@rmdes/indiekit-endpoint-activitypub 3.8.7 → 3.9.0

package/lib/mastodon/backfill-timeline.js

@@ -43,6 +43,16 @@ export async function backfillTimeline(collections) {
   let inserted = 0;
   let skipped = 0;
 
+  // Batch-fetch existing UIDs to avoid N+1 per-post queries
+  const allUids = allPosts
+    .map((p) => p.properties?.url)
+    .filter(Boolean);
+  const existingDocs = await ap_timeline
+    .find({ uid: { $in: allUids } })
+    .project({ uid: 1 })
+    .toArray();
+  const existingUids = new Set(existingDocs.map((d) => d.uid));
+
   for (const post of allPosts) {
     const props = post.properties;
     if (!props?.url) {
@@ -53,8 +63,7 @@ export async function backfillTimeline(collections) {
     const uid = props.url;
 
     // Check if already in timeline (fast path to avoid unnecessary upserts)
-    const exists = await ap_timeline.findOne({ uid }, { projection: { _id: 1 } });
-    if (exists) {
+    if (existingUids.has(uid)) {
       skipped++;
       continue;
     }

package/lib/mastodon/entities/sanitize.js

@@ -1,105 +1,33 @@
 /**
- * XSS HTML sanitizer for Mastodon Client API responses.
+ * HTML sanitizer for Mastodon Client API responses.
  *
- * Strips dangerous HTML while preserving safe markup that
- * Mastodon clients expect (links, paragraphs, line breaks,
- * inline formatting, mentions, hashtags).
+ * Uses the sanitize-html library for robust XSS prevention.
+ * Preserves safe markup that Mastodon clients expect (links,
+ * paragraphs, line breaks, inline formatting, mentions, hashtags).
  */
-
-/**
- * Allowed HTML tags in Mastodon API content fields.
- * Matches what Mastodon itself permits in status content.
- */
-const ALLOWED_TAGS = new Set([
-  "a",
-  "br",
-  "p",
-  "span",
-  "strong",
-  "em",
-  "b",
-  "i",
-  "u",
-  "s",
-  "del",
-  "pre",
-  "code",
-  "blockquote",
-  "ul",
-  "ol",
-  "li",
-]);
-
-/**
- * Allowed attributes per tag.
- */
-const ALLOWED_ATTRS = {
-  a: new Set(["href", "rel", "class", "target"]),
-  span: new Set(["class"]),
-};
+import sanitizeHtmlLib from "sanitize-html";
 
 /**
  * Sanitize HTML content for safe inclusion in API responses.
- *
- * Strips all tags not in the allowlist and removes disallowed attributes.
- * This is a lightweight sanitizer — for production, consider a
- * battle-tested library like DOMPurify or sanitize-html.
- *
  * @param {string} html - Raw HTML string
  * @returns {string} Sanitized HTML
  */
 export function sanitizeHtml(html) {
   if (!html || typeof html !== "string") return "";
 
-  return html.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, (match, tagName) => {
-    const tag = tagName.toLowerCase();
-
-    // Closing tag
-    if (match.startsWith("</")) {
-      return ALLOWED_TAGS.has(tag) ? `</${tag}>` : "";
-    }
-
-    // Opening tag — check if allowed
-    if (!ALLOWED_TAGS.has(tag)) return "";
-
-    // Self-closing br
-    if (tag === "br") return "<br>";
-
-    // Strip disallowed attributes
-    const allowedAttrs = ALLOWED_ATTRS[tag];
-    if (!allowedAttrs) return `<${tag}>`;
-
-    const attrs = [];
-    const attrRegex = /([a-z][a-z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+)))?/gi;
-    let attrMatch;
-    while ((attrMatch = attrRegex.exec(match)) !== null) {
-      const attrName = attrMatch[1].toLowerCase();
-      if (attrName === tag) continue; // skip tag name itself
-      const attrValue = attrMatch[2] ?? attrMatch[3] ?? attrMatch[4] ?? "";
-      if (allowedAttrs.has(attrName)) {
-        // Block javascript: URIs in href
-        if (attrName === "href" && /^\s*javascript:/i.test(attrValue)) continue;
-        attrs.push(`${attrName}="${escapeAttr(attrValue)}"`);
-      }
-    }
-
-    return attrs.length > 0 ? `<${tag} ${attrs.join(" ")}>` : `<${tag}>`;
+  return sanitizeHtmlLib(html, {
+    allowedTags: [
+      "a", "br", "p", "span", "strong", "em", "b", "i", "u", "s",
+      "del", "pre", "code", "blockquote", "ul", "ol", "li",
+    ],
+    allowedAttributes: {
+      a: ["href", "rel", "class", "target"],
+      span: ["class"],
+    },
+    allowedSchemes: ["http", "https", "mailto"],
   });
 }
 
