npm - @rmdes/indiekit-endpoint-activitypub - Versions diffs - 3.9.2 → 3.9.4 - Mend

@rmdes/indiekit-endpoint-activitypub 3.9.2 → 3.9.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +8 -2
package/index.js +20 -0
package/lib/mastodon/routes/statuses.js +59 -124
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -88,13 +88,17 @@ ActivityPub federation endpoint for [Indiekit](https://getindiekit.com), built o
 - URL auto-linkification and @mention extraction in posted content
 - Thread context (ancestors + descendants)
 - Remote profile resolution via Fedify WebFinger with follower/following/post counts from AP collections
-- Account stats enrichment — embedded account data in timeline responses includes real counts
+- Account stats enrichment — cached account data applied immediately; uncached accounts resolved in background
 - Favourite, boost, bookmark interactions federated via Fedify AP activities
 - Notifications with type filtering
 - Search across accounts, statuses, and hashtags with remote resolution
 - Domain blocks API
 - Timeline backfill from posts collection on startup (bookmarks, likes, reposts get synthesized content)
 - In-memory account stats cache (500 entries, 1h TTL) for performance
+- OAuth2 scope enforcement — read/write scope validation on all API routes
+- Rate limiting — configurable limits on API, auth, and app registration endpoints
+- Access token expiry (1 hour) with refresh token rotation (90 days)
+- PKCE (S256) and CSRF protection on authorization flow
 **Admin UI**
 - Dashboard with follower/following counts and recent activity
@@ -318,6 +322,9 @@ The plugin creates these collections automatically:
 | `ap_blocked_servers` | Blocked server domains (instance-level blocks) |
 | `ap_key_freshness` | Tracks when remote actor keys were last verified |
 | `ap_inbox_queue` | Persistent async inbox processing queue |
+| `ap_oauth_apps` | Mastodon API client app registrations |
+| `ap_oauth_tokens` | OAuth2 authorization codes and access tokens |
+| `ap_markers` | Read position markers for Mastodon API clients |
 ## Supported Post Types
@@ -411,7 +418,6 @@ This is not a bug — Fedify requires explicit opt-in for signed fetches. But it
 - **Single actor** — One fediverse identity per Indiekit instance
 - **No Authorized Fetch enforcement** — `.authorize()` disabled on actor dispatcher (see workarounds above)
 - **No image upload in reader** — Compose form is text-only
-- **No custom emoji rendering** — Custom emoji shortcodes display as text
 - **In-process queue without Redis** — Activities may be lost on restart
 ## Acknowledgements

package/index.js CHANGED Viewed

@@ -180,6 +180,26 @@ export default class ActivityPubEndpoint {
         text: "activitypub.reader.title",
         requiresDatabase: true,
       },
+      {
+        href: `${this.options.mountPath}/admin/reader/notifications`,
+        text: "activitypub.notifications.title",
+        requiresDatabase: true,
+      },
+      {
+        href: `${this.options.mountPath}/admin/reader/messages`,
+        text: "activitypub.messages.title",
+        requiresDatabase: true,
+      },
+      {
+        href: `${this.options.mountPath}/admin/reader/moderation`,
+        text: "activitypub.moderation.title",
+        requiresDatabase: true,
+      },
+      {
+        href: `${this.options.mountPath}/admin/my-profile`,
+        text: "activitypub.myProfile.title",
+        requiresDatabase: true,
+      },
       {
         href: `${this.options.mountPath}/admin/federation`,
         text: "activitypub.federationMgmt.title",

