microfed 0.0.12 → 0.0.13

package/src/auth.js

@@ -0,0 +1,152 @@
+/**
+ * Microfed Auth Module
+ * Keypair generation and HTTP Signatures
+ */
+
+import { generateKeyPairSync, createSign, createVerify, createHash } from 'crypto'
+
+/**
+ * Generate RSA keypair for signing
+ * @param {number} [modulusLength=2048] - Key size in bits
+ * @returns {Object} { publicKey, privateKey } in PEM format
+ */
+export function generateKeypair(modulusLength = 2048) {
+  const { publicKey, privateKey } = generateKeyPairSync('rsa', {
+    modulusLength,
+    publicKeyEncoding: { type: 'spki', format: 'pem' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+  })
+  return { publicKey, privateKey }
+}
+
+/**
+ * Create HTTP Signature headers for a request
+ * @param {Object} options - Signing options
+ * @param {string} options.privateKey - PEM private key
+ * @param {string} options.keyId - Key identifier URL (actor#main-key)
+ * @param {string} options.method - HTTP method (POST, GET)
+ * @param {string} options.url - Target URL
+ * @param {string} [options.body] - Request body (for POST)
+ * @param {Object} [options.headers] - Additional headers to sign
+ * @returns {Object} Headers object with Signature, Date, Digest
+ */
+export function sign(options) {
+  const { privateKey, keyId, method, url, body } = options
+
+  const parsedUrl = new URL(url)
+  const date = new Date().toUTCString()
+  const headers = { ...options.headers }
+
+  // Build headers to sign
+  const signedHeaders = ['(request-target)', 'host', 'date']
+  const headerLines = [
+    `(request-target): ${method.toLowerCase()} ${parsedUrl.pathname}`,
+    `host: ${parsedUrl.host}`,
+    `date: ${date}`
+  ]
+
+  // Add digest for POST requests with body
+  if (body) {
+    const digest = createHash('sha256').update(body).digest('base64')
+    headers['Digest'] = `SHA-256=${digest}`
+    signedHeaders.push('digest')
+    headerLines.push(`digest: SHA-256=${digest}`)
+  }
+
+  // Create signature
+  const signingString = headerLines.join('\n')
+  const signer = createSign('RSA-SHA256')
+  signer.update(signingString)
+  const signature = signer.sign(privateKey, 'base64')
+
+  // Build Signature header
+  headers['Date'] = date
+  headers['Signature'] = [
+    `keyId="${keyId}"`,
+    `algorithm="rsa-sha256"`,
+    `headers="${signedHeaders.join(' ')}"`,
+    `signature="${signature}"`
+  ].join(',')
+
+  return headers
+}
+
+/**
+ * Verify HTTP Signature from request
+ * @param {Object} options - Verification options
+ * @param {string} options.publicKey - PEM public key
+ * @param {string} options.signature - Signature header value
+ * @param {string} options.method - HTTP method
+ * @param {string} options.path - Request path
+ * @param {Object} options.headers - Request headers
+ * @returns {boolean} True if valid
+ */
+export function verify(options) {
+  const { publicKey, signature, method, path, headers } = options
+
+  // Parse Signature header
+  const sigParts = parseSignatureHeader(signature)
+  if (!sigParts) return false
+
+  // Rebuild signing string
+  const signedHeaders = sigParts.headers.split(' ')
+  const headerLines = signedHeaders.map(name => {
+    if (name === '(request-target)') {
+      return `(request-target): ${method.toLowerCase()} ${path}`
+    }
+    const value = headers[name] || headers[name.toLowerCase()]
+    return `${name}: ${value}`
+  })
+
+  const signingString = headerLines.join('\n')
+
+  // Verify
+  const verifier = createVerify('RSA-SHA256')
+  verifier.update(signingString)
+
+  try {
+    return verifier.verify(publicKey, sigParts.signature, 'base64')
+  } catch {
+    return false
+  }
+}
+
+/**
+ * Parse Signature header into components
+ * @param {string} header - Signature header value
+ * @returns {Object|null} { keyId, algorithm, headers, signature }
+ */
+export function parseSignatureHeader(header) {
+  const parts = {}
+  const regex = /(\w+)="([^"]+)"/g
+  let match
+
+  while ((match = regex.exec(header)) !== null) {
+    parts[match[1]] = match[2]
+  }
+
+  if (!parts.keyId || !parts.signature) return null
+  return parts
+}
+
+/**
+ * Create SHA-256 digest of content
