OAuth 2.0 requires the server to echo the state parameter in the
callback redirect. Mastodon clients (e.g. murmel.social) send a
state value and fail with 'missing parameters' if it is absent.
Thread state through: GET query → session store → hidden form field
→ POST body → callback redirect (approve and deny paths).
- Provide content as {text, html} with linkified URLs (Micropub's
markdown-it doesn't have linkify enabled)
- Use content-warning field (not summary) to match native reader and
AP syndicator expectations
- Remove premature addTimelineItem — post appears in timeline after
syndication round-trip, not immediately
- Remove processStatusContent (unused after addTimelineItem removal)
- Remove addTimelineItem import
URLs at the end of a sentence followed by . , ; : ) etc. were capturing
the punctuation character as part of the URL, producing broken links
(e.g. https://example.com. instead of https://example.com).
Fix in both places where URL linkification happens:
- lib/jf2-to-as2.js linkifyUrls() — used when federating posts via AP
- lib/mastodon/routes/statuses.js processStatusContent() — used when
creating posts via the Mastodon Client API
Both now use a replacement callback that strips trailing [.,;:!?)\]'"]
from the captured URL before inserting it into the <a> tag.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds the Mastodon Client API edit endpoint, which was returning 501 so
"Beitrag bearbeiten" / edit post always failed.
Flow:
1. Look up timeline item by cursor ID; 403 if not own post
2. Build Micropub replace operation for content/summary/sensitive/language
and call postData.update() + postContent.update() to update MongoDB
posts collection and the content file on disk
3. Patch ap_timeline with new content, summary, sensitive, and updatedAt
(serializeStatus reads updatedAt → edited_at field)
4. Broadcast AP Update(Note) to all followers via shared inbox so remote
servers can display the edit indicator
5. Return serialized status with edited_at set
Also adds Update to the top-level @fedify/fedify/vocab import and updates
the module-level comment block to list the new route.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds the Mastodon Client API endpoints for pinning and unpinning posts:
- POST /api/v1/statuses/:id/pin — upserts a document into ap_featured
(same store the admin UI uses), enforces the 5-post maximum, fires
broadcastActorUpdate() so remote servers re-fetch the featured collection
- POST /api/v1/statuses/:id/unpin — removes from ap_featured, broadcasts update
- loadItemInteractions() now also queries ap_featured and returns pinnedIds
- GET /api/v1/statuses/:id response now reflects actual pin state
- broadcastActorUpdate wired into mastodon pluginOptions in index.js
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
findTimelineItemById's string range query used $gte/$lte on ISO strings,
which fails for items stored with timezone offsets (e.g. "+01:00"): the
string "2026-03-21T16:33:50+01:00" is lexicographically outside the
range ["2026-03-21T15:33:50Z", "2026-03-21T15:33:51Z"].
Replace with a $or that covers both cases:
- BSON Date stored (Micropub): direct Date range comparison
- String stored with any timezone: $dateFromString parses the offset
correctly, $toLong converts to ms-since-epoch, numeric range always
matches regardless of timezone format
Items received before extractObjectData's UTC normalization (a259c79)
was deployed are stored with the original server's timezone offset and
now resolve correctly through this fallback.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Merges upstream fix that adds Strategy 1b to resolveAuthor: a raw signed
HTTP fetch for servers (e.g. wafrn) that return AP JSON without @context,
which Fedify's JSON-LD processor would otherwise reject.
Combined with our 5-second timeout wrapper so both improvements apply:
- privateKey/keyId now passed to resolveAuthor for the signed raw fetch
- timeout still guards all three strategies against slow/unreachable remotes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
likePost, unlikePost and boostPost all call resolveAuthor() which makes
up to 3 signed HTTP requests to the remote server (post fetch, author
actor fetch, getAttributedTo) with no timeout. If the remote server is
slow or unreachable, the favourite/reblog HTTP response hangs until the
Node.js socket default times out (~2 min). Mastodon clients (Phanpy,
Elk) give up much sooner and show "Failed to load post".
