microfed 0.0.12 → 0.0.13

package/src/webfinger.js

@@ -0,0 +1,182 @@
+/**
+ * Microfed WebFinger Module
+ * Actor discovery via WebFinger protocol
+ */
+
+const WEBFINGER_PATH = '/.well-known/webfinger'
+const ACTIVITYPUB_TYPE = 'application/activity+json'
+
+/**
+ * Create WebFinger response for an actor
+ * @param {string} account - Account identifier (user@domain)
+ * @param {string} actorUrl - Actor's ActivityPub URL
+ * @param {Object} [options] - Additional options
+ * @param {string} [options.profileUrl] - HTML profile page URL
+ * @param {Array} [options.aliases] - Alternative identifiers
+ * @returns {Object} WebFinger JRD response
+ */
+export function createResponse(account, actorUrl, options = {}) {
+  const response = {
+    subject: `acct:${account}`,
+    links: [
+      {
+        rel: 'self',
+        type: ACTIVITYPUB_TYPE,
+        href: actorUrl
+      }
+    ]
+  }
+
+  // Add HTML profile link
+  if (options.profileUrl) {
+    response.links.push({
+      rel: 'http://webfinger.net/rel/profile-page',
+      type: 'text/html',
+      href: options.profileUrl
+    })
+  }
+
+  // Add aliases
+  if (options.aliases) {
+    response.aliases = options.aliases
+  }
+
+  return response
+}
+
+/**
+ * Parse WebFinger resource query
+ * @param {string} resource - Resource query (acct:user@domain or URL)
+ * @returns {Object|null} { username, domain } or null
+ */
+export function parseResource(resource) {
+  if (!resource) return null
+
+  // Handle acct: URI
+  if (resource.startsWith('acct:')) {
+    const account = resource.slice(5)
+    const [username, domain] = account.split('@')
+    if (username && domain) {
+      return { username, domain }
+    }
+  }
+
+  // Handle URL
+  if (resource.startsWith('https://') || resource.startsWith('http://')) {
+    try {
+      const url = new URL(resource)
+      const match = url.pathname.match(/\/users\/([^/]+)/)
+      if (match) {
+        return { username: match[1], domain: url.host }
+      }
+    } catch {
+      return null
+    }
+  }
+
+  return null
+}
+
+/**
+ * Lookup actor via WebFinger
+ * @param {string} account - Account to lookup (user@domain)
+ * @returns {Promise<Object>} WebFinger response
+ */
+export async function lookup(account) {
+  // Extract domain
+  const [, domain] = account.includes('@') ? account.split('@') : [null, account]
+  if (!domain) throw new Error('Invalid account format')
+
+  const resource = account.includes('@') ? `acct:${account}` : account
+  const url = `https://${domain}${WEBFINGER_PATH}?resource=${encodeURIComponent(resource)}`
+
+  const response = await fetch(url, {
+    headers: { 'Accept': 'application/jrd+json, application/json' }
+  })
+
+  if (!response.ok) {
+    throw new Error(`WebFinger lookup failed: ${response.status}`)
+  }
+
+  return response.json()
+}
+
+/**
+ * Get actor URL from WebFinger response
+ * @param {Object} webfinger - WebFinger JRD response
+ * @returns {string|null} Actor URL or null
+ */
+export function getActorUrl(webfinger) {
+  if (!webfinger.links) return null
+
+  const link = webfinger.links.find(l =>
+    l.rel === 'self' && l.type === ACTIVITYPUB_TYPE
+  )
+
+  return link?.href || null
+}
+
+/**
+ * Resolve account to actor object
+ * @param {string} account - Account (user@domain)
+ * @returns {Promise<Object>} Actor object
+ */
+export async function resolve(account) {
+  const webfinger = await lookup(account)
+  const actorUrl = getActorUrl(webfinger)
+
+  if (!actorUrl) {
+    throw new Error('No ActivityPub actor found')
+  }
+
+  const response = await fetch(actorUrl, {
+    headers: { 'Accept': ACTIVITYPUB_TYPE }
+  })
+
+  if (!response.ok) {