+ * @param {string} content - Content to hash
+ * @returns {string} Digest header value
+ */
+export function digest(content) {
+  const hash = createHash('sha256').update(content).digest('base64')
+  return `SHA-256=${hash}`
+}
+
+/**
+ * Verify digest header matches body
+ * @param {string} body - Request body
+ * @param {string} digestHeader - Digest header value
+ * @returns {boolean} True if matches
+ */
+export function verifyDigest(body, digestHeader) {
+  return digest(body) === digestHeader
+}
+
+export default { generateKeypair, sign, verify, parseSignatureHeader, digest, verifyDigest }

package/src/inbox.js

@@ -0,0 +1,188 @@
+/**
+ * Microfed Inbox Module
+ * Receive and process incoming activities
+ */
+
+import { verify, parseSignatureHeader, verifyDigest } from './auth.js'
+
+const ACTIVITYPUB_TYPE = 'application/activity+json'
+const LD_TYPE = 'application/ld+json'
+
+/**
+ * Create inbox handler
+ * @param {Object} options - Handler options
+ * @param {Function} options.getPublicKey - async (keyId) => publicKeyPem
+ * @param {Object} [options.handlers] - Activity type handlers { Follow, Create, ... }
+ * @param {boolean} [options.verifySignatures=true] - Require valid signatures
+ * @returns {Function} Handler(req) => Response
+ */
+export function createHandler(options) {
+  const { getPublicKey, handlers = {}, verifySignatures = true } = options
+
+  return async (req) => {
+    // Must be POST
+    if (req.method !== 'POST') {
+      return new Response('Method not allowed', { status: 405 })
+    }
+
+    // Check content type
+    const contentType = req.headers.get('content-type') || ''
+    if (!contentType.includes('json')) {
+      return new Response('Invalid content type', { status: 415 })
+    }
+
+    // Parse body
+    let activity
+    let body
+    try {
+      body = await req.text()
+      activity = JSON.parse(body)
+    } catch {
+      return new Response('Invalid JSON', { status: 400 })
+    }
+
+    // Verify signature
+    if (verifySignatures) {
+      const signatureHeader = req.headers.get('signature')
+      if (!signatureHeader) {
+        return new Response('Missing signature', { status: 401 })
+      }
+
+      const sigParts = parseSignatureHeader(signatureHeader)
+      if (!sigParts) {
+        return new Response('Invalid signature format', { status: 401 })
+      }
+
+      // Verify digest if present
+      const digestHeader = req.headers.get('digest')
+      if (digestHeader && !verifyDigest(body, digestHeader)) {
+        return new Response('Digest mismatch', { status: 401 })
+      }
+
+      // Fetch public key and verify
+      try {
+        const publicKey = await getPublicKey(sigParts.keyId)
+        if (!publicKey) {
+          return new Response('Unknown key', { status: 401 })
+        }
+
+        const url = new URL(req.url)
+        const valid = verify({
+          publicKey,
+          signature: signatureHeader,
+          method: req.method,
+          path: url.pathname,
+          headers: Object.fromEntries(req.headers)
+        })
+
+        if (!valid) {
+          return new Response('Invalid signature', { status: 401 })
+        }
+      } catch (err) {
+        return new Response('Signature verification failed', { status: 401 })
+      }
+    }
+
+    // Validate activity
+    if (!activity.type) {
+      return new Response('Missing activity type', { status: 400 })
+    }
+
+    // Route to handler
+    const handler = handlers[activity.type]
+    if (handler) {
+      try {
+        await handler(activity)
+      } catch (err) {
+        console.error(`Error handling ${activity.type}:`, err)
+        return new Response('Processing error', { status: 500 })
+      }
+    }
+
+    // Accept activity
+    return new Response('', { status: 202 })
+  }
+}
+
+/**
+ * Parse activity from request
+ * @param {Request} req - Incoming request
+ * @returns {Promise<Object>} Parsed activity
+ */
+export async function parseActivity(req) {
+  const body = await req.text()
+  return JSON.parse(body)
+}
+
+/**
+ * Get actor ID from activity
+ * @param {Object} activity - Activity object
+ * @returns {string} Actor ID
