Ricardo
c1a6f7e24c
docs: add comprehensive FEP/standards compliance tables
README.md: 18-row table covering core protocols (ActivityPub, HTTP
Signatures, RFC 9421, WebFinger, NodeInfo) and 11 FEPs with status
and provider attribution (Fedify vs Plugin).
CLAUDE.md: developer-facing 11-row FEP table with implementation
file locations for each standard.
2026-03-26 18:03:25 +01:00
Ricardo
35ab840a56
feat: upgrade Fedify to 2.1.0 + implement 5 FEPs
Fedify 2.1.0 upgrade:
- Upgrade @fedify/fedify, @fedify/redis, @fedify/debugger to ^2.1.0
- Remove as:Endpoints type-stripping workaround (fixed upstream, fedify#576)
- Wire onUnverifiedActivity handler for Delete from actors with gone keys
FEP implementations:
- FEP-5feb: Add indexable + discoverable to actor (search indexing consent)
- FEP-f1d5/0151: Enrich NodeInfo 2.1 with metadata, staff accounts, repo info
- FEP-4f05: Soft delete with Tombstone — deleted posts serve 410 + Tombstone
JSON-LD with formerType, published, deleted timestamps. New ap_tombstones
collection + lib/storage/tombstones.js
- FEP-3b86: Activity Intents — WebFinger links for Follow/Create/Like/Announce
intents, authorize_interaction routes by intent parameter
- FEP-8fcf: Collection Sync outbound via Fedify syncCollection (documented
that receiving side is not yet implemented)
2026-03-26 17:33:28 +01:00
Ricardo
47fe21c681
docs: update CLAUDE.md for Mastodon API status creation changes (v3.9.4)
2026-03-26 15:41:57 +01:00
Ricardo
80ef9bca11
docs: update CLAUDE.md and README.md for v3.9 audit refactoring
CLAUDE.md:
- Architecture tree: add 4 extracted modules (batch-broadcast,
syndicator, init-indexes, federation-actions)
- Update index.js description to "lifecycle orchestration"
- Data flow: add batch-broadcast delivery path
README.md:
- Remove stale "no custom emoji rendering" limitation
- Update account enrichment to describe non-blocking behavior
- Add 3 missing Mastodon API MongoDB collections
- Add OAuth scope enforcement, rate limiting, token expiry,
and CSRF to Mastodon Client API features
2026-03-25 12:35:10 +01:00
Ricardo
12454749ad
fix: comprehensive security, performance, and architecture audit fixes
27 issues fixed from multi-dimensional code review (4 Critical, 6 High, 11 Medium, 6 Low):
Security (Critical):
- Escape HTML in OAuth authorization page to prevent XSS (C1)
- Add CSRF protection to OAuth authorize flow (C2)
- Replace bypassable regex sanitizer with sanitize-html library (C3)
- Enforce OAuth scopes on all Mastodon API routes (C4)
Security (Medium/Low):
- Fix SSRF via DNS resolution before private IP check (M1)
- Add rate limiting to API, auth, and app registration endpoints (M2)
- Validate redirect_uri on POST /oauth/authorize (M4)
- Fix custom emoji URL injection with scheme validation + escaping (M5)
- Remove data: scheme from allowed image sources (L6)
- Add access token expiry (1hr) and refresh token rotation (90d) (M3)
- Hash client secrets before storage (L3)
Architecture:
- Extract batch-broadcast.js — shared delivery logic (H1a)
- Extract init-indexes.js — MongoDB index creation (H1b)
- Extract syndicator.js — syndication logic (H1c)
- Create federation-actions.js facade for controllers (M6)
- index.js reduced from 1810 to ~1169 lines (35%)
Performance:
- Cache moderation data with 30s TTL + write invalidation (H6)
- Increase inbox queue throughput to 10 items/sec (H5)
- Make account enrichment non-blocking with fire-and-forget (H4)
- Remove ephemeral getReplies/getLikes/getShares from ingest (M11)
- Fix LRU caches to use true LRU eviction (L1)
- Fix N+1 backfill queries with batch $in lookup (L2)
UI/UX:
- Split 3441-line reader.css into 15 feature-scoped files (H2)
- Extract inline Alpine.js interaction component (H3)
- Reduce sidebar navigation from 7 to 3 items (M7)
- Add ARIA live regions for dynamic content updates (M8)
- Extract shared CW/non-CW content partial (M9)
- Document form handling pattern convention (M10)
- Add accessible labels to functional emoji icons (L4)
- Convert profile editor to Alpine.js (L5)
Audit: documentation-central/audits/2026-03-24-activitypub-code-review.md
Plan: documentation-central/plans/2026-03-24-activitypub-audit-fixes.md
2026-03-25 07:41:20 +01:00
Ricardo
c71fd691a3
fix: direct follow workaround for tags.pub identity/v1 context rejection
tags.pub's activitypub-bot (activitystrea.ms parser) rejects any activity
body containing the https://w3id.org/identity/v1 JSON-LD context with
400 Invalid request body. Fedify 2.0 adds this context via LD Signatures
(RsaSignature2017) on all outbound activities.