-/**
- * Escape HTML attribute value.
- * @param {string} value
- * @returns {string}
- */
-function escapeAttr(value) {
-  return value
-    .replace(/&/g, "&amp;")
-    .replace(/"/g, "&quot;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;");
-}
-
 /**
  * Strip all HTML tags, returning plain text.
  * @param {string} html
@@ -107,5 +35,8 @@ function escapeAttr(value) {
  */
 export function stripHtml(html) {
   if (!html || typeof html !== "string") return "";
-  return html.replace(/<[^>]*>/g, "").trim();
+  return sanitizeHtmlLib(html, {
+    allowedTags: [],
+    allowedAttributes: {},
+  }).trim();
 }

package/lib/mastodon/helpers/account-cache.js

@@ -57,6 +57,9 @@ export function getCachedAccountStats(actorUrl) {
     return null;
   }
 
+  // Promote to end of Map (true LRU)
+  cache.delete(actorUrl);
+  cache.set(actorUrl, entry);
   return entry;
 }
 

package/lib/mastodon/helpers/enrich-accounts.js

@@ -2,19 +2,17 @@
  * Enrich embedded account objects in serialized statuses with real
  * follower/following/post counts from remote AP collections.
  *
- * Phanpy (and some other clients) never call /accounts/:id — they
- * trust the account object embedded in each status. Without enrichment,
- * these show 0/0/0 for all remote accounts.
- *
- * Uses the account stats cache to avoid redundant fetches. Only resolves
- * unique authors with 0 counts that aren't already cached.
+ * Applies cached stats immediately. Uncached accounts are resolved
+ * in the background (fire-and-forget) and will be populated for
+ * subsequent requests.
  */
 import { getCachedAccountStats } from "./account-cache.js";
 import { resolveRemoteAccount } from "./resolve-account.js";
 
 /**
  * Enrich account objects in a list of serialized statuses.
- * Resolves unique authors in parallel (max 5 concurrent).
+ * Applies cached stats synchronously. Uncached accounts are resolved
+ * in the background for future requests.
  *
  * @param {Array} statuses - Serialized Mastodon Status objects (mutated in place)
  * @param {object} pluginOptions - Plugin options with federation context
@@ -23,63 +21,33 @@ import { resolveRemoteAccount } from "./resolve-account.js";
 export async function enrichAccountStats(statuses, pluginOptions, baseUrl) {
   if (!statuses?.length || !pluginOptions?.federation) return;
 
-  // Collect unique author URLs that need enrichment
-  const accountsToEnrich = new Map(); // url -> [account references]
+  const uncachedUrls = [];
+
   for (const status of statuses) {
-    collectAccount(status.account, accountsToEnrich);
+    applyCachedOrCollect(status.account, uncachedUrls);
     if (status.reblog?.account) {
-      collectAccount(status.reblog.account, accountsToEnrich);
+      applyCachedOrCollect(status.reblog.account, uncachedUrls);
     }
   }
 
