@rmdes/indiekit-endpoint-microsub 1.0.55 → 1.0.56

package/index.js

@@ -2,11 +2,13 @@ import path from "node:path";
 import { fileURLToPath } from "node:url";
 
 import express from "express";
+import rateLimit from "express-rate-limit";
 
 import { microsubController } from "./lib/controllers/microsub.js";
 import { opmlController } from "./lib/controllers/opml.js";
 import { readerController } from "./lib/controllers/reader.js";
 import { handleMediaProxy } from "./lib/media/proxy.js";
+import { csrfToken, csrfValidate } from "./lib/utils/csrf.js";
 import { startScheduler, stopScheduler } from "./lib/polling/scheduler.js";
 import { ensureActivityPubChannel } from "./lib/storage/channels.js";
 import {
@@ -77,17 +79,14 @@ export default class MicrosubEndpoint {
     router.get("/", microsubController.get);
     router.post("/", microsubController.post);
 
-    // WebSub callback endpoint
-    router.get("/websub/:id", websubHandler.verify);
-    router.post("/websub/:id", websubHandler.receive);
-
-    // Webmention receiving endpoint
-    router.post("/webmention", webmentionReceiver.receive);
-
-    // Media proxy endpoint
-    router.get("/media/:hash", handleMediaProxy);
+    // WebSub, webmention, and media proxy are registered in routesPublic only
+    // (they must be accessible without authentication)
 
     // Reader UI routes (mounted as sub-router for correct baseUrl)
+    // CSRF protection: generate token on all requests, validate on POST
+    readerRouter.use(csrfToken);
+    readerRouter.use(csrfValidate);
+
     readerRouter.get("/", readerController.index);
     readerRouter.get("/channels", readerController.channels);
     readerRouter.get("/channels/new", readerController.newChannel);
@@ -155,15 +154,20 @@ export default class MicrosubEndpoint {
   get routesPublic() {
     const publicRouter = express.Router();
 
+    // Rate limiters for public endpoints
+    const mediaLimiter = rateLimit({ windowMs: 60_000, max: 120, message: "Too many requests" });
+    const websubLimiter = rateLimit({ windowMs: 60_000, max: 30, message: "Too many requests" });
+    const webmentionLimiter = rateLimit({ windowMs: 60_000, max: 10, message: "Too many requests" });
+
     // WebSub verification must be public for hubs to verify
-    publicRouter.get("/websub/:id", websubHandler.verify);
-    publicRouter.post("/websub/:id", websubHandler.receive);
+    publicRouter.get("/websub/:id", websubLimiter, websubHandler.verify);
+    publicRouter.post("/websub/:id", websubLimiter, websubHandler.receive);
 
     // Webmention endpoint must be public
-    publicRouter.post("/webmention", webmentionReceiver.receive);
+    publicRouter.post("/webmention", webmentionLimiter, webmentionReceiver.receive);
 
     // Media proxy must be public for images to load
-    publicRouter.get("/media/:hash", handleMediaProxy);
+    publicRouter.get("/media/:hash", mediaLimiter, handleMediaProxy);
 
     return publicRouter;
   }
@@ -222,6 +226,13 @@ export default class MicrosubEndpoint {
       cleanupStaleItems(indiekit).catch((error) => {
         console.warn("[Microsub] Stale cleanup failed:", error.message);
       });
+
+      // Schedule daily stale cleanup (items accumulate between restarts)
+      setInterval(() => {
+        cleanupStaleItems(indiekit).catch((error) => {
+          console.warn("[Microsub] Scheduled stale cleanup failed:", error.message);
+        });
+      }, 24 * 60 * 60 * 1000);
     } else {
       console.warn(
         "[Microsub] Database not available at init, scheduler not started",

package/lib/activitypub/outbox-fetcher.js

@@ -5,6 +5,11 @@
  * @module activitypub/outbox-fetcher
  */
 
+import sanitizeHtml from "sanitize-html";
+
+import { isPrivateUrl } from "../media/proxy.js";
+import { SANITIZE_OPTIONS } from "../utils/sanitize.js";
+
 const AP_ACCEPT =
   'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"';
 const FETCH_TIMEOUT = 10_000;
@@ -121,8 +126,9 @@ function activityToJf2(activity, actorInfo) {
   ]);
   if (!contentTypes.has(object.type)) return null;
 
