fedbox 0.0.1 → 0.0.4

package/lib/server.js

@@ -1,6 +1,7 @@
 /**
  * Fedbox Server
  * ActivityPub server using microfed
+ * Solid-compatible URI structure
  */
 
 import { createServer } from 'http'
@@ -19,6 +20,7 @@ import {
   getActivities,
   savePost,
   getPosts,
+  getPost,
   cacheActor,
   getCachedActor
 } from './store.js'
@@ -26,6 +28,11 @@ import {
 let config = null
 let actor = null
 
+// Rate limiting: track requests per IP
+const rateLimits = new Map()
+const RATE_LIMIT_WINDOW = 60000 // 1 minute
+const RATE_LIMIT_MAX = 100 // max requests per window
+
 /**
  * Load configuration
  */
@@ -52,32 +59,95 @@ function getProtocol() {
 }
 
 /**
- * Build actor object
+ * Get base URL
  */
-function buildActor() {
-  const domain = getDomain()
-  const protocol = getProtocol()
-  const baseUrl = `${protocol}://${domain}`
+function getBaseUrl() {
+  return `${getProtocol()}://${getDomain()}`
+}
 
-  return profile.createActor({
-    id: `${baseUrl}/users/${config.username}`,
-    username: config.username,
+/**
+ * Build actor object with Solid-compatible URIs
+ * /alice is the profile document
+ * /alice#me is the WebID (the Person)
+ */
+function buildActor() {
+  const baseUrl = getBaseUrl()
+  const profileUrl = `${baseUrl}/${config.username}`
+  const actorId = `${profileUrl}#me`
+
+  // Build actor manually for more control over structure
+  return {
+    '@context': [
+      'https://www.w3.org/ns/activitystreams',
+      'https://w3id.org/security/v1'
+    ],
+    type: 'Person',
+    id: actorId,
+    url: profileUrl,
+    preferredUsername: config.username,
     name: config.displayName,
     summary: config.summary ? `<p>${config.summary}</p>` : '',
-    publicKey: config.publicKey,
-    sharedInbox: `${baseUrl}/inbox`
-  })
+    inbox: `${profileUrl}/inbox`,
+    outbox: `${profileUrl}/outbox`,
+    followers: `${profileUrl}/followers`,
+    following: `${profileUrl}/following`,
+    endpoints: {
+      sharedInbox: `${baseUrl}/inbox`
+    },
+    publicKey: {
+      id: `${profileUrl}#main-key`,
+      owner: actorId,
+      publicKeyPem: config.publicKey
+    }
+  }
+}
+
+/**
+ * Check rate limit
+ */
+function checkRateLimit(ip) {
+  const now = Date.now()
+  const record = rateLimits.get(ip)
+
+  if (!record || now - record.start > RATE_LIMIT_WINDOW) {
+    rateLimits.set(ip, { start: now, count: 1 })
+    return true
+  }
+
+  record.count++
+  if (record.count > RATE_LIMIT_MAX) {
+    return false
+  }
+
+  return true
 }
 
+/**
+ * Clean old rate limit entries (run periodically)
+ */
+function cleanRateLimits() {
+  const now = Date.now()
+  for (const [ip, record] of rateLimits) {
+    if (now - record.start > RATE_LIMIT_WINDOW) {
+      rateLimits.delete(ip)
+    }
+  }
+}
+
+// Clean rate limits every minute
+setInterval(cleanRateLimits, RATE_LIMIT_WINDOW)
+
 /**
  * Fetch remote actor (with caching)
  */
 async function fetchActor(id) {
+  // Strip fragment for fetching
+  const fetchUrl = id.replace(/#.*$/, '')
   const cached = getCachedActor(id)
   if (cached) return cached
 
   try {
-    const response = await fetch(id, {
+    const response = await fetch(fetchUrl, {
       headers: { 'Accept': 'application/activity+json' }
     })
     if (!response.ok) return null
@@ -90,6 +160,65 @@ async function fetchActor(id) {
   }
 }
 
