javascript-solid-server 0.0.62 → 0.0.65

package/.claude/settings.local.json

@@ -215,7 +215,9 @@
       "WebFetch(domain:fonstr.com)",
       "Bash(node -e \"import\\(''nostr-tools''\\).then\\(m => console.log\\(Object.keys\\(m\\).join\\(''\\\\n''\\)\\)\\)\":*)",
       "Bash(gh repo list:*)",
-      "Bash(gh search:*)"
+      "Bash(gh search:*)",
+      "Bash(__NEW_LINE__ echo \"\")",
+      "WebFetch(domain:webfinger.net)"
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.62",
+  "version": "0.0.65",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -36,7 +36,8 @@
     "microfed": "^0.0.14",
     "n3": "^1.26.0",
     "nostr-tools": "^2.19.4",
-    "oidc-provider": "^9.6.0"
+    "oidc-provider": "^9.6.0",
+    "sql.js": "^1.13.0"
   },
   "engines": {
     "node": ">=18.0.0"

package/src/ap/index.js

@@ -11,6 +11,10 @@ import { createOutboxHandler } from './routes/outbox.js'
 import { createCollectionsHandler } from './routes/collections.js'
 import { createActorHandler } from './routes/actor.js'
 
+// Shared state for actor handler (accessed by server.js)
+let sharedActorHandler = null
+export function getActorHandler() { return sharedActorHandler }
+
 /**
  * ActivityPub Fastify plugin
  * @param {FastifyInstance} fastify
@@ -23,7 +27,7 @@ import { createActorHandler } from './routes/actor.js'
 export async function activityPubPlugin(fastify, options = {}) {
   // Initialize storage and keypair
   const keypair = loadOrCreateKeypair()
-  initStore()
+  await initStore()
 
   // Store config for handlers
   const config = {
@@ -37,16 +41,37 @@ export async function activityPubPlugin(fastify, options = {}) {
   // Decorate fastify with AP config
   fastify.decorate('apConfig', config)
 
+  // Helper to detect protocol from proxy headers
+  const getProtocol = (request) => {
+    // Check X-Forwarded-Proto first
+    let protocol = request.headers['x-forwarded-proto']
+    if (!protocol) {
+      // Cloudflare uses cf-visitor: {"scheme":"https"}
+      const cfVisitor = request.headers['cf-visitor']
+      if (cfVisitor) {
+        try {
+          const parsed = JSON.parse(cfVisitor)
+          protocol = parsed.scheme
+        } catch { /* ignore */ }
+      }
+    }
+    // If still no protocol and hostname looks like a public domain, assume https
+    if (!protocol && request.hostname && !request.hostname.match(/^(localhost|127\.|192\.168\.|10\.)/)) {
+      protocol = 'https'
+    }
+    return protocol || request.protocol
+  }
+
   // Helper to build actor ID from request
   const getActorId = (request) => {
-    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    const protocol = getProtocol(request)
     const host = request.headers['x-forwarded-host'] || request.hostname
     return `${protocol}://${host}/profile/card#me`
   }
 
   // Helper to get base URL
   const getBaseUrl = (request) => {
-    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    const protocol = getProtocol(request)
     const host = request.headers['x-forwarded-host'] || request.hostname
     return `${protocol}://${host}`
   }
@@ -110,7 +135,7 @@ export async function activityPubPlugin(fastify, options = {}) {
         version: '2.1',
         software: {
           name: 'jss',
-          version: '0.0.62',
+          version: '0.0.65',
           repository: 'https://github.com/JavaScriptSolidServer/JavaScriptSolidServer'
         },
         protocols: ['activitypub', 'solid'],
@@ -127,37 +152,11 @@ export async function activityPubPlugin(fastify, options = {}) {
       })
   })
 
-  // Actor endpoint - handle AP content negotiation for /profile/card
+  // Actor endpoint - expose handler for profile/card AP requests
   const actorHandler = createActorHandler(config, keypair)
 
-  // Decorate request to track AP handling
-  fastify.decorateRequest('apHandled', false)
-
-  // Register dedicated GET route for /profile/card with AP content negotiation
-  // This needs to run BEFORE the wildcard LDP routes
-  fastify.get('/profile/card', {
-    // Run this handler first, before wildcard routes
-    preHandler: async (request, reply) => {
-      const accept = request.headers.accept || ''
-      const wantsAP = accept.includes('activity+json') ||
-                      accept.includes('ld+json; profile="https://www.w3.org/ns/activitystreams"')
-
-      if (wantsAP) {
-        const actor = actorHandler(request)
-        request.apHandled = true
-        return reply
-          .header('Content-Type', 'application/activity+json')
-          .send(actor)
-      }
-      // If not AP, skip and let the request continue (but this route won't have a main handler)
-      // We return early - the request will 404 on this route but get caught by wildcard
-    }
-  }, async (request, reply) => {
-    // This handler won't be reached if AP was handled
-    // For non-AP requests, we need to pass through to LDP
-    // But we can't easily do that here, so we'll handle it differently
-    reply.callNotFound()
-  })
+  // Store actorHandler in shared state for use by server-level hook
+  sharedActorHandler = actorHandler
 
