npm - microfed - Versions diffs - 0.0.12 → 0.0.14 - Mend

microfed 0.0.12 → 0.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/src/auth.js ADDED Viewed

@@ -0,0 +1,152 @@
+/**
+ * Microfed Auth Module
+ * Keypair generation and HTTP Signatures
+ */
+import { generateKeyPairSync, createSign, createVerify, createHash } from 'crypto'
+/**
+ * Generate RSA keypair for signing
+ * @param {number} [modulusLength=2048] - Key size in bits
+ * @returns {Object} { publicKey, privateKey } in PEM format
+ */
+export function generateKeypair(modulusLength = 2048) {
+  const { publicKey, privateKey } = generateKeyPairSync('rsa', {
+    modulusLength,
+    publicKeyEncoding: { type: 'spki', format: 'pem' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+  })
+  return { publicKey, privateKey }
+}
+/**
+ * Create HTTP Signature headers for a request
+ * @param {Object} options - Signing options
+ * @param {string} options.privateKey - PEM private key
+ * @param {string} options.keyId - Key identifier URL (actor#main-key)
+ * @param {string} options.method - HTTP method (POST, GET)
+ * @param {string} options.url - Target URL
+ * @param {string} [options.body] - Request body (for POST)
+ * @param {Object} [options.headers] - Additional headers to sign
+ * @returns {Object} Headers object with Signature, Date, Digest
+ */
+export function sign(options) {
+  const { privateKey, keyId, method, url, body } = options
+  const parsedUrl = new URL(url)
+  const date = new Date().toUTCString()
+  const headers = { ...options.headers }
+  // Build headers to sign
+  const signedHeaders = ['(request-target)', 'host', 'date']
+  const headerLines = [
+    `(request-target): ${method.toLowerCase()} ${parsedUrl.pathname}`,
+    `host: ${parsedUrl.host}`,
+    `date: ${date}`
+  ]
+  // Add digest for POST requests with body
+  if (body) {
+    const digest = createHash('sha256').update(body).digest('base64')
+    headers['Digest'] = `SHA-256=${digest}`
+    signedHeaders.push('digest')
+    headerLines.push(`digest: SHA-256=${digest}`)
+  }
+  // Create signature
+  const signingString = headerLines.join('\n')
+  const signer = createSign('RSA-SHA256')
+  signer.update(signingString)
+  const signature = signer.sign(privateKey, 'base64')
+  // Build Signature header
+  headers['Date'] = date
+  headers['Signature'] = [
+    `keyId="${keyId}"`,
+    `algorithm="rsa-sha256"`,
+    `headers="${signedHeaders.join(' ')}"`,
+    `signature="${signature}"`
+  ].join(',')
+  return headers
+}
+/**
+ * Verify HTTP Signature from request
+ * @param {Object} options - Verification options
+ * @param {string} options.publicKey - PEM public key
+ * @param {string} options.signature - Signature header value
+ * @param {string} options.method - HTTP method
+ * @param {string} options.path - Request path
+ * @param {Object} options.headers - Request headers
+ * @returns {boolean} True if valid
+ */
+export function verify(options) {
+  const { publicKey, signature, method, path, headers } = options
+  // Parse Signature header
+  const sigParts = parseSignatureHeader(signature)
+  if (!sigParts) return false
+  // Rebuild signing string
+  const signedHeaders = sigParts.headers.split(' ')
+  const headerLines = signedHeaders.map(name => {
+    if (name === '(request-target)') {
+      return `(request-target): ${method.toLowerCase()} ${path}`
+    }
+    const value = headers[name] || headers[name.toLowerCase()]
+    return `${name}: ${value}`
+  })
+  const signingString = headerLines.join('\n')
+  // Verify
+  const verifier = createVerify('RSA-SHA256')
+  verifier.update(signingString)
+  try {
+    return verifier.verify(publicKey, sigParts.signature, 'base64')
+  } catch {
+    return false
+  }
+}
+/**
+ * Parse Signature header into components
+ * @param {string} header - Signature header value
+ * @returns {Object|null} { keyId, algorithm, headers, signature }
+ */
+export function parseSignatureHeader(header) {
+  const parts = {}
+  const regex = /(\w+)="([^"]+)"/g
+  let match
+  while ((match = regex.exec(header)) !== null) {
+    parts[match[1]] = match[2]
+  }
+  if (!parts.keyId || !parts.signature) return null
+  return parts
+}
+/**
+ * Create SHA-256 digest of content
+ * @param {string} content - Content to hash
+ * @returns {string} Digest header value
+ */
+export function digest(content) {
+  const hash = createHash('sha256').update(content).digest('base64')
+  return `SHA-256=${hash}`