+/**
+ * Verify HTTP signature on incoming request
+ */
+async function verifySignature(req, body) {
+  const signature = req.headers['signature']
+  if (!signature) {
+    return { valid: false, reason: 'No signature header' }
+  }
+
+  // Parse signature header
+  const sigParts = {}
+  signature.split(',').forEach(part => {
+    const [key, ...rest] = part.split('=')
+    sigParts[key.trim()] = rest.join('=').replace(/^"|"$/g, '')
+  })
+
+  const keyId = sigParts.keyId
+  if (!keyId) {
+    return { valid: false, reason: 'No keyId in signature' }
+  }
+
+  // Extract actor URL from keyId (strip fragment like #main-key)
+  const actorUrl = keyId.replace(/#.*$/, '')
+
+  // Fetch the actor to get their public key
+  const remoteActor = await fetchActor(actorUrl)
+  if (!remoteActor) {
+    return { valid: false, reason: `Could not fetch actor: ${actorUrl}` }
+  }
+
+  const publicKeyPem = remoteActor.publicKey?.publicKeyPem
+  if (!publicKeyPem) {
+    return { valid: false, reason: 'Actor has no public key' }
+  }
+
+  // Build the signing string
+  const headers = sigParts.headers?.split(' ') || ['(request-target)', 'host', 'date']
+  const signingParts = headers.map(header => {
+    if (header === '(request-target)') {
+      return `(request-target): ${req.method.toLowerCase()} ${req.url}`
+    }
+    if (header === 'digest' && body) {
+      const crypto = require('crypto')
+      const digest = crypto.createHash('sha256').update(body).digest('base64')
+      return `digest: SHA-256=${digest}`
+    }
+    return `${header}: ${req.headers[header.toLowerCase()] || ''}`
+  })
+  const signingString = signingParts.join('\n')
+
+  // Verify the signature
+  try {
+    const isValid = auth.verify(signingString, sigParts.signature, publicKeyPem)
+    return { valid: isValid, actor: remoteActor }
+  } catch (err) {
+    return { valid: false, reason: `Verification error: ${err.message}` }
+  }
+}
+
 /**
  * Handle incoming activities
  */
@@ -108,7 +237,7 @@ async function handleActivity(activity) {
       handleAccept(activity)
       break
     case 'Create':
-      console.log(`   New post: ${activity.object?.content?.slice(0, 50)}...`)
+      console.log(`   📝 New post: ${activity.object?.content?.slice(0, 50)}...`)
       break
     case 'Like':
       console.log(`   ❤️ Liked: ${activity.object}`)
@@ -141,7 +270,7 @@ async function handleFollow(activity) {
       activity: accept,
       inbox: followerActor.inbox,
       privateKey: config.privateKey,
-      keyId: `${actor.id}#main-key`
+      keyId: `${getBaseUrl()}/${config.username}#main-key`
     })
     console.log(`   📤 Sent Accept to ${followerActor.inbox}`)
   } catch (err) {
@@ -173,7 +302,19 @@ function handleAccept(activity) {
  * Request handler
  */
 async function handleRequest(req, res) {
-  const url = new URL(req.url, `${getProtocol()}://${getDomain()}`)
+  // Get client IP
+  const ip = req.headers['x-forwarded-for']?.split(',')[0] ||
+             req.socket.remoteAddress ||
+             'unknown'
+
+  // Check rate limit
+  if (!checkRateLimit(ip)) {
+    console.log(`🚫 Rate limited: ${ip}`)
+    res.writeHead(429, { 'Retry-After': '60' })
+    return res.end('Too many requests')
+  }
+
+  const url = new URL(req.url, getBaseUrl())
   const path = url.pathname
   const accept = req.headers.accept || ''
   const isAP = accept.includes('activity+json') || accept.includes('ld+json')
@@ -200,62 +341,112 @@ async function handleRequest(req, res) {
       return res.end('Not found')
     }
 
-    const response = webfinger.createResponse(
-      `${config.username}@${getDomain()}`,
-      actor.id,
-      { profileUrl: `${getProtocol()}://${getDomain()}/@${config.username}` }
-    )
+    // Return /alice#me as the actor (Solid-compatible WebID)
+    const profileUrl = `${getBaseUrl()}/${config.username}`
+    const response = {
+      subject: `acct:${config.username}@${getDomain()}`,
+      links: [
+        {
+          rel: 'self',
+          type: 'application/activity+json',
+          href: `${profileUrl}#me`
+        },
+        {
+          rel: 'http://webfinger.net/rel/profile-page',
+          type: 'text/html',
+          href: profileUrl
+        }
+      ]
+    }
 
     res.setHeader('Content-Type', 'application/jrd+json')
     return res.end(JSON.stringify(response, null, 2))
   }
 
-  // Actor
-  if (path === `/users/${config.username}`) {
-    res.setHeader('Content-Type', 'application/activity+json')
-    return res.end(JSON.stringify(actor, null, 2))
+  // Nodeinfo discovery
+  if (path === '/.well-known/nodeinfo') {
+    const response = {
+      links: [
+        {
+          rel: 'http://nodeinfo.diaspora.software/ns/schema/2.1',
+          href: `${getBaseUrl()}/nodeinfo/2.1`
+        }
+      ]
+    }
+    res.setHeader('Content-Type', 'application/json')
+    return res.end(JSON.stringify(response, null, 2))
   }
 