-  const contentHtml = object.content || "";
-  const contentText = stripHtml(contentHtml);
+  const rawHtml = object.content || "";
+  const contentHtml = rawHtml ? sanitizeHtml(rawHtml, SANITIZE_OPTIONS) : "";
+  const contentText = stripHtml(rawHtml);
 
   const jf2 = {
     type: "entry",
@@ -212,6 +218,12 @@ function extractMedia(attachments, mediaPrefix) {
 async function fetchJson(url) {
   if (!url) return null;
 
+  // SSRF protection — block private/internal IPs (including DNS rebinding)
+  if (await isPrivateUrl(url)) {
+    console.warn(`[Microsub] AP fetch blocked private URL: ${url}`);
+    return null;
+  }
+
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT);
 

package/lib/cache/redis.js

@@ -56,6 +56,15 @@ export function getRedisClient(application) {
   }
 }
 
+/**
+ * Namespace cache keys to prevent cross-instance collisions
+ * @param {string} key - Raw cache key
+ * @returns {string} Namespaced key
+ */
+function nsKey(key) {
+  return `microsub:${key}`;
+}
+
 /**
  * Get value from cache
  * @param {object} redis - Redis client
@@ -68,7 +77,7 @@ export async function getCache(redis, key) {
   }
 
   try {
-    const value = await redis.get(key);
+    const value = await redis.get(nsKey(key));
     if (value) {
       return JSON.parse(value);
     }
@@ -92,9 +101,10 @@ export async function setCache(redis, key, value, ttl = 300) {
 
   try {
     const serialized = JSON.stringify(value);
+    const nk = nsKey(key);
     await (ttl
-      ? redis.set(key, serialized, "EX", ttl)
-      : redis.set(key, serialized));
+      ? redis.set(nk, serialized, "EX", ttl)
+      : redis.set(nk, serialized));
   } catch {
     // Ignore cache errors
   }
@@ -112,7 +122,7 @@ export async function deleteCache(redis, key) {
   }
 
   try {
-    await redis.del(key);
+    await redis.del(nsKey(key));
   } catch {
     // Ignore cache errors
   }

package/lib/controllers/channels.js

@@ -17,7 +17,7 @@ import { getUserId } from "../utils/auth.js";
 import {
   validateChannel,
   validateChannelName,
-  parseArrayParameter as parseArrayParametereter,
+  parseArrayParameter,
 } from "../utils/validation.js";
 
 /**
@@ -62,7 +62,7 @@ export async function action(request, response) {
 
   // Reorder channels
   if (method === "order") {
-    const channelUids = parseArrayParametereter(request.body, "channels");
+    const channelUids = parseArrayParameter(request.body, "channels");
     if (channelUids.length === 0) {
       throw new IndiekitError("Missing channels[] parameter", {
         status: 400,

package/lib/controllers/reader.js

@@ -11,6 +11,7 @@ import {
   getChannels,
   getChannelsWithColors,
   getChannel,
+  getChannelById,
   createChannel,
   updateChannelSettings,
   deleteChannel,
@@ -31,6 +32,8 @@ import {
   countReadItems,
 } from "../storage/items.js";
 import { fetchActorOutbox } from "../activitypub/outbox-fetcher.js";
+
+const ACTOR_OUTBOX_LIMIT = 30;
 import { getUserId } from "../utils/auth.js";
 import {
   validateChannelName,
@@ -399,8 +402,7 @@ export async function item(request, response) {
   // Get the channel for this item (needed for mark-read)
   let channel = null;
   if (itemDocument.channelId) {
-    const channelsCollection = application.collections.get("microsub_channels");
-    channel = await channelsCollection.findOne({ _id: itemDocument.channelId });
+    channel = await getChannelById(application, itemDocument.channelId);
   }
 
   const itemBreadcrumbs = [
@@ -556,20 +558,6 @@ export async function submitCompose(request, response) {
   const bookmarkOf = request.body["bookmark-of"];
   const syndicateTo = request.body["mp-syndicate-to"];
 