Fix: wrap every resolveAuthor() call in a Promise.race() with a 5 s
timeout. The interaction is still recorded in ap_interactions and the
Like/Announce activity is still sent when recipient resolution succeeds
within the window; if it times out, AP delivery is silently skipped
(the local record is kept — the client sees a successful ⭐).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Two profile display fixes:
1. Avatar not persisting across requests: resolveRemoteAccount fetches
the correct avatar via lookupWithSecurity, but only updated the
in-memory serialized status — never the DB or the cache. On the next
request serializeStatus rebuilt the account from item.author.photo
(empty if the actor was on a Secure Mode server when the item arrived),
and enrichAccountStats skipped re-fetching because follower counts
were already > 0. Fix: include avatarUrl in cacheAccountStats; in
collectAccount always check the cache first (for avatar + createdAt)
regardless of whether counts are already populated.
2. actor.published may not be UTC: Temporal.Instant.toString() preserves
the original timezone offset from the AP actor object; wrap in
new Date(...).toISOString() so created_at is always UTC ISO 8601.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Three-layer fix for findTimelineItemById cursor mismatches:
1. encodeCursor returns "" (falsy) for invalid dates — serializeStatus
now correctly falls back to item._id.toString() instead of using "0"
as an opaque ID that can never be looked up.
2. findTimelineItemById adds two new fallbacks after the existing string
lookups fail:
- BSON Date lookup: Micropub pipeline (postData.create) may store
published as a JavaScript Date → MongoDB BSON Date; string
comparison never matches.
- ±999 ms ISO range query: some AP servers send published with a
timezone offset (e.g. +01:00). String(Temporal.Instant) preserves
the original offset; decodeCursor normalizes to UTC, so the stored
string and the lookup string differ.
3. timeline-store.js extractObjectData now normalizes published via
new Date(String(...)).toISOString() before storing, ensuring all
future items are stored in UTC ISO format and the exact-match lookup
succeeds without needing the range fallback.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Servers like wafrn return AP JSON without @context, causing Fedify's
JSON-LD processor to reject the document. Strategy 1b in resolveAuthor
does a direct signed GET, extracts attributedTo/actor from plain JSON,
then resolves the actor via lookupWithSecurity.
Also: _loadRsaPrivateKey now imports with extractable=true (required
by Fedify's signRequest), and loadRsaKey is wired through to all
Mastodon API interaction helpers.
- In accounts.js: all places that build an actor object from ap_followers or
ap_following docs now include `createdAt: f.createdAt || undefined`.
Previously the field was omitted, causing serializeAccount() to fall back to
`new Date().toISOString()`, making every follower/following appear to have
joined "just now" in the Mastodon client.
Affected: GET /api/v1/accounts/:id/followers, /following, /lookup, and the
resolveActorData() fallback used by GET /api/v1/accounts/:id.
- In resolve-account.js: HTTP actor URLs are now passed to lookupWithSecurity()
as a native URL object instead of a bare string, matching Fedify's preferred
type. The acct:user@domain WebFinger path remains a string (new URL() would
misparse the @ as a user-info separator under WHATWG rules).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace direct ctx.lookupObject() call in resolveRemoteAccount with
lookupWithSecurity() so servers that reject signed GETs are retried
unsigned. Also add 5 s Promise.race timeouts to followers/following/
outbox collection fetches to prevent profile loads from hanging on
slow remote servers.
Fixes missing profile pictures and zero follower stats in Mastodon
client views.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
addTimelineItem(collections, item) destructures { ap_timeline } from its
first argument. Passing collections.ap_timeline directly gave it a raw
MongoDB collection with no ap_timeline property, causing
"Cannot read properties of undefined (reading 'updateOne')".
