From a9575059a7575c4114bc487f858a9fa014f158b4 Mon Sep 17 00:00:00 2001
From: Sven <sgiersig@icloud.com>
Date: Sun, 15 Mar 2026 23:16:12 +0100
Subject: [PATCH] chore: allow Fedify to fetch own-site URLs resolving to
 private IPs

blog.giersig.eu resolves to 10.100.0.10 (private LAN) from the server,
causing Fedify's SSRF guard to block lookupObject() and WebFinger calls
for own posts when processing incoming ActivityPub activities.

Adds patch-ap-allow-private-address.mjs which sets allowPrivateAddress: true
on createFederation(), wired into both postinstall and serve scripts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 package.json                               |   4 +-
 scripts/patch-ap-allow-private-address.mjs | 103 +++++++++++++++++++++
 2 files changed, 105 insertions(+), 2 deletions(-)
 create mode 100644 scripts/patch-ap-allow-private-address.mjs

diff --git a/package.json b/package.json
index c1b43f53..e708ba73 100644
--- a/package.json
+++ b/package.json
@@ -4,8 +4,8 @@
   "description": "",
   "main": "index.js",
   "scripts": {
-    "postinstall": "xattr -w com.apple.fileprovider.ignore#P 1 node_modules 2>/dev/null || true && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-endpoint-homepage-identity-defaults.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-micropub-ai-block-resync.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-endpoint-comments-locales.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node scripts/patch-endpoint-github-changelog-categories.mjs && node scripts/patch-microsub-reader-ap-dispatch.mjs && node scripts/patch-endpoint-blogroll-feeds-alias.mjs && node scripts/patch-endpoint-posts-uid-lookup.mjs && node scripts/patch-endpoint-posts-prefill-url.mjs && node scripts/patch-microsub-feed-discovery.mjs && node scripts/patch-conversations-bluesky-self-filter.mjs && node scripts/patch-conversations-bluesky-cursor-fix.mjs && node scripts/patch-inbox-ignore-view-activity.mjs && node scripts/patch-inbox-skip-view-activity-parse.mjs && node scripts/patch-webmention-sender-content-scope.mjs && node scripts/patch-endpoint-micropub-source-filter.mjs && node scripts/patch-endpoint-posts-search-tags.mjs && node scripts/patch-syndicate-force-checked-default.mjs && node scripts/patch-ap-url-lookup-api.mjs && node scripts/patch-ap-inbox-raw-body-digest.mjs && node scripts/patch-ap-object-url-trailing-slash.mjs && node scripts/patch-ap-signature-time-window.mjs",
-    "serve":"export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-rsa-key.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-endpoint-homepage-identity-defaults.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-micropub-ai-block-resync.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-endpoint-comments-locales.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node scripts/patch-endpoint-github-changelog-categories.mjs && node scripts/patch-microsub-reader-ap-dispatch.mjs && node scripts/patch-endpoint-blogroll-feeds-alias.mjs && node scripts/patch-endpoint-posts-uid-lookup.mjs && node scripts/patch-endpoint-posts-prefill-url.mjs && node scripts/patch-microsub-feed-discovery.mjs && node scripts/patch-conversations-bluesky-self-filter.mjs && node scripts/patch-conversations-bluesky-cursor-fix.mjs && node scripts/patch-webmention-sender-content-scope.mjs && node scripts/patch-endpoint-micropub-source-filter.mjs && node scripts/patch-endpoint-posts-search-tags.mjs && node scripts/patch-syndicate-force-checked-default.mjs && node scripts/patch-ap-url-lookup-api.mjs && node scripts/patch-ap-inbox-raw-body-digest.mjs && node scripts/patch-ap-object-url-trailing-slash.mjs && node scripts/patch-ap-signature-time-window.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
+    "postinstall": "xattr -w com.apple.fileprovider.ignore#P 1 node_modules 2>/dev/null || true && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-endpoint-homepage-identity-defaults.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-micropub-ai-block-resync.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-endpoint-comments-locales.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node scripts/patch-endpoint-github-changelog-categories.mjs && node scripts/patch-microsub-reader-ap-dispatch.mjs && node scripts/patch-endpoint-blogroll-feeds-alias.mjs && node scripts/patch-endpoint-posts-uid-lookup.mjs && node scripts/patch-endpoint-posts-prefill-url.mjs && node scripts/patch-microsub-feed-discovery.mjs && node scripts/patch-conversations-bluesky-self-filter.mjs && node scripts/patch-conversations-bluesky-cursor-fix.mjs && node scripts/patch-inbox-ignore-view-activity.mjs && node scripts/patch-inbox-skip-view-activity-parse.mjs && node scripts/patch-webmention-sender-content-scope.mjs && node scripts/patch-endpoint-micropub-source-filter.mjs && node scripts/patch-endpoint-posts-search-tags.mjs && node scripts/patch-syndicate-force-checked-default.mjs && node scripts/patch-ap-url-lookup-api.mjs && node scripts/patch-ap-inbox-raw-body-digest.mjs && node scripts/patch-ap-object-url-trailing-slash.mjs && node scripts/patch-ap-signature-time-window.mjs && node scripts/patch-ap-allow-private-address.mjs",