+}
+/**
+ * Verify digest header matches body
+ * @param {string} body - Request body
+ * @param {string} digestHeader - Digest header value
+ * @returns {boolean} True if matches
+ */
+export function verifyDigest(body, digestHeader) {
+  return digest(body) === digestHeader
+}
+export default { generateKeypair, sign, verify, parseSignatureHeader, digest, verifyDigest }

package/src/inbox.js ADDED Viewed

@@ -0,0 +1,188 @@
+/**
+ * Microfed Inbox Module
+ * Receive and process incoming activities
+ */
+import { verify, parseSignatureHeader, verifyDigest } from './auth.js'
+const ACTIVITYPUB_TYPE = 'application/activity+json'
+const LD_TYPE = 'application/ld+json'
+/**
+ * Create inbox handler
+ * @param {Object} options - Handler options
+ * @param {Function} options.getPublicKey - async (keyId) => publicKeyPem
+ * @param {Object} [options.handlers] - Activity type handlers { Follow, Create, ... }
+ * @param {boolean} [options.verifySignatures=true] - Require valid signatures
+ * @returns {Function} Handler(req) => Response
+ */
+export function createHandler(options) {
+  const { getPublicKey, handlers = {}, verifySignatures = true } = options
+  return async (req) => {
+    // Must be POST
+    if (req.method !== 'POST') {
+      return new Response('Method not allowed', { status: 405 })
+    }
+    // Check content type
+    const contentType = req.headers.get('content-type') || ''
+    if (!contentType.includes('json')) {
+      return new Response('Invalid content type', { status: 415 })
+    }
+    // Parse body
+    let activity
+    let body
+    try {
+      body = await req.text()
+      activity = JSON.parse(body)
+    } catch {
+      return new Response('Invalid JSON', { status: 400 })
+    }
+    // Verify signature
+    if (verifySignatures) {
+      const signatureHeader = req.headers.get('signature')
+      if (!signatureHeader) {
+        return new Response('Missing signature', { status: 401 })
+      }
+      const sigParts = parseSignatureHeader(signatureHeader)
+      if (!sigParts) {
+        return new Response('Invalid signature format', { status: 401 })
+      }
+      // Verify digest if present
+      const digestHeader = req.headers.get('digest')
+      if (digestHeader && !verifyDigest(body, digestHeader)) {
+        return new Response('Digest mismatch', { status: 401 })
+      }
+      // Fetch public key and verify
+      try {
+        const publicKey = await getPublicKey(sigParts.keyId)
+        if (!publicKey) {
+          return new Response('Unknown key', { status: 401 })
+        }
+        const url = new URL(req.url)
+        const valid = verify({
+          publicKey,
+          signature: signatureHeader,
+          method: req.method,
+          path: url.pathname,
+          headers: Object.fromEntries(req.headers)
+        })
+        if (!valid) {
+          return new Response('Invalid signature', { status: 401 })
+        }
+      } catch (err) {
+        return new Response('Signature verification failed', { status: 401 })
+      }
+    }
+    // Validate activity
+    if (!activity.type) {
+      return new Response('Missing activity type', { status: 400 })
+    }
+    // Route to handler
+    const handler = handlers[activity.type]
+    if (handler) {
+      try {
+        await handler(activity)
+      } catch (err) {
+        console.error(`Error handling ${activity.type}:`, err)
+        return new Response('Processing error', { status: 500 })
+      }
+    }
+    // Accept activity
+    return new Response('', { status: 202 })
+  }
+}
+/**
+ * Parse activity from request
+ * @param {Request} req - Incoming request
+ * @returns {Promise<Object>} Parsed activity
+ */
+export async function parseActivity(req) {
+  const body = await req.text()
+  return JSON.parse(body)
+}
+/**
+ * Get actor ID from activity
+ * @param {Object} activity - Activity object
+ * @returns {string} Actor ID
+ */
+export function getActor(activity) {
+  const actor = activity.actor
+  if (typeof actor === 'string') return actor
+  if (actor?.id) return actor.id
+  throw new Error('Cannot extract actor from activity')
+}
+/**
+ * Get object from activity
+ * @param {Object} activity - Activity object
+ * @returns {Object|string} Object or object ID
+ */
+export function getObject(activity) {
+  return activity.object
+}
+/**
+ * Check if activity is addressed to actor
+ * @param {Object} activity - Activity object
+ * @param {string} actorId - Actor to check