+    throw new Error(`Actor fetch failed: ${response.status}`)
+  }
+
+  return response.json()
+}
+
+/**
+ * Create WebFinger request handler
+ * @param {Function} findActor - Function(username) => { actorUrl, profileUrl? }
+ * @returns {Function} Handler(req) => Response
+ */
+export function createHandler(findActor) {
+  return async (req) => {
+    const url = new URL(req.url)
+    const resource = url.searchParams.get('resource')
+
+    if (!resource) {
+      return new Response('Missing resource parameter', { status: 400 })
+    }
+
+    const parsed = parseResource(resource)
+    if (!parsed) {
+      return new Response('Invalid resource format', { status: 400 })
+    }
+
+    const actor = await findActor(parsed.username)
+    if (!actor) {
+      return new Response('Not found', { status: 404 })
+    }
+
+    const response = createResponse(
+      `${parsed.username}@${parsed.domain}`,
+      actor.actorUrl,
+      { profileUrl: actor.profileUrl }
+    )
+
+    return new Response(JSON.stringify(response), {
+      headers: {
+        'Content-Type': 'application/jrd+json',
+        'Access-Control-Allow-Origin': '*'
+      }
+    })
+  }
+}
+
+export default { createResponse, parseResource, lookup, getActorUrl, resolve, createHandler }

package/test/auth.test.js

@@ -0,0 +1,218 @@
+/**
+ * Microfed Auth Module Tests
+ * Run: node --test test/auth.test.js
+ */
+
+import { test, describe } from 'node:test'
+import assert from 'node:assert'
+import { generateKeypair, sign, verify, parseSignatureHeader, digest, verifyDigest } from '../src/auth.js'
+
+describe('generateKeypair', () => {
+  test('generates valid RSA keypair', () => {
+    const { publicKey, privateKey } = generateKeypair()
+
+    assert.ok(publicKey.includes('-----BEGIN PUBLIC KEY-----'))
+    assert.ok(publicKey.includes('-----END PUBLIC KEY-----'))
+    assert.ok(privateKey.includes('-----BEGIN PRIVATE KEY-----'))
+    assert.ok(privateKey.includes('-----END PRIVATE KEY-----'))
+  })
+
+  test('generates unique keypairs', () => {
+    const pair1 = generateKeypair()
+    const pair2 = generateKeypair()
+
+    assert.notStrictEqual(pair1.publicKey, pair2.publicKey)
+    assert.notStrictEqual(pair1.privateKey, pair2.privateKey)
+  })
+})
+
+describe('sign', () => {
+  test('returns required headers', () => {
+    const { privateKey } = generateKeypair()
+
+    const headers = sign({
+      privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'POST',
+      url: 'https://remote.example/users/bob/inbox',
+      body: '{"type":"Follow"}'
+    })
+
+    assert.ok(headers.Date)
+    assert.ok(headers.Signature)
+    assert.ok(headers.Digest)
+    assert.ok(headers.Digest.startsWith('SHA-256='))
+  })
+
+  test('signature header has required parts', () => {
+    const { privateKey } = generateKeypair()
+
+    const headers = sign({
+      privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'POST',
+      url: 'https://remote.example/users/bob/inbox',
+      body: '{}'
+    })
+
+    const parsed = parseSignatureHeader(headers.Signature)
+    assert.ok(parsed.keyId)
+    assert.ok(parsed.algorithm)
+    assert.ok(parsed.headers)
+    assert.ok(parsed.signature)
+  })
+
+  test('GET request without body omits digest', () => {
+    const { privateKey } = generateKeypair()
+
+    const headers = sign({
+      privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'GET',
+      url: 'https://remote.example/users/bob'
+    })
+
+    assert.ok(headers.Date)
+    assert.ok(headers.Signature)
+    assert.strictEqual(headers.Digest, undefined)
+  })
+})
+
+describe('verify', () => {
+  test('verifies valid signature', () => {