   // Inbox endpoint
   const inboxHandler = createInboxHandler(config, keypair)

package/src/ap/routes/actor.js

@@ -11,8 +11,24 @@
  */
 export function createActorHandler(config, keypair) {
   return (request) => {
-    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    // Check various proxy headers for protocol detection
+    let protocol = request.headers['x-forwarded-proto']
+    if (!protocol) {
+      // Cloudflare uses cf-visitor: {"scheme":"https"}
+      const cfVisitor = request.headers['cf-visitor']
+      if (cfVisitor) {
+        try {
+          const parsed = JSON.parse(cfVisitor)
+          protocol = parsed.scheme
+        } catch { /* ignore */ }
+      }
+    }
+    // If still no protocol and hostname looks like a public domain, assume https
     const host = request.headers['x-forwarded-host'] || request.hostname
+    if (!protocol && host && !host.match(/^(localhost|127\.|192\.168\.|10\.)/)) {
+      protocol = 'https'
+    }
+    protocol = protocol || request.protocol
     const baseUrl = `${protocol}://${host}`
     const profileUrl = `${baseUrl}/profile/card`
     const actorId = `${profileUrl}#me`

package/src/ap/routes/inbox.js

@@ -17,9 +17,10 @@ import { getKeyId } from '../keys.js'
 /**
  * Fetch remote actor (with caching)
  * @param {string} id - Actor URL
+ * @param {object} log - Logger instance (optional)
  * @returns {Promise<object|null>} Actor object or null
  */
-async function fetchActor(id) {
+async function fetchActor(id, log) {
   // Strip fragment for fetching
   const fetchUrl = id.replace(/#.*$/, '')
   const cached = getCachedActor(id)
@@ -27,14 +28,21 @@ async function fetchActor(id) {
 
   try {
     const response = await fetch(fetchUrl, {
-      headers: { 'Accept': 'application/activity+json' }
+      headers: {
+        'Accept': 'application/activity+json',
+        'User-Agent': 'JSS/1.0 (+https://github.com/JavaScriptSolidServer/JavaScriptSolidServer)'
+      }
     })
-    if (!response.ok) return null
+    if (!response.ok) {
+      if (log) log.warn(`Actor fetch failed: ${response.status} ${response.statusText} for ${fetchUrl}`)
+      return null
+    }
 
     const actor = await response.json()
     cacheActor(actor)
     return actor
-  } catch {
+  } catch (err) {
+    if (log) log.error(`Actor fetch error for ${fetchUrl}: ${err.message}`)
     return null
   }
 }
@@ -66,7 +74,7 @@ async function verifySignature(request, body) {
   const actorUrl = keyId.replace(/#.*$/, '')
 
   // Fetch the actor to get their public key
-  const remoteActor = await fetchActor(actorUrl)
+  const remoteActor = await fetchActor(actorUrl, request.log)
   if (!remoteActor) {
     return { valid: false, reason: `Could not fetch actor: ${actorUrl}` }
   }
@@ -185,7 +193,7 @@ export function createInboxHandler(config, keypair) {
  * Handle Follow activity
  */
 async function handleFollow(activity, actorId, profileUrl, keypair, log) {
-  const followerActor = await fetchActor(activity.actor)
+  const followerActor = await fetchActor(activity.actor, log)
   if (!followerActor) {
     log.warn('Could not fetch follower actor')
     return

package/src/ap/store.js

@@ -1,72 +1,117 @@
 /**
  * ActivityPub SQLite Storage
  * Persistence layer for federation data
+ *
+ * Uses better-sqlite3 when available (native, fast)
+ * Falls back to sql.js on Android/platforms without native builds
  */
 