-  // Inbox
-  if (path === `/users/${config.username}/inbox` || path === '/inbox') {
-    if (req.method !== 'POST') {
-      res.writeHead(405)
-      return res.end('Method not allowed')
+  // Nodeinfo 2.1
+  if (path === '/nodeinfo/2.1') {
+    const response = {
+      version: '2.1',
+      software: {
+        name: 'fedbox',
+        version: '0.0.4',
+        repository: 'https://github.com/micro-fed/fedbox'
+      },
+      protocols: ['activitypub'],
+      services: { inbound: [], outbound: [] },
+      usage: {
+        users: { total: 1, activeMonth: 1, activeHalfyear: 1 },
+        localPosts: getPosts(1000).length
+      },
+      openRegistrations: false,
+      metadata: {
+        nodeName: config.displayName || config.username,
+        nodeDescription: config.summary || 'A Fedbox instance'
+      }
     }
+    res.setHeader('Content-Type', 'application/json; profile="http://nodeinfo.diaspora.software/ns/schema/2.1#"')
+    return res.end(JSON.stringify(response, null, 2))
+  }
+
+  // Shared inbox
+  if (path === '/inbox') {
+    return handleInbox(req, res)
+  }
 
-    const chunks = []
-    for await (const chunk of req) chunks.push(chunk)
-    const body = Buffer.concat(chunks).toString()
-
-    try {
-      const activity = JSON.parse(body)
-      await handleActivity(activity)
-      res.writeHead(202)
-      return res.end()
-    } catch (err) {
-      console.error('Inbox error:', err)
-      res.writeHead(400)
-      return res.end('Bad request')
+  // Profile routes: /alice, /alice/inbox, /alice/outbox, etc.
+  if (path === `/${config.username}`) {
+    if (isAP) {
+      // Return Actor JSON-LD
+      res.setHeader('Content-Type', 'application/activity+json')
+      return res.end(JSON.stringify(actor, null, 2))
+    } else {
+      // Return HTML with embedded JSON-LD
+      res.setHeader('Content-Type', 'text/html')
+      return res.end(renderProfile())
     }
   }
 
+  // Inbox
+  if (path === `/${config.username}/inbox`) {
+    return handleInbox(req, res)
+  }
+
   // Outbox
-  if (path === `/users/${config.username}/outbox`) {
+  if (path === `/${config.username}/outbox`) {
     const posts = getPosts(20)
+    const profileUrl = `${getBaseUrl()}/${config.username}`
     const collection = {
       '@context': 'https://www.w3.org/ns/activitystreams',
       type: 'OrderedCollection',
-      id: `${actor.id}/outbox`,
+      id: `${profileUrl}/outbox`,
       totalItems: posts.length,
       orderedItems: posts.map(p => ({
         type: 'Create',
-        actor: actor.id,
+        actor: `${profileUrl}#me`,
+        published: p.published,
         object: {
           type: 'Note',
           id: p.id,
           content: p.content,
           published: p.published,
-          attributedTo: actor.id
+          attributedTo: `${profileUrl}#me`,
+          to: ['https://www.w3.org/ns/activitystreams#Public'],
+          cc: [`${profileUrl}/followers`],
+          ...(p.in_reply_to ? { inReplyTo: p.in_reply_to } : {})
         }
       }))
     }
@@ -264,12 +455,13 @@ async function handleRequest(req, res) {
   }
 
   // Followers
-  if (path === `/users/${config.username}/followers`) {
+  if (path === `/${config.username}/followers`) {
     const followers = getFollowers()
+    const profileUrl = `${getBaseUrl()}/${config.username}`
     const collection = {
       '@context': 'https://www.w3.org/ns/activitystreams',
       type: 'OrderedCollection',
-      id: `${actor.id}/followers`,
+      id: `${profileUrl}/followers`,
       totalItems: followers.length,
       orderedItems: followers.map(f => f.actor)
     }
@@ -278,11 +470,12 @@ async function handleRequest(req, res) {
   }
 
   // Following
-  if (path === `/users/${config.username}/following`) {
+  if (path === `/${config.username}/following`) {
+    const profileUrl = `${getBaseUrl()}/${config.username}`
     const collection = {
       '@context': 'https://www.w3.org/ns/activitystreams',
       type: 'OrderedCollection',
-      id: `${actor.id}/following`,
+      id: `${profileUrl}/following`,
       totalItems: getFollowingCount(),
       orderedItems: []
     }
@@ -290,10 +483,38 @@ async function handleRequest(req, res) {
     return res.end(JSON.stringify(collection, null, 2))
   }
 