-  if (accountsToEnrich.size === 0) return;
-
-  // Resolve in parallel with concurrency limit
-  const entries = [...accountsToEnrich.entries()];
-  const CONCURRENCY = 5;
-  for (let i = 0; i < entries.length; i += CONCURRENCY) {
-    const batch = entries.slice(i, i + CONCURRENCY);
-    await Promise.all(
-      batch.map(async ([url, accounts]) => {
-        try {
-          const resolved = await resolveRemoteAccount(url, pluginOptions, baseUrl);
-          if (resolved) {
-            for (const account of accounts) {
-              account.followers_count = resolved.followers_count;
-              account.following_count = resolved.following_count;
-              account.statuses_count = resolved.statuses_count;
-              if (resolved.created_at && account.created_at) {
-                account.created_at = resolved.created_at;
-              }
-              if (resolved.note) account.note = resolved.note;
-              if (resolved.fields?.length) account.fields = resolved.fields;
-              if (resolved.avatar && resolved.avatar !== account.avatar) {
-                account.avatar = resolved.avatar;
-                account.avatar_static = resolved.avatar;
-              }
-              if (resolved.header) {
-                account.header = resolved.header;
-                account.header_static = resolved.header;
-              }
-            }
-          }
-        } catch {
-          // Silently skip failed resolutions
-        }
-      }),
-    );
+  // Fire-and-forget background enrichment for uncached accounts.
+  // Next request will pick up the cached results.
+  if (uncachedUrls.length > 0) {
+    resolveInBackground(uncachedUrls, pluginOptions, baseUrl);
   }
 }
 
 /**
- * Collect an account reference for enrichment if it has 0 counts
- * and isn't already cached.
+ * Apply cached stats to an account, or collect its URL for background resolution.
+ * @param {object} account - Account object to enrich
+ * @param {string[]} uncachedUrls - Array to collect uncached URLs into
  */
-function collectAccount(account, map) {
+function applyCachedOrCollect(account, uncachedUrls) {
   if (!account?.url) return;
+
+  // Already has real counts — skip
   if (account.followers_count > 0 || account.statuses_count > 0) return;
 
-  // Check cache first — if cached, apply immediately
   const cached = getCachedAccountStats(account.url);
   if (cached) {
     account.followers_count = cached.followersCount || 0;
@@ -89,9 +57,28 @@ function collectAccount(account, map) {
     return;
   }
 
-  // Queue for remote resolution
-  if (!map.has(account.url)) {
-    map.set(account.url, []);
+  if (!uncachedUrls.includes(account.url)) {
+    uncachedUrls.push(account.url);
   }
-  map.get(account.url).push(account);
+}
+
+/**
+ * Resolve accounts in background. Fire-and-forget — errors are silently ignored.
+ * resolveRemoteAccount() populates the account cache as a side effect.
+ * @param {string[]} urls - Actor URLs to resolve
+ * @param {object} pluginOptions - Plugin options
+ * @param {string} baseUrl - Server base URL
+ */
+function resolveInBackground(urls, pluginOptions, baseUrl) {
+  const unique = [...new Set(urls)];
+  const CONCURRENCY = 5;
+
+  (async () => {
+    for (let i = 0; i < unique.length; i += CONCURRENCY) {
+      const batch = unique.slice(i, i + CONCURRENCY);
+      await Promise.allSettled(
+        batch.map((url) => resolveRemoteAccount(url, pluginOptions, baseUrl)),
+      );
+    }
+  })().catch(() => {});
 }

package/lib/mastodon/router.js

@@ -6,6 +6,7 @@
  * /api/v1/*, /api/v2/*, /oauth/* at the domain root.
  */
 import express from "express";
+import rateLimit from "express-rate-limit";
 import { corsMiddleware } from "./middleware/cors.js";
 import { tokenRequired, optionalToken } from "./middleware/token-required.js";
 import { errorHandler, notImplementedHandler } from "./middleware/error-handler.js";
@@ -21,6 +22,31 @@ import searchRouter from "./routes/search.js";
 import mediaRouter from "./routes/media.js";
 import stubsRouter from "./routes/stubs.js";
 
+// Rate limiters for different endpoint categories
+const apiLimiter = rateLimit({
+  windowMs: 5 * 60 * 1000, // 5 minutes
+  max: 300,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: "Too many requests, please try again later" },
+});
+
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 30,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: "Too many authentication attempts" },
+});
+
+const appRegistrationLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: 25,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: "Too many app registrations" },
+});
+
 /**
  * Create the combined Mastodon API router.
  *
@@ -46,6 +72,11 @@ export function createMastodonRouter({ collections, pluginOptions = {} }) {
   router.use("/oauth/revoke", corsMiddleware);
   router.use("/.well-known/oauth-authorization-server", corsMiddleware);
 