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The minimal bare JSON returned for visibility=direct DMs caused clients
(Phanpy, Elk) to show "no data" — they expect a full Mastodon Status
entity. Fix: build a proper ap_timeline document, store it with
visibility=direct (home/public timelines already exclude direct items),
and serialize it via serializeStatus() before returning. Also store the
DM in ap_notifications for the thread view as before.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Intercept visibility="direct" in POST /api/v1/statuses before the
Micropub pipeline. Resolve the @mention via WebFinger, build a
Create/Note AP activity addressed only to the recipient (no public
addressing), send via ctx.sendActivity(), and store in ap_notifications
for the DM thread view. No blog post is created.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add setGlobalFollow/removeGlobalFollow/getFollowedTagsWithState to
followed-tags storage; unfollowTag now preserves global follow state
- Add followTagGloballyController/unfollowTagGloballyController that
send AP Follow/Undo via Fedify to tags.pub actor URLs
- Register POST /admin/reader/follow-tag-global and unfollow-tag-global
routes with plugin reference for Fedify access
- Tag timeline controller passes isGloballyFollowed + error query param
- Tag timeline template adds global follow/unfollow buttons with globe
indicator and inline error display
- Wire GET /api/v1/followed_tags to return real data with globalFollow state
- Add i18n keys: followGlobally, unfollowGlobally, globallyFollowing,
globalFollowError
- Add setGlobalFollow/removeGlobalFollow/getFollowedTagsWithState to
followed-tags storage; unfollowTag now preserves global follow state
- Add followTagGloballyController/unfollowTagGloballyController that
send AP Follow/Undo via Fedify to tags.pub actor URLs
- Register POST /admin/reader/follow-tag-global and unfollow-tag-global
routes with plugin reference for Fedify access
- Tag timeline controller passes isGloballyFollowed + error query param
- Tag timeline template adds global follow/unfollow buttons with globe
indicator and inline error display
- Wire GET /api/v1/followed_tags to return real data with globalFollow state
- Add i18n keys: followGlobally, unfollowGlobally, globallyFollowing,
globalFollowError
All five 3.7.x releases published 2026-03-21 in one pass.
Changes from upstream:
- lib/lookup-helpers.js: lookupWithSecurity → async with signed→unsigned
fallback (handles servers like tags.pub that return 400 on signed GETs)
- lib/mastodon/helpers/account-cache.js: add reverse lookup map
(hashId → actorUrl) populated by cacheAccountStats(); export
getActorUrlFromId() for follow/unfollow resolution
- lib/mastodon/helpers/enrich-accounts.js: NEW — enrichAccountStats()
enriches embedded account objects in serialized statuses with real
follower/following/post counts; Phanpy never calls /accounts/:id so
counts were always 0 without this
- lib/mastodon/routes/timelines.js: call enrichAccountStats() after
serialising home, public, and hashtag timelines
- lib/mastodon/routes/statuses.js: processStatusContent() linkifies bare
URLs and converts @user@domain mentions to <a> links; extractMentions()
builds mention list; date lookup now tries both .000Z and bare Z suffixes
- lib/mastodon/routes/stubs.js: /api/v1/domain_blocks now returns real
blocked-server hostnames from ap_blocked_servers instead of []
- lib/mastodon/routes/accounts.js: /accounts/relationships computes
domain_blocking using ap_blocked_servers; resolveActorUrl() falls back
to getActorUrlFromId() cache for timeline-author resolution
- lib/controllers/federation-mgmt.js: fetch blocked servers, blocked
accounts, and muted accounts in parallel; pass to template
- views/activitypub-federation-mgmt.njk: add Moderation section showing
blocked servers, blocked accounts, and muted accounts
- package.json: bump version 3.6.8 → 3.7.5
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1. Federation admin page (/admin/federation): new Moderation section
showing blocked servers (with hostnames), blocked accounts, and
muted accounts/keywords
2. GET /api/v1/domain_blocks: returns actual blocked server hostnames
from ap_blocked_servers (was stub returning [])
3. Relationship responses: domain_blocking field now checks if the
account's domain matches a blocked server hostname (was always false)
Mastodon clients send plain text — the server must convert bare URLs
and @user@domain mentions into HTML links. Previously, URLs appeared
as plain text and mentions were not stored as mention objects.