+    "serve":"export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-rsa-key.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-endpoint-homepage-identity-defaults.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-micropub-ai-block-resync.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-endpoint-comments-locales.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node scripts/patch-endpoint-github-changelog-categories.mjs && node scripts/patch-microsub-reader-ap-dispatch.mjs && node scripts/patch-endpoint-blogroll-feeds-alias.mjs && node scripts/patch-endpoint-posts-uid-lookup.mjs && node scripts/patch-endpoint-posts-prefill-url.mjs && node scripts/patch-microsub-feed-discovery.mjs && node scripts/patch-conversations-bluesky-self-filter.mjs && node scripts/patch-conversations-bluesky-cursor-fix.mjs && node scripts/patch-webmention-sender-content-scope.mjs && node scripts/patch-endpoint-micropub-source-filter.mjs && node scripts/patch-endpoint-posts-search-tags.mjs && node scripts/patch-syndicate-force-checked-default.mjs && node scripts/patch-ap-url-lookup-api.mjs && node scripts/patch-ap-inbox-raw-body-digest.mjs && node scripts/patch-ap-object-url-trailing-slash.mjs && node scripts/patch-ap-signature-time-window.mjs && node scripts/patch-ap-allow-private-address.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "keywords": [],
diff --git a/scripts/patch-ap-allow-private-address.mjs b/scripts/patch-ap-allow-private-address.mjs
new file mode 100644
index 00000000..5cb57885
--- /dev/null
+++ b/scripts/patch-ap-allow-private-address.mjs
@@ -0,0 +1,103 @@
+/**
+ * Patch: allow Fedify to fetch URLs that resolve to private IP addresses.
+ *
+ * Root cause:
+ *   blog.giersig.eu resolves to 10.100.0.10 (a private RFC-1918 address)
+ *   from within the home network where the indiekit server runs. When a
+ *   remote Fediverse server sends an activity (Like, Announce, etc.) whose
+ *   object URL points to blog.giersig.eu, Fedify tries to dereference that
+ *   URL to validate the object. Its built-in SSRF guard calls
+ *   validatePublicUrl(), sees the resolved IP is private, and throws:
+ *
+ *     Disallowed private URL: 'https://blog.giersig.eu/likes/ed6d1/'
+ *     Invalid or private address: 10.100.0.10
+ *
+ *   This causes WebFinger lookups and lookupObject() calls for own-site URLs
+ *   to fail, producing ERR-level noise in the log and breaking thread loading
+ *   in the ActivityPub reader for local posts.
+ *
+ * Fix:
+ *   Pass allowPrivateAddress: true to createFederation. This disables the
+ *   SSRF IP check so Fedify can dereference own-site URLs. The network-level
+ *   solution (split-horizon DNS returning the public IP inside the LAN) is
+ *   cleaner but requires router/DNS changes outside the codebase.
+ */
+
+import { access, readFile, writeFile } from "node:fs/promises";
+
+const candidates = [
+  "node_modules/@rmdes/indiekit-endpoint-activitypub/lib/federation-setup.js",
+  "node_modules/@indiekit/indiekit/node_modules/@rmdes/indiekit-endpoint-activitypub/lib/federation-setup.js",
+];
+
+const MARKER = "// allow private address fix";
+
+const OLD_SNIPPET = `  const federation = createFederation({
+    kv,
+    queue,
+    // Accept signatures up to 12 h old. // signature time window fix
+    // Mastodon retries failed deliveries with the original signature, which
+    // can be hours old by the time the delivery succeeds.
+    signatureTimeWindow: { hours: 12 },
+  });`;
+
+const NEW_SNIPPET = `  const federation = createFederation({
+    kv,
+    queue,
+    // Accept signatures up to 12 h old. // signature time window fix
+    // Mastodon retries failed deliveries with the original signature, which
+    // can be hours old by the time the delivery succeeds.
+    signatureTimeWindow: { hours: 12 },
+    // Allow fetching own-site URLs that resolve to private IPs. // allow private address fix
+    // blog.giersig.eu resolves to 10.100.0.10 on the home LAN. Without this,
+    // Fedify's SSRF guard blocks lookupObject() / WebFinger for own posts.
+    allowPrivateAddress: true,
+  });`;
+
+async function exists(filePath) {
+  try {
+    await access(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+let checked = 0;
+let patched = 0;
+
+for (const filePath of candidates) {
+  if (!(await exists(filePath))) {
+    continue;
+  }
+
+  checked += 1;
+  const source = await readFile(filePath, "utf8");
+
+  if (source.includes(MARKER)) {
+    continue;
+  }
+
+  if (!source.includes(OLD_SNIPPET)) {
+    console.log(`[postinstall] patch-ap-allow-private-address: snippet not found in ${filePath}`);
+    continue;
+  }
+
+  const updated = source.replace(OLD_SNIPPET, NEW_SNIPPET);
+
+  if (updated === source) {
+    continue;
+  }
+
+  await writeFile(filePath, updated, "utf8");
+  patched += 1;
+  console.log(`[postinstall] Applied patch-ap-allow-private-address to ${filePath}`);
+}
+
+if (checked === 0) {
+  console.log("[postinstall] patch-ap-allow-private-address: no target files found");
+} else if (patched === 0) {
+  console.log("[postinstall] patch-ap-allow-private-address: already up to date");
+} else {
+  console.log(`[postinstall] patch-ap-allow-private-address: patched ${patched}/${checked} file(s)`);
+}