+  // ─── Rate limiting ─────────────────────────────────────────────────────
+  router.use("/api", apiLimiter);
+  router.use("/oauth/token", authLimiter);
+  router.use("/api/v1/apps", appRegistrationLimiter);
+
   // ─── Inject collections + plugin options into req ───────────────────────
   router.use("/api", (req, res, next) => {
     req.app.locals.mastodonCollections = collections;

package/lib/mastodon/routes/accounts.js

@@ -11,18 +11,15 @@ import { accountId, remoteActorId } from "../helpers/id-mapping.js";
 import { buildPaginationQuery, parseLimit, setPaginationHeaders } from "../helpers/pagination.js";
 import { resolveRemoteAccount } from "../helpers/resolve-account.js";
 import { getActorUrlFromId } from "../helpers/account-cache.js";
+import { tokenRequired } from "../middleware/token-required.js";
+import { scopeRequired } from "../middleware/scope-required.js";
 
 const router = express.Router(); // eslint-disable-line new-cap
 
 // ─── GET /api/v1/accounts/verify_credentials ─────────────────────────────────
 
-router.get("/api/v1/accounts/verify_credentials", async (req, res, next) => {
+router.get("/api/v1/accounts/verify_credentials", tokenRequired, scopeRequired("read", "read:accounts"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const baseUrl = `${req.protocol}://${req.get("host")}`;
     const collections = req.app.locals.mastodonCollections;
     const pluginOptions = req.app.locals.mastodonPluginOptions || {};
@@ -62,7 +59,7 @@ router.get("/api/v1/accounts/verify_credentials", async (req, res, next) => {
 
 // ─── GET /api/v1/preferences ─────────────────────────────────────────────────
 
-router.get("/api/v1/preferences", (req, res) => {
+router.get("/api/v1/preferences", tokenRequired, scopeRequired("read", "read:accounts"), (req, res) => {
   res.json({
     "posting:default:visibility": "public",
     "posting:default:sensitive": false,
@@ -159,7 +156,7 @@ router.get("/api/v1/accounts/lookup", async (req, res, next) => {
 // ─── GET /api/v1/accounts/relationships ──────────────────────────────────────
 // MUST be before /accounts/:id to prevent Express matching "relationships" as :id
 
-router.get("/api/v1/accounts/relationships", async (req, res, next) => {
+router.get("/api/v1/accounts/relationships", tokenRequired, scopeRequired("read", "read:follows"), async (req, res, next) => {
   try {
     let ids = req.query["id[]"] || req.query.id || [];
     if (!Array.isArray(ids)) ids = [ids];
@@ -225,7 +222,7 @@ router.get("/api/v1/accounts/relationships", async (req, res, next) => {
 // ─── GET /api/v1/accounts/familiar_followers ─────────────────────────────────
 // MUST be before /accounts/:id
 
-router.get("/api/v1/accounts/familiar_followers", (req, res) => {
+router.get("/api/v1/accounts/familiar_followers", tokenRequired, scopeRequired("read", "read:follows"), (req, res) => {
   let ids = req.query["id[]"] || req.query.id || [];
   if (!Array.isArray(ids)) ids = [ids];
   res.json(ids.map((id) => ({ id, accounts: [] })));
@@ -233,7 +230,7 @@ router.get("/api/v1/accounts/familiar_followers", (req, res) => {
 
 // ─── GET /api/v1/accounts/:id ────────────────────────────────────────────────
 
-router.get("/api/v1/accounts/:id", async (req, res, next) => {
+router.get("/api/v1/accounts/:id", tokenRequired, scopeRequired("read", "read:accounts"), async (req, res, next) => {
   try {
     const { id } = req.params;
     const baseUrl = `${req.protocol}://${req.get("host")}`;
@@ -285,7 +282,7 @@ router.get("/api/v1/accounts/:id", async (req, res, next) => {
 
 // ─── GET /api/v1/accounts/:id/statuses ──────────────────────────────────────
 
-router.get("/api/v1/accounts/:id/statuses", async (req, res, next) => {
+router.get("/api/v1/accounts/:id/statuses", tokenRequired, scopeRequired("read", "read:statuses"), async (req, res, next) => {
   try {
     const { id } = req.params;
     const collections = req.app.locals.mastodonCollections;
@@ -376,7 +373,7 @@ router.get("/api/v1/accounts/:id/statuses", async (req, res, next) => {
 
