@rmdes/indiekit-endpoint-microsub 1.0.0-beta.12 → 1.0.0-beta.13

package/lib/controllers/block.js

@@ -4,6 +4,7 @@
  */
 
 import { deleteItemsByAuthorUrl } from "../storage/items.js";
+import { getUserId } from "../utils/auth.js";
 import { validateUrl } from "../utils/validation.js";
 
 /**
@@ -23,7 +24,7 @@ function getCollection(application) {
  */
 export async function list(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
 
   const collection = getCollection(application);
   const blocked = await collection.find({ userId }).toArray();
@@ -40,7 +41,7 @@ export async function list(request, response) {
  */
 export async function block(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { url } = request.body;
 
   validateUrl(url);
@@ -71,7 +72,7 @@ export async function block(request, response) {
  */
 export async function unblock(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { url } = request.body;
 
   validateUrl(url);

package/lib/controllers/channels.js

@@ -13,6 +13,7 @@ import {
   deleteChannel,
   reorderChannels,
 } from "../storage/channels.js";
+import { getUserId } from "../utils/auth.js";
 import {
   validateChannel,
   validateChannelName,
@@ -27,7 +28,7 @@ import {
  */
 export async function list(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
 
   const channels = await getChannels(application, userId);
 
@@ -42,7 +43,7 @@ export async function list(request, response) {
  */
 export async function action(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { method, name, uid } = request.body;
 
   // Delete channel
@@ -113,7 +114,7 @@ export async function action(request, response) {
  */
 export async function get(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { uid } = request.params;
 
   validateChannel(uid);

package/lib/controllers/events.js

@@ -9,6 +9,7 @@ import {
   sendEvent,
   subscribeClient,
 } from "../realtime/broker.js";
+import { getUserId } from "../utils/auth.js";
 
 /**
  * SSE stream endpoint
@@ -18,7 +19,7 @@ import {
  */
 export async function stream(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
 
   // Set SSE headers
   response.setHeader("Content-Type", "text/event-stream");

package/lib/controllers/follow.js

@@ -13,6 +13,7 @@ import {
   getFeedsForChannel,
 } from "../storage/feeds.js";
 import { createFeedResponse } from "../utils/jf2.js";
+import { getUserId } from "../utils/auth.js";
 import { validateChannel, validateUrl } from "../utils/validation.js";
 
 /**
@@ -23,7 +24,7 @@ import { validateChannel, validateUrl } from "../utils/validation.js";
  */
 export async function list(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { channel } = request.query;
 
   validateChannel(channel);
@@ -47,7 +48,7 @@ export async function list(request, response) {
  */
 export async function follow(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { channel, url } = request.body;
 
   validateChannel(channel);
@@ -84,7 +85,7 @@ export async function follow(request, response) {
  */
 export async function unfollow(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { channel, url } = request.body;
 
   validateChannel(channel);

package/lib/controllers/mute.js

@@ -5,6 +5,7 @@
 
 import { IndiekitError } from "@indiekit/error";
 
+import { getUserId } from "../utils/auth.js";
 import { validateChannel, validateUrl } from "../utils/validation.js";
 
 /**
@@ -24,7 +25,7 @@ function getCollection(application) {
  */
 export async function list(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { channel } = request.query;
 
   // Channel can be "global" or a specific channel UID
@@ -58,7 +59,7 @@ export async function list(request, response) {
  */
 export async function mute(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { channel, url } = request.body;
 
   validateUrl(url);
@@ -99,7 +100,7 @@ export async function mute(request, response) {
  */
 export async function unmute(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { channel, url } = request.body;
 
   validateUrl(url);

package/lib/controllers/reader.js

@@ -18,6 +18,7 @@ import {
   deleteFeed,
 } from "../storage/feeds.js";
 import { getTimelineItems, getItemById } from "../storage/items.js";
+import { getUserId } from "../utils/auth.js";
 import {
   validateChannelName,
   validateExcludeTypes,
@@ -40,7 +41,7 @@ export async function index(request, response) {
  */
 export async function channels(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
 
   const channelList = await getChannels(application, userId);
 
@@ -70,7 +71,7 @@ export async function newChannel(request, response) {
  */
 export async function createChannelAction(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { name } = request.body;
 
   validateChannelName(name);
@@ -88,7 +89,7 @@ export async function createChannelAction(request, response) {
  */
 export async function channel(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { uid } = request.params;
   const { before, after } = request.query;
 
@@ -120,7 +121,7 @@ export async function channel(request, response) {
  */
 export async function settings(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { uid } = request.params;
 
   const channelDocument = await getChannel(application, uid, userId);
@@ -145,7 +146,7 @@ export async function settings(request, response) {
  */
 export async function updateSettings(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { uid } = request.params;
   const { excludeTypes, excludeRegex } = request.body;
 
@@ -180,7 +181,7 @@ export async function updateSettings(request, response) {
  */
 export async function deleteChannelAction(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { uid } = request.params;
 