package/lib/mastodon/routes/statuses.js CHANGED Viewed

@@ -21,7 +21,6 @@ import {
   boostPost, unboostPost,
   bookmarkPost, unbookmarkPost,
 } from "../helpers/interactions.js";
-import { addTimelineItem } from "../../storage/timeline.js";
 import { tokenRequired } from "../middleware/token-required.js";
 import { scopeRequired } from "../middleware/scope-required.js";
@@ -166,130 +165,105 @@ router.post("/api/v1/statuses", tokenRequired, scopeRequired("write", "write:sta
       }
     }
-    // Build JF2 properties for the Micropub pipeline
+    // Build JF2 properties for the Micropub pipeline.
+    // Provide both text and html — linkify URLs since Micropub's markdown-it
+    // doesn't have linkify enabled. Mentions are preserved as plain text;
+    // the AP syndicator resolves them via WebFinger for federation delivery.
+    const contentText = statusText || "";
+    const contentHtml = contentText
+      .replace(/&/g, "&amp;")
+      .replace(/</g, "&lt;")
+      .replace(/>/g, "&gt;")
+      .replace(/(https?:\/\/[^\s<>&"')\]]+)/g, '<a href="$1">$1</a>')
+      .replace(/\n/g, "<br>");
     const jf2 = {
       type: "entry",
-      content: statusText || "",
+      content: { text: contentText, html: `<p>${contentHtml}</p>` },
     };
     if (inReplyTo) {
       jf2["in-reply-to"] = inReplyTo;
     }
-    if (spoilerText) {
-      jf2.summary = spoilerText;
+    if (visibility && visibility !== "public") {
+      jf2.visibility = visibility;
     }
-    if (sensitive === true || sensitive === "true") {
+    // Use content-warning (not summary) to match native reader behavior
+    if (spoilerText) {
+      jf2["content-warning"] = spoilerText;
       jf2.sensitive = "true";
     }
-    if (visibility && visibility !== "public") {
-      jf2.visibility = visibility;
-    }
     if (language) {
       jf2["mp-language"] = language;
     }
-    // Syndicate to AP only — posts from Mastodon clients belong to the fediverse.
-    // Never cross-post to Bluesky (conversations stay in their protocol).
-    // The publication URL is the AP syndicator's uid.
+    // Syndicate to AP — posts from Mastodon clients belong to the fediverse
     const publicationUrl = pluginOptions.publicationUrl || baseUrl;
     jf2["mp-syndicate-to"] = [publicationUrl.replace(/\/$/, "") + "/"];
-    // Create post via Micropub pipeline (same functions the Micropub endpoint uses)
-    // postData.create() handles: normalization, post type detection, path rendering,
-    // mp-syndicate-to validated against configured syndicators, MongoDB posts collection
+    // Create post via Micropub pipeline (same internal functions)
     const { postData } = await import("@indiekit/endpoint-micropub/lib/post-data.js");
     const { postContent } = await import("@indiekit/endpoint-micropub/lib/post-content.js");
     const data = await postData.create(application, publication, jf2);
-    // postContent.create() handles: template rendering, file creation in store
     await postContent.create(publication, data);
     const postUrl = data.properties.url;
     console.info(`[Mastodon API] Created post via Micropub: ${postUrl}`);
-    // Add to ap_timeline so the post is visible in the Mastodon Client API
+    // Return a minimal status to the Mastodon client.
+    // No timeline entry is created here — the post will appear in the timeline
+    // after the normal flow: Eleventy rebuild → syndication webhook → AP delivery.
     const profile = await collections.ap_profile.findOne({});
     const handle = pluginOptions.handle || "user";
-    const actorUrl = profile?.url || `${publicationUrl}/users/${handle}`;
-    // Extract hashtags from status text and merge with any Micropub categories
-    const categories = data.properties.category || [];
-    const inlineHashtags = (statusText || "").match(/(?:^|\s)#([a-zA-Z_]\w*)/g);
-    if (inlineHashtags) {
-      const existing = new Set(categories.map((c) => c.toLowerCase()));
-      for (const match of inlineHashtags) {
-        const tag = match.trim().slice(1).toLowerCase();
-        if (!existing.has(tag)) {
-          existing.add(tag);
-          categories.push(tag);
-        }
-      }
-    }
-    // Resolve relative media URLs to absolute
-    const resolveMedia = (items) => {
-      if (!items || !items.length) return [];
-      return items.map((item) => {
-        if (typeof item === "string") {
-          return item.startsWith("http") ? item : `${publicationUrl.replace(/\/$/, "")}/${item.replace(/^\//, "")}`;
-        }
-        if (item?.url && !item.url.startsWith("http")) {