+ */
+export function getActor(activity) {
+  const actor = activity.actor
+  if (typeof actor === 'string') return actor
+  if (actor?.id) return actor.id
+  throw new Error('Cannot extract actor from activity')
+}
+
+/**
+ * Get object from activity
+ * @param {Object} activity - Activity object
+ * @returns {Object|string} Object or object ID
+ */
+export function getObject(activity) {
+  return activity.object
+}
+
+/**
+ * Check if activity is addressed to actor
+ * @param {Object} activity - Activity object
+ * @param {string} actorId - Actor to check
+ * @returns {boolean} True if addressed to actor
+ */
+export function isAddressedTo(activity, actorId) {
+  const recipients = [
+    ...(activity.to || []),
+    ...(activity.cc || []),
+    ...(activity.bto || []),
+    ...(activity.bcc || [])
+  ]
+  return recipients.includes(actorId)
+}
+
+/**
+ * Check if activity is public
+ * @param {Object} activity - Activity object
+ * @returns {boolean} True if public
+ */
+export function isPublic(activity) {
+  const PUBLIC = 'https://www.w3.org/ns/activitystreams#Public'
+  const recipients = [...(activity.to || []), ...(activity.cc || [])]
+  return recipients.includes(PUBLIC) || recipients.includes('Public')
+}
+
+/**
+ * Standard activity type handlers (stubs)
+ */
+export const standardHandlers = {
+  Follow: async (activity) => { /* Accept/Reject follow */ },
+  Undo: async (activity) => { /* Reverse previous activity */ },
+  Create: async (activity) => { /* Store content */ },
+  Update: async (activity) => { /* Update content */ },
+  Delete: async (activity) => { /* Delete content */ },
+  Like: async (activity) => { /* Record like */ },
+  Announce: async (activity) => { /* Record boost */ },
+  Accept: async (activity) => { /* Confirm follow */ },
+  Reject: async (activity) => { /* Deny follow */ }
+}
+
+export default {
+  createHandler,
+  parseActivity,
+  getActor,
+  getObject,
+  isAddressedTo,
+  isPublic,
+  standardHandlers
+}

package/src/outbox.js

@@ -0,0 +1,239 @@
+/**
+ * Microfed Outbox Module
+ * Create and send activities to remote inboxes
+ */
+
+import { sign } from './auth.js'
+import { resolve } from './webfinger.js'
+
+const ACTIVITYPUB_TYPE = 'application/activity+json'
+const PUBLIC = 'https://www.w3.org/ns/activitystreams#Public'
+
+/**
+ * Create an activity
+ * @param {Object} options - Activity options
+ * @param {string} options.type - Activity type (Create, Follow, Like, etc.)
+ * @param {string} options.actor - Actor ID URL
+ * @param {Object|string} options.object - Activity object
+ * @param {Array} [options.to] - Primary recipients
+ * @param {Array} [options.cc] - Secondary recipients
+ * @param {string} [options.id] - Activity ID (auto-generated if not provided)
+ * @returns {Object} Activity object
+ */
+export function createActivity(options) {
+  const { type, actor, object, to = [], cc = [] } = options
+
+  if (!type) throw new Error('Activity type is required')
+  if (!actor) throw new Error('Activity actor is required')
+  if (!object) throw new Error('Activity object is required')
+
+  return {
+    '@context': 'https://www.w3.org/ns/activitystreams',
+    type,
+    id: options.id || `${actor}/activities/${Date.now()}`,
+    actor,
+    object,
+    to,
+    cc,
+    published: new Date().toISOString()
+  }
+}
+
+/**
+ * Create a Note (post)
+ * @param {Object} options - Note options
+ * @param {string} options.actor - Author's actor ID
+ * @param {string} options.content - HTML content
+ * @param {string} [options.id] - Note ID (auto-generated if not provided)
+ * @param {boolean} [options.public=true] - Make post public
+ * @param {string} [options.inReplyTo] - ID of post being replied to
+ * @returns {Object} Note object
+ */
+export function createNote(options) {
+  const { actor, content, public: isPublic = true, inReplyTo } = options
+
+  const note = {
+    type: 'Note',
+    id: options.id || `${actor}/notes/${Date.now()}`,
+    attributedTo: actor,
+    content,
+    published: new Date().toISOString(),
+    to: isPublic ? [PUBLIC] : [],
+    cc: isPublic ? [`${actor}/followers`] : []
+  }
+