   // Don't allow deleting notifications channel
@@ -206,7 +207,7 @@ export async function deleteChannelAction(request, response) {
  */
 export async function feeds(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { uid } = request.params;
 
   const channelDocument = await getChannel(application, uid, userId);
@@ -232,7 +233,7 @@ export async function feeds(request, response) {
  */
 export async function addFeed(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { uid } = request.params;
   const { url } = request.body;
 
@@ -265,7 +266,7 @@ export async function addFeed(request, response) {
  */
 export async function removeFeed(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { uid } = request.params;
   const { url } = request.body;
 
@@ -287,7 +288,7 @@ export async function removeFeed(request, response) {
  */
 export async function item(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { id } = request.params;
 
   const itemDocument = await getItemById(application, id, userId);
@@ -338,7 +339,7 @@ export async function submitCompose(request, response) {
  */
 export async function searchPage(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
 
   const channelList = await getChannels(application, userId);
 
@@ -357,7 +358,7 @@ export async function searchPage(request, response) {
  */
 export async function searchFeeds(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { query } = request.body;
 
   const channelList = await getChannels(application, userId);
@@ -389,7 +390,7 @@ export async function searchFeeds(request, response) {
  */
 export async function subscribe(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { url, channel: channelUid } = request.body;
 
   const channelDocument = await getChannel(application, channelUid, userId);

package/lib/controllers/search.js

@@ -8,6 +8,7 @@ import { IndiekitError } from "@indiekit/error";
 import { discoverFeeds } from "../feeds/hfeed.js";
 import { searchWithFallback } from "../search/query.js";
 import { getChannel } from "../storage/channels.js";
+import { getUserId } from "../utils/auth.js";
 import { validateChannel, validateUrl } from "../utils/validation.js";
 
 /**
@@ -77,7 +78,7 @@ export async function discover(request, response) {
  */
 export async function search(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { query, channel } = request.body;
 
   if (!query) {

package/lib/controllers/timeline.js

@@ -12,6 +12,7 @@ import {
   markItemsUnread,
   removeItems,
 } from "../storage/items.js";
+import { getUserId } from "../utils/auth.js";
 import {
   validateChannel,
   validateEntries,
@@ -26,7 +27,7 @@ import {
  */
 export async function get(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { channel, before, after, limit } = request.query;
 
   validateChannel(channel);
@@ -57,7 +58,7 @@ export async function get(request, response) {
  */
 export async function action(request, response) {
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
   const { method, channel } = request.body;
 
   validateChannel(channel);

package/lib/storage/items.js

@@ -195,7 +195,7 @@ export async function getItemsByUids(application, uids, userId) {
  * Mark items as read
  * @param {object} application - Indiekit application
  * @param {ObjectId|string} channelId - Channel ObjectId
- * @param {Array} entryIds - Array of entry IDs to mark as read
+ * @param {Array} entryIds - Array of entry IDs to mark as read (can be ObjectId, uid, or URL)
  * @param {string} userId - User ID
  * @returns {Promise<number>} Number of items updated
  */
@@ -204,6 +204,12 @@ export async function markItemsRead(application, channelId, entryIds, userId) {
   const channelObjectId =
     typeof channelId === "string" ? new ObjectId(channelId) : channelId;
 
+  console.info(
+    `[Microsub] markItemsRead called for channel ${channelId}, entries:`,
+    entryIds,
+    `userId: ${userId}`,
+  );
+
   // Handle "last-read-entry" special value
   if (entryIds.includes("last-read-entry")) {
     // Mark all items in channel as read
@@ -211,26 +217,39 @@ export async function markItemsRead(application, channelId, entryIds, userId) {
       { channelId: channelObjectId },
       { $addToSet: { readBy: userId } },
     );
+    console.info(
+      `[Microsub] Marked all items as read: ${result.modifiedCount} updated`,
+    );
     return result.modifiedCount;
   }
 
   // Convert string IDs to ObjectIds where possible
-  const objectIds = entryIds.map((id) => {
-    try {
-      return new ObjectId(id);
-    } catch {
-      return id;
-    }
-  });
+  const objectIds = entryIds
+    .map((id) => {
+      try {
+        return new ObjectId(id);
+      } catch {
+        return undefined;
+      }
+    })
+    .filter(Boolean);
 
+  // Build query to match by _id, uid, or url (Microsub spec uses URLs as entry identifiers)
   const result = await collection.updateMany(
     {
       channelId: channelObjectId,
-      $or: [{ _id: { $in: objectIds } }, { uid: { $in: entryIds } }],
+      $or: [
+        ...(objectIds.length > 0 ? [{ _id: { $in: objectIds } }] : []),
+        { uid: { $in: entryIds } },
+        { url: { $in: entryIds } },
+      ],
     },
     { $addToSet: { readBy: userId } },
   );
 
+  console.info(
+    `[Microsub] markItemsRead result: ${result.modifiedCount} items updated`,
+  );
   return result.modifiedCount;
 }
 
