svemagie/indiekit-endpoint-activitypub
1
0
Fork 0
mirror of https://github.com/svemagie/indiekit-endpoint-activitypub.git synced 2026-04-02 15:44:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

merge: upstream c2920ca raw signed fetch fallback for author resolution

Browse Source 
Merges upstream fix that adds Strategy 1b to resolveAuthor: a raw signed
HTTP fetch for servers (e.g. wafrn) that return AP JSON without @context,
which Fedify's JSON-LD processor would otherwise reject.

Combined with our 5-second timeout wrapper so both improvements apply:
- privateKey/keyId now passed to resolveAuthor for the signed raw fetch
- timeout still guards all three strategies against slow/unreachable remotes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
svemagie
2026-03-23 09:32:33 +01:00
parent 01f6f81bda c2920cafd8
commit b33932f1f6
7 changed files with 83 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
index.js
View File

@@ -856,7 +856,7 @@ export default class ActivityPubEndpoint {
"pkcs8",
Buffer.from(pemBody, "base64"),
{ name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
false,
true,
["sign"],
);
} catch (error) {
@@ -1827,6 +1827,7 @@ export default class ActivityPubEndpoint {
federation: this._federation,
followActor: (url, info) => pluginRef.followActor(url, info),
unfollowActor: (url) => pluginRef.unfollowActor(url),
loadRsaKey: () => pluginRef._loadRsaPrivateKey(),
},
});
Indiekit.addEndpoint({

5
lib/controllers/interactions-boost.js
View File

@@ -72,11 +72,16 @@ export function boostController(mountPath, plugin) {
identifier: handle,
});
const { application } = request.app.locals;
const rsaKey = await plugin._loadRsaPrivateKey();
const recipient = await resolveAuthor(
url,
ctx,
documentLoader,
application?.collections,
{
privateKey: rsaKey,
keyId: `${ctx.getActorUri(handle).href}#main-key`,
},
);
if (recipient) {

10
lib/controllers/interactions-like.js
View File

@@ -49,11 +49,16 @@ export function likeController(mountPath, plugin) {
});
const { application } = request.app.locals;
const rsaKey = await plugin._loadRsaPrivateKey();
const recipient = await resolveAuthor(
url,
ctx,
documentLoader,
application?.collections,
{
privateKey: rsaKey,
keyId: `${ctx.getActorUri(handle).href}#main-key`,
},
);
if (!recipient) {
@@ -170,11 +175,16 @@ export function unlikeController(mountPath, plugin) {
identifier: handle,
});
const rsaKey2 = await plugin._loadRsaPrivateKey();
const recipient = await resolveAuthor(
url,
ctx,
documentLoader,
application?.collections,
{
privateKey: rsaKey2,
keyId: `${ctx.getActorUri(handle).href}#main-key`,
},
);
if (!recipient) {

24
lib/mastodon/helpers/interactions.js
View File

@@ -22,7 +22,7 @@ import { resolveAuthor } from "../../resolve-author.js";
* @param {object} params.interactions - ap_interactions collection
* @returns {Promise<{ activityId: string }>}
*/
export async function likePost({ targetUrl, federation, handle, publicationUrl, collections, interactions }) {
export async function likePost({ targetUrl, federation, handle, publicationUrl, collections, interactions, loadRsaKey }) {
const { Like } = await import("@fedify/fedify/vocab");
const ctx = federation.createContext(
new URL(publicationUrl),
@@ -32,10 +32,14 @@ export async function likePost({ targetUrl, federation, handle, publicationUrl,
const documentLoader = await ctx.getDocumentLoader({ identifier: handle });
// resolveAuthor makes up to 3 signed HTTP requests to the remote server.
// Cap at 5 s so a slow/unreachable remote never blocks the client response.
const rsaKey = loadRsaKey ? await loadRsaKey() : null;
let recipient = null;
try {
recipient = await Promise.race([
resolveAuthor(targetUrl, ctx, documentLoader, collections),
resolveAuthor(targetUrl, ctx, documentLoader, collections, {
privateKey: rsaKey,
keyId: `${ctx.getActorUri(handle).href}#main-key`,
}),
new Promise((_, reject) => setTimeout(() => reject(new Error("resolveAuthor timeout")), 5000)),
]);
} catch { /* skip AP delivery — interaction is still recorded locally */ }
@@ -87,7 +91,7 @@ export async function likePost({ targetUrl, federation, handle, publicationUrl,
* @param {object} params.interactions - ap_interactions collection
* @returns {Promise<void>}
*/
export async function unlikePost({ targetUrl, federation, handle, publicationUrl, collections, interactions }) {
export async function unlikePost({ targetUrl, federation, handle, publicationUrl, collections, interactions, loadRsaKey }) {
const existing = interactions
? await interactions.findOne({ objectUrl: targetUrl, type: "like" })
: null;
@@ -103,10 +107,14 @@ export async function unlikePost({ targetUrl, federation, handle, publicationUrl
);
const documentLoader = await ctx.getDocumentLoader({ identifier: handle });
const rsaKey = loadRsaKey ? await loadRsaKey() : null;
let recipient = null;
try {
recipient = await Promise.race([
resolveAuthor(targetUrl, ctx, documentLoader, collections),
resolveAuthor(targetUrl, ctx, documentLoader, collections, {
privateKey: rsaKey,
keyId: `${ctx.getActorUri(handle).href}#main-key`,
}),
new Promise((_, reject) => setTimeout(() => reject(new Error("resolveAuthor timeout")), 5000)),
]);
} catch { /* skip AP delivery */ }
@@ -145,7 +153,7 @@ export async function unlikePost({ targetUrl, federation, handle, publicationUrl
* @param {object} params.interactions - ap_interactions collection
* @returns {Promise<{ activityId: string }>}
*/
export async function boostPost({ targetUrl, federation, handle, publicationUrl, collections, interactions }) {
export async function boostPost({ targetUrl, federation, handle, publicationUrl, collections, interactions, loadRsaKey }) {
const { Announce } = await import("@fedify/fedify/vocab");
const ctx = federation.createContext(
new URL(publicationUrl),
@@ -176,10 +184,14 @@ export async function boostPost({ targetUrl, federation, handle, publicationUrl,
// Also send directly to the original post author (best-effort, 5 s cap)
const documentLoader = await ctx.getDocumentLoader({ identifier: handle });
const rsaKey = loadRsaKey ? await loadRsaKey() : null;
let recipient = null;
try {
recipient = await Promise.race([
resolveAuthor(targetUrl, ctx, documentLoader, collections),
resolveAuthor(targetUrl, ctx, documentLoader, collections, {
privateKey: rsaKey,
keyId: `${ctx.getActorUri(handle).href}#main-key`,
}),
new Promise((_, reject) => setTimeout(() => reject(new Error("resolveAuthor timeout")), 5000)),
]);
} catch { /* skip author delivery — follower delivery already happened */ }

