@rmdes/indiekit-endpoint-microsub 1.0.55 → 1.0.57

package/lib/storage/read-state.js

@@ -3,7 +3,7 @@
  * @module storage/read-state
  */
 
-import { markItemsRead, markItemsUnread, getUnreadCount } from "./items.js";
+import { markItemsRead, markItemsUnread, getUnreadCount } from "./items-read-state.js";
 
 /**
  * Mark entries as read for a user

package/lib/utils/async-handler.js

@@ -0,0 +1,7 @@
+/**
+ * Wrap async route handlers to catch rejections and pass to Express error middleware
+ * @param {Function} fn - Async route handler
+ * @returns {Function} Wrapped handler
+ */
+export const asyncHandler = (fn) => (req, res, next) =>
+  Promise.resolve(fn(req, res, next)).catch(next);

package/lib/utils/constants.js

@@ -0,0 +1,7 @@
+/**
+ * Shared constants used across multiple modules
+ * @module utils/constants
+ */
+
+/** Retention period for unread count queries (only count recent items) */
+export const UNREAD_RETENTION_DAYS = 30;

package/lib/utils/csrf.js

@@ -0,0 +1,51 @@
+/**
+ * CSRF protection middleware for reader UI
+ * Uses session-based tokens (not cookies)
+ * @module utils/csrf
+ */
+
+import crypto from "node:crypto";
+
+/**
+ * Generate or retrieve CSRF token from session.
+ * Exposes token as `response.locals.csrfToken` for templates.
+ *
+ * @param {object} request - Express request
+ * @param {object} response - Express response
+ * @param {Function} next - Express next
+ */
+export function csrfToken(request, response, next) {
+  if (request.session) {
+    if (!request.session.csrfToken) {
+      request.session.csrfToken = crypto.randomUUID();
+    }
+    response.locals.csrfToken = request.session.csrfToken;
+  }
+  next();
+}
+
+/**
+ * Validate CSRF token on POST requests.
+ * Checks `_csrf` field in body or `x-csrf-token` header.
+ *
+ * @param {object} request - Express request
+ * @param {object} response - Express response
+ * @param {Function} next - Express next
+ */
+export function csrfValidate(request, response, next) {
+  if (request.method !== "POST") return next();
+
+  const sessionToken = request.session?.csrfToken;
+  if (!sessionToken) {
+    return response.status(403).send("CSRF token missing from session");
+  }
+
+  const submittedToken =
+    request.body?._csrf || request.headers["x-csrf-token"];
+
+  if (!submittedToken || submittedToken !== sessionToken) {
+    return response.status(403).send("CSRF token invalid");
+  }
+
+  next();
+}

package/lib/utils/html.js

@@ -0,0 +1,25 @@
+/**
+ * Shared HTML utilities
+ * @module utils/html
+ */
+
+/**
+ * Extract image URLs from HTML content (fallback for items without explicit photos)
+ * @param {string} html - HTML content
+ * @returns {string[]} Array of image URLs
+ */
+export function extractImagesFromHtml(html) {
+  if (!html) {
+    return [];
+  }
+  const urls = [];
+  const imgRegex = /<img[^>]+src=["']([^"']+)["'][^>]*>/gi;
+  let match;
+  while ((match = imgRegex.exec(html)) !== null) {
+    const src = match[1];
+    if (src && !urls.includes(src)) {
+      urls.push(src);
+    }
+  }
+  return urls;
+}

package/lib/utils/sanitize.js

@@ -0,0 +1,61 @@
+/**
+ * Shared HTML sanitization configuration
+ * Used by both RSS/Atom normalizer and ActivityPub outbox fetcher
+ * @module utils/sanitize
+ */
+
+/**
+ * Allowed HTML tags and attributes for sanitize-html
+ */
+export const SANITIZE_OPTIONS = {
+  allowedTags: [
+    "a",
+    "abbr",
+    "b",
+    "blockquote",
+    "br",
+    "code",
+    "em",
+    "figcaption",
+    "figure",
+    "h1",
+    "h2",
+    "h3",
+    "h4",
+    "h5",
+    "h6",
+    "hr",
+    "i",
+    "img",
+    "li",
+    "ol",
+    "p",
+    "pre",
+    "s",
+    "span",
+    "strike",
+    "strong",
+    "sub",
+    "sup",
+    "table",
+    "tbody",
+    "td",
+    "th",
+    "thead",
+    "tr",
+    "u",
+    "ul",
+    "video",
+    "audio",
+    "source",
+  ],
+  allowedAttributes: {
+    a: ["href", "title", "rel"],
+    img: ["src", "alt", "title", "width", "height"],
+    video: ["src", "poster", "controls", "width", "height"],
+    audio: ["src", "controls"],
+    source: ["src", "type"],
+    "*": ["class"],
+  },
+  allowedSchemes: ["http", "https", "mailto"],
+};

