Ensure ActivityPub outbox requests are RSA-signed
This commit is contained in:
svemagie
@@ -93,6 +93,7 @@
|
||||
- `AP_DEBUG` (`1` or `true` enables debug dashboard)
|
||||
- `AP_DEBUG_PASSWORD` (required when debug dashboard is enabled)
|
||||
- `REDIS_URL` (recommended for production delivery queue durability)
|
||||
- Startup preflight `scripts/preflight-activitypub-rsa-key.mjs` ensures `ap_keys` contains a usable RSA key pair (`publicKeyPem` + `privateKeyPem`) so outgoing inbox deliveries are HTTP-signed and not rejected with `Request not signed`.
|
||||
- Startup preflight `scripts/preflight-activitypub-profile-urls.mjs` normalizes existing ActivityPub profile URL fields in MongoDB (`url`, `icon`, `image`, `alsoKnownAs`) so WebFinger/actor responses do not fail on invalid URL values.
|
||||
- The ActivityPub locale patch creates/repairs `locales/de.json` from `locales/en.json` so backend UI keys do not render as raw `activitypub.*` translation strings when `SITE_LOCALE=de`.
|
||||
- Quick verification commands:
|
||||
@@ -106,10 +107,11 @@
|
||||
- `start.sh` is intentionally ignored by Git (`.gitignore`) so server secrets are not committed.
|
||||
- Use `start.example.sh` as the tracked template and keep real credentials in environment variables (or `.env` on the server).
|
||||
- Startup scripts parse `.env` with the `dotenv` parser (not shell `source`), so values containing spaces are handled safely.
|
||||
- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/preflight-activitypub-profile-urls.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-endpoint-activitypub-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indiekit-routes-rate-limits.mjs`, `scripts/patch-indiekit-error-production-stack.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-listening-endpoint-runtime-guards.mjs`).
|
||||
- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/preflight-activitypub-rsa-key.mjs`, `scripts/preflight-activitypub-profile-urls.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-endpoint-activitypub-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indiekit-routes-rate-limits.mjs`, `scripts/patch-indiekit-error-production-stack.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-listening-endpoint-runtime-guards.mjs`).
|
||||
- The production security preflight blocks startup on insecure auth/session configuration and catches empty-password bcrypt hashes.
|
||||
- One-time recovery mode is available with `INDIEKIT_ALLOW_PASSWORD_SETUP=1` to bootstrap/reset `PASSWORD_SECRET` when locked out. Remove this flag after setting a valid hash.
|
||||
- The media scope patch fixes a known upstream issue where file uploads can fail if the token scope is `create update delete` without explicit `media`.
|
||||
- The ActivityPub RSA key preflight repairs or creates a usable `type="rsa"` key document in `ap_keys`, so outgoing federation requests can be signed and accepted by stricter inboxes.
|
||||
- The ActivityPub profile URL preflight repairs invalid URL fields in the `ap_profile` document (for example relative `icon` paths), preventing `/.well-known/webfinger` and actor responses from failing with `TypeError: Invalid URL`.
|
||||
- The media sharp runtime patch makes image transformation resilient on FreeBSD: if `sharp` cannot load, uploads continue without resize/rotation instead of crashing the server process.
|
||||
- The frontend sharp runtime patch makes icon generation non-fatal on FreeBSD when `sharp` cannot load, preventing startup crashes in asset controller imports.