-  // Debug logging
-  console.info(
-    "[Microsub] submitCompose request.body:",
-    JSON.stringify(request.body),
-  );
-  console.info("[Microsub] Extracted values:", {
-    content,
-    inReplyTo,
-    likeOf,
-    repostOf,
-    bookmarkOf,
-    syndicateTo,
-  });
-
   // Get Micropub endpoint
   const micropubEndpoint = application.micropubEndpoint;
   if (!micropubEndpoint) {
@@ -629,12 +617,6 @@ export async function submitCompose(request, response) {
     }
   }
 
-  // Debug: log what we're sending
-  console.info("[Microsub] Sending to Micropub:", {
-    url: micropubUrl,
-    body: micropubData.toString(),
-  });
-
   try {
     const micropubResponse = await fetch(micropubUrl, {
       method: "POST",
@@ -1268,7 +1250,7 @@ export async function actorProfile(request, response) {
   const canFollow = !!apPlugin;
 
   try {
-    const { actor, items } = await fetchActorOutbox(actorUrl, { limit: 30 });
+    const { actor, items } = await fetchActorOutbox(actorUrl, { limit: ACTOR_OUTBOX_LIMIT });
 
     response.render("actor", {
       title: actor.name || "Actor",

package/lib/controllers/search.js

@@ -6,6 +6,7 @@
 import { IndiekitError } from "@indiekit/error";
 
 import { discoverFeeds } from "../feeds/hfeed.js";
+import { isPrivateUrl } from "../media/proxy.js";
 import { searchWithFallback } from "../search/query.js";
 import { getChannel } from "../storage/channels.js";
 import { getUserId } from "../utils/auth.js";
@@ -35,6 +36,11 @@ export async function discover(request, response) {
     return response.json({ results: [] });
   }
 
+  // SSRF protection
+  if (await isPrivateUrl(url.href)) {
+    throw new IndiekitError("URL blocked (private/internal address)", { status: 400 });
+  }
+
   try {
     // Fetch the URL content
     const fetchResponse = await fetch(url.href, {

package/lib/controllers/timeline.js

@@ -18,7 +18,7 @@ import { getUserId } from "../utils/auth.js";
 import {
   validateChannel,
   validateEntries,
-  parseArrayParameter as parseArrayParametereter,
+  parseArrayParameter,
 } from "../utils/validation.js";
 
 /**
@@ -90,7 +90,7 @@ export async function action(request, response) {
   }
 
   // Get entry IDs from request
-  const entries = parseArrayParametereter(request.body, "entry");
+  const entries = parseArrayParameter(request.body, "entry");
 
   switch (method) {
     case "mark_read": {

package/lib/feeds/capabilities.js

@@ -4,6 +4,8 @@
  * @module feeds/capabilities
  */
 
+import { isPrivateUrl } from "../media/proxy.js";
+
 /**
  * Known Fediverse domain patterns
  */
@@ -136,6 +138,9 @@ async function discoverEndpoints(url) {
     micropub: null,
   };
 
+  // SSRF protection
+  if (await isPrivateUrl(url)) return endpoints;
+
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 15_000);
 

package/lib/feeds/fetcher.js

@@ -4,6 +4,7 @@
  */
 
 import { getCache, setCache } from "../cache/redis.js";
+import { isPrivateUrl } from "../media/proxy.js";
 
 const DEFAULT_TIMEOUT = 30_000; // 30 seconds
 const DEFAULT_USER_AGENT = "Indiekit Microsub/1.0 (+https://getindiekit.com)";
@@ -21,6 +22,11 @@ const DEFAULT_USER_AGENT = "Indiekit Microsub/1.0 (+https://getindiekit.com)";
 export async function fetchFeed(url, options = {}) {
   const { etag, lastModified, timeout = DEFAULT_TIMEOUT, redis } = options;
 