-  // HTML Profile
-  if (path === `/@${config.username}` || (path === `/users/${config.username}` && !isAP)) {
-    res.setHeader('Content-Type', 'text/html')
-    return res.end(renderProfile())
+  // Individual post: /alice/posts/123
+  const postMatch = path.match(new RegExp(`^/${config.username}/posts/(\\d+)$`))
+  if (postMatch) {
+    const postId = `${getBaseUrl()}${path}`
+    const post = getPost(postId)
+    if (!post) {
+      res.writeHead(404)
+      return res.end('Not found')
+    }
+
+    const profileUrl = `${getBaseUrl()}/${config.username}`
+    const note = {
+      '@context': 'https://www.w3.org/ns/activitystreams',
+      type: 'Note',
+      id: post.id,
+      attributedTo: `${profileUrl}#me`,
+      content: post.content,
+      published: post.published,
+      to: ['https://www.w3.org/ns/activitystreams#Public'],
+      cc: [`${profileUrl}/followers`]
+    }
+    if (post.in_reply_to) {
+      note.inReplyTo = post.in_reply_to
+    }
+
+    if (isAP) {
+      res.setHeader('Content-Type', 'application/activity+json')
+      return res.end(JSON.stringify(note, null, 2))
+    } else {
+      res.setHeader('Content-Type', 'text/html')
+      return res.end(renderPost(post, note))
+    }
   }
 
   // Home
@@ -307,11 +528,46 @@ async function handleRequest(req, res) {
 }
 
 /**
- * Render HTML profile
+ * Handle inbox POST
+ */
+async function handleInbox(req, res) {
+  if (req.method !== 'POST') {
+    res.writeHead(405)
+    return res.end('Method not allowed')
+  }
+
+  const chunks = []
+  for await (const chunk of req) chunks.push(chunk)
+  const body = Buffer.concat(chunks).toString()
+
+  // Verify signature
+  const sigResult = await verifySignature(req, body)
+  if (!sigResult.valid) {
+    console.log(`   ⚠️  Signature: ${sigResult.reason}`)
+  } else {
+    console.log(`   🔐 Signature verified`)
+  }
+
+  try {
+    const activity = JSON.parse(body)
+    await handleActivity(activity)
+    res.writeHead(202)
+    return res.end()
+  } catch (err) {
+    console.error('Inbox error:', err)
+    res.writeHead(400)
+    return res.end('Bad request')
+  }
+}
+
+/**
+ * Render HTML profile with embedded JSON-LD
  */
 function renderProfile() {
   const followers = getFollowerCount()
   const following = getFollowingCount()
+  const posts = getPosts(10)
+  const profileUrl = `${getBaseUrl()}/${config.username}`
 
