mirror of
https://github.com/svemagie/indiekit-endpoint-activitypub.git
synced 2026-04-02 15:44:58 +02:00
12454749ad
27 issues fixed from multi-dimensional code review (4 Critical, 6 High, 11 Medium, 6 Low): Security (Critical): - Escape HTML in OAuth authorization page to prevent XSS (C1) - Add CSRF protection to OAuth authorize flow (C2) - Replace bypassable regex sanitizer with sanitize-html library (C3) - Enforce OAuth scopes on all Mastodon API routes (C4) Security (Medium/Low): - Fix SSRF via DNS resolution before private IP check (M1) - Add rate limiting to API, auth, and app registration endpoints (M2) - Validate redirect_uri on POST /oauth/authorize (M4) - Fix custom emoji URL injection with scheme validation + escaping (M5) - Remove data: scheme from allowed image sources (L6) - Add access token expiry (1hr) and refresh token rotation (90d) (M3) - Hash client secrets before storage (L3) Architecture: - Extract batch-broadcast.js — shared delivery logic (H1a) - Extract init-indexes.js — MongoDB index creation (H1b) - Extract syndicator.js — syndication logic (H1c) - Create federation-actions.js facade for controllers (M6) - index.js reduced from 1810 to ~1169 lines (35%) Performance: - Cache moderation data with 30s TTL + write invalidation (H6) - Increase inbox queue throughput to 10 items/sec (H5) - Make account enrichment non-blocking with fire-and-forget (H4) - Remove ephemeral getReplies/getLikes/getShares from ingest (M11) - Fix LRU caches to use true LRU eviction (L1) - Fix N+1 backfill queries with batch $in lookup (L2) UI/UX: - Split 3441-line reader.css into 15 feature-scoped files (H2) - Extract inline Alpine.js interaction component (H3) - Reduce sidebar navigation from 7 to 3 items (M7) - Add ARIA live regions for dynamic content updates (M8) - Extract shared CW/non-CW content partial (M9) - Document form handling pattern convention (M10) - Add accessible labels to functional emoji icons (L4) - Convert profile editor to Alpine.js (L5) Audit: documentation-central/audits/2026-03-24-activitypub-code-review.md Plan: documentation-central/plans/2026-03-24-activitypub-audit-fixes.md
235 lines
6.2 KiB
JavaScript
235 lines
6.2 KiB
JavaScript
/**
|
|
* Like/Unlike interaction controllers.
|
|
* Sends Like and Undo(Like) activities via Fedify.
|
|
*/
|
|
|
|
import { validateToken } from "../csrf.js";
|
|
import { resolveAuthor } from "../resolve-author.js";
|
|
import { createContext, getHandle, getPublicationUrl, isFederationReady } from "../federation-actions.js";
|
|
|
|
/**
|
|
* POST /admin/reader/like — send a Like activity to the post author.
|
|
* @param {string} mountPath - Plugin mount path
|
|
* @param {object} plugin - ActivityPub plugin instance (for federation access)
|
|
*/
|
|
export function likeController(mountPath, plugin) {
|
|
return async (request, response, next) => {
|
|
try {
|
|
if (!validateToken(request)) {
|
|
return response.status(403).json({
|
|
success: false,
|
|
error: "Invalid CSRF token",
|
|
});
|
|
}
|
|
|
|
const { url } = request.body;
|
|
|
|
if (!url) {
|
|
return response.status(400).json({
|
|
success: false,
|
|
error: "Missing post URL",
|
|
});
|
|
}
|
|
|
|
if (!isFederationReady(plugin)) {
|
|
return response.status(503).json({
|
|
success: false,
|
|
error: "Federation not initialized",
|
|
});
|
|
}
|
|
|
|
const { Like } = await import("@fedify/fedify/vocab");
|
|
const handle = getHandle(plugin);
|
|
const ctx = createContext(plugin);
|
|
|
|
const documentLoader = await ctx.getDocumentLoader({
|
|
identifier: handle,
|
|
});
|
|
|
|
const { application } = request.app.locals;
|
|
const rsaKey = await plugin._loadRsaPrivateKey();
|
|
const recipient = await resolveAuthor(
|
|
url,
|
|
ctx,
|
|
documentLoader,
|
|
application?.collections,
|
|
{
|
|
privateKey: rsaKey,
|
|
keyId: `${ctx.getActorUri(handle).href}#main-key`,
|
|
},
|
|
);
|
|
|
|
if (!recipient) {
|
|
return response.status(404).json({
|
|
success: false,
|
|
error: "Could not resolve post author",
|
|
});
|
|
}
|
|
|
|
// Generate a unique activity ID
|
|
const uuid = crypto.randomUUID();
|
|
const baseUrl = getPublicationUrl(plugin).replace(/\/$/, "");
|
|
const activityId = `${baseUrl}/activitypub/likes/${uuid}`;
|
|
|
|
// Construct and send Like activity
|
|
const like = new Like({
|
|
id: new URL(activityId),
|
|
actor: ctx.getActorUri(handle),
|
|
object: new URL(url),
|
|
});
|
|
|
|
await ctx.sendActivity({ identifier: handle }, recipient, like, {
|
|
orderingKey: url,
|
|
});
|
|
|
|
// Track the interaction for undo
|
|
const interactions = application?.collections?.get("ap_interactions");
|
|
|
|
if (interactions) {
|
|
await interactions.updateOne(
|
|
{ objectUrl: url, type: "like" },
|
|
{
|
|
$set: {
|
|
objectUrl: url,
|
|
type: "like",
|
|
activityId,
|
|
recipientUrl: recipient.id?.href || "",
|
|
createdAt: new Date().toISOString(),
|
|
},
|
|
},
|
|
{ upsert: true },
|
|
);
|
|
}
|
|
|
|
console.info(`[ActivityPub] Sent Like for ${url}`);
|
|
|
|
return response.json({
|
|
success: true,
|
|
type: "like",
|
|
objectUrl: url,
|
|
});
|
|
} catch (error) {
|
|
console.error("[ActivityPub] Like failed:", error.message);
|
|
return response.status(500).json({
|
|
success: false,
|
|
error: "Like failed. Please try again later.",
|
|
});
|
|
}
|
|
};
|
|
}
|
|
|
|
/**
|
|
* POST /admin/reader/unlike — send an Undo(Like) activity.