- Bare URLs (http/https) are wrapped in <a> tags
- @user@domain patterns are converted to profile links with h-card markup
- Mentions are extracted into the mentions[] array with name and URL
- Only processes content that doesn't already contain <a> tags
(avoids double-linkifying Micropub-rendered content)
POST /accounts/:id/follow returned 404 for actors resolved via Fedify
(like @_followback@tags.pub) because resolveActorUrl only checked local
data (followers/following/timeline). These actors aren't in local
collections — they were resolved on-demand via WebFinger.
Fix: add reverse lookup map (accountId hash → actorUrl) to the account
cache. When resolveRemoteAccount resolves a profile, the hash-to-URL
mapping is stored alongside the stats. resolveActorUrl checks this
cache before scanning local collections.
findTimelineItemById decoded the cursor (ms-since-epoch) back to an ISO
date via toISOString() which produces "2026-03-21T15:33:50.000Z". But
the stored published dates lack the .000Z milliseconds suffix — they're
"2026-03-21T15:33:50Z". The exact string match failed for every single
status, breaking /statuses/:id, /statuses/:id/context, and all
interaction endpoints (favourite, boost, bookmark, delete).
Fix: try both formats — with .000Z first, then without.
Phanpy never calls /accounts/:id for timeline authors — it trusts the
embedded account object in each status. These showed 0 counts because
timeline author data doesn't include follower stats.
Fix: after serializing statuses, batch-resolve unique authors that have
0 counts via Fedify AP collection fetch (5 concurrent). Results are
cached (1h TTL) so subsequent page loads are instant.
Applied to all three timeline endpoints (home, public, hashtag).
Phanpy never calls /accounts/:id for timeline authors — it uses the
embedded account object from the status response. These had 0 counts
because the timeline author data doesn't include follower stats.
Fix: in-memory LRU cache (500 entries, 1h TTL) stores account stats
from remote resolutions. serializeAccount() reads from cache when
the actor has 0 counts, enriching embedded accounts with real data.
Cache is populated by resolveRemoteAccount() (lookup, search, and
/accounts/:id calls). Once a profile has been viewed once, all
subsequent status embeds for that author show real counts.
Two bugs causing profile counts to show 0 in Phanpy:
1. Route ordering: /accounts/relationships and /accounts/familiar_followers
were defined AFTER /accounts/:id. Express matched "relationships" as
the :id parameter, returning 404. Moved them before the :id catch-all.
2. /accounts/:id only used local data (followers/following/timeline) which
has no follower counts. Now tries remote actor resolution via Fedify
to get real counts from AP collection totalItems.
Extract followers/following/statuses counts from AP collection
totalItems, profile fields from actor attachments, and published
date from the actor document. Previously showed 0/0/0 and today's
date for all remote profiles.
Account lookup (/api/v1/accounts/lookup) and search (/api/v2/search)
now resolve remote actors via Fedify's ctx.lookupObject() when not
found locally. Previously only checked ap_followers — missed accounts
we follow, timeline authors, and any remote actor.
Lookup chain: local profile → followers → following → timeline authors
→ remote WebFinger+actor fetch (Fedify)
Search uses remote resolution when resolve=true and query contains @.
1. Empty content on bookmarks/likes/reposts: synthesize content from
the interaction target URL (bookmark-of, like-of, repost-of) when
the post has no body text
2. Hashtags not extracted: parse #hashtag patterns from content text
and merge with explicit categories. Applies to both backfill
(startup) and POST /api/v1/statuses (runtime)
3. Hashtag links rewritten: /categories/tag/ links (site-internal)
are rewritten to /tags/tag (Mastodon convention) in the HTML
content stored in ap_timeline
4. Relative media URLs resolved: photo/video/audio URLs like
media/photos/... are resolved to absolute URLs using the site URL
Android Chrome Custom Tabs block 302 redirects to custom URI schemes
(fedilab://, moshidon-android-auth://) for security. The server sends
the redirect correctly but the WebView silently ignores it — "nothing
happens" when the user taps Authorize.
