microfed 0.0.12 → 0.0.14

package/src/profile.js

@@ -0,0 +1,114 @@
+/**
+ * Microfed Profile Module
+ * Minimal ActivityPub actor/profile generation
+ */
+
+const AS_CONTEXT = 'https://www.w3.org/ns/activitystreams'
+const SECURITY_CONTEXT = 'https://w3id.org/security/v1'
+
+/**
+ * Create an ActivityPub actor profile
+ * @param {Object} options - Actor configuration
+ * @param {string} options.id - Actor's unique URL (required)
+ * @param {string} options.type - Actor type: Person, Service, Group, Application, Organization
+ * @param {string} options.username - preferredUsername (handle)
+ * @param {string} [options.name] - Display name
+ * @param {string} [options.summary] - Bio/description (HTML allowed)
+ * @param {string} [options.inbox] - Inbox URL (defaults to {id}/inbox)
+ * @param {string} [options.outbox] - Outbox URL (defaults to {id}/outbox)
+ * @param {string} [options.publicKey] - PEM-encoded public key
+ * @param {string} [options.icon] - Avatar URL
+ * @param {string} [options.image] - Header/banner URL
+ * @returns {Object} ActivityPub Actor object
+ */
+export function createActor(options) {
+  const { id, type = 'Person', username } = options
+
+  if (!id) throw new Error('Actor id is required')
+  if (!username) throw new Error('Actor username is required')
+
+  const actor = {
+    '@context': [AS_CONTEXT, SECURITY_CONTEXT],
+    type,
+    id,
+    preferredUsername: username,
+    inbox: options.inbox || `${id}/inbox`,
+    outbox: options.outbox || `${id}/outbox`,
+    followers: options.followers || `${id}/followers`,
+    following: options.following || `${id}/following`
+  }
+
+  // Optional fields
+  if (options.name) actor.name = options.name
+  if (options.summary) actor.summary = options.summary
+  if (options.url) actor.url = options.url
+  if (options.icon) actor.icon = { type: 'Image', url: options.icon }
+  if (options.image) actor.image = { type: 'Image', url: options.image }
+
+  // Public key for HTTP signatures
+  if (options.publicKey) {
+    actor.publicKey = {
+      id: `${id}#main-key`,
+      owner: id,
+      publicKeyPem: options.publicKey
+    }
+  }
+
+  // Shared inbox for efficient delivery
+  if (options.sharedInbox) {
+    actor.endpoints = { sharedInbox: options.sharedInbox }
+  }
+
+  return actor
+}
+
+/**
+ * Create a minimal actor (just the essentials)
+ * @param {string} id - Actor URL
+ * @param {string} username - Handle
+ * @returns {Object} Minimal actor object
+ */
+export function createMinimalActor(id, username) {
+  return createActor({ id, username })
+}
+
+/**
+ * Parse an actor from JSON
+ * @param {string|Object} json - JSON string or object
+ * @returns {Object} Parsed actor
+ */
+export function parseActor(json) {
+  const actor = typeof json === 'string' ? JSON.parse(json) : json
+
+  // Validate required fields
+  if (!actor.id) throw new Error('Actor missing id')
+  if (!actor.inbox) throw new Error('Actor missing inbox')
+
+  return actor
+}
+
+/**
+ * Extract actor ID from various formats
+ * @param {string|Object} actor - Actor URL, object, or activity
+ * @returns {string} Actor ID URL
+ */
+export function getActorId(actor) {
+  if (typeof actor === 'string') return actor
+  if (actor.id) return actor.id
+  if (actor.actor) return getActorId(actor.actor)
+  throw new Error('Cannot extract actor ID')
+}
+
+/**
+ * Build actor URL from domain and username
+ * @param {string} domain - Domain (e.g., example.com)
+ * @param {string} username - Username/handle
+ * @param {string} [path] - URL path pattern (default: /users/{username})
+ * @returns {string} Full actor URL
+ */
+export function buildActorUrl(domain, username, path = '/users/{username}') {