|
|
*/
|
|
export function unlikeController(mountPath, plugin) {
|
|
return async (request, response, next) => {
|
|
try {
|
|
if (!validateToken(request)) {
|
|
return response.status(403).json({
|
|
success: false,
|
|
error: "Invalid CSRF token",
|
|
});
|
|
}
|
|
|
|
const { url } = request.body;
|
|
|
|
if (!url) {
|
|
return response.status(400).json({
|
|
success: false,
|
|
error: "Missing post URL",
|
|
});
|
|
}
|
|
|
|
if (!isFederationReady(plugin)) {
|
|
return response.status(503).json({
|
|
success: false,
|
|
error: "Federation not initialized",
|
|
});
|
|
}
|
|
|
|
const { application } = request.app.locals;
|
|
const interactions = application?.collections?.get("ap_interactions");
|
|
|
|
// Look up the original interaction to get the activity ID
|
|
const existing = interactions
|
|
? await interactions.findOne({ objectUrl: url, type: "like" })
|
|
: null;
|
|
|
|
if (!existing) {
|
|
return response.status(404).json({
|
|
success: false,
|
|
error: "No like found for this post",
|
|
});
|
|
}
|
|
|
|
const { Like, Undo } = await import("@fedify/fedify/vocab");
|
|
const handle = getHandle(plugin);
|
|
const ctx = createContext(plugin);
|
|
|
|
const documentLoader = await ctx.getDocumentLoader({
|
|
identifier: handle,
|
|
});
|
|
|
|
const rsaKey2 = await plugin._loadRsaPrivateKey();
|
|
const recipient = await resolveAuthor(
|
|
url,
|
|
ctx,
|
|
documentLoader,
|
|
application?.collections,
|
|
{
|
|
privateKey: rsaKey2,
|
|
keyId: `${ctx.getActorUri(handle).href}#main-key`,
|
|
},
|
|
);
|
|
|
|
if (!recipient) {
|
|
// Clean up the local record even if we can't send Undo
|
|
if (interactions) {
|
|
await interactions.deleteOne({ objectUrl: url, type: "like" });
|
|
}
|
|
|
|
return response.json({
|
|
success: true,
|
|
type: "unlike",
|
|
objectUrl: url,
|
|
});
|
|
}
|
|
|
|
// Construct Undo(Like)
|
|
const like = new Like({
|
|
id: existing.activityId ? new URL(existing.activityId) : undefined,
|
|
actor: ctx.getActorUri(handle),
|
|
object: new URL(url),
|
|
});
|
|
|
|
const undo = new Undo({
|
|
actor: ctx.getActorUri(handle),
|
|
object: like,
|
|
});
|
|
|
|
await ctx.sendActivity({ identifier: handle }, recipient, undo, {
|
|
orderingKey: url,
|
|
});
|
|
|
|
// Remove the interaction record
|
|
if (interactions) {
|
|
await interactions.deleteOne({ objectUrl: url, type: "like" });
|
|
}
|
|
|
|
console.info(`[ActivityPub] Sent Undo(Like) for ${url}`);
|
|
|
|
return response.json({
|
|
success: true,
|
|
type: "unlike",
|
|
objectUrl: url,
|
|
});
|
|
} catch (error) {
|
|
console.error("[ActivityPub] Unlike failed:", error.message);
|
|
return response.status(500).json({
|
|
success: false,
|
|
error: "Unlike failed. Please try again later.",
|
|
});
|
|
}
|
|
};
|
|
}
|