 // ─── GET /api/v1/accounts/:id/followers ─────────────────────────────────────
 
-router.get("/api/v1/accounts/:id/followers", async (req, res, next) => {
+router.get("/api/v1/accounts/:id/followers", tokenRequired, scopeRequired("read", "read:follows"), async (req, res, next) => {
   try {
     const { id } = req.params;
     const collections = req.app.locals.mastodonCollections;
@@ -409,7 +406,7 @@ router.get("/api/v1/accounts/:id/followers", async (req, res, next) => {
 
 // ─── GET /api/v1/accounts/:id/following ─────────────────────────────────────
 
-router.get("/api/v1/accounts/:id/following", async (req, res, next) => {
+router.get("/api/v1/accounts/:id/following", tokenRequired, scopeRequired("read", "read:follows"), async (req, res, next) => {
   try {
     const { id } = req.params;
     const collections = req.app.locals.mastodonCollections;
@@ -442,13 +439,8 @@ router.get("/api/v1/accounts/:id/following", async (req, res, next) => {
 
 // ─── POST /api/v1/accounts/:id/follow ───────────────────────────────────────
 
-router.post("/api/v1/accounts/:id/follow", async (req, res, next) => {
+router.post("/api/v1/accounts/:id/follow", tokenRequired, scopeRequired("write", "write:follows", "follow"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const { id } = req.params;
     const collections = req.app.locals.mastodonCollections;
     const pluginOptions = req.app.locals.mastodonPluginOptions || {};
@@ -504,13 +496,8 @@ router.post("/api/v1/accounts/:id/follow", async (req, res, next) => {
 
 // ─── POST /api/v1/accounts/:id/unfollow ─────────────────────────────────────
 
-router.post("/api/v1/accounts/:id/unfollow", async (req, res, next) => {
+router.post("/api/v1/accounts/:id/unfollow", tokenRequired, scopeRequired("write", "write:follows", "follow"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const { id } = req.params;
     const collections = req.app.locals.mastodonCollections;
     const pluginOptions = req.app.locals.mastodonPluginOptions || {};
@@ -557,13 +544,8 @@ router.post("/api/v1/accounts/:id/unfollow", async (req, res, next) => {
 
 // ─── POST /api/v1/accounts/:id/mute ────────────────────────────────────────
 
-router.post("/api/v1/accounts/:id/mute", async (req, res, next) => {
+router.post("/api/v1/accounts/:id/mute", tokenRequired, scopeRequired("write", "write:mutes", "follow"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const { id } = req.params;
     const collections = req.app.locals.mastodonCollections;
 
@@ -600,13 +582,8 @@ router.post("/api/v1/accounts/:id/mute", async (req, res, next) => {
 
 // ─── POST /api/v1/accounts/:id/unmute ───────────────────────────────────────
 
-router.post("/api/v1/accounts/:id/unmute", async (req, res, next) => {
+router.post("/api/v1/accounts/:id/unmute", tokenRequired, scopeRequired("write", "write:mutes", "follow"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const { id } = req.params;
     const collections = req.app.locals.mastodonCollections;
 
@@ -639,13 +616,8 @@ router.post("/api/v1/accounts/:id/unmute", async (req, res, next) => {
 
 // ─── POST /api/v1/accounts/:id/block ───────────────────────────────────────
 
-router.post("/api/v1/accounts/:id/block", async (req, res, next) => {
+router.post("/api/v1/accounts/:id/block", tokenRequired, scopeRequired("write", "write:blocks", "follow"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const { id } = req.params;
     const collections = req.app.locals.mastodonCollections;
 
@@ -682,13 +654,8 @@ router.post("/api/v1/accounts/:id/block", async (req, res, next) => {
 
 // ─── POST /api/v1/accounts/:id/unblock ──────────────────────────────────────
 
-router.post("/api/v1/accounts/:id/unblock", async (req, res, next) => {
+router.post("/api/v1/accounts/:id/unblock", tokenRequired, scopeRequired("write", "write:blocks", "follow"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const { id } = req.params;
     const collections = req.app.locals.mastodonCollections;
 

package/lib/mastodon/routes/media.js

@@ -7,12 +7,14 @@
  * PUT /api/v1/media/:id — update media metadata (description/focus)
  */
 import express from "express";
+import { tokenRequired } from "../middleware/token-required.js";
+import { scopeRequired } from "../middleware/scope-required.js";
 
 const router = express.Router(); // eslint-disable-line new-cap
 
 // ─── POST /api/v2/media ─────────────────────────────────────────────────────
 
-router.post("/api/v2/media", (req, res) => {
+router.post("/api/v2/media", tokenRequired, scopeRequired("write", "write:media"), (req, res) => {
   // Media upload requires multer/multipart handling + storage backend.
   // For now, return 422 so clients show a user-friendly error.
   res.status(422).json({
@@ -22,7 +24,7 @@ router.post("/api/v2/media", (req, res) => {
 