+  const actorPath = path.replace('{username}', username)
+  return `https://${domain}${actorPath}`
+}
+
+export default { createActor, createMinimalActor, parseActor, getActorId, buildActorUrl }

package/src/webfinger.js

@@ -0,0 +1,182 @@
+/**
+ * Microfed WebFinger Module
+ * Actor discovery via WebFinger protocol
+ */
+
+const WEBFINGER_PATH = '/.well-known/webfinger'
+const ACTIVITYPUB_TYPE = 'application/activity+json'
+
+/**
+ * Create WebFinger response for an actor
+ * @param {string} account - Account identifier (user@domain)
+ * @param {string} actorUrl - Actor's ActivityPub URL
+ * @param {Object} [options] - Additional options
+ * @param {string} [options.profileUrl] - HTML profile page URL
+ * @param {Array} [options.aliases] - Alternative identifiers
+ * @returns {Object} WebFinger JRD response
+ */
+export function createResponse(account, actorUrl, options = {}) {
+  const response = {
+    subject: `acct:${account}`,
+    links: [
+      {
+        rel: 'self',
+        type: ACTIVITYPUB_TYPE,
+        href: actorUrl
+      }
+    ]
+  }
+
+  // Add HTML profile link
+  if (options.profileUrl) {
+    response.links.push({
+      rel: 'http://webfinger.net/rel/profile-page',
+      type: 'text/html',
+      href: options.profileUrl
+    })
+  }
+
+  // Add aliases
+  if (options.aliases) {
+    response.aliases = options.aliases
+  }
+
+  return response
+}
+
+/**
+ * Parse WebFinger resource query
+ * @param {string} resource - Resource query (acct:user@domain or URL)
+ * @returns {Object|null} { username, domain } or null
+ */
+export function parseResource(resource) {
+  if (!resource) return null
+
+  // Handle acct: URI
+  if (resource.startsWith('acct:')) {
+    const account = resource.slice(5)
+    const [username, domain] = account.split('@')
+    if (username && domain) {
+      return { username, domain }
+    }
+  }
+
+  // Handle URL
+  if (resource.startsWith('https://') || resource.startsWith('http://')) {
+    try {
+      const url = new URL(resource)
+      const match = url.pathname.match(/\/users\/([^/]+)/)
+      if (match) {
+        return { username: match[1], domain: url.host }
+      }
+    } catch {
+      return null
+    }
+  }
+
+  return null
+}
+
+/**
+ * Lookup actor via WebFinger
+ * @param {string} account - Account to lookup (user@domain)
+ * @returns {Promise<Object>} WebFinger response
+ */
+export async function lookup(account) {
+  // Extract domain
+  const [, domain] = account.includes('@') ? account.split('@') : [null, account]
+  if (!domain) throw new Error('Invalid account format')
+
+  const resource = account.includes('@') ? `acct:${account}` : account
+  const url = `https://${domain}${WEBFINGER_PATH}?resource=${encodeURIComponent(resource)}`
+
+  const response = await fetch(url, {
+    headers: { 'Accept': 'application/jrd+json, application/json' }
+  })
+
+  if (!response.ok) {
+    throw new Error(`WebFinger lookup failed: ${response.status}`)
+  }
+
+  return response.json()
+}
+
+/**
+ * Get actor URL from WebFinger response
+ * @param {Object} webfinger - WebFinger JRD response
+ * @returns {string|null} Actor URL or null
+ */
+export function getActorUrl(webfinger) {
+  if (!webfinger.links) return null
+
+  const link = webfinger.links.find(l =>
+    l.rel === 'self' && l.type === ACTIVITYPUB_TYPE
+  )
+
+  return link?.href || null
+}
+
+/**
+ * Resolve account to actor object
+ * @param {string} account - Account (user@domain)
+ * @returns {Promise<Object>} Actor object
+ */
+export async function resolve(account) {
+  const webfinger = await lookup(account)
+  const actorUrl = getActorUrl(webfinger)
+
+  if (!actorUrl) {