+    const { publicKey, privateKey } = generateKeypair()
+    const url = 'https://remote.example/users/bob/inbox'
+    const body = '{"type":"Follow","actor":"https://example.com/users/alice"}'
+
+    const headers = sign({
+      privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'POST',
+      url,
+      body
+    })
+
+    const valid = verify({
+      publicKey,
+      signature: headers.Signature,
+      method: 'POST',
+      path: '/users/bob/inbox',
+      headers: {
+        host: 'remote.example',
+        date: headers.Date,
+        digest: headers.Digest
+      }
+    })
+
+    assert.strictEqual(valid, true)
+  })
+
+  test('rejects tampered signature', () => {
+    const { publicKey, privateKey } = generateKeypair()
+
+    const headers = sign({
+      privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'POST',
+      url: 'https://remote.example/inbox',
+      body: '{}'
+    })
+
+    // Tamper with signature
+    const tampered = headers.Signature.replace(/signature="[^"]+"/, 'signature="dGFtcGVyZWQ="')
+
+    const valid = verify({
+      publicKey,
+      signature: tampered,
+      method: 'POST',
+      path: '/inbox',
+      headers: {
+        host: 'remote.example',
+        date: headers.Date,
+        digest: headers.Digest
+      }
+    })
+
+    assert.strictEqual(valid, false)
+  })
+
+  test('rejects wrong public key', () => {
+    const sender = generateKeypair()
+    const other = generateKeypair()
+
+    const headers = sign({
+      privateKey: sender.privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'POST',
+      url: 'https://remote.example/inbox',
+      body: '{}'
+    })
+
+    const valid = verify({
+      publicKey: other.publicKey, // Wrong key
+      signature: headers.Signature,
+      method: 'POST',
+      path: '/inbox',
+      headers: {
+        host: 'remote.example',
+        date: headers.Date,
+        digest: headers.Digest
+      }
+    })
+
+    assert.strictEqual(valid, false)
+  })
+})
+
+describe('parseSignatureHeader', () => {
+  test('parses valid signature header', () => {
+    const header = 'keyId="https://example.com/users/alice#main-key",algorithm="rsa-sha256",headers="(request-target) host date",signature="abc123"'
+
+    const parsed = parseSignatureHeader(header)
+
+    assert.strictEqual(parsed.keyId, 'https://example.com/users/alice#main-key')
+    assert.strictEqual(parsed.algorithm, 'rsa-sha256')
+    assert.strictEqual(parsed.headers, '(request-target) host date')
+    assert.strictEqual(parsed.signature, 'abc123')
+  })
+
+  test('returns null for invalid header', () => {
+    assert.strictEqual(parseSignatureHeader('invalid'), null)
+    assert.strictEqual(parseSignatureHeader(''), null)
+  })
+})
+
+describe('digest', () => {
+  test('creates SHA-256 digest', () => {
+    const result = digest('{"test":true}')
+
+    assert.ok(result.startsWith('SHA-256='))
+    assert.strictEqual(result.length, 8 + 44) // "SHA-256=" + base64
+  })
+
+  test('same input produces same digest', () => {
+    const body = '{"type":"Create"}'
+
+    assert.strictEqual(digest(body), digest(body))
+  })
+
+  test('different input produces different digest', () => {
+    assert.notStrictEqual(digest('a'), digest('b'))
+  })
+})
+
+describe('verifyDigest', () => {
+  test('verifies matching digest', () => {
+    const body = '{"type":"Follow"}'
+    const digestHeader = digest(body)
+
+    assert.strictEqual(verifyDigest(body, digestHeader), true)
+  })
+
+  test('rejects non-matching digest', () => {
+    const body = '{"type":"Follow"}'
+    const wrongDigest = digest('{"type":"Create"}')
+
+    assert.strictEqual(verifyDigest(body, wrongDigest), false)
+  })
+})