   return `<!DOCTYPE html>
 <html>
@@ -319,6 +575,10 @@ function renderProfile() {
   <meta charset="utf-8">
   <title>${config.displayName} (@${config.username}@${getDomain()})</title>
   <meta name="viewport" content="width=device-width, initial-scale=1">
+  <link rel="alternate" type="application/activity+json" href="${profileUrl}">
+  <script type="application/ld+json">
+${JSON.stringify(actor, null, 2)}
+  </script>
   <style>
     * { box-sizing: border-box; }
     body {
@@ -335,6 +595,7 @@ function renderProfile() {
       border-radius: 16px;
       padding: 2rem;
       text-align: center;
+      margin-bottom: 1.5rem;
     }
     .avatar {
       width: 120px;
@@ -363,11 +624,21 @@ function renderProfile() {
       margin-top: 1.5rem;
       font-size: 0.9rem;
     }
+    .posts { margin-top: 1rem; }
+    .post {
+      background: #16213e;
+      border-radius: 12px;
+      padding: 1rem;
+      margin-bottom: 1rem;
+    }
+    .post-content { margin-bottom: 0.5rem; }
+    .post-meta { color: #666; font-size: 0.8rem; }
+    .post a { color: #667eea; text-decoration: none; }
   </style>
 </head>
 <body>
   <div class="card">
-    <div class="avatar">🍺</div>
+    <div class="avatar">📦</div>
     <h1>${config.displayName}</h1>
     <p class="handle">@${config.username}@${getDomain()}</p>
     ${config.summary ? `<p class="bio">${config.summary}</p>` : ''}
@@ -380,9 +651,94 @@ function renderProfile() {
         <div class="stat-num">${following}</div>
         <div class="stat-label">Following</div>
       </div>
+      <div class="stat">
+        <div class="stat-num">${posts.length}</div>
+        <div class="stat-label">Posts</div>
+      </div>
     </div>
     <div class="badge">📦 Powered by Fedbox</div>
   </div>
+
+  ${posts.length > 0 ? `
+  <div class="posts">
+    ${posts.map(p => `
+    <div class="post">
+      <div class="post-content">${p.content}</div>
+      <div class="post-meta">
+        <a href="${p.id}">${new Date(p.published).toLocaleString()}</a>
+      </div>
+    </div>
+    `).join('')}
+  </div>
+  ` : ''}
+</body>
+</html>`
+}
+
+/**
+ * Render individual post with embedded JSON-LD
+ */
+function renderPost(post, note) {
+  return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Post by ${config.displayName}</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <link rel="alternate" type="application/activity+json" href="${post.id}">
+  <script type="application/ld+json">
+${JSON.stringify(note, null, 2)}
+  </script>
+  <style>
+    * { box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      max-width: 600px;
+      margin: 0 auto;
+      padding: 2rem;
+      background: #1a1a2e;
+      color: #eee;
+      min-height: 100vh;
+    }
+    .post {
+      background: #16213e;
+      border-radius: 16px;
+      padding: 2rem;
+    }
+    .author {
+      display: flex;
+      align-items: center;
+      gap: 1rem;
+      margin-bottom: 1rem;
+    }
+    .avatar {
+      width: 48px;
+      height: 48px;
+      border-radius: 50%;
+      background: linear-gradient(135deg, #667eea, #764ba2);
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      font-size: 1.5rem;
+    }
+    .author-info a { color: #667eea; text-decoration: none; }
+    .author-info p { margin: 0; color: #888; font-size: 0.9rem; }
+    .content { font-size: 1.2rem; line-height: 1.6; margin: 1rem 0; }
+    .meta { color: #666; font-size: 0.9rem; }
+  </style>
+</head>
+<body>
+  <div class="post">
+    <div class="author">
+      <div class="avatar">📦</div>
+      <div class="author-info">
+        <a href="/${config.username}">${config.displayName}</a>
+        <p>@${config.username}@${getDomain()}</p>
+      </div>
+    </div>
+    <div class="content">${post.content}</div>
+    <div class="meta">${new Date(post.published).toLocaleString()}</div>
+  </div>
 </body>
 </html>`
 }
@@ -391,6 +747,7 @@ function renderProfile() {
  * Render home page
  */
 function renderHome() {
+  const profileUrl = `${getBaseUrl()}/${config.username}`
   return `<!DOCTYPE html>
 <html>
 <head>
@@ -418,15 +775,16 @@ function renderHome() {
   <p>Your Fediverse server is running!</p>
 
   <h2>Your Profile</h2>
-  <p><a href="/@${config.username}">@${config.username}@${getDomain()}</a></p>
+  <p><a href="/${config.username}">@${config.username}@${getDomain()}</a></p>
 
   <h2>Endpoints</h2>
   <ul class="endpoints">
     <li><code>/.well-known/webfinger</code> - Discovery</li>
-    <li><code>/users/${config.username}</code> - Actor</li>
-    <li><code>/users/${config.username}/inbox</code> - Inbox</li>
-    <li><code>/users/${config.username}/outbox</code> - Outbox</li>
-    <li><code>/users/${config.username}/followers</code> - Followers</li>
+    <li><code>/${config.username}</code> - Profile (HTML + JSON-LD)</li>
+    <li><code>/${config.username}#me</code> - WebID (Actor)</li>
+    <li><code>/${config.username}/inbox</code> - Inbox</li>
+    <li><code>/${config.username}/outbox</code> - Outbox</li>
+    <li><code>/${config.username}/followers</code> - Followers</li>
   </ul>
 
   <h2>Federation</h2>
@@ -451,10 +809,10 @@ export async function startServer() {
     console.log(`
 📦 Fedbox is running!
 
-   Profile: http://localhost:${config.port}/@${config.username}
-   Actor:   http://localhost:${config.port}/users/${config.username}
+   Profile: http://localhost:${config.port}/${config.username}
+   WebID:   http://localhost:${config.port}/${config.username}#me
 
-${config.domain ? `   Federated: https://${config.domain}/@${config.username}` : '   ⚠️  Set "domain" in fedbox.json for federation'}
+${config.domain ? `   Federated: https://${config.domain}/${config.username}` : '   ⚠️  Set "domain" in fedbox.json for federation'}
 
    Press Ctrl+C to stop
 `)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fedbox",
-  "version": "0.0.1",
+  "version": "0.0.4",
   "description": "Zero to Fediverse in 60 seconds",
   "type": "module",
   "main": "lib/server.js",