package/lib/utils/source-type.js

@@ -0,0 +1,28 @@
+/**
+ * URL classification utilities
+ * @module utils/source-type
+ */
+
+/**
+ * Classify a URL by its platform/protocol
+ * @param {string} url - URL to classify
+ * @returns {{ type: string, protocol: string }}
+ */
+export function classifyUrl(url) {
+  if (!url || typeof url !== "string") return { type: "web", protocol: "web" };
+  const lower = url.toLowerCase();
+  if (lower.includes("bsky.app") || lower.includes("bluesky")) {
+    return { type: "bluesky", protocol: "atmosphere" };
+  }
+  if (
+    lower.includes("mastodon.") ||
+    lower.includes("mstdn.") ||
+    lower.includes("fosstodon.") ||
+    lower.includes("pleroma.") ||
+    lower.includes("misskey.") ||
+    lower.includes("pixelfed.")
+  ) {
+    return { type: "mastodon", protocol: "fediverse" };
+  }
+  return { type: "web", protocol: "web" };
+}

package/lib/utils/validation.js

@@ -4,6 +4,7 @@
  */
 
 import { IndiekitError } from "@indiekit/error";
+import safeRegex from "safe-regex2";
 
 /**
  * Valid Microsub actions
@@ -30,7 +31,7 @@ export const VALID_CHANNEL_METHODS = ["delete", "order"];
 /**
  * Valid timeline methods
  */
-export const VALID_TIMELINE_METHODS = ["mark_read", "mark_unread", "remove"];
+export const VALID_TIMELINE_METHODS = ["mark_read", "mark_read_source", "mark_unread", "remove"];
 
 /**
  * Valid exclude types for channel filtering
@@ -173,7 +174,12 @@ export function validateExcludeRegex(pattern) {
   }
 
   try {
-    new RegExp(pattern);
+    const regex = new RegExp(pattern);
+    // Reject patterns vulnerable to catastrophic backtracking (ReDoS)
+    if (!safeRegex(regex)) {
+      console.warn(`[Microsub] Rejected unsafe regex pattern: ${pattern}`);
+      return;
+    }
     return pattern;
   } catch {
     return;

package/lib/webmention/processor.js

@@ -78,7 +78,7 @@ export async function processWebmention(application, source, target, userId) {
   }
 
   // Publish real-time event
-  const redis = getRedisClient(application);
+  const redis = await getRedisClient(application);
   if (redis && userId) {
     await publishEvent(redis, `microsub:user:${userId}`, {
       type: "new-notification",

package/lib/webmention/verifier.js

@@ -6,27 +6,8 @@
 import { mf2 } from "microformats-parser";
 import sanitizeHtml from "sanitize-html";
 
-/**
- * Sanitize HTML options (matches normalizer.js)
- */
-const SANITIZE_OPTIONS = {
-  allowedTags: [
-    "a", "abbr", "b", "blockquote", "br", "code", "em", "figcaption",
-    "figure", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i", "img",
-    "li", "ol", "p", "pre", "s", "span", "strike", "strong", "sub",
-    "sup", "table", "tbody", "td", "th", "thead", "tr", "u", "ul",
-    "video", "audio", "source",
-  ],
-  allowedAttributes: {
-    a: ["href", "title", "rel"],
-    img: ["src", "alt", "title", "width", "height"],
-    video: ["src", "poster", "controls", "width", "height"],
-    audio: ["src", "controls"],
-    source: ["src", "type"],
-    "*": ["class"],
-  },
-  allowedSchemes: ["http", "https", "mailto"],
-};
+import { isPrivateUrl } from "../media/proxy.js";
+import { SANITIZE_OPTIONS } from "../utils/sanitize.js";
 