package/test/inbox.test.js

@@ -0,0 +1,135 @@
+/**
+ * Microfed Inbox Module Tests
+ * Run: node --test test/inbox.test.js
+ */
+
+import { test, describe } from 'node:test'
+import assert from 'node:assert'
+import { getActor, getObject, isAddressedTo, isPublic } from '../src/inbox.js'
+
+describe('getActor', () => {
+  test('extracts actor string', () => {
+    const activity = {
+      type: 'Create',
+      actor: 'https://example.com/users/alice'
+    }
+
+    assert.strictEqual(getActor(activity), 'https://example.com/users/alice')
+  })
+
+  test('extracts actor from object', () => {
+    const activity = {
+      type: 'Create',
+      actor: { id: 'https://example.com/users/alice' }
+    }
+
+    assert.strictEqual(getActor(activity), 'https://example.com/users/alice')
+  })
+
+  test('throws when actor missing', () => {
+    assert.throws(() => {
+      getActor({ type: 'Create' })
+    }, /Cannot extract actor/)
+  })
+})
+
+describe('getObject', () => {
+  test('returns object directly', () => {
+    const activity = {
+      type: 'Create',
+      object: { type: 'Note', content: 'Hello' }
+    }
+
+    assert.deepStrictEqual(getObject(activity), { type: 'Note', content: 'Hello' })
+  })
+
+  test('returns object ID string', () => {
+    const activity = {
+      type: 'Like',
+      object: 'https://example.com/notes/123'
+    }
+
+    assert.strictEqual(getObject(activity), 'https://example.com/notes/123')
+  })
+})
+
+describe('isAddressedTo', () => {
+  test('returns true when in to field', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://example.com/users/bob']
+    }
+
+    assert.strictEqual(isAddressedTo(activity, 'https://example.com/users/bob'), true)
+  })
+
+  test('returns true when in cc field', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://www.w3.org/ns/activitystreams#Public'],
+      cc: ['https://example.com/users/bob']
+    }
+
+    assert.strictEqual(isAddressedTo(activity, 'https://example.com/users/bob'), true)
+  })
+
+  test('returns false when not addressed', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://example.com/users/alice']
+    }
+
+    assert.strictEqual(isAddressedTo(activity, 'https://example.com/users/bob'), false)
+  })
+
+  test('handles missing to/cc fields', () => {
+    const activity = { type: 'Create' }
+
+    assert.strictEqual(isAddressedTo(activity, 'https://example.com/users/bob'), false)
+  })
+})
+
+describe('isPublic', () => {
+  test('returns true for Public in to', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://www.w3.org/ns/activitystreams#Public']
+    }
+
+    assert.strictEqual(isPublic(activity), true)
+  })
+
+  test('returns true for Public in cc', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://example.com/users/alice/followers'],
+      cc: ['https://www.w3.org/ns/activitystreams#Public']
+    }
+
+    assert.strictEqual(isPublic(activity), true)
+  })
+
+  test('returns true for short Public form', () => {
+    const activity = {
+      type: 'Create',
+      to: ['Public']
+    }
+
+    assert.strictEqual(isPublic(activity), true)
+  })
+
+  test('returns false for non-public', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://example.com/users/bob']
+    }
+
+    assert.strictEqual(isPublic(activity), false)
+  })
+
+  test('handles missing to/cc fields', () => {
+    const activity = { type: 'Create' }
+
+    assert.strictEqual(isPublic(activity), false)
+  })
+})

package/test/live.test.js

@@ -0,0 +1,109 @@
+/**
+ * Live Federation Tests
+ * Tests against real Mastodon instances
+ *
+ * Run: node --test test/live.test.js
+ *
+ * Note: Requires network access. May fail if instances are down.