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
"main": "index.js",
|
||||
"scripts": {
|
||||
"postinstall": "node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs",
|
||||
"serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
|
||||
"serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-rsa-key.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
|
||||
"test": "echo \"Error: no test specified\" && exit 1"
|
||||
},
|
||||
"keywords": [],
|
||||
|
||||
130
scripts/preflight-activitypub-rsa-key.mjs
Normal file
130
scripts/preflight-activitypub-rsa-key.mjs
Normal file
@@ -0,0 +1,130 @@
|
||||
import { generateKeyPairSync } from "node:crypto";
|
||||
|
||||
import { MongoClient } from "mongodb";
|
||||
|
||||
import config from "../indiekit.config.mjs";
|
||||
|
||||
const strictMode = process.env.REQUIRE_MONGO !== "0";
|
||||
const mongodbUrl = config.application?.mongodbUrl;
|
||||
|
||||
function hasPublicPem(value) {
|
||||
return (
|
||||
typeof value === "string" &&
|
||||
value.includes("-----BEGIN PUBLIC KEY-----") &&
|
||||
value.includes("-----END PUBLIC KEY-----")
|
||||
);
|
||||
}
|
||||
|
||||
function hasPrivatePem(value) {
|
||||
return (
|
||||
typeof value === "string" &&
|
||||
value.includes("-----BEGIN PRIVATE KEY-----") &&
|
||||
value.includes("-----END PRIVATE KEY-----")
|
||||
);
|
||||
}
|
||||
|
||||
function hasValidRsaPem(doc) {
|
||||
return hasPublicPem(doc?.publicKeyPem) && hasPrivatePem(doc?.privateKeyPem);
|
||||
}
|
||||
|
||||
function createRsaPemPair() {
|
||||
const { publicKey, privateKey } = generateKeyPairSync("rsa", {
|
||||
modulusLength: 2048,
|
||||
publicKeyEncoding: { type: "spki", format: "pem" },
|
||||
privateKeyEncoding: { type: "pkcs8", format: "pem" },
|
||||
});
|
||||
|
||||
return { publicKeyPem: publicKey, privateKeyPem: privateKey };
|
||||
}
|
||||
|
||||
if (!mongodbUrl) {
|
||||
console.warn(
|
||||
"[preflight] ActivityPub RSA key sync skipped: MongoDB URL is not configured.",
|
||||
);
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
const client = new MongoClient(mongodbUrl, { connectTimeoutMS: 5000 });
|
||||
|
||||
try {
|
||||
await client.connect();
|
||||
|
||||
const apKeys = client.db().collection("ap_keys");
|
||||
const now = new Date().toISOString();
|
||||
const typedRsaDoc = await apKeys.findOne({ type: "rsa" });
|
||||
|
||||
if (hasValidRsaPem(typedRsaDoc)) {
|
||||
console.log("[preflight] ActivityPub RSA key pair already present");
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
if (typedRsaDoc) {
|
||||
const rsaPair = createRsaPemPair();
|
||||
|
||||
await apKeys.updateOne(
|
||||
{ _id: typedRsaDoc._id },
|
||||
{
|
||||
$set: {
|
||||
type: "rsa",
|
||||
...rsaPair,
|
||||
updatedAt: now,
|
||||
},
|
||||
},
|
||||
);
|
||||
|
||||
console.log(
|
||||
"[preflight] Repaired ActivityPub RSA key pair in existing type='rsa' document",
|
||||
);
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
const legacyPemDoc = await apKeys.findOne({
|
||||
publicKeyPem: { $exists: true },
|
||||
privateKeyPem: { $exists: true },
|
||||
});
|
||||
|
||||
if (hasValidRsaPem(legacyPemDoc)) {
|
||||
if (legacyPemDoc.type !== "rsa") {
|
||||
await apKeys.updateOne(
|
||||
{ _id: legacyPemDoc._id },
|
||||
{
|
||||
$set: {
|
||||
type: "rsa",
|
||||
updatedAt: now,
|
||||
},
|
||||
},
|
||||
);
|
||||
|
||||
console.log("[preflight] Marked existing ActivityPub PEM key as type='rsa'");
|
||||
} else {
|
||||
console.log("[preflight] ActivityPub legacy RSA PEM key already usable");
|
||||
}
|
||||
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
const rsaPair = createRsaPemPair();
|
||||
|
||||
await apKeys.insertOne({
|
||||
type: "rsa",
|
||||
...rsaPair,
|
||||
createdAt: now,
|
||||
});
|
||||
|
||||
console.log("[preflight] Generated and stored ActivityPub RSA key pair");
|
||||
} catch (error) {
|
||||
const message = `[preflight] ActivityPub RSA key sync failed: ${error.message}`;
|
||||
|
||||
if (strictMode) {
|
||||
console.error(message);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
console.warn(`${message} Continuing because strict mode is disabled.`);
|
||||
} finally {
|
||||
try {
|
||||
await client.close();
|
||||
} catch {
|
||||
// no-op
|
||||
}
|
||||
}
|
||||
@@ -45,6 +45,9 @@ unset DEBUG
|
||||
# Verify MongoDB credentials/connectivity before launching server.
|
||||
/usr/local/bin/node scripts/preflight-mongo-connection.mjs
|
||||
|
||||
# Ensure ActivityPub has an RSA keypair for HTTP Signature delivery.
|
||||
/usr/local/bin/node scripts/preflight-activitypub-rsa-key.mjs
|
||||
|
||||
# Normalize ActivityPub profile URL fields (icon/image/aliases) in MongoDB.
|
||||
/usr/local/bin/node scripts/preflight-activitypub-profile-urls.mjs
|
||||
|
||||
|
||||
Reference in New Issue
Block a user