+  // SSRF protection — block private/internal IPs (including DNS rebinding)
+  if (await isPrivateUrl(url)) {
+    throw new Error(`Feed URL blocked (private/internal address): ${url}`);
+  }
+
   // Check cache first
   if (redis) {
     const cached = await getCache(redis, `feed:${url}`);

package/lib/feeds/normalizer.js

@@ -7,6 +7,8 @@ import crypto from "node:crypto";
 
 import sanitizeHtml from "sanitize-html";
 
+import { SANITIZE_OPTIONS } from "../utils/sanitize.js";
+
 /**
  * Extract image URLs from HTML content.
  * Used as a fallback when no explicit photo/enclosure is provided.
@@ -89,61 +91,7 @@ function toISOStringSafe(dateInput) {
   return date ? date.toISOString() : undefined;
 }
 
-/**
- * Sanitize HTML options
- */
-const SANITIZE_OPTIONS = {
-  allowedTags: [
-    "a",
-    "abbr",
-    "b",
-    "blockquote",
-    "br",
-    "code",
-    "em",
-    "figcaption",
-    "figure",
-    "h1",
-    "h2",
-    "h3",
-    "h4",
-    "h5",
-    "h6",
-    "hr",
-    "i",
-    "img",
-    "li",
-    "ol",
-    "p",
-    "pre",
-    "s",
-    "span",
-    "strike",
-    "strong",
-    "sub",
-    "sup",
-    "table",
-    "tbody",
-    "td",
-    "th",
-    "thead",
-    "tr",
-    "u",
-    "ul",
-    "video",
-    "audio",
-    "source",
-  ],
-  allowedAttributes: {
-    a: ["href", "title", "rel"],
-    img: ["src", "alt", "title", "width", "height"],
-    video: ["src", "poster", "controls", "width", "height"],
-    audio: ["src", "controls"],
-    source: ["src", "type"],
-    "*": ["class"],
-  },
-  allowedSchemes: ["http", "https", "mailto"],
-};
+// SANITIZE_OPTIONS imported from ../utils/sanitize.js (shared with AP outbox fetcher)
 
 /**
  * Generate unique ID for an item

package/lib/media/proxy.js

@@ -4,6 +4,7 @@
  */
 
 import crypto from "node:crypto";
+import dns from "node:dns/promises";
 
 import { getCache, setCache } from "../cache/redis.js";
 
@@ -20,39 +21,59 @@ const BLOCKED_IP_PREFIXES = [
 ];
 
 /**
- * Check if a hostname resolves to a private/internal address
+ * Check if an IP address is in a private/internal range
+ * @param {string} ip - IP address to check
+ * @returns {boolean} True if private
+ */
+function isPrivateIp(ip) {
+  if (ip === "::1" || ip === "127.0.0.1") return true;
+
+  for (const prefix of BLOCKED_IP_PREFIXES) {
+    if (ip.startsWith(prefix)) return true;
+  }
+
+  // 172.16.0.0/12
+  const match172 = ip.match(/^172\.(\d+)\./);
+  if (match172) {
+    const second = Number.parseInt(match172[1], 10);
+    if (second >= 16 && second <= 31) return true;
+  }
+
+  return false;
+}
+
+/**
+ * Check if a URL targets a private/internal address.
+ * Performs both string-based hostname checks AND DNS resolution
+ * to prevent DNS rebinding attacks.
+ *
  * @param {string} urlString - URL to check
- * @returns {boolean} True if the URL targets a private/internal address
+ * @returns {Promise<boolean>} True if the URL targets a private/internal address
  */
-export function isPrivateUrl(urlString) {
+export async function isPrivateUrl(urlString) {
   try {
     const parsed = new URL(urlString);
     const hostname = parsed.hostname;
 
