fix(activitypub): handle publication host private DNS lookups

svemagie
2026-03-09 19:39:04 +01:00
parent d237dac539
commit 1365f696f0
5 changed files with 251 additions and 4 deletions

View File

@@ -126,6 +126,7 @@
- `REDIS_URL` (recommended for production delivery queue durability) - `REDIS_URL` (recommended for production delivery queue durability)
- Startup preflight `scripts/preflight-activitypub-rsa-key.mjs` ensures `ap_keys` contains a usable RSA key pair (`publicKeyPem` + `privateKeyPem`) so outgoing inbox deliveries are HTTP-signed and not rejected with `Request not signed`. - Startup preflight `scripts/preflight-activitypub-rsa-key.mjs` ensures `ap_keys` contains a usable RSA key pair (`publicKeyPem` + `privateKeyPem`) so outgoing inbox deliveries are HTTP-signed and not rejected with `Request not signed`.
- Startup preflight `scripts/preflight-activitypub-profile-urls.mjs` normalizes existing ActivityPub profile URL fields in MongoDB (`url`, `icon`, `image`, `alsoKnownAs`) so WebFinger/actor responses do not fail on invalid URL values. - Startup preflight `scripts/preflight-activitypub-profile-urls.mjs` normalizes existing ActivityPub profile URL fields in MongoDB (`url`, `icon`, `image`, `alsoKnownAs`) so WebFinger/actor responses do not fail on invalid URL values.
- The ActivityPub private-url docloader patch (`scripts/patch-endpoint-activitypub-private-url-docloader.mjs`) allows Fedify lookups for your own publication hostname when split-horizon DNS resolves it to a private jail IP.
- The ActivityPub locale patch creates/repairs `locales/de.json` from `locales/en.json` so backend UI keys do not render as raw `activitypub.*` translation strings when `SITE_LOCALE=de`. - The ActivityPub locale patch creates/repairs `locales/de.json` from `locales/en.json` so backend UI keys do not render as raw `activitypub.*` translation strings when `SITE_LOCALE=de`.
- Quick verification commands: - Quick verification commands:
- `curl -s "https://blog.giersig.eu/.well-known/webfinger?resource=acct:<handle>@blog.giersig.eu" | jq .` - `curl -s "https://blog.giersig.eu/.well-known/webfinger?resource=acct:<handle>@blog.giersig.eu" | jq .`
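Review bot: the new README bullet should state the scope of the relaxation so operators know what is being switched off: the wrapper passes `allowPrivateAddress: true` only for URLs whose hostname equals the publication hostname, and every other lookup keeps Fedify's default private-address blocking. Suggest wording along the lines of "disables Fedify's private-address check only for URLs on the publication's own hostname", since "allows Fedify lookups for your own publication hostname" does not make clear that this is a targeted exception to an SSRF guard rather than a general one.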
@@ -138,7 +139,7 @@
- `start.sh` is intentionally ignored by Git (`.gitignore`) so server secrets are not committed. - `start.sh` is intentionally ignored by Git (`.gitignore`) so server secrets are not committed.
- Use `start.example.sh` as the tracked template and keep real credentials in environment variables (or `.env` on the server). - Use `start.example.sh` as the tracked template and keep real credentials in environment variables (or `.env` on the server).
- Startup scripts parse `.env` with the `dotenv` parser (not shell `source`), so values containing spaces are handled safely. - Startup scripts parse `.env` with the `dotenv` parser (not shell `source`), so values containing spaces are handled safely.
- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/preflight-activitypub-rsa-key.mjs`, `scripts/preflight-activitypub-profile-urls.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-endpoint-activitypub-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indiekit-routes-rate-limits.mjs`, `scripts/patch-indiekit-error-production-stack.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-listening-endpoint-runtime-guards.mjs`). - Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/preflight-activitypub-rsa-key.mjs`, `scripts/preflight-activitypub-profile-urls.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-endpoint-activitypub-locales.mjs`, `scripts/patch-endpoint-activitypub-docloader-loglevel.mjs`, `scripts/patch-endpoint-activitypub-private-url-docloader.mjs`, `scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs`, `scripts/patch-endpoint-homepage-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indiekit-routes-rate-limits.mjs`, `scripts/patch-indiekit-error-production-stack.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-listening-endpoint-runtime-guards.mjs`).
- The production security preflight blocks startup on insecure auth/session configuration and catches empty-password bcrypt hashes. - The production security preflight blocks startup on insecure auth/session configuration and catches empty-password bcrypt hashes.
- One-time recovery mode is available with `INDIEKIT_ALLOW_PASSWORD_SETUP=1` to bootstrap/reset `PASSWORD_SECRET` when locked out. Remove this flag after setting a valid hash. - One-time recovery mode is available with `INDIEKIT_ALLOW_PASSWORD_SETUP=1` to bootstrap/reset `PASSWORD_SECRET` when locked out. Remove this flag after setting a valid hash.
- The media scope patch fixes a known upstream issue where file uploads can fail if the token scope is `create update delete` without explicit `media`. - The media scope patch fixes a known upstream issue where file uploads can fail if the token scope is `create update delete` without explicit `media`.

View File

@@ -84,7 +84,7 @@ const blueskyHandle = (process.env.BLUESKY_HANDLE || "")
.trim() .trim()
.replace(/^@+/, ""); .replace(/^@+/, "");
const blueskyPassword = process.env.BLUESKY_PASSWORD || ""; const blueskyPassword = process.env.BLUESKY_PASSWORD || "";
const mastodonUrl = process.env.MASTODON_URL || "https://mastodon.social"; const mastodonUrl = process.env.MASTODON_URL || "https://troet.cafe";
const mastodonUser = ( const mastodonUser = (
process.env.MASTODON_USER || process.env.MASTODON_USERNAME || "" process.env.MASTODON_USER || process.env.MASTODON_USERNAME || ""
) )
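Review bot: the `mastodonUrl` default change from `https://mastodon.social` to `https://troet.cafe` is unrelated to the private-DNS docloader fix named in the commit message and is not mentioned in the README hunk; it changes behaviour for any deployment that relies on the default instead of setting `MASTODON_URL`. Suggest moving it to its own commit, or at least naming it in the commit message so the change is discoverable later.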

View File

@@ -4,8 +4,8 @@
"description": "", "description": "",
"main": "index.js", "main": "index.js",
"scripts": { "scripts": {
"postinstall": "node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs", "postinstall": "node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-private-url-docloader.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node 
scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs",
"serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-rsa-key.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs", "serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-rsa-key.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node 
scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-private-url-docloader.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
"test": "echo \"Error: no test specified\" && exit 1" "test": "echo \"Error: no test specified\" && exit 1"
}, },
"keywords": [], "keywords": [],
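Review bot: the new script is inserted at the same position in both `postinstall` and `serve` (after `patch-endpoint-activitypub-docloader-loglevel.mjs`, before `patch-endpoint-activitypub-migrate-alias-clear.mjs`), which matches the `start.sh` order. Because both chains are `&&`-joined, the script has to keep exiting zero when its targets are missing; the "No activitypub private-url patch targets found" branch in the new file does that, so keep it that way if the script later gains error handling.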

View File

@@ -0,0 +1,245 @@
import { access, readFile, writeFile } from "node:fs/promises";
const patchSpecs = [
{
name: "activitypub-compose-publication-private-docloader",
candidates: [
"node_modules/@rmdes/indiekit-endpoint-activitypub/lib/controllers/compose.js",
"node_modules/@indiekit/indiekit/node_modules/@rmdes/indiekit-endpoint-activitypub/lib/controllers/compose.js",
],
replacements: [
{
oldSnippet: [
"import { getToken, validateToken } from \"../csrf.js\";",
"import { sanitizeContent } from \"../timeline-store.js\";",
].join("\n"),
newSnippet: [
"import { getToken, validateToken } from \"../csrf.js\";",
"import { sanitizeContent } from \"../timeline-store.js\";",
"",
"function createPublicationAwareDocumentLoader(documentLoader, publicationUrl) {",
" if (typeof documentLoader !== \"function\") {",
" return documentLoader;",
" }",
"",
" let publicationHost = \"\";",
" try {",
" publicationHost = new URL(publicationUrl).hostname;",
" } catch {",
" return documentLoader;",
" }",
"",
" return (url, options = {}) => {",
" try {",
" const parsed = new URL(",
" typeof url === \"string\" ? url : (url?.href || String(url)),",
" );",
" if (parsed.hostname === publicationHost) {",
" return documentLoader(url, { ...options, allowPrivateAddress: true });",
" }",
" } catch {",
" // Fall through to default loader behavior.",
" }",
"",
" return documentLoader(url, options);",
" };",
"}",
].join("\n"),
},
{
oldSnippet: [
" const documentLoader = await ctx.getDocumentLoader({",
" identifier: handle,",
" });",
" const remoteObject = await ctx.lookupObject(new URL(replyTo), {",
" documentLoader,",
" });",
].join("\n"),
newSnippet: [
" const rawDocumentLoader = await ctx.getDocumentLoader({",
" identifier: handle,",
" });",
" const documentLoader = createPublicationAwareDocumentLoader(",
" rawDocumentLoader,",
" plugin._publicationUrl,",
" );",
" const remoteObject = await ctx.lookupObject(new URL(replyTo), {",
" documentLoader,",
" });",
].join("\n"),
},
],
},
{
name: "activitypub-resolve-author-publication-private-docloader",
candidates: [
"node_modules/@rmdes/indiekit-endpoint-activitypub/lib/resolve-author.js",
"node_modules/@indiekit/indiekit/node_modules/@rmdes/indiekit-endpoint-activitypub/lib/resolve-author.js",
],
replacements: [
{
oldSnippet: [
"}",
"",
"/**",
" * Resolve the author Actor for a given post URL.",
].join("\n"),
newSnippet: [
"}",
"",
"function createPublicationAwareDocumentLoader(documentLoader, publicationUrl) {",
" if (typeof documentLoader !== \"function\") {",
" return documentLoader;",
" }",
"",
" let publicationHost = \"\";",
" try {",
" publicationHost = new URL(publicationUrl).hostname;",
" } catch {",
" return documentLoader;",
" }",
"",
" return (url, options = {}) => {",
" try {",
" const parsed = new URL(",
" typeof url === \"string\" ? url : (url?.href || String(url)),",
" );",
" if (parsed.hostname === publicationHost) {",
" return documentLoader(url, { ...options, allowPrivateAddress: true });",
" }",
" } catch {",
" // Fall through to default loader behavior.",
" }",
"",
" return documentLoader(url, options);",
" };",
"}",
"",
"/**",
" * Resolve the author Actor for a given post URL.",
].join("\n"),
},
{
oldSnippet: [
"export async function resolveAuthor(",
" postUrl,",
" ctx,",
" documentLoader,",
" collections,",
") {",
" // Strategy 1: Look up remote post via Fedify (signed request)",
].join("\n"),
newSnippet: [
"export async function resolveAuthor(",
" postUrl,",
" ctx,",
" documentLoader,",
" collections,",
") {",
" const publicationLoader = createPublicationAwareDocumentLoader(",
" documentLoader,",
" ctx?.url?.href || \"\",",
" );",
"",
" // Strategy 1: Look up remote post via Fedify (signed request)",
].join("\n"),
},
{
oldSnippet: [
" const remoteObject = await ctx.lookupObject(new URL(postUrl), {",
" documentLoader,",
" });",
" if (remoteObject && typeof remoteObject.getAttributedTo === \"function\") {",
" const author = await remoteObject.getAttributedTo({ documentLoader });",
].join("\n"),
newSnippet: [
" const remoteObject = await ctx.lookupObject(new URL(postUrl), {",
" documentLoader: publicationLoader,",
" });",
" if (remoteObject && typeof remoteObject.getAttributedTo === \"function\") {",
" const author = await remoteObject.getAttributedTo({",
" documentLoader: publicationLoader,",
" });",
].join("\n"),
},
{
oldSnippet: [
" const actor = await ctx.lookupObject(new URL(authorUrl), {",
" documentLoader,",
" });",
].join("\n"),
newSnippet: [
" const actor = await ctx.lookupObject(new URL(authorUrl), {",
" documentLoader: publicationLoader,",
" });",
].join("\n"),
},
{
oldSnippet: [
" const actor = await ctx.lookupObject(new URL(extractedUrl), {",
" documentLoader,",
" });",
].join("\n"),
newSnippet: [
" const actor = await ctx.lookupObject(new URL(extractedUrl), {",
" documentLoader: publicationLoader,",
" });",
].join("\n"),
},
],
},
];
async function exists(filePath) {
try {
await access(filePath);
return true;
} catch {
return false;
}
}
let filesChecked = 0;
let filesPatched = 0;
for (const patchSpec of patchSpecs) {
for (const filePath of patchSpec.candidates) {
if (!(await exists(filePath))) {
continue;
}
filesChecked += 1;
const source = await readFile(filePath, "utf8");
let updated = source;
for (const replacement of patchSpec.replacements) {
if (updated.includes(replacement.newSnippet)) {
continue;
}
if (!updated.includes(replacement.oldSnippet)) {
continue;
}
updated = updated.replace(replacement.oldSnippet, replacement.newSnippet);
}
if (updated === source) {
continue;
}
await writeFile(filePath, updated, "utf8");
filesPatched += 1;
}
}
if (filesChecked === 0) {
console.log("[postinstall] No activitypub private-url patch targets found");
} else if (filesPatched === 0) {
console.log("[postinstall] activitypub private-url docloader patch already applied");
} else {
console.log(
`[postinstall] Patched activitypub publication-host private-url handling in ${filesPatched}/${filesChecked} file(s)`,
);
}
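Review bot: the `oldSnippet` miss at `if (!updated.includes(replacement.oldSnippet)) { continue; }` is silent, so if upstream `compose.js` or `resolve-author.js` drifts, the helper definition can be inserted while the call-site replacement is skipped (or the reverse), and startup still reports "Patched ... in N file(s)" on the first run and "already applied" afterwards with the fix not in effect; log a warning naming `patchSpec.name` and the failed replacement index, and consider counting applied replacements per spec rather than only changed files. Security point: `parsed.hostname === publicationHost` is the only gate before `allowPrivateAddress: true` is passed to the underlying loader; it does not consider scheme or port, and it cannot see where the loader ends up if the publication host answers with a redirect, so confirm that the Fedify document loader re-applies its private-address check on redirect targets, or narrow the wrapper further (for example require `parsed.protocol === "https:"` as well). Minor: the `createPublicationAwareDocumentLoader` body is duplicated verbatim in both patch specs; keeping it in one constant shared by both `newSnippet` arrays would stop the two copies drifting apart.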

View File

@@ -60,6 +60,7 @@ unset DEBUG
/usr/local/bin/node scripts/patch-endpoint-files-upload-locales.mjs /usr/local/bin/node scripts/patch-endpoint-files-upload-locales.mjs
/usr/local/bin/node scripts/patch-endpoint-activitypub-locales.mjs /usr/local/bin/node scripts/patch-endpoint-activitypub-locales.mjs
/usr/local/bin/node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs /usr/local/bin/node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs
/usr/local/bin/node scripts/patch-endpoint-activitypub-private-url-docloader.mjs
/usr/local/bin/node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs /usr/local/bin/node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs
/usr/local/bin/node scripts/patch-endpoint-homepage-locales.mjs /usr/local/bin/node scripts/patch-endpoint-homepage-locales.mjs
/usr/local/bin/node scripts/patch-frontend-serviceworker-file.mjs /usr/local/bin/node scripts/patch-frontend-serviceworker-file.mjs