 /**
  * Verify a webmention
@@ -36,6 +17,14 @@ const SANITIZE_OPTIONS = {
  */
 export async function verifyWebmention(source, target) {
   try {
+    // SSRF protection — block private/internal IPs (highest risk: unauthenticated endpoint)
+    if (await isPrivateUrl(source)) {
+      return {
+        verified: false,
+        error: "Source URL blocked (private/internal address)",
+      };
+    }
+
     // Fetch the source URL
     const response = await fetch(source, {
       headers: {

package/lib/websub/subscriber.js

@@ -5,6 +5,7 @@
 
 import crypto from "node:crypto";
 
+import { isPrivateUrl } from "../media/proxy.js";
 import { updateFeedWebsub } from "../storage/feeds.js";
 
 const DEFAULT_LEASE_SECONDS = 86_400 * 7; // 7 days
@@ -24,6 +25,12 @@ export async function subscribe(application, feed, callbackUrl) {
   const topic = feed.websub.topic || feed.url;
   const secret = generateSecret();
 
+  // SSRF protection — hub URL comes from untrusted feed content
+  if (await isPrivateUrl(feed.websub.hub)) {
+    console.warn(`[Microsub] WebSub blocked private hub URL: ${feed.websub.hub}`);
+    return false;
+  }
+
   try {
     const response = await fetch(feed.websub.hub, {
       method: "POST",
@@ -137,6 +144,11 @@ export function verifySignature(signature, body, secret) {
   // Normalize algorithm name
   const algo = algorithm.toLowerCase().replace("sha", "sha");
 
+  // Warn about deprecated SHA-1 (accepted for compatibility, but SHA-256 preferred)
+  if (algo === "sha1") {
+    console.warn("[Microsub] WebSub: hub using deprecated SHA-1 signature (SHA-256 preferred)");
+  }
+
   try {
     const expectedHash = crypto
       .createHmac(algo, secret)

package/locales/de.json

@@ -4,6 +4,9 @@
       "title": "Leser",
       "empty": "Keine Elemente zum Anzeigen",
       "markAllRead": "Alle als gelesen markieren",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Gelesene anzeigen ({{count}})",
       "hideRead": "Gelesene Elemente ausblenden",
       "allRead": "Alles aufgeholt!",

package/locales/en.json

@@ -5,6 +5,8 @@
       "empty": "No items to display",
       "markAllRead": "Mark all as read",
       "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Show read ({{count}})",
       "hideRead": "Hide read items",
       "allRead": "All caught up!",

package/locales/es-419.json

@@ -4,6 +4,9 @@
       "title": "Lector",
       "empty": "No hay elementos para mostrar",
       "markAllRead": "Marcar todo como leído",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Mostrar leídos ({{count}})",
       "hideRead": "Ocultar elementos leídos",
       "allRead": "¡Todo al día!",

package/locales/es.json

@@ -4,6 +4,9 @@
       "title": "Lector",
       "empty": "No hay elementos para mostrar",
       "markAllRead": "Marcar todo como leído",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Mostrar leídos ({{count}})",
       "hideRead": "Ocultar elementos leídos",
       "allRead": "¡Todo al día!",

package/locales/fr.json

@@ -4,6 +4,9 @@
       "title": "Lecteur",
       "empty": "Aucun élément à afficher",
       "markAllRead": "Tout marquer comme lu",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Afficher les lus ({{count}})",
       "hideRead": "Masquer les éléments lus",
       "allRead": "Tout est à jour !",

package/locales/hi.json

@@ -4,6 +4,9 @@
       "title": "रीडर",
       "empty": "प्रदर्शित करने के लिए कोई आइटम नहीं",
       "markAllRead": "सभी को पढ़ा हुआ चिह्नित करें",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "पढ़े हुए दिखाएं ({{count}})",
       "hideRead": "पढ़े हुए आइटम छिपाएं",
       "allRead": "सब पकड़ लिया!",

package/locales/id.json

@@ -4,6 +4,9 @@
       "title": "Pembaca",
       "empty": "Tidak ada item untuk ditampilkan",
       "markAllRead": "Tandai semua sudah dibaca",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Tampilkan yang sudah dibaca ({{count}})",
       "hideRead": "Sembunyikan item yang sudah dibaca",
       "allRead": "Semua sudah terbaca!",