+    throw new Error('No ActivityPub actor found')
+  }
+
+  const response = await fetch(actorUrl, {
+    headers: { 'Accept': ACTIVITYPUB_TYPE }
+  })
+
+  if (!response.ok) {
+    throw new Error(`Actor fetch failed: ${response.status}`)
+  }
+
+  return response.json()
+}
+
+/**
+ * Create WebFinger request handler
+ * @param {Function} findActor - Function(username) => { actorUrl, profileUrl? }
+ * @returns {Function} Handler(req) => Response
+ */
+export function createHandler(findActor) {
+  return async (req) => {
+    const url = new URL(req.url)
+    const resource = url.searchParams.get('resource')
+
+    if (!resource) {
+      return new Response('Missing resource parameter', { status: 400 })
+    }
+
+    const parsed = parseResource(resource)
+    if (!parsed) {
+      return new Response('Invalid resource format', { status: 400 })
+    }
+
+    const actor = await findActor(parsed.username)
+    if (!actor) {
+      return new Response('Not found', { status: 404 })
+    }
+
+    const response = createResponse(
+      `${parsed.username}@${parsed.domain}`,
+      actor.actorUrl,
+      { profileUrl: actor.profileUrl }
+    )
+
+    return new Response(JSON.stringify(response), {
+      headers: {
+        'Content-Type': 'application/jrd+json',
+        'Access-Control-Allow-Origin': '*'
+      }
+    })
+  }
+}
+
+export default { createResponse, parseResource, lookup, getActorUrl, resolve, createHandler }

package/test/auth.test.js

@@ -0,0 +1,218 @@
+/**
+ * Microfed Auth Module Tests
+ * Run: node --test test/auth.test.js
+ */
+
+import { test, describe } from 'node:test'
+import assert from 'node:assert'
+import { generateKeypair, sign, verify, parseSignatureHeader, digest, verifyDigest } from '../src/auth.js'
+
+describe('generateKeypair', () => {
+  test('generates valid RSA keypair', () => {
+    const { publicKey, privateKey } = generateKeypair()
+
+    assert.ok(publicKey.includes('-----BEGIN PUBLIC KEY-----'))
+    assert.ok(publicKey.includes('-----END PUBLIC KEY-----'))
+    assert.ok(privateKey.includes('-----BEGIN PRIVATE KEY-----'))
+    assert.ok(privateKey.includes('-----END PRIVATE KEY-----'))
+  })
+
+  test('generates unique keypairs', () => {
+    const pair1 = generateKeypair()
+    const pair2 = generateKeypair()
+
+    assert.notStrictEqual(pair1.publicKey, pair2.publicKey)
+    assert.notStrictEqual(pair1.privateKey, pair2.privateKey)
+  })
+})
+
+describe('sign', () => {
+  test('returns required headers', () => {
+    const { privateKey } = generateKeypair()
+
+    const headers = sign({
+      privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'POST',
+      url: 'https://remote.example/users/bob/inbox',
+      body: '{"type":"Follow"}'
+    })
+
+    assert.ok(headers.Date)
+    assert.ok(headers.Signature)
+    assert.ok(headers.Digest)
+    assert.ok(headers.Digest.startsWith('SHA-256='))
+  })
+
+  test('signature header has required parts', () => {
+    const { privateKey } = generateKeypair()
+
+    const headers = sign({
+      privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'POST',
+      url: 'https://remote.example/users/bob/inbox',
+      body: '{}'
+    })
+
+    const parsed = parseSignatureHeader(headers.Signature)
+    assert.ok(parsed.keyId)
+    assert.ok(parsed.algorithm)
+    assert.ok(parsed.headers)
+    assert.ok(parsed.signature)
+  })
+
+  test('GET request without body omits digest', () => {
+    const { privateKey } = generateKeypair()
+
+    const headers = sign({
+      privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'GET',
+      url: 'https://remote.example/users/bob'
+    })
+
+    assert.ok(headers.Date)