-          return { ...item, url: `${publicationUrl.replace(/\/$/, "")}/${item.url.replace(/^\//, "")}` };
-        }
-        return item;
-      });
-    };
-    // Process content: linkify URLs and extract @mentions
-    const rawContent = data.properties.content || { text: statusText || "", html: "" };
-    const processedContent = processStatusContent(rawContent, statusText || "");
-    const mentions = extractMentions(statusText || "");
-    const now = new Date().toISOString();
-    const timelineItem = await addTimelineItem(collections, {
-      uid: postUrl,
+    res.json({
+      id: String(Date.now()),
+      created_at: new Date().toISOString(),
+      content: `<p>${contentHtml}</p>`,
       url: postUrl,
-      type: data.properties["post-type"] || "note",
-      content: processedContent,
-      summary: spoilerText || "",
-      sensitive: sensitive === true || sensitive === "true",
+      uri: postUrl,
       visibility: visibility || "public",
+      sensitive: sensitive === true || sensitive === "true",
+      spoiler_text: spoilerText || "",
+      in_reply_to_id: inReplyToId || null,
+      in_reply_to_account_id: null,
       language: language || null,
-      inReplyTo,
-      published: data.properties.published || now,
-      createdAt: now,
-      author: {
-        name: profile?.name || handle,
+      replies_count: 0,
+      reblogs_count: 0,
+      favourites_count: 0,
+      favourited: false,
+      reblogged: false,
+      bookmarked: false,
+      account: {
+        id: "owner",
+        username: handle,
+        acct: handle,
+        display_name: profile?.name || handle,
         url: profile?.url || publicationUrl,
-        photo: profile?.icon || "",
-        handle: `@${handle}`,
+        avatar: profile?.icon || "",
+        avatar_static: profile?.icon || "",
+        header: "",
+        header_static: "",
+        followers_count: 0,
+        following_count: 0,
+        statuses_count: 0,
         emojis: [],
-        bot: false,
+        fields: [],
       },
-      photo: resolveMedia(data.properties.photo || []),
-      video: resolveMedia(data.properties.video || []),
-      audio: resolveMedia(data.properties.audio || []),
-      category: categories,
-      counts: { replies: 0, boosts: 0, likes: 0 },
-      linkPreviews: [],
-      mentions,
+      media_attachments: [],
+      mentions: extractMentions(contentText).map(m => ({
+        id: "0",
+        username: m.name.split("@")[1] || m.name,
+        acct: m.name.replace(/^@/, ""),
+        url: m.url,
+      })),
+      tags: [],
       emojis: [],
     });
-    // Serialize and return
-    const serialized = serializeStatus(timelineItem, {
-      baseUrl,
-      favouritedIds: new Set(),
-      rebloggedIds: new Set(),
-      bookmarkedIds: new Set(),
-      pinnedIds: new Set(),
-    });
-    res.json(serialized);
   } catch (error) {
     next(error);
   }
@@ -604,45 +578,6 @@ async function loadItemInteractions(collections, item) {
   return { favouritedIds, rebloggedIds, bookmarkedIds };
 }
-/**
- * Process status content: linkify bare URLs and convert @mentions to links.
- *
- * Mastodon clients send plain text — the server is responsible for
- * converting URLs and mentions into HTML links.
- *
- * @param {object} content - { text, html } from Micropub pipeline
- * @param {string} rawText - Original status text from client
- * @returns {object} { text, html } with linkified content
- */
-function processStatusContent(content, rawText) {
-  let html = content.html || content.text || rawText || "";
-  // If the HTML is just plain text wrapped in <p>, process it
-  // Don't touch HTML that already has links (from Micropub rendering)
-  if (!html.includes("<a ")) {
-    // Linkify bare URLs (http/https)
-    html = html.replace(
-      /(https?:\/\/[^\s<>"')\]]+)/g,
-      '<a href="$1" rel="nofollow noopener noreferrer" target="_blank">$1</a>',
-    );
-    // Convert @user@domain mentions to profile links
-    html = html.replace(
-      /(?:^|\s)(@([a-zA-Z0-9_]+)@([a-zA-Z0-9.-]+\.[a-zA-Z]{2,}))/g,
-      (match, full, username, domain) =>
-        match.replace(
-          full,
-          `<span class="h-card"><a href="https://${domain}/@${username}" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@${username}@${domain}</a></span>`,
-        ),
-    );
-  }
-  return {
-    text: content.text || rawText || "",
-    html,
-  };
-}
 /**
  * Extract @user@domain mentions from text into mention objects.
  *

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.9.2",
+  "version": "3.9.4",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",