-import Database from 'better-sqlite3'
-import { existsSync, mkdirSync } from 'fs'
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs'
 import { dirname } from 'path'
 
 let db = null
+let dbPath = null
+let usingSqlJs = false
+
+// SQL schema
+const SCHEMA = `
+  -- Followers (people following us)
+  CREATE TABLE IF NOT EXISTS followers (
+    id TEXT PRIMARY KEY,
+    actor TEXT NOT NULL,
+    inbox TEXT,
+    created_at TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+
+  -- Following (people we follow)
+  CREATE TABLE IF NOT EXISTS following (
+    id TEXT PRIMARY KEY,
+    actor TEXT NOT NULL,
+    accepted INTEGER DEFAULT 0,
+    created_at TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+
+  -- Activities (inbox)
+  CREATE TABLE IF NOT EXISTS activities (
+    id TEXT PRIMARY KEY,
+    type TEXT NOT NULL,
+    actor TEXT,
+    object TEXT,
+    raw TEXT NOT NULL,
+    created_at TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+
+  -- Posts (our outbox)
+  CREATE TABLE IF NOT EXISTS posts (
+    id TEXT PRIMARY KEY,
+    content TEXT NOT NULL,
+    in_reply_to TEXT,
+    published TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+
+  -- Known actors (cache)
+  CREATE TABLE IF NOT EXISTS actors (
+    id TEXT PRIMARY KEY,
+    data TEXT NOT NULL,
+    fetched_at TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+`
 
 /**
  * Initialize the database
+ * Tries better-sqlite3 first, falls back to sql.js
  * @param {string} path - Path to SQLite file
  */
-export function initStore(path = 'data/activitypub.db') {
+export async function initStore(path = 'data/activitypub.db') {
   // Ensure directory exists
   const dir = dirname(path)
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true })
   }
 
-  db = new Database(path)
-
-  // Create tables
-  db.exec(`
-    -- Followers (people following us)
-    CREATE TABLE IF NOT EXISTS followers (
-      id TEXT PRIMARY KEY,
-      actor TEXT NOT NULL,
-      inbox TEXT,
-      created_at TEXT DEFAULT CURRENT_TIMESTAMP
-    );
-
-    -- Following (people we follow)
-    CREATE TABLE IF NOT EXISTS following (
-      id TEXT PRIMARY KEY,
-      actor TEXT NOT NULL,
-      accepted INTEGER DEFAULT 0,
-      created_at TEXT DEFAULT CURRENT_TIMESTAMP
-    );
-
-    -- Activities (inbox)
-    CREATE TABLE IF NOT EXISTS activities (
-      id TEXT PRIMARY KEY,
-      type TEXT NOT NULL,
-      actor TEXT,
-      object TEXT,
-      raw TEXT NOT NULL,
-      created_at TEXT DEFAULT CURRENT_TIMESTAMP
-    );
-
-    -- Posts (our outbox)
-    CREATE TABLE IF NOT EXISTS posts (
-      id TEXT PRIMARY KEY,
-      content TEXT NOT NULL,
-      in_reply_to TEXT,
-      published TEXT DEFAULT CURRENT_TIMESTAMP
-    );
-
-    -- Known actors (cache)
-    CREATE TABLE IF NOT EXISTS actors (
-      id TEXT PRIMARY KEY,
-      data TEXT NOT NULL,
-      fetched_at TEXT DEFAULT CURRENT_TIMESTAMP
-    );
-  `)
+  dbPath = path
+
+  // Try better-sqlite3 first (fast, native)
+  try {
+    const Database = (await import('better-sqlite3')).default
+    db = new Database(path)
+    db.exec(SCHEMA)
+    usingSqlJs = false
+    return db
+  } catch (e) {
+    // Fall back to sql.js (WASM, works everywhere)
+    console.log('ActivityPub: Using sql.js (WASM) for SQLite storage')
+
+    const initSqlJs = (await import('sql.js')).default
+    const SQL = await initSqlJs()
+
+    // Load existing database if it exists
+    if (existsSync(path)) {
+      const buffer = readFileSync(path)
+      db = new SQL.Database(buffer)
+    } else {
+      db = new SQL.Database()
+    }
+
+    db.run(SCHEMA)
+    usingSqlJs = true
+
+    // Save initial database
+    saveDatabase()
+
+    return db
+  }
+}
 
-  return db
+/**
+ * Save sql.js database to disk
+ */
+function saveDatabase() {
+  if (usingSqlJs && db && dbPath) {
+    const data = db.export()
+    const buffer = Buffer.from(data)
+    writeFileSync(dbPath, buffer)
+  }
 }
 