1
lib/mastodon/routes/statuses.js
View File

@@ -793,6 +793,7 @@ function getFederationOpts(req) {
handle: pluginOptions.handle || "user",
publicationUrl: pluginOptions.publicationUrl,
collections: req.app.locals.mastodonCollections,
loadRsaKey: pluginOptions.loadRsaKey,
};
}

46
lib/resolve-author.js
View File

@@ -6,6 +6,8 @@
*
* Strategies (tried in order):
* 1. lookupObject on post URL → getAttributedTo
* 1b. Raw signed fetch fallback (for servers like wafrn that return
* non-standard JSON-LD that Fedify can't parse)
* 2. Timeline/notification DB lookup → lookupObject on stored author URL
* 3. Extract author URL from post URL pattern → lookupObject
*/
@@ -60,6 +62,9 @@ export function extractAuthorUrl(postUrl) {
* @param {object} ctx - Fedify context
* @param {object} documentLoader - Authenticated document loader
* @param {object} [collections] - Optional MongoDB collections map (application.collections)
* @param {object} [options] - Additional options
* @param {CryptoKey} [options.privateKey] - RSA private key for raw signed fetch fallback
* @param {string} [options.keyId] - Key ID for HTTP Signature (e.g. "...#main-key")
* @returns {Promise<object|null>} - Fedify Actor object or null
*/
export async function resolveAuthor(
@@ -67,6 +72,7 @@ export async function resolveAuthor(
ctx,
documentLoader,
collections,
options = {},
) {
// Strategy 1: Look up remote post via Fedify (signed request)
try {
@@ -90,6 +96,46 @@ export async function resolveAuthor(
);
}
// Strategy 1b: Raw signed fetch fallback
// Some servers (e.g. wafrn) return AP JSON without @context, which Fedify's
// JSON-LD processor rejects. A raw fetch can still extract attributedTo/actor.
if (options.privateKey && options.keyId) {
try {
const { signRequest } = await import("@fedify/fedify/sig");
const request = new Request(postUrl, {
method: "GET",
headers: { Accept: "application/activity+json" },
});
const signed = await signRequest(request, options.privateKey, new URL(options.keyId), {
spec: "draft-cavage-http-signatures-12",
});
const res = await fetch(signed, { redirect: "follow" });
if (res.ok) {
const contentType = res.headers.get("content-type") || "";
if (contentType.includes("json")) {
const json = await res.json();
const authorUrl = json.attributedTo || json.actor;
if (authorUrl && typeof authorUrl === "string") {
const actor = await lookupWithSecurity(ctx, new URL(authorUrl), {
documentLoader,
});
if (actor) {
console.info(
`[ActivityPub] Resolved author via raw fetch for ${postUrl}${authorUrl}`,
);
return actor;
}
}
}
}
} catch (error) {
console.warn(
`[ActivityPub] Raw fetch fallback failed for ${postUrl}:`,
error.message,
);
}
}
// Strategy 2: Use author URL from timeline or notifications
if (collections) {
const ap_timeline = typeof collections.get === "function" ? collections.get("ap_timeline") : collections.ap_timeline;

2
package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@rmdes/indiekit-endpoint-activitypub",
"version": "3.8.4",
"version": "3.8.5",
"description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
"keywords": [
"indiekit",