+ * @returns {boolean} True if addressed to actor
+ */
+export function isAddressedTo(activity, actorId) {
+  const recipients = [
+    ...(activity.to || []),
+    ...(activity.cc || []),
+    ...(activity.bto || []),
+    ...(activity.bcc || [])
+  ]
+  return recipients.includes(actorId)
+}
+/**
+ * Check if activity is public
+ * @param {Object} activity - Activity object
+ * @returns {boolean} True if public
+ */
+export function isPublic(activity) {
+  const PUBLIC = 'https://www.w3.org/ns/activitystreams#Public'
+  const recipients = [...(activity.to || []), ...(activity.cc || [])]
+  return recipients.includes(PUBLIC) || recipients.includes('Public')
+}
+/**
+ * Standard activity type handlers (stubs)
+ */
+export const standardHandlers = {
+  Follow: async (activity) => { /* Accept/Reject follow */ },
+  Undo: async (activity) => { /* Reverse previous activity */ },
+  Create: async (activity) => { /* Store content */ },
+  Update: async (activity) => { /* Update content */ },
+  Delete: async (activity) => { /* Delete content */ },
+  Like: async (activity) => { /* Record like */ },
+  Announce: async (activity) => { /* Record boost */ },
+  Accept: async (activity) => { /* Confirm follow */ },
+  Reject: async (activity) => { /* Deny follow */ }
+}
+export default {
+  createHandler,
+  parseActivity,
+  getActor,
+  getObject,
+  isAddressedTo,
+  isPublic,
+  standardHandlers
+}

package/src/outbox.js ADDED Viewed

@@ -0,0 +1,268 @@
+/**
+ * Microfed Outbox Module
+ * Create and send activities to remote inboxes
+ */
+import { sign } from './auth.js'
+import { resolve } from './webfinger.js'
+const ACTIVITYPUB_TYPE = 'application/activity+json'
+const PUBLIC = 'https://www.w3.org/ns/activitystreams#Public'
+/**
+ * Create an activity
+ * @param {Object} options - Activity options
+ * @param {string} options.type - Activity type (Create, Follow, Like, etc.)
+ * @param {string} options.actor - Actor ID URL
+ * @param {Object|string} options.object - Activity object
+ * @param {Array} [options.to] - Primary recipients
+ * @param {Array} [options.cc] - Secondary recipients
+ * @param {string} [options.id] - Activity ID (auto-generated if not provided)
+ * @returns {Object} Activity object
+ */
+export function createActivity(options) {
+  const { type, actor, object, to = [], cc = [] } = options
+  if (!type) throw new Error('Activity type is required')
+  if (!actor) throw new Error('Activity actor is required')
+  if (!object) throw new Error('Activity object is required')
+  return {
+    '@context': 'https://www.w3.org/ns/activitystreams',
+    type,
+    id: options.id || `${actor}/activities/${Date.now()}`,
+    actor,
+    object,
+    to,
+    cc,
+    published: new Date().toISOString()
+  }
+}
+/**
+ * Create a Note (post)
+ * Supports two call signatures:
+ * - createNote(actor, content, options) - positional
+ * - createNote({ actor, content, ...options }) - object
+ *
+ * @param {string|Object} actorOrOptions - Actor ID or options object
+ * @param {string} [content] - HTML content (if using positional args)
+ * @param {Object} [options] - Additional options (if using positional args)
+ * @param {string} [options.id] - Note ID (auto-generated if not provided)
+ * @param {Array} [options.to] - Primary recipients
+ * @param {Array} [options.cc] - Secondary recipients
+ * @param {string} [options.inReplyTo] - ID of post being replied to
+ * @returns {Object} Note object
+ */
+export function createNote(actorOrOptions, content, options = {}) {
+  // Support both call signatures
+  let actor, noteContent, noteOptions
+  if (typeof actorOrOptions === 'object') {
+    // Object signature: createNote({ actor, content, ... })
+    actor = actorOrOptions.actor
+    noteContent = actorOrOptions.content
+    noteOptions = actorOrOptions
+  } else {
+    // Positional signature: createNote(actor, content, options)
+    actor = actorOrOptions
+    noteContent = content
+    noteOptions = options
+  }
+  // Handle public/private addressing
+  const isPublic = noteOptions.public !== false
+  const defaultTo = isPublic ? [PUBLIC] : []
+  const defaultCc = isPublic ? [`${actor}/followers`] : []
+  const {
+    id,
+    to = defaultTo,
+    cc = defaultCc,
+    inReplyTo
+  } = noteOptions
+  const note = {
+    type: 'Note',
+    id: id || `${actor}/notes/${Date.now()}`,
+    attributedTo: actor,
+    content: noteContent,
+    published: new Date().toISOString(),