+  if (inReplyTo) note.inReplyTo = inReplyTo
+
+  return note
+}
+
+/**
+ * Wrap object in Create activity
+ * @param {string} actor - Actor ID
+ * @param {Object} object - Object to wrap
+ * @returns {Object} Create activity
+ */
+export function wrapCreate(actor, object) {
+  return createActivity({
+    type: 'Create',
+    actor,
+    object,
+    to: object.to,
+    cc: object.cc
+  })
+}
+
+/**
+ * Create Follow activity
+ * @param {string} actor - Follower's actor ID
+ * @param {string} target - Target actor ID to follow
+ * @returns {Object} Follow activity
+ */
+export function createFollow(actor, target) {
+  return createActivity({
+    type: 'Follow',
+    actor,
+    object: target,
+    to: [target]
+  })
+}
+
+/**
+ * Create Undo activity
+ * @param {string} actor - Actor ID
+ * @param {Object|string} activity - Activity to undo
+ * @returns {Object} Undo activity
+ */
+export function createUndo(actor, activity) {
+  const activityId = typeof activity === 'string' ? activity : activity.id
+  return createActivity({
+    type: 'Undo',
+    actor,
+    object: activity,
+    to: activity.to || [],
+    cc: activity.cc || []
+  })
+}
+
+/**
+ * Create Accept activity (for follow requests)
+ * @param {string} actor - Actor accepting
+ * @param {Object} follow - Follow activity being accepted
+ * @returns {Object} Accept activity
+ */
+export function createAccept(actor, follow) {
+  return createActivity({
+    type: 'Accept',
+    actor,
+    object: follow,
+    to: [follow.actor]
+  })
+}
+
+/**
+ * Send activity to inbox
+ * @param {Object} options - Send options
+ * @param {Object} options.activity - Activity to send
+ * @param {string} options.inbox - Target inbox URL
+ * @param {string} options.privateKey - Sender's private key (PEM)
+ * @param {string} options.keyId - Sender's key ID
+ * @returns {Promise<Response>} Fetch response
+ */
+export async function send(options) {
+  const { activity, inbox, privateKey, keyId } = options
+
+  const body = JSON.stringify(activity)
+
+  const headers = sign({
+    privateKey,
+    keyId,
+    method: 'POST',
+    url: inbox,
+    body,
+    headers: {
+      'Content-Type': ACTIVITYPUB_TYPE,
+      'Accept': ACTIVITYPUB_TYPE
+    }
+  })
+
+  return fetch(inbox, {
+    method: 'POST',
+    headers: {
+      ...headers,
+      'Content-Type': ACTIVITYPUB_TYPE
+    },
+    body
+  })
+}
+
+/**
+ * Deliver activity to multiple inboxes
+ * @param {Object} options - Delivery options
+ * @param {Object} options.activity - Activity to deliver
+ * @param {Array<string>} options.inboxes - Target inbox URLs
+ * @param {string} options.privateKey - Sender's private key
+ * @param {string} options.keyId - Sender's key ID
+ * @returns {Promise<Array>} Array of { inbox, success, error? }
+ */
+export async function deliver(options) {
+  const { activity, inboxes, privateKey, keyId } = options
+
+  const results = await Promise.allSettled(
+    inboxes.map(async (inbox) => {
+      const response = await send({ activity, inbox, privateKey, keyId })
+      return { inbox, status: response.status }
+    })
+  )
+
+  return results.map((result, i) => ({
+    inbox: inboxes[i],
+    success: result.status === 'fulfilled' && result.value.status < 300,
+    error: result.status === 'rejected' ? result.reason.message : null
+  }))
+}
+
+/**
+ * Resolve recipients and get their inboxes
+ * @param {Array<string>} recipients - Actor IDs or accounts
+ * @returns {Promise<Array<string>>} Inbox URLs
+ */
+export async function resolveInboxes(recipients) {
+  const inboxes = new Set()
+
+  for (const recipient of recipients) {
+    // Skip public addressing
+    if (recipient === PUBLIC || recipient.endsWith('/followers')) continue
+
+    try {
+      let actor
+      if (recipient.includes('@') && !recipient.startsWith('http')) {
+        actor = await resolve(recipient)
+      } else {
+        const response = await fetch(recipient, {
+          headers: { 'Accept': ACTIVITYPUB_TYPE }
+        })
+        actor = await response.json()
+      }
+
+      if (actor.inbox) {
+        inboxes.add(actor.endpoints?.sharedInbox || actor.inbox)
+      }