 /**
@@ -79,128 +124,156 @@ export function getStore() {
   return db
 }
 
+// Helper to run prepared statements across both implementations
+function runStmt(sql, params = []) {
+  if (usingSqlJs) {
+    db.run(sql, params)
+    saveDatabase()
+  } else {
+    db.prepare(sql).run(...params)
+  }
+}
+
+function getOne(sql, params = []) {
+  if (usingSqlJs) {
+    const stmt = db.prepare(sql)
+    stmt.bind(params)
+    if (stmt.step()) {
+      const row = stmt.getAsObject()
+      stmt.free()
+      return row
+    }
+    stmt.free()
+    return null
+  } else {
+    return db.prepare(sql).get(...params)
+  }
+}
+
+function getAll(sql, params = []) {
+  if (usingSqlJs) {
+    const results = []
+    const stmt = db.prepare(sql)
+    stmt.bind(params)
+    while (stmt.step()) {
+      results.push(stmt.getAsObject())
+    }
+    stmt.free()
+    return results
+  } else {
+    return db.prepare(sql).all(...params)
+  }
+}
+
 // Followers
 
 export function addFollower(actorId, inbox) {
-  const stmt = db.prepare(`
-    INSERT OR REPLACE INTO followers (id, actor, inbox)
-    VALUES (?, ?, ?)
-  `)
-  stmt.run(actorId, actorId, inbox)
+  runStmt(
+    'INSERT OR REPLACE INTO followers (id, actor, inbox) VALUES (?, ?, ?)',
+    [actorId, actorId, inbox]
+  )
 }
 
 export function removeFollower(actorId) {
-  const stmt = db.prepare('DELETE FROM followers WHERE id = ?')
-  stmt.run(actorId)
+  runStmt('DELETE FROM followers WHERE id = ?', [actorId])
 }
 
 export function getFollowers() {
-  const stmt = db.prepare('SELECT * FROM followers ORDER BY created_at DESC')
-  return stmt.all()
+  return getAll('SELECT * FROM followers ORDER BY created_at DESC')
 }
 
 export function getFollowerCount() {
-  const stmt = db.prepare('SELECT COUNT(*) as count FROM followers')
-  return stmt.get().count
+  const row = getOne('SELECT COUNT(*) as count FROM followers')
+  return row ? row.count : 0
 }
 
 export function getFollowerInboxes() {
-  const stmt = db.prepare('SELECT DISTINCT inbox FROM followers WHERE inbox IS NOT NULL')
-  return stmt.all().map(row => row.inbox)
+  return getAll('SELECT DISTINCT inbox FROM followers WHERE inbox IS NOT NULL')
+    .map(row => row.inbox)
 }
 
 // Following
 
 export function addFollowing(actorId, accepted = false) {
-  const stmt = db.prepare(`
-    INSERT OR REPLACE INTO following (id, actor, accepted)
-    VALUES (?, ?, ?)
-  `)
-  stmt.run(actorId, actorId, accepted ? 1 : 0)
+  runStmt(
+    'INSERT OR REPLACE INTO following (id, actor, accepted) VALUES (?, ?, ?)',
+    [actorId, actorId, accepted ? 1 : 0]
+  )
 }
 
 export function acceptFollowing(actorId) {
-  const stmt = db.prepare('UPDATE following SET accepted = 1 WHERE id = ?')
-  stmt.run(actorId)
+  runStmt('UPDATE following SET accepted = 1 WHERE id = ?', [actorId])
 }
 
 export function removeFollowing(actorId) {
-  const stmt = db.prepare('DELETE FROM following WHERE id = ?')
-  stmt.run(actorId)
+  runStmt('DELETE FROM following WHERE id = ?', [actorId])
 }
 
 export function getFollowing() {
-  const stmt = db.prepare('SELECT * FROM following WHERE accepted = 1 ORDER BY created_at DESC')
-  return stmt.all()
+  return getAll('SELECT * FROM following WHERE accepted = 1 ORDER BY created_at DESC')
 }
 
 export function getFollowingCount() {
-  const stmt = db.prepare('SELECT COUNT(*) as count FROM following WHERE accepted = 1')
-  return stmt.get().count
+  const row = getOne('SELECT COUNT(*) as count FROM following WHERE accepted = 1')
+  return row ? row.count : 0
 }
 
