giersig.eu/indiekit-server
1
0
Fork 0
Code Issues Actions Packages Projects Releases Activity

fix(activitypub): handle publication host private DNS lookups

Browse Source
This commit is contained in:
svemagie
2026-03-09 19:39:04 +01:00
parent d237dac539
commit 1365f696f0
5 changed files with 251 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -126,6 +126,7 @@
- `REDIS_URL` (recommended for production delivery queue durability)
- Startup preflight `scripts/preflight-activitypub-rsa-key.mjs` ensures `ap_keys` contains a usable RSA key pair (`publicKeyPem` + `privateKeyPem`) so outgoing inbox deliveries are HTTP-signed and not rejected with `Request not signed`.
- Startup preflight `scripts/preflight-activitypub-profile-urls.mjs` normalizes existing ActivityPub profile URL fields in MongoDB (`url`, `icon`, `image`, `alsoKnownAs`) so WebFinger/actor responses do not fail on invalid URL values.
- The ActivityPub private-url docloader patch (`scripts/patch-endpoint-activitypub-private-url-docloader.mjs`) allows Fedify lookups for your own publication hostname when split-horizon DNS resolves it to a private jail IP.
- The ActivityPub locale patch creates/repairs `locales/de.json` from `locales/en.json` so backend UI keys do not render as raw `activitypub.*` translation strings when `SITE_LOCALE=de`.
- Quick verification commands:
- `curl -s "https://blog.giersig.eu/.well-known/webfinger?resource=acct:<handle>@blog.giersig.eu" | jq .`
@@ -138,7 +139,7 @@
- `start.sh` is intentionally ignored by Git (`.gitignore`) so server secrets are not committed.
- Use `start.example.sh` as the tracked template and keep real credentials in environment variables (or `.env` on the server).
- Startup scripts parse `.env` with the `dotenv` parser (not shell `source`), so values containing spaces are handled safely.
- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/preflight-activitypub-rsa-key.mjs`, `scripts/preflight-activitypub-profile-urls.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-endpoint-activitypub-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indiekit-routes-rate-limits.mjs`, `scripts/patch-indiekit-error-production-stack.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-listening-endpoint-runtime-guards.mjs`).
- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/preflight-activitypub-rsa-key.mjs`, `scripts/preflight-activitypub-profile-urls.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-endpoint-activitypub-locales.mjs`, `scripts/patch-endpoint-activitypub-docloader-loglevel.mjs`, `scripts/patch-endpoint-activitypub-private-url-docloader.mjs`, `scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs`, `scripts/patch-endpoint-homepage-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indiekit-routes-rate-limits.mjs`, `scripts/patch-indiekit-error-production-stack.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-listening-endpoint-runtime-guards.mjs`).
- The production security preflight blocks startup on insecure auth/session configuration and catches empty-password bcrypt hashes.
- One-time recovery mode is available with `INDIEKIT_ALLOW_PASSWORD_SETUP=1` to bootstrap/reset `PASSWORD_SECRET` when locked out. Remove this flag after setting a valid hash.
- The media scope patch fixes a known upstream issue where file uploads can fail if the token scope is `create update delete` without explicit `media`.

2
indiekit.config.mjs
View File

@@ -84,7 +84,7 @@ const blueskyHandle = (process.env.BLUESKY_HANDLE || "")
.trim()
.replace(/^@+/, "");
const blueskyPassword = process.env.BLUESKY_PASSWORD || "";
const mastodonUrl = process.env.MASTODON_URL || "https://mastodon.social";
const mastodonUrl = process.env.MASTODON_URL || "https://troet.cafe";
const mastodonUser = (
process.env.MASTODON_USER || process.env.MASTODON_USERNAME || ""
)

4
package.json
View File

@@ -4,8 +4,8 @@
"description": "",
"main": "index.js",
"scripts": {
"postinstall": "node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs",
"serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-rsa-key.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
"postinstall": "node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-private-url-docloader.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs",
"serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-rsa-key.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-private-url-docloader.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],

245
scripts/patch-endpoint-activitypub-private-url-docloader.mjs Normal file
View File

