mirror of
https://github.com/svemagie/indiekit-endpoint-activitypub.git
synced 2026-04-02 15:44:58 +02:00
12454749ad
27 issues fixed from multi-dimensional code review (4 Critical, 6 High, 11 Medium, 6 Low): Security (Critical): - Escape HTML in OAuth authorization page to prevent XSS (C1) - Add CSRF protection to OAuth authorize flow (C2) - Replace bypassable regex sanitizer with sanitize-html library (C3) - Enforce OAuth scopes on all Mastodon API routes (C4) Security (Medium/Low): - Fix SSRF via DNS resolution before private IP check (M1) - Add rate limiting to API, auth, and app registration endpoints (M2) - Validate redirect_uri on POST /oauth/authorize (M4) - Fix custom emoji URL injection with scheme validation + escaping (M5) - Remove data: scheme from allowed image sources (L6) - Add access token expiry (1hr) and refresh token rotation (90d) (M3) - Hash client secrets before storage (L3) Architecture: - Extract batch-broadcast.js — shared delivery logic (H1a) - Extract init-indexes.js — MongoDB index creation (H1b) - Extract syndicator.js — syndication logic (H1c) - Create federation-actions.js facade for controllers (M6) - index.js reduced from 1810 to ~1169 lines (35%) Performance: - Cache moderation data with 30s TTL + write invalidation (H6) - Increase inbox queue throughput to 10 items/sec (H5) - Make account enrichment non-blocking with fire-and-forget (H4) - Remove ephemeral getReplies/getLikes/getShares from ingest (M11) - Fix LRU caches to use true LRU eviction (L1) - Fix N+1 backfill queries with batch $in lookup (L2) UI/UX: - Split 3441-line reader.css into 15 feature-scoped files (H2) - Extract inline Alpine.js interaction component (H3) - Reduce sidebar navigation from 7 to 3 items (M7) - Add ARIA live regions for dynamic content updates (M8) - Extract shared CW/non-CW content partial (M9) - Document form handling pattern convention (M10) - Add accessible labels to functional emoji icons (L4) - Convert profile editor to Alpine.js (L5) Audit: documentation-central/audits/2026-03-24-activitypub-code-review.md Plan: documentation-central/plans/2026-03-24-activitypub-audit-fixes.md
74 lines
2.0 KiB
JavaScript
74 lines
2.0 KiB
JavaScript
/**
|
|
* In-memory cache for remote account stats (followers, following, statuses).
|
|
*
|
|
* Populated by resolveRemoteAccount() when a profile is fetched.
|
|
* Read by serializeAccount() to enrich embedded account objects in statuses.
|
|
*
|
|
* LRU-style with TTL — entries expire after 1 hour.
|
|
*/
|
|
|
|
import { remoteActorId } from "./id-mapping.js";
|
|
|
|
const CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour
|
|
const MAX_ENTRIES = 500;
|
|
|
|
// Map<actorUrl, { followersCount, followingCount, statusesCount, createdAt, cachedAt }>
|
|
const cache = new Map();
|
|
|
|
// Reverse map: accountId (hash) → actorUrl
|
|
// Populated alongside the stats cache for follow/unfollow lookups
|
|
const idToUrl = new Map();
|
|
|
|
/**
|
|
* Store account stats in cache.
|
|
* @param {string} actorUrl - The actor's URL (cache key)
|
|
* @param {object} stats - { followersCount, followingCount, statusesCount, createdAt }
|
|
*/
|
|
export function cacheAccountStats(actorUrl, stats) {
|
|
if (!actorUrl) return;
|
|
|
|
// Evict oldest if at capacity
|
|
if (cache.size >= MAX_ENTRIES) {
|
|
const oldest = cache.keys().next().value;
|
|
cache.delete(oldest);
|
|
}
|
|
|
|
cache.set(actorUrl, { ...stats, cachedAt: Date.now() });
|
|
|
|
// Maintain reverse lookup
|
|
const hashId = remoteActorId(actorUrl);
|
|
if (hashId) idToUrl.set(hashId, actorUrl);
|
|
}
|
|
|
|
/**
|
|
* Get cached account stats.
|
|
* @param {string} actorUrl - The actor's URL
|
|
* @returns {object|null} Stats or null if not cached/expired
|
|
*/
|
|
export function getCachedAccountStats(actorUrl) {
|
|
if (!actorUrl) return null;
|
|
|
|
const entry = cache.get(actorUrl);
|
|
if (!entry) return null;
|
|
|
|
// Check TTL
|
|
if (Date.now() - entry.cachedAt > CACHE_TTL_MS) {
|
|
cache.delete(actorUrl);
|
|
return null;
|
|
}
|
|
|
|
// Promote to end of Map (true LRU)
|
|
cache.delete(actorUrl);
|
|
cache.set(actorUrl, entry);
|
|
return entry;
|
|
}
|
|
|
|
/**
|
|
* Reverse lookup: get actor URL from account hash ID.
|
|
* @param {string} hashId - The 24-char hex account ID
|
|
* @returns {string|null} Actor URL or null
|
|
*/
|
|
export function getActorUrlFromId(hashId) {
|
|
return idToUrl.get(hashId) || null;
|
|
}
|