Workaround: lib/direct-follow.js sends Follow/Undo(Follow) with a minimal
body (no LD Sig, no proof) using draft-cavage HTTP Signatures, scoped only
to tags.pub via DIRECT_FOLLOW_HOSTS set.
Also removes [federation-diag] inbox POST logging (no longer needed).
Upstream: https://github.com/social-web-foundation/tags.pub/issues/10
2026-03-22 19:40:12 +01:00
Ricardo
0d8b2d0f11
docs: update CLAUDE.md and README.md with Mastodon Client API layer
CLAUDE.md:
- Architecture: add full lib/mastodon/ tree (entities, helpers, middleware, routes)
- Data flow: add Mastodon API path (client → /api/v1/* → ap_timeline + Fedify)
- Collections: add ap_oauth_apps, ap_oauth_tokens, ap_markers; fix ap_blocked_servers field name
- Gotchas #34-35: Mastodon API architecture decisions (pagination, own-post detection,
account enrichment, OAuth native app redirect, token storage, route ordering,
unsigned fallback, backfill, content processing)
- Route table: add all Mastodon Client API endpoints
README.md:
- Updated description to mention Mastodon Client API compatibility
- Added full Mastodon Client API feature section
- Added moderation overview to Admin UI features
2026-03-21 20:50:36 +01:00
Ricardo
d676374ec1
docs: document Fedify workarounds for endpoints type and PropertyValue attachment
- Gotcha 10: endpoints as:Endpoints type stripping (fedify#576, fixed in 2.1.0)
- Gotcha 11: PropertyValue attachment type validation (fedify#629, open)
- README: added both to Fedify Workarounds section
- Renumbered gotchas 10-31 → 12-33
Confab-Link: http://localhost:8080/sessions/af5f8b45-6b8d-442d-8f25-78c326190709
2026-03-17 15:16:01 +01:00
Ricardo
a87fe59259
docs: update CLAUDE.md and README.md with v2.14.0/v2.15.0 features
Add full feature documentation for federation resilience (v2.14.0) and
Hollo-inspired patterns (v2.15.0). Add credits to Hollo, Fedify, and Wafrn.
Update architecture tree, collections table, routes, and gotchas in CLAUDE.md.
Confab-Link: http://localhost:8080/sessions/af5f8b45-6b8d-442d-8f25-78c326190709
2026-03-17 11:23:12 +01:00
Ricardo
ab2363d123
docs: update CLAUDE.md and README.md for v2.5.0
Document unified item processing pipeline (gotcha #23), parameterized
infinite scroll component (gotcha #24), quote embeds (gotcha #25).
Update architecture tree with new modules and controllers. Expand
route table and admin UI pages with explore, tag timeline, post detail,
and API endpoints. Add reader features (explore, hashtags, quotes,
link previews, read tracking, infinite scroll) to README.
Confab-Link: http://localhost:8080/sessions/e9d666ac-3c90-4298-9e92-9ac9d142bc06
2026-03-03 13:03:48 +01:00
Ricardo
fceac1f344
feat: use authenticated document loader for all inbox handler fetches
Pass ctx.getDocumentLoader({ identifier: handle }) to every .getActor(),
.getObject(), and .getTarget() call in inbox handlers. This signs outbound
fetches with our actor's key, fixing silent failures against Authorized
Fetch (Secure Mode) servers like hachyderm.io.
The authenticated loader is also threaded through extractObjectData() and
extractActorInfo() in timeline-store.js so internal calls to
.getAttributedTo(), .getIcon(), .getTags(), and .getAttachments() also
use signed requests.
Also removes the endpoints.type workaround in federation-bridge.js since
Fedify 2.0 fixed issue #576 upstream. The attachment array workaround
for Mastodon compatibility remains.
Bumps version to 2.0.26.
2026-02-25 09:41:29 +01:00
Ricardo
a6f3f8dd6c
docs: update CLAUDE.md and README.md for Fedify 2.0
- Update dependencies table (remove @fedify/express, add @fedify/debugger, unfurl.js)
- Add new config options: debugDashboard, debugPassword, notificationRetentionDays
- Document new gotchas: modular imports, importSpkiPem removal, KvStore list(), debug dashboard body consumption
- Update LogTape gotcha for debug dashboard interaction
- Add debug dashboard and public profile routes to route table
- README: add public profile and debug dashboard feature sections, Fedify 2.0 mention
2026-02-22 14:36:40 +01:00
Ricardo
0fa446ceb2
feat: make Fedify log level configurable via logLevel option
Default changed from "info" to "warning" so production logs are quiet.
Set logLevel to "info" or "debug" in config to troubleshoot federation.
2026-02-21 22:51:07 +01:00
Ricardo
b81ecbcaa4
docs: add CLAUDE.md for AI agents and README.md for humans
CLAUDE.md covers architecture, 18 critical gotchas distilled from
bug fixes (Fedify bridge, objectId vs getObject, template collisions,
Express 5 redirect, date handling, author fallback chain, etc.),
MongoDB collections, route table, and publishing workflow.
README.md covers features, installation, configuration, nginx setup,
how syndication/inbox/content negotiation work, Mastodon migration,
admin UI reference, and known limitations.
2026-02-21 17:06:11 +01:00