@@ -0,0 +1,245 @@
import { access, readFile, writeFile } from "node:fs/promises";
const patchSpecs = [
{
name: "activitypub-compose-publication-private-docloader",
candidates: [
"node_modules/@rmdes/indiekit-endpoint-activitypub/lib/controllers/compose.js",
"node_modules/@indiekit/indiekit/node_modules/@rmdes/indiekit-endpoint-activitypub/lib/controllers/compose.js",
],
replacements: [
{
oldSnippet: [
"import { getToken, validateToken } from \"../csrf.js\";",
"import { sanitizeContent } from \"../timeline-store.js\";",
].join("\n"),
newSnippet: [
"import { getToken, validateToken } from \"../csrf.js\";",
"import { sanitizeContent } from \"../timeline-store.js\";",
"",
"function createPublicationAwareDocumentLoader(documentLoader, publicationUrl) {",
" if (typeof documentLoader !== \"function\") {",
" return documentLoader;",
" }",
"",
" let publicationHost = \"\";",
" try {",
" publicationHost = new URL(publicationUrl).hostname;",
" } catch {",
" return documentLoader;",
" }",
"",
" return (url, options = {}) => {",
" try {",
" const parsed = new URL(",
" typeof url === \"string\" ? url : (url?.href || String(url)),",
" );",
" if (parsed.hostname === publicationHost) {",
" return documentLoader(url, { ...options, allowPrivateAddress: true });",
" }",
" } catch {",
" // Fall through to default loader behavior.",
" }",
"",
" return documentLoader(url, options);",
" };",
"}",
].join("\n"),
},
{
oldSnippet: [
" const documentLoader = await ctx.getDocumentLoader({",
" identifier: handle,",
" });",
" const remoteObject = await ctx.lookupObject(new URL(replyTo), {",
" documentLoader,",
" });",
].join("\n"),
newSnippet: [
" const rawDocumentLoader = await ctx.getDocumentLoader({",
" identifier: handle,",
" });",
" const documentLoader = createPublicationAwareDocumentLoader(",
" rawDocumentLoader,",
" plugin._publicationUrl,",
" );",
" const remoteObject = await ctx.lookupObject(new URL(replyTo), {",
" documentLoader,",
" });",
].join("\n"),
},
],
},
{
name: "activitypub-resolve-author-publication-private-docloader",
candidates: [
"node_modules/@rmdes/indiekit-endpoint-activitypub/lib/resolve-author.js",
"node_modules/@indiekit/indiekit/node_modules/@rmdes/indiekit-endpoint-activitypub/lib/resolve-author.js",
],
replacements: [
{
oldSnippet: [
"}",
"",
"/**",
" * Resolve the author Actor for a given post URL.",
].join("\n"),
newSnippet: [
"}",
"",
"function createPublicationAwareDocumentLoader(documentLoader, publicationUrl) {",
" if (typeof documentLoader !== \"function\") {",
" return documentLoader;",
" }",
"",
" let publicationHost = \"\";",
" try {",
" publicationHost = new URL(publicationUrl).hostname;",
" } catch {",
" return documentLoader;",
" }",
"",
" return (url, options = {}) => {",
" try {",
" const parsed = new URL(",
" typeof url === \"string\" ? url : (url?.href || String(url)),",
" );",
" if (parsed.hostname === publicationHost) {",
" return documentLoader(url, { ...options, allowPrivateAddress: true });",
" }",
" } catch {",
" // Fall through to default loader behavior.",
" }",
"",
" return documentLoader(url, options);",
" };",
"}",
"",
"/**",
" * Resolve the author Actor for a given post URL.",
].join("\n"),
},
{
oldSnippet: [
"export async function resolveAuthor(",
" postUrl,",
" ctx,",
" documentLoader,",
" collections,",
") {",
" // Strategy 1: Look up remote post via Fedify (signed request)",
].join("\n"),
newSnippet: [
"export async function resolveAuthor(",
" postUrl,",
" ctx,",
" documentLoader,",
" collections,",
") {",
" const publicationLoader = createPublicationAwareDocumentLoader(",
" documentLoader,",
" ctx?.url?.href || \"\",",
" );",
"",
" // Strategy 1: Look up remote post via Fedify (signed request)",
].join("\n"),
},
{
oldSnippet: [
" const remoteObject = await ctx.lookupObject(new URL(postUrl), {",
" documentLoader,",
" });",
" if (remoteObject && typeof remoteObject.getAttributedTo === \"function\") {",
" const author = await remoteObject.getAttributedTo({ documentLoader });",
].join("\n"),
newSnippet: [
" const remoteObject = await ctx.lookupObject(new URL(postUrl), {",
" documentLoader: publicationLoader,",
" });",
" if (remoteObject && typeof remoteObject.getAttributedTo === \"function\") {",
" const author = await remoteObject.getAttributedTo({",
" documentLoader: publicationLoader,",
" });",
].join("\n"),
},
{
oldSnippet: [
" const actor = await ctx.lookupObject(new URL(authorUrl), {",
" documentLoader,",
" });",
].join("\n"),
newSnippet: [
" const actor = await ctx.lookupObject(new URL(authorUrl), {",
" documentLoader: publicationLoader,",
" });",
].join("\n"),
},
{
oldSnippet: [
" const actor = await ctx.lookupObject(new URL(extractedUrl), {",
" documentLoader,",
" });",
].join("\n"),
newSnippet: [
" const actor = await ctx.lookupObject(new URL(extractedUrl), {",
" documentLoader: publicationLoader,",
" });",
].join("\n"),
},
],
},
];
async function exists(filePath) {
try {
await access(filePath);
return true;
} catch {
return false;
}
}
let filesChecked = 0;
let filesPatched = 0;
for (const patchSpec of patchSpecs) {
for (const filePath of patchSpec.candidates) {
if (!(await exists(filePath))) {
continue;
}
filesChecked += 1;
const source = await readFile(filePath, "utf8");
let updated = source;
for (const replacement of patchSpec.replacements) {
if (updated.includes(replacement.newSnippet)) {
continue;
}
if (!updated.includes(replacement.oldSnippet)) {
continue;
}
updated = updated.replace(replacement.oldSnippet, replacement.newSnippet);
}
if (updated === source) {
continue;
}
await writeFile(filePath, updated, "utf8");
filesPatched += 1;
}
}
if (filesChecked === 0) {
console.log("[postinstall] No activitypub private-url patch targets found");
} else if (filesPatched === 0) {
console.log("[postinstall] activitypub private-url docloader patch already applied");
} else {
console.log(
`[postinstall] Patched activitypub publication-host private-url handling in ${filesPatched}/${filesChecked} file(s)`,
);
}

1
start.example.sh
View File

@@ -60,6 +60,7 @@ unset DEBUG
/usr/local/bin/node scripts/patch-endpoint-files-upload-locales.mjs
/usr/local/bin/node scripts/patch-endpoint-activitypub-locales.mjs
/usr/local/bin/node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs
/usr/local/bin/node scripts/patch-endpoint-activitypub-private-url-docloader.mjs
/usr/local/bin/node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs
/usr/local/bin/node scripts/patch-endpoint-homepage-locales.mjs
/usr/local/bin/node scripts/patch-frontend-serviceworker-file.mjs