 // Activities
 
 export function saveActivity(activity) {
-  const stmt = db.prepare(`
-    INSERT OR REPLACE INTO activities (id, type, actor, object, raw)
-    VALUES (?, ?, ?, ?, ?)
-  `)
-  stmt.run(
-    activity.id,
-    activity.type,
-    typeof activity.actor === 'string' ? activity.actor : activity.actor?.id,
-    typeof activity.object === 'string' ? activity.object : JSON.stringify(activity.object),
-    JSON.stringify(activity)
+  runStmt(
+    'INSERT OR REPLACE INTO activities (id, type, actor, object, raw) VALUES (?, ?, ?, ?, ?)',
+    [
+      activity.id,
+      activity.type,
+      typeof activity.actor === 'string' ? activity.actor : activity.actor?.id,
+      typeof activity.object === 'string' ? activity.object : JSON.stringify(activity.object),
+      JSON.stringify(activity)
+    ]
   )
 }
 
 export function getActivities(limit = 20) {
-  const stmt = db.prepare('SELECT * FROM activities ORDER BY created_at DESC LIMIT ?')
-  return stmt.all(limit).map(row => ({
-    ...row,
-    raw: JSON.parse(row.raw)
-  }))
+  return getAll('SELECT * FROM activities ORDER BY created_at DESC LIMIT ?', [limit])
+    .map(row => ({
+      ...row,
+      raw: JSON.parse(row.raw)
+    }))
 }
 
 // Posts
 
 export function savePost(id, content, inReplyTo = null) {
-  const stmt = db.prepare(`
-    INSERT INTO posts (id, content, in_reply_to)
-    VALUES (?, ?, ?)
-  `)
-  stmt.run(id, content, inReplyTo)
+  runStmt(
+    'INSERT INTO posts (id, content, in_reply_to) VALUES (?, ?, ?)',
+    [id, content, inReplyTo]
+  )
 }
 
 export function getPosts(limit = 20) {
-  const stmt = db.prepare('SELECT * FROM posts ORDER BY published DESC LIMIT ?')
-  return stmt.all(limit)
+  return getAll('SELECT * FROM posts ORDER BY published DESC LIMIT ?', [limit])
 }
 
 export function getPost(id) {
-  const stmt = db.prepare('SELECT * FROM posts WHERE id = ?')
-  return stmt.get(id)
+  return getOne('SELECT * FROM posts WHERE id = ?', [id])
 }
 
 export function getPostCount() {
-  const stmt = db.prepare('SELECT COUNT(*) as count FROM posts')
-  return stmt.get().count
+  const row = getOne('SELECT COUNT(*) as count FROM posts')
+  return row ? row.count : 0
 }
 
 // Actor cache
 
 export function cacheActor(actor) {
-  const stmt = db.prepare(`
-    INSERT OR REPLACE INTO actors (id, data, fetched_at)
-    VALUES (?, ?, CURRENT_TIMESTAMP)
-  `)
-  stmt.run(actor.id, JSON.stringify(actor))
+  runStmt(
+    'INSERT OR REPLACE INTO actors (id, data, fetched_at) VALUES (?, ?, datetime("now"))',
+    [actor.id, JSON.stringify(actor)]
+  )
 }
 
 export function getCachedActor(id) {
-  const stmt = db.prepare('SELECT * FROM actors WHERE id = ?')
-  const row = stmt.get(id)
+  const row = getOne('SELECT * FROM actors WHERE id = ?', [id])
   return row ? JSON.parse(row.data) : null
 }
 

package/src/server.js

@@ -12,7 +12,7 @@ import { idpPlugin } from './idp/index.js';
 import { isGitRequest, isGitWriteOperation, handleGit } from './handlers/git.js';
 import { AccessMode } from './wac/parser.js';
 import { registerNostrRelay } from './nostr/relay.js';
-import { activityPubPlugin } from './ap/index.js';
+import { activityPubPlugin, getActorHandler } from './ap/index.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -202,6 +202,33 @@ export function createServer(options = {}) {
     // Note: OPTIONS requests are handled by handleOptions to include Accept-* headers
   });
 
+  // ActivityPub actor endpoint - dedicated route for /profile/card with AP Accept header
+  // Registered before wildcard routes to take priority
+  if (activitypubEnabled) {
+    fastify.route({
+      method: 'GET',
+      url: '/profile/card',
+      handler: async (request, reply) => {
+        const accept = request.headers.accept || '';
+        const wantsAP = accept.includes('activity+json') ||
+                        accept.includes('ld+json; profile="https://www.w3.org/ns/activitystreams"');
+
+        const actorHandler = getActorHandler();
+        if (wantsAP && actorHandler) {
+          const actor = actorHandler(request);
+          return reply
+            .type('application/activity+json')
+            .send(actor);
+        }
+
+        // Not AP request - serve the HTML profile from disk
+        // This is handled by importing the resource handler
+        const { handleGet } = await import('./handlers/resource.js');
+        return handleGet(request, reply);
+      }
+    });
+  }
+
   // Security: Block access to dotfiles except allowed Solid-specific ones
   // This prevents exposure of .git/, .env, .htpasswd, etc.
   // Git protocol requests bypass this check when git is enabled