+    assert.ok(headers.Signature)
+    assert.strictEqual(headers.Digest, undefined)
+  })
+})
+
+describe('verify', () => {
+  test('verifies valid signature', () => {
+    const { publicKey, privateKey } = generateKeypair()
+    const url = 'https://remote.example/users/bob/inbox'
+    const body = '{"type":"Follow","actor":"https://example.com/users/alice"}'
+
+    const headers = sign({
+      privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'POST',
+      url,
+      body
+    })
+
+    const valid = verify({
+      publicKey,
+      signature: headers.Signature,
+      method: 'POST',
+      path: '/users/bob/inbox',
+      headers: {
+        host: 'remote.example',
+        date: headers.Date,
+        digest: headers.Digest
+      }
+    })
+
+    assert.strictEqual(valid, true)
+  })
+
+  test('rejects tampered signature', () => {
+    const { publicKey, privateKey } = generateKeypair()
+
+    const headers = sign({
+      privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'POST',
+      url: 'https://remote.example/inbox',
+      body: '{}'
+    })
+
+    // Tamper with signature
+    const tampered = headers.Signature.replace(/signature="[^"]+"/, 'signature="dGFtcGVyZWQ="')
+
+    const valid = verify({
+      publicKey,
+      signature: tampered,
+      method: 'POST',
+      path: '/inbox',
+      headers: {
+        host: 'remote.example',
+        date: headers.Date,
+        digest: headers.Digest
+      }
+    })
+
+    assert.strictEqual(valid, false)
+  })
+
+  test('rejects wrong public key', () => {
+    const sender = generateKeypair()
+    const other = generateKeypair()
+
+    const headers = sign({
+      privateKey: sender.privateKey,
+      keyId: 'https://example.com/users/alice#main-key',
+      method: 'POST',
+      url: 'https://remote.example/inbox',
+      body: '{}'
+    })
+
+    const valid = verify({
+      publicKey: other.publicKey, // Wrong key
+      signature: headers.Signature,
+      method: 'POST',
+      path: '/inbox',
+      headers: {
+        host: 'remote.example',
+        date: headers.Date,
+        digest: headers.Digest
+      }
+    })
+
+    assert.strictEqual(valid, false)
+  })
+})
+
+describe('parseSignatureHeader', () => {
+  test('parses valid signature header', () => {
+    const header = 'keyId="https://example.com/users/alice#main-key",algorithm="rsa-sha256",headers="(request-target) host date",signature="abc123"'
+
+    const parsed = parseSignatureHeader(header)
+
+    assert.strictEqual(parsed.keyId, 'https://example.com/users/alice#main-key')
+    assert.strictEqual(parsed.algorithm, 'rsa-sha256')
+    assert.strictEqual(parsed.headers, '(request-target) host date')
+    assert.strictEqual(parsed.signature, 'abc123')
+  })
+
+  test('returns null for invalid header', () => {
+    assert.strictEqual(parseSignatureHeader('invalid'), null)
+    assert.strictEqual(parseSignatureHeader(''), null)
+  })
+})
+
+describe('digest', () => {
+  test('creates SHA-256 digest', () => {
+    const result = digest('{"test":true}')
+
+    assert.ok(result.startsWith('SHA-256='))
+    assert.strictEqual(result.length, 8 + 44) // "SHA-256=" + base64
+  })
+
+  test('same input produces same digest', () => {
+    const body = '{"type":"Create"}'
+
+    assert.strictEqual(digest(body), digest(body))
+  })
+
+  test('different input produces different digest', () => {
+    assert.notStrictEqual(digest('a'), digest('b'))
+  })
+})
+
+describe('verifyDigest', () => {
+  test('verifies matching digest', () => {
+    const body = '{"type":"Follow"}'
+    const digestHeader = digest(body)
+
+    assert.strictEqual(verifyDigest(body, digestHeader), true)
+  })
+