package/locales/it.json

@@ -4,6 +4,9 @@
       "title": "Lettore",
       "empty": "Nessun elemento da visualizzare",
       "markAllRead": "Segna tutto come letto",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Mostra letti ({{count}})",
       "hideRead": "Nascondi elementi letti",
       "allRead": "Tutto aggiornato!",

package/locales/nl.json

@@ -4,6 +4,9 @@
       "title": "Lezer",
       "empty": "Geen items om weer te geven",
       "markAllRead": "Alles als gelezen markeren",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Toon gelezen ({{count}})",
       "hideRead": "Verberg gelezen items",
       "allRead": "Alles bijgewerkt!",

package/locales/pl.json

@@ -4,6 +4,9 @@
       "title": "Czytnik",
       "empty": "Brak elementów do wyświetlenia",
       "markAllRead": "Oznacz wszystkie jako przeczytane",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Pokaż przeczytane ({{count}})",
       "hideRead": "Ukryj przeczytane elementy",
       "allRead": "Wszystko przeczytane!",

package/locales/pt-BR.json

@@ -4,6 +4,9 @@
       "title": "Leitor",
       "empty": "Nenhum item para exibir",
       "markAllRead": "Marcar tudo como lido",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Mostrar lidos ({{count}})",
       "hideRead": "Ocultar itens lidos",
       "allRead": "Tudo em dia!",

package/locales/pt.json

@@ -4,6 +4,9 @@
       "title": "Leitor",
       "empty": "Nenhum item para exibir",
       "markAllRead": "Marcar tudo como lido",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Mostrar lidos ({{count}})",
       "hideRead": "Ocultar itens lidos",
       "allRead": "Tudo em dia!",

package/locales/sr.json

@@ -4,6 +4,9 @@
       "title": "Читач",
       "empty": "Нема ставки за приказ",
       "markAllRead": "Означи све као прочитано",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Прикажи прочитано ({{count}})",
       "hideRead": "Сакриј прочитане ставке",
       "allRead": "Све ажурирано!",

package/locales/sv.json

@@ -4,6 +4,9 @@
       "title": "Läsare",
       "empty": "Inga objekt att visa",
       "markAllRead": "Markera allt som läst",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "Visa lästa ({{count}})",
       "hideRead": "Dölj lästa objekt",
       "allRead": "Allt är uppdaterat!",

package/locales/zh-Hans-CN.json

@@ -4,6 +4,9 @@
       "title": "阅读器",
       "empty": "没有可显示的项目",
       "markAllRead": "全部标记为已读",
+      "markViewRead": "Mark current view as read",
+      "filterChannels": "Filter channels",
+      "apply": "Apply",
       "showRead": "显示已读 ({{count}})",
       "hideRead": "隐藏已读项目",
       "allRead": "全部已读！",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-microsub",
-  "version": "1.0.55",
+  "version": "1.0.57",
   "description": "Microsub endpoint for Indiekit. Enables subscribing to feeds and reading content using the Microsub protocol.",
   "keywords": [
     "indiekit",
@@ -46,6 +46,8 @@
     "ioredis": "^5.3.0",
     "luxon": "^3.4.0",
     "microformats-parser": "^2.0.0",
+    "express-rate-limit": "^7.0.0",
+    "safe-regex2": "^4.0.0",
     "sanitize-html": "^2.11.0"
   },
   "publishConfig": {

package/views/actor.njk

@@ -46,6 +46,7 @@
         {% if canFollow %}
           {% if isFollowing %}
           <form action="{{ baseUrl }}/actor/unfollow" method="POST" style="display: inline;">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
             <input type="hidden" name="actorUrl" value="{{ actorUrl }}">
             <button type="submit" class="button button--secondary button--small">
               {{ icon("tick") }} Following
@@ -53,6 +54,7 @@
           </form>
           {% else %}
           <form action="{{ baseUrl }}/actor/follow" method="POST" style="display: inline;">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
             <input type="hidden" name="actorUrl" value="{{ actorUrl }}">
             <input type="hidden" name="actorName" value="{{ actor.name }}">
             <button type="submit" class="button button--primary button--small">

package/views/channel-new.njk

@@ -9,6 +9,7 @@
     <h2>{{ __("microsub.channels.new") }}</h2>
 
     <form method="post" action="{{ baseUrl }}/channels/new">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
       {{ input({
         id: "name",
         name: "name",