+  });
 
   if (recipient) {
     const like = new Like({
@@ -131,7 +139,7 @@ export async function unlikePost({ targetUrl, federation, handle, publicationUrl
  * @param {object} params.interactions - ap_interactions collection
  * @returns {Promise<{ activityId: string }>}
  */
-export async function boostPost({ targetUrl, federation, handle, publicationUrl, collections, interactions }) {
+export async function boostPost({ targetUrl, federation, handle, publicationUrl, collections, interactions, loadRsaKey }) {
   const { Announce } = await import("@fedify/fedify/vocab");
   const ctx = federation.createContext(
     new URL(publicationUrl),
@@ -162,7 +170,11 @@ export async function boostPost({ targetUrl, federation, handle, publicationUrl,
 
   // Also send directly to the original post author
   const documentLoader = await ctx.getDocumentLoader({ identifier: handle });
-  const recipient = await resolveAuthor(targetUrl, ctx, documentLoader, collections);
+  const rsaKey = loadRsaKey ? await loadRsaKey() : null;
+  const recipient = await resolveAuthor(targetUrl, ctx, documentLoader, collections, {
+    privateKey: rsaKey,
+    keyId: `${ctx.getActorUri(handle).href}#main-key`,
+  });
   if (recipient) {
     try {
       await ctx.sendActivity({ identifier: handle }, recipient, announce, {

package/lib/mastodon/routes/statuses.js

@@ -614,6 +614,7 @@ function getFederationOpts(req) {
     handle: pluginOptions.handle || "user",
     publicationUrl: pluginOptions.publicationUrl,
     collections: req.app.locals.mastodonCollections,
+    loadRsaKey: pluginOptions.loadRsaKey,
   };
 }
 

package/lib/resolve-author.js

@@ -6,6 +6,8 @@
  *
  * Strategies (tried in order):
  * 1. lookupObject on post URL → getAttributedTo
+ * 1b. Raw signed fetch fallback (for servers like wafrn that return
+ *     non-standard JSON-LD that Fedify can't parse)
  * 2. Timeline/notification DB lookup → lookupObject on stored author URL
  * 3. Extract author URL from post URL pattern → lookupObject
  */
@@ -60,6 +62,9 @@ export function extractAuthorUrl(postUrl) {
  * @param {object} ctx - Fedify context
  * @param {object} documentLoader - Authenticated document loader
  * @param {object} [collections] - Optional MongoDB collections map (application.collections)
+ * @param {object} [options] - Additional options
+ * @param {CryptoKey} [options.privateKey] - RSA private key for raw signed fetch fallback
+ * @param {string} [options.keyId] - Key ID for HTTP Signature (e.g. "...#main-key")
  * @returns {Promise<object|null>} - Fedify Actor object or null
  */
 export async function resolveAuthor(
@@ -67,6 +72,7 @@ export async function resolveAuthor(
   ctx,
   documentLoader,
   collections,
+  options = {},
 ) {
   // Strategy 1: Look up remote post via Fedify (signed request)
   try {
@@ -90,6 +96,46 @@ export async function resolveAuthor(
     );
   }
 
+  // Strategy 1b: Raw signed fetch fallback
+  // Some servers (e.g. wafrn) return AP JSON without @context, which Fedify's
+  // JSON-LD processor rejects. A raw fetch can still extract attributedTo/actor.
+  if (options.privateKey && options.keyId) {
+    try {
+      const { signRequest } = await import("@fedify/fedify/sig");
+      const request = new Request(postUrl, {
+        method: "GET",
+        headers: { Accept: "application/activity+json" },
+      });
+      const signed = await signRequest(request, options.privateKey, new URL(options.keyId), {
+        spec: "draft-cavage-http-signatures-12",
+      });
+      const res = await fetch(signed, { redirect: "follow" });
+      if (res.ok) {
+        const contentType = res.headers.get("content-type") || "";
+        if (contentType.includes("json")) {
+          const json = await res.json();
+          const authorUrl = json.attributedTo || json.actor;
+          if (authorUrl && typeof authorUrl === "string") {
+            const actor = await lookupWithSecurity(ctx, new URL(authorUrl), {
+              documentLoader,
+            });
+            if (actor) {
+              console.info(
+                `[ActivityPub] Resolved author via raw fetch for ${postUrl} → ${authorUrl}`,
+              );
+              return actor;
+            }
+          }
+        }
+      }
+    } catch (error) {
+      console.warn(
+        `[ActivityPub] Raw fetch fallback failed for ${postUrl}:`,
+        error.message,
+      );
+    }
+  }
+
   // Strategy 2: Use author URL from timeline or notifications
   if (collections) {
     const ap_timeline = collections.get("ap_timeline");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.8.4",
+  "version": "3.8.6",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",