+    to,
+    cc
+  }
+  if (inReplyTo) note.inReplyTo = inReplyTo
+  return note
+}
+/**
+ * Wrap object in Create activity
+ * @param {string} actor - Actor ID
+ * @param {Object} object - Object to wrap
+ * @returns {Object} Create activity
+ */
+export function wrapCreate(actor, object) {
+  return createActivity({
+    type: 'Create',
+    actor,
+    object,
+    to: object.to,
+    cc: object.cc
+  })
+}
+/**
+ * Create Follow activity
+ * @param {string} actor - Follower's actor ID
+ * @param {string} target - Target actor ID to follow
+ * @returns {Object} Follow activity
+ */
+export function createFollow(actor, target) {
+  return createActivity({
+    type: 'Follow',
+    actor,
+    object: target,
+    to: [target]
+  })
+}
+/**
+ * Create Undo activity
+ * @param {string} actor - Actor ID
+ * @param {Object|string} activity - Activity to undo
+ * @returns {Object} Undo activity
+ */
+export function createUndo(actor, activity) {
+  const activityId = typeof activity === 'string' ? activity : activity.id
+  return createActivity({
+    type: 'Undo',
+    actor,
+    object: activity,
+    to: activity.to || [],
+    cc: activity.cc || []
+  })
+}
+/**
+ * Create Accept activity (for follow requests)
+ * @param {string} actor - Actor accepting
+ * @param {Object} follow - Follow activity being accepted
+ * @returns {Object} Accept activity
+ */
+export function createAccept(actor, follow) {
+  return createActivity({
+    type: 'Accept',
+    actor,
+    object: follow,
+    to: [follow.actor]
+  })
+}
+/**
+ * Send activity to inbox
+ * @param {Object} options - Send options
+ * @param {Object} options.activity - Activity to send
+ * @param {string} options.inbox - Target inbox URL
+ * @param {string} options.privateKey - Sender's private key (PEM)
+ * @param {string} options.keyId - Sender's key ID
+ * @returns {Promise<Response>} Fetch response
+ */
+export async function send(options) {
+  const { activity, inbox, privateKey, keyId } = options
+  const body = JSON.stringify(activity)
+  const headers = sign({
+    privateKey,
+    keyId,
+    method: 'POST',
+    url: inbox,
+    body,
+    headers: {
+      'Content-Type': ACTIVITYPUB_TYPE,
+      'Accept': ACTIVITYPUB_TYPE
+    }
+  })
+  return fetch(inbox, {
+    method: 'POST',
+    headers: {
+      ...headers,
+      'Content-Type': ACTIVITYPUB_TYPE
+    },
+    body
+  })
+}
+/**
+ * Deliver activity to multiple inboxes
+ * @param {Object} options - Delivery options
+ * @param {Object} options.activity - Activity to deliver
+ * @param {Array<string>} options.inboxes - Target inbox URLs
+ * @param {string} options.privateKey - Sender's private key
+ * @param {string} options.keyId - Sender's key ID
+ * @returns {Promise<Array>} Array of { inbox, success, error? }
+ */
+export async function deliver(options) {
+  const { activity, inboxes, privateKey, keyId } = options
+  const results = await Promise.allSettled(
+    inboxes.map(async (inbox) => {
+      const response = await send({ activity, inbox, privateKey, keyId })
+      return { inbox, status: response.status }
+    })
+  )
+  return results.map((result, i) => ({
+    inbox: inboxes[i],
+    success: result.status === 'fulfilled' && result.value.status < 300,
+    error: result.status === 'rejected' ? result.reason.message : null
+  }))
+}
+/**
+ * Resolve recipients and get their inboxes
+ * @param {Array<string>} recipients - Actor IDs or accounts
+ * @returns {Promise<Array<string>>} Inbox URLs
+ */
+export async function resolveInboxes(recipients) {
+  const inboxes = new Set()
+  for (const recipient of recipients) {
+    // Skip public addressing
+    if (recipient === PUBLIC || recipient.endsWith('/followers')) continue
+    try {
+      let actor
+      if (recipient.includes('@') && !recipient.startsWith('http')) {
+        actor = await resolve(recipient)
+      } else {
+        const response = await fetch(recipient, {
+          headers: { 'Accept': ACTIVITYPUB_TYPE }
+        })
+        actor = await response.json()
+      }
+      if (actor.inbox) {
+        inboxes.add(actor.endpoints?.sharedInbox || actor.inbox)
+      }
+    } catch (err) {
+      console.error(`Failed to resolve ${recipient}:`, err.message)
+    }
+  }
+  return [...inboxes]
+}
+export default {
+  createActivity,
+  createNote,
+  wrapCreate,
+  createFollow,
+  createUndo,
+  createAccept,
+  send,
+  deliver,
+  resolveInboxes
+}