+    // Block non-HTTP protocols
+    if (!["http:", "https:"].includes(parsed.protocol)) return true;
+
     // Block known private hostnames
-    if (BLOCKED_HOSTNAMES.has(hostname)) {
-      return true;
-    }
+    if (BLOCKED_HOSTNAMES.has(hostname)) return true;
 
     // Block IPv6 loopback
-    if (hostname === "::1" || hostname === "[::1]") {
-      return true;
-    }
+    if (hostname === "::1" || hostname === "[::1]") return true;
 
-    // Block private IPv4 ranges
-    for (const prefix of BLOCKED_IP_PREFIXES) {
-      if (hostname.startsWith(prefix)) {
-        return true;
-      }
-    }
+    // Block private IPv4 ranges (string check for literal IPs)
+    if (isPrivateIp(hostname)) return true;
 
-    // Block 172.16.0.0/12 (172.16.x.x - 172.31.x.x)
-    const match172 = hostname.match(/^172\.(\d+)\./);
-    if (match172) {
-      const second = Number.parseInt(match172[1], 10);
-      if (second >= 16 && second <= 31) {
-        return true;
-      }
+    // DNS resolution check — catches domains resolving to private IPs
+    try {
+      const { address } = await dns.lookup(hostname);
+      if (isPrivateIp(address)) return true;
+    } catch {
+      // DNS resolution failure — block as precaution
+      return true;
     }
 
     return false;
@@ -68,8 +89,8 @@ const ALLOWED_TYPES = new Set([
   "image/png",
   "image/gif",
   "image/webp",
-  "image/svg+xml",
   "image/avif",
+  // image/svg+xml intentionally excluded — SVGs can contain embedded JavaScript
 ]);
 
 /**
@@ -81,6 +102,34 @@ export function hashUrl(url) {
   return crypto.createHash("sha256").update(url).digest("hex").slice(0, 16);
 }
 
+/**
+ * Generate HMAC signature for a media proxy URL
+ * @param {string} url - Original image URL
+ * @returns {string} HMAC hex signature (16 chars)
+ */
+export function signProxyUrl(url) {
+  const secret = process.env.SECRET || "microsub-default-secret";
+  return crypto
+    .createHmac("sha256", secret)
+    .update(url)
+    .digest("hex")
+    .slice(0, 16);
+}
+
+/**
+ * Verify HMAC signature for a media proxy URL
+ * @param {string} url - Original image URL
+ * @param {string} sig - Submitted signature
+ * @returns {boolean} Whether signature is valid
+ */
+export function verifyProxySignature(url, sig) {
+  if (!sig) return false;
+  const expected = signProxyUrl(url);
+  // Constant-time comparison
+  if (sig.length !== expected.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected));
+}
+
 /**
  * Get the proxied URL for an image
  * @param {string} baseUrl - Base URL of the Microsub endpoint
@@ -103,7 +152,8 @@ export function getProxiedUrl(baseUrl, originalUrl) {
   }
 
   const hash = hashUrl(originalUrl);
-  return `${baseUrl}/microsub/media/${hash}?url=${encodeURIComponent(originalUrl)}`;
+  const sig = signProxyUrl(originalUrl);
+  return `${baseUrl}/microsub/media/${hash}?url=${encodeURIComponent(originalUrl)}&sig=${sig}`;
 }
 