+  test('rejects non-matching digest', () => {
+    const body = '{"type":"Follow"}'
+    const wrongDigest = digest('{"type":"Create"}')
+
+    assert.strictEqual(verifyDigest(body, wrongDigest), false)
+  })
+})

package/test/inbox.test.js

@@ -0,0 +1,135 @@
+/**
+ * Microfed Inbox Module Tests
+ * Run: node --test test/inbox.test.js
+ */
+
+import { test, describe } from 'node:test'
+import assert from 'node:assert'
+import { getActor, getObject, isAddressedTo, isPublic } from '../src/inbox.js'
+
+describe('getActor', () => {
+  test('extracts actor string', () => {
+    const activity = {
+      type: 'Create',
+      actor: 'https://example.com/users/alice'
+    }
+
+    assert.strictEqual(getActor(activity), 'https://example.com/users/alice')
+  })
+
+  test('extracts actor from object', () => {
+    const activity = {
+      type: 'Create',
+      actor: { id: 'https://example.com/users/alice' }
+    }
+
+    assert.strictEqual(getActor(activity), 'https://example.com/users/alice')
+  })
+
+  test('throws when actor missing', () => {
+    assert.throws(() => {
+      getActor({ type: 'Create' })
+    }, /Cannot extract actor/)
+  })
+})
+
+describe('getObject', () => {
+  test('returns object directly', () => {
+    const activity = {
+      type: 'Create',
+      object: { type: 'Note', content: 'Hello' }
+    }
+
+    assert.deepStrictEqual(getObject(activity), { type: 'Note', content: 'Hello' })
+  })
+
+  test('returns object ID string', () => {
+    const activity = {
+      type: 'Like',
+      object: 'https://example.com/notes/123'
+    }
+
+    assert.strictEqual(getObject(activity), 'https://example.com/notes/123')
+  })
+})
+
+describe('isAddressedTo', () => {
+  test('returns true when in to field', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://example.com/users/bob']
+    }
+
+    assert.strictEqual(isAddressedTo(activity, 'https://example.com/users/bob'), true)
+  })
+
+  test('returns true when in cc field', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://www.w3.org/ns/activitystreams#Public'],
+      cc: ['https://example.com/users/bob']
+    }
+
+    assert.strictEqual(isAddressedTo(activity, 'https://example.com/users/bob'), true)
+  })
+
+  test('returns false when not addressed', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://example.com/users/alice']
+    }
+
+    assert.strictEqual(isAddressedTo(activity, 'https://example.com/users/bob'), false)
+  })
+
+  test('handles missing to/cc fields', () => {
+    const activity = { type: 'Create' }
+
+    assert.strictEqual(isAddressedTo(activity, 'https://example.com/users/bob'), false)
+  })
+})
+
+describe('isPublic', () => {
+  test('returns true for Public in to', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://www.w3.org/ns/activitystreams#Public']
+    }
+
+    assert.strictEqual(isPublic(activity), true)
+  })
+
+  test('returns true for Public in cc', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://example.com/users/alice/followers'],
+      cc: ['https://www.w3.org/ns/activitystreams#Public']
+    }
+
+    assert.strictEqual(isPublic(activity), true)
+  })
+
+  test('returns true for short Public form', () => {
+    const activity = {
+      type: 'Create',
+      to: ['Public']
+    }
+
+    assert.strictEqual(isPublic(activity), true)
+  })
+
+  test('returns false for non-public', () => {
+    const activity = {
+      type: 'Create',
+      to: ['https://example.com/users/bob']
+    }
+
+    assert.strictEqual(isPublic(activity), false)
+  })
+
+  test('handles missing to/cc fields', () => {
+    const activity = { type: 'Create' }
+
+    assert.strictEqual(isPublic(activity), false)
+  })
+})