Fix: detect non-HTTP redirect URIs and render an HTML page with both
a JavaScript window.location redirect and a meta refresh fallback.
Client-side navigation to custom schemes is allowed by WebViews.
HTTP(S) redirect URIs (Phanpy, Elk) still use standard 302.
The Mastodon API timeline sorted by MongoDB _id (insertion order), not
by published date. This caused chronological jumps — backfilled or
syndicated posts got ObjectIds at import time, interleaving them
incorrectly with federation-received posts.
Changes:
- Pagination cursors now use published date (encoded as ms-since-epoch)
instead of ObjectId. Mastodon clients pass these as opaque max_id/
min_id/since_id values and they sort correctly.
- Status and notification IDs are now encodeCursor(published) so the
cursor round-trips through client pagination.
- Status lookups (GET/DELETE /statuses/:id, context, interactions) use
findTimelineItemById() which tries published-based lookup first, then
falls back to ObjectId for backwards compatibility.
- Link pagination headers emit published-based cursors.
This matches the native reader's sort (storage/timeline.js) which has
always sorted by published: -1.
MongoDB sparse indexes skip documents where the indexed field is ABSENT,
but still enforce uniqueness on explicit null values. The auth code insert
set accessToken:null and the client_credentials insert set code:null,
causing E11000 duplicate key errors on the second authorization attempt.
Fix: omit accessToken/code entirely from inserts where they don't apply.
The field gets added later during token exchange ($set in updateOne).
The fallback avatar URL pointed to /placeholder-avatar.png which doesn't
exist (404). Changed to /images/default-avatar.svg which exists in the
Eleventy theme and is served by the nginx image caching location with
CORS headers — fixing cross-origin errors in Phanpy/Elk.
Own posts in ap_timeline have author.url set to the publication URL
(site root like "https://rmendes.net/") with no /@handle or /users/handle
pattern. extractUsername("/") returns "" which falls back to "unknown".
Fix: set module-level local identity (publicationUrl + handle) at plugin
init via setLocalIdentity(). serializeStatus() compares item.author.url
against the publication URL and passes isLocal:true + handle to
serializeAccount() when they match.
This is zero-cost for callers — no signature changes needed at the 20+
serializeStatus() call sites.
Implement the Mastodon Client REST API (/api/v1/*, /api/v2/*) and OAuth2
server within the ActivityPub plugin, enabling Mastodon-compatible clients
to connect to the Fedify-based server.
Core features:
- OAuth2 with PKCE (S256) — app registration, authorization, token exchange
- Instance info + nodeinfo for client discovery
- Account lookup, verification, relationships, follow/unfollow/mute/block
- Home/public/hashtag timelines with cursor-based pagination
- Status viewing, creation, deletion, thread context
- Favourite, boost, bookmark interactions with AP federation
- Notifications with type filtering and pagination
- Search across accounts, statuses, and hashtags
- Markers for read position tracking
- Bookmarks and favourites collection lists
- 25+ stub endpoints preventing client errors on unimplemented features
Architecture:
- 24 new files under lib/mastodon/ (entities, helpers, middleware, routes)
- Virtual endpoint at "/" via Indiekit.addEndpoint() for domain-root access
- CORS + JSON error handling for browser-based clients
- Six-layer mute/block filtering reusing existing moderation infrastructure
BREAKING CHANGE: bumps to v3.0.0 — adds new MongoDB collections
(ap_oauth_apps, ap_oauth_tokens, ap_markers) and new route registrations
Confab-Link: http://localhost:8080/sessions/5360e3f5-b3cc-4bf3-8c31-5448e2b23947