 /**
@@ -155,7 +205,7 @@ export function proxyItemImages(item, baseUrl) {
  */
 export async function fetchImage(redis, url) {
   // Block private/internal URLs (defense-in-depth)
-  if (isPrivateUrl(url)) {
+  if (await isPrivateUrl(url)) {
     console.error(`[Microsub] Media proxy blocked private URL: ${url}`);
     return;
   }
@@ -239,12 +289,17 @@ export async function fetchImage(redis, url) {
  * @returns {Promise<void>}
  */
 export async function handleMediaProxy(request, response) {
-  const { url } = request.query;
+  const { url, sig } = request.query;
 
   if (!url) {
     return response.status(400).send("Missing url parameter");
   }
 
+  // Verify HMAC signature (prevents abuse as open proxy)
+  if (!verifyProxySignature(url, sig)) {
+    return response.status(403).send("Invalid proxy signature");
+  }
+
   // Validate URL
   try {
     const parsed = new URL(url);
@@ -256,7 +311,7 @@ export async function handleMediaProxy(request, response) {
   }
 
   // Block requests to private/internal networks (SSRF protection)
-  if (isPrivateUrl(url)) {
+  if (await isPrivateUrl(url)) {
     return response.status(403).send("URL not allowed");
   }
 

package/lib/polling/processor.js

@@ -3,10 +3,13 @@
  * @module polling/processor
  */
 
+const FEED_PROCESS_TIMEOUT = 60_000; // 60 seconds max per feed
+const MAX_ITEMS_PER_CYCLE = 100; // Max items to process per feed per cycle
+
 import { getRedisClient, publishEvent } from "../cache/redis.js";
 import { detectCapabilities } from "../feeds/capabilities.js";
 import { fetchAndParseFeed } from "../feeds/fetcher.js";
-import { getChannel } from "../storage/channels.js";
+import { getChannelById } from "../storage/channels.js";
 import {
   updateFeed,
   updateFeedAfterFetch,
@@ -69,11 +72,14 @@ export async function processFeed(application, feed) {
     }
 
     // Get channel for filtering
-    const channel = await getChannel(application, feed.channelId);
+    const channel = await getChannelById(application, feed.channelId);
 
-    // Process items
+    // Process items (limited to MAX_ITEMS_PER_CYCLE per feed per cycle)
     let newItemCount = 0;
+    let processedCount = 0;
     for (const item of parsed.items) {
+      if (processedCount >= MAX_ITEMS_PER_CYCLE) break;
+      processedCount++;
       // Apply channel filters
       if (channel?.settings && !passesFilters(item, channel.settings)) {
         continue;
@@ -276,7 +282,24 @@ export async function processFeedBatch(application, feeds, options = {}) {
   for (let index = 0; index < feeds.length; index += concurrency) {
     const batch = feeds.slice(index, index + concurrency);
     const batchResults = await Promise.all(
-      batch.map((feed) => processFeed(application, feed)),
+      batch.map((feed) =>
+        Promise.race([
+          processFeed(application, feed),
+          new Promise((resolve) =>
+            setTimeout(
+              () =>
+                resolve({
+                  feedId: feed._id,
+                  url: feed.url,
+                  success: false,
+                  itemsAdded: 0,
+                  error: "Feed processing timeout",
+                }),
+              FEED_PROCESS_TIMEOUT,
+            ),
+          ),
+        ]),
+      ),
     );
     results.push(...batchResults);
   }

package/lib/polling/scheduler.js

@@ -7,6 +7,8 @@ import { getFeedsToFetch } from "../storage/feeds.js";
 
 import { processFeedBatch } from "./processor.js";
 
+// TODO: Refactor scheduler to a class that accepts `application` as constructor
+// argument. Module-level singletons prevent unit testing and multiple instances.
 let schedulerInterval;
 let indiekitInstance;
 let isRunning = false;

package/lib/realtime/broker.js

@@ -62,7 +62,12 @@ export function removeClient(response) {
       (c) => c.userId === client.userId,
     );
     if (!hasOtherClients) {
-      // Could clean up Redis subscription here if needed
+      // Clean up Redis subscriber connection for this user
+      const subscriber = userSubscribers.get(client.userId);
+      if (subscriber) {
+        subscriber.quit().catch(() => {});
+        userSubscribers.delete(client.userId);
+      }
     }
   }
 }