+ */
+
+import { test, describe } from 'node:test'
+import assert from 'node:assert'
+import { lookup, resolve, getActorUrl } from '../src/webfinger.js'
+import { parseActor, getActorId } from '../src/profile.js'
+
+describe('Live WebFinger Lookup', { timeout: 10000 }, () => {
+  test('lookup mastodon.social account', async () => {
+    // Using Gargron (Mastodon creator) as a stable test account
+    const webfinger = await lookup('Gargron@mastodon.social')
+
+    assert.ok(webfinger.subject, 'missing subject')
+    assert.ok(webfinger.links, 'missing links')
+
+    const actorUrl = getActorUrl(webfinger)
+    assert.ok(actorUrl, 'no actor URL found')
+    assert.ok(actorUrl.includes('mastodon.social'), 'unexpected actor URL')
+  })
+
+  test('lookup returns valid JRD structure', async () => {
+    const webfinger = await lookup('Gargron@mastodon.social')
+
+    // Validate JRD structure
+    assert.ok(webfinger.subject.startsWith('acct:'))
+
+    const selfLink = webfinger.links.find(l =>
+      l.rel === 'self' && l.type === 'application/activity+json'
+    )
+    assert.ok(selfLink, 'missing ActivityPub self link')
+    assert.ok(selfLink.href.startsWith('https://'))
+  })
+})
+
+describe('Live Actor Fetch', { timeout: 10000 }, () => {
+  test('resolve mastodon.social actor', async () => {
+    const actor = await resolve('Gargron@mastodon.social')
+
+    // Validate required ActivityPub fields
+    assert.ok(actor.id, 'missing id')
+    assert.ok(actor.type, 'missing type')
+    assert.ok(actor.inbox, 'missing inbox')
+    assert.ok(actor.outbox, 'missing outbox')
+    assert.ok(actor.preferredUsername, 'missing preferredUsername')
+  })
+
+  test('actor has publicKey for signatures', async () => {
+    const actor = await resolve('Gargron@mastodon.social')
+
+    assert.ok(actor.publicKey, 'missing publicKey')
+    assert.ok(actor.publicKey.id, 'missing publicKey.id')
+    assert.ok(actor.publicKey.publicKeyPem, 'missing publicKeyPem')
+    assert.ok(
+      actor.publicKey.publicKeyPem.includes('BEGIN PUBLIC KEY'),
+      'publicKeyPem not in PEM format'
+    )
+  })
+
+  test('actor type is Person', async () => {
+    const actor = await resolve('Gargron@mastodon.social')
+    assert.strictEqual(actor.type, 'Person')
+  })
+
+  test('can extract actor ID', async () => {
+    const actor = await resolve('Gargron@mastodon.social')
+    const id = getActorId(actor)
+
+    assert.ok(id.startsWith('https://'))
+    assert.ok(id.includes('mastodon.social'))
+  })
+})
+
+describe('Live Outbox Fetch', { timeout: 10000 }, () => {
+  test('can fetch actor outbox', async () => {
+    const actor = await resolve('Gargron@mastodon.social')
+
+    const response = await fetch(actor.outbox, {
+      headers: { 'Accept': 'application/activity+json' }
+    })
+
+    assert.strictEqual(response.status, 200)
+
+    const outbox = await response.json()
+    assert.ok(
+      outbox.type === 'OrderedCollection' || outbox.type === 'OrderedCollectionPage',
+      'outbox must be OrderedCollection'
+    )
+    assert.ok(typeof outbox.totalItems === 'number', 'missing totalItems')
+  })
+})
+
+describe('Cross-instance Federation', { timeout: 15000 }, () => {
+  test('can lookup account on hachyderm.io', async () => {
+    // Test a different instance to verify federation lookup works
+    // Using a known active account
+    const webfinger = await lookup('nova@hachyderm.io')
+
+    assert.ok(webfinger.subject)
+    const actorUrl = getActorUrl(webfinger)
+    assert.ok(actorUrl.includes('hachyderm.io'))
+  })
+})