+    } catch (err) {
+      console.error(`Failed to resolve ${recipient}:`, err.message)
+    }
+  }
+
+  return [...inboxes]
+}
+
+export default {
+  createActivity,
+  createNote,
+  wrapCreate,
+  createFollow,
+  createUndo,
+  createAccept,
+  send,
+  deliver,
+  resolveInboxes
+}

package/src/profile.js

@@ -0,0 +1,114 @@
+/**
+ * Microfed Profile Module
+ * Minimal ActivityPub actor/profile generation
+ */
+
+const AS_CONTEXT = 'https://www.w3.org/ns/activitystreams'
+const SECURITY_CONTEXT = 'https://w3id.org/security/v1'
+
+/**
+ * Create an ActivityPub actor profile
+ * @param {Object} options - Actor configuration
+ * @param {string} options.id - Actor's unique URL (required)
+ * @param {string} options.type - Actor type: Person, Service, Group, Application, Organization
+ * @param {string} options.username - preferredUsername (handle)
+ * @param {string} [options.name] - Display name
+ * @param {string} [options.summary] - Bio/description (HTML allowed)
+ * @param {string} [options.inbox] - Inbox URL (defaults to {id}/inbox)
+ * @param {string} [options.outbox] - Outbox URL (defaults to {id}/outbox)
+ * @param {string} [options.publicKey] - PEM-encoded public key
+ * @param {string} [options.icon] - Avatar URL
+ * @param {string} [options.image] - Header/banner URL
+ * @returns {Object} ActivityPub Actor object
+ */
+export function createActor(options) {
+  const { id, type = 'Person', username } = options
+
+  if (!id) throw new Error('Actor id is required')
+  if (!username) throw new Error('Actor username is required')
+
+  const actor = {
+    '@context': [AS_CONTEXT, SECURITY_CONTEXT],
+    type,
+    id,
+    preferredUsername: username,
+    inbox: options.inbox || `${id}/inbox`,
+    outbox: options.outbox || `${id}/outbox`,
+    followers: options.followers || `${id}/followers`,
+    following: options.following || `${id}/following`
+  }
+
+  // Optional fields
+  if (options.name) actor.name = options.name
+  if (options.summary) actor.summary = options.summary
+  if (options.url) actor.url = options.url
+  if (options.icon) actor.icon = { type: 'Image', url: options.icon }
+  if (options.image) actor.image = { type: 'Image', url: options.image }
+
+  // Public key for HTTP signatures
+  if (options.publicKey) {
+    actor.publicKey = {
+      id: `${id}#main-key`,
+      owner: id,
+      publicKeyPem: options.publicKey
+    }
+  }
+
+  // Shared inbox for efficient delivery
+  if (options.sharedInbox) {
+    actor.endpoints = { sharedInbox: options.sharedInbox }
+  }
+
+  return actor
+}
+
+/**
+ * Create a minimal actor (just the essentials)
+ * @param {string} id - Actor URL
+ * @param {string} username - Handle
+ * @returns {Object} Minimal actor object
+ */
+export function createMinimalActor(id, username) {
+  return createActor({ id, username })
+}
+
+/**
+ * Parse an actor from JSON
+ * @param {string|Object} json - JSON string or object
+ * @returns {Object} Parsed actor
+ */
+export function parseActor(json) {
+  const actor = typeof json === 'string' ? JSON.parse(json) : json
+
+  // Validate required fields
+  if (!actor.id) throw new Error('Actor missing id')
+  if (!actor.inbox) throw new Error('Actor missing inbox')
+
+  return actor
+}
+
+/**
+ * Extract actor ID from various formats
+ * @param {string|Object} actor - Actor URL, object, or activity
+ * @returns {string} Actor ID URL
+ */
+export function getActorId(actor) {
+  if (typeof actor === 'string') return actor
+  if (actor.id) return actor.id
+  if (actor.actor) return getActorId(actor.actor)
+  throw new Error('Cannot extract actor ID')
+}
+
+/**
+ * Build actor URL from domain and username
+ * @param {string} domain - Domain (e.g., example.com)
+ * @param {string} username - Username/handle
+ * @param {string} [path] - URL path pattern (default: /users/{username})
+ * @returns {string} Full actor URL
+ */
+export function buildActorUrl(domain, username, path = '/users/{username}') {
+  const actorPath = path.replace('{username}', username)
+  return `https://${domain}${actorPath}`
+}
+
+export default { createActor, createMinimalActor, parseActor, getActorId, buildActorUrl }