 // ─── POST /api/v1/media (legacy) ────────────────────────────────────────────
 
-router.post("/api/v1/media", (req, res) => {
+router.post("/api/v1/media", tokenRequired, scopeRequired("write", "write:media"), (req, res) => {
   res.status(422).json({
     error: "Media uploads are not yet supported on this server",
   });
@@ -30,13 +32,13 @@ router.post("/api/v1/media", (req, res) => {
 
 // ─── GET /api/v1/media/:id ──────────────────────────────────────────────────
 
-router.get("/api/v1/media/:id", (req, res) => {
+router.get("/api/v1/media/:id", tokenRequired, scopeRequired("read", "read:statuses"), (req, res) => {
   res.status(404).json({ error: "Record not found" });
 });
 
 // ─── PUT /api/v1/media/:id ──────────────────────────────────────────────────
 
-router.put("/api/v1/media/:id", (req, res) => {
+router.put("/api/v1/media/:id", tokenRequired, scopeRequired("write", "write:media"), (req, res) => {
   res.status(404).json({ error: "Record not found" });
 });
 

package/lib/mastodon/routes/notifications.js

@@ -10,6 +10,8 @@ import express from "express";
 import { ObjectId } from "mongodb";
 import { serializeNotification } from "../entities/notification.js";
 import { buildPaginationQuery, parseLimit, setPaginationHeaders } from "../helpers/pagination.js";
+import { tokenRequired } from "../middleware/token-required.js";
+import { scopeRequired } from "../middleware/scope-required.js";
 
 const router = express.Router(); // eslint-disable-line new-cap
 
@@ -29,13 +31,8 @@ const REVERSE_TYPE_MAP = {
 
 // ─── GET /api/v1/notifications ──────────────────────────────────────────────
 
-router.get("/api/v1/notifications", async (req, res, next) => {
+router.get("/api/v1/notifications", tokenRequired, scopeRequired("read", "read:notifications"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const collections = req.app.locals.mastodonCollections;
     const baseUrl = `${req.protocol}://${req.get("host")}`;
     const limit = parseLimit(req.query.limit);
@@ -105,13 +102,8 @@ router.get("/api/v1/notifications", async (req, res, next) => {
 
 // ─── GET /api/v1/notifications/:id ──────────────────────────────────────────
 
-router.get("/api/v1/notifications/:id", async (req, res, next) => {
+router.get("/api/v1/notifications/:id", tokenRequired, scopeRequired("read", "read:notifications"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const collections = req.app.locals.mastodonCollections;
     const baseUrl = `${req.protocol}://${req.get("host")}`;
 
@@ -147,13 +139,8 @@ router.get("/api/v1/notifications/:id", async (req, res, next) => {
 
 // ─── POST /api/v1/notifications/clear ───────────────────────────────────────
 
-router.post("/api/v1/notifications/clear", async (req, res, next) => {
+router.post("/api/v1/notifications/clear", tokenRequired, scopeRequired("write", "write:notifications"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const collections = req.app.locals.mastodonCollections;
     await collections.ap_notifications.deleteMany({});
     res.json({});
@@ -164,13 +151,8 @@ router.post("/api/v1/notifications/clear", async (req, res, next) => {
 
 // ─── POST /api/v1/notifications/:id/dismiss ─────────────────────────────────
 
-router.post("/api/v1/notifications/:id/dismiss", async (req, res, next) => {
+router.post("/api/v1/notifications/:id/dismiss", tokenRequired, scopeRequired("write", "write:notifications"), async (req, res, next) => {
   try {
-    const token = req.mastodonToken;
-    if (!token) {
-      return res.status(401).json({ error: "The access token is invalid" });
-    }
-
     const collections = req.app.locals.mastodonCollections;
 
     let objectId;