@@ -238,7 +257,7 @@ export async function markItemsRead(application, channelId, entryIds, userId) {
  * Mark items as unread
  * @param {object} application - Indiekit application
  * @param {ObjectId|string} channelId - Channel ObjectId
- * @param {Array} entryIds - Array of entry IDs to mark as unread
+ * @param {Array} entryIds - Array of entry IDs to mark as unread (can be ObjectId, uid, or URL)
  * @param {string} userId - User ID
  * @returns {Promise<number>} Number of items updated
  */
@@ -252,18 +271,26 @@ export async function markItemsUnread(
   const channelObjectId =
     typeof channelId === "string" ? new ObjectId(channelId) : channelId;
 
-  const objectIds = entryIds.map((id) => {
-    try {
-      return new ObjectId(id);
-    } catch {
-      return id;
-    }
-  });
+  // Convert string IDs to ObjectIds where possible
+  const objectIds = entryIds
+    .map((id) => {
+      try {
+        return new ObjectId(id);
+      } catch {
+        return undefined;
+      }
+    })
+    .filter(Boolean);
 
+  // Match by _id, uid, or url
   const result = await collection.updateMany(
     {
       channelId: channelObjectId,
-      $or: [{ _id: { $in: objectIds } }, { uid: { $in: entryIds } }],
+      $or: [
+        ...(objectIds.length > 0 ? [{ _id: { $in: objectIds } }] : []),
+        { uid: { $in: entryIds } },
+        { url: { $in: entryIds } },
+      ],
     },
     { $pull: { readBy: userId } },
   );
@@ -275,7 +302,7 @@ export async function markItemsUnread(
  * Remove items from channel
  * @param {object} application - Indiekit application
  * @param {ObjectId|string} channelId - Channel ObjectId
- * @param {Array} entryIds - Array of entry IDs to remove
+ * @param {Array} entryIds - Array of entry IDs to remove (can be ObjectId, uid, or URL)
  * @returns {Promise<number>} Number of items removed
  */
 export async function removeItems(application, channelId, entryIds) {
@@ -283,17 +310,25 @@ export async function removeItems(application, channelId, entryIds) {
   const channelObjectId =
     typeof channelId === "string" ? new ObjectId(channelId) : channelId;
 
-  const objectIds = entryIds.map((id) => {
-    try {
-      return new ObjectId(id);
-    } catch {
-      return id;
-    }
-  });
+  // Convert string IDs to ObjectIds where possible
+  const objectIds = entryIds
+    .map((id) => {
+      try {
+        return new ObjectId(id);
+      } catch {
+        return undefined;
+      }
+    })
+    .filter(Boolean);
 
+  // Match by _id, uid, or url
   const result = await collection.deleteMany({
     channelId: channelObjectId,
-    $or: [{ _id: { $in: objectIds } }, { uid: { $in: entryIds } }],
+    $or: [
+      ...(objectIds.length > 0 ? [{ _id: { $in: objectIds } }] : []),
+      { uid: { $in: entryIds } },
+      { url: { $in: entryIds } },
+    ],
   });
 
   return result.deletedCount;

package/lib/utils/auth.js

@@ -0,0 +1,37 @@
+/**
+ * Authentication utilities for Microsub
+ * @module utils/auth
+ */
+
+/**
+ * Get the user ID from request context
+ *
+ * In Indiekit, the userId can come from:
+ * 1. request.session.userId (if explicitly set)
+ * 2. request.session.me (from token introspection)
+ * 3. application.publication.me (single-user fallback)
+ *
+ * @param {object} request - Express request
+ * @returns {string|undefined} User ID
+ */
+export function getUserId(request) {
+  // Check session for explicit userId
+  if (request.session?.userId) {
+    return request.session.userId;
+  }
+
+  // Check session for me URL from token introspection
+  if (request.session?.me) {
+    return request.session.me;
+  }
+
+  // Fall back to publication me URL (single-user mode)
+  const { application } = request.app.locals;
+  if (application?.publication?.me) {
+    return application.publication.me;
+  }
+
+  // Final fallback: use "default" as user ID for single-user instances
+  // This ensures read state is tracked even without explicit user identity
+  return "default";
+}

package/lib/webmention/receiver.js

@@ -3,6 +3,7 @@
  * @module webmention/receiver
  */
 
+import { getUserId } from "../utils/auth.js";
 import { processWebmention } from "./processor.js";
 
 /**
@@ -33,7 +34,7 @@ export async function receive(request, response) {
   }
 
   const { application } = request.app.locals;
-  const userId = request.session?.userId;
+  const userId = getUserId(request);
 
   // Return 202 Accepted immediately (processing asynchronously)
   response.status(202).json({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-microsub",
-  "version": "1.0.0-beta.12",
+  "version": "1.0.0-beta.13",
   "description": "Microsub endpoint for Indiekit. Enables subscribing to feeds and reading content using the Microsub protocol.",
   "keywords": [
     "indiekit",