mirror of
https://github.com/svemagie/indiekit-endpoint-activitypub.git
synced 2026-04-02 15:44:58 +02:00
12454749ad
27 issues fixed from multi-dimensional code review (4 Critical, 6 High, 11 Medium, 6 Low): Security (Critical): - Escape HTML in OAuth authorization page to prevent XSS (C1) - Add CSRF protection to OAuth authorize flow (C2) - Replace bypassable regex sanitizer with sanitize-html library (C3) - Enforce OAuth scopes on all Mastodon API routes (C4) Security (Medium/Low): - Fix SSRF via DNS resolution before private IP check (M1) - Add rate limiting to API, auth, and app registration endpoints (M2) - Validate redirect_uri on POST /oauth/authorize (M4) - Fix custom emoji URL injection with scheme validation + escaping (M5) - Remove data: scheme from allowed image sources (L6) - Add access token expiry (1hr) and refresh token rotation (90d) (M3) - Hash client secrets before storage (L3) Architecture: - Extract batch-broadcast.js — shared delivery logic (H1a) - Extract init-indexes.js — MongoDB index creation (H1b) - Extract syndicator.js — syndication logic (H1c) - Create federation-actions.js facade for controllers (M6) - index.js reduced from 1810 to ~1169 lines (35%) Performance: - Cache moderation data with 30s TTL + write invalidation (H6) - Increase inbox queue throughput to 10 items/sec (H5) - Make account enrichment non-blocking with fire-and-forget (H4) - Remove ephemeral getReplies/getLikes/getShares from ingest (M11) - Fix LRU caches to use true LRU eviction (L1) - Fix N+1 backfill queries with batch $in lookup (L2) UI/UX: - Split 3441-line reader.css into 15 feature-scoped files (H2) - Extract inline Alpine.js interaction component (H3) - Reduce sidebar navigation from 7 to 3 items (M7) - Add ARIA live regions for dynamic content updates (M8) - Extract shared CW/non-CW content partial (M9) - Document form handling pattern convention (M10) - Add accessible labels to functional emoji icons (L4) - Convert profile editor to Alpine.js (L5) Audit: documentation-central/audits/2026-03-24-activitypub-code-review.md Plan: documentation-central/plans/2026-03-24-activitypub-audit-fixes.md
85 lines
2.9 KiB
JavaScript
85 lines
2.9 KiB
JavaScript
/**
|
|
* Enrich embedded account objects in serialized statuses with real
|
|
* follower/following/post counts from remote AP collections.
|
|
*
|
|
* Applies cached stats immediately. Uncached accounts are resolved
|
|
* in the background (fire-and-forget) and will be populated for
|
|
* subsequent requests.
|
|
*/
|
|
import { getCachedAccountStats } from "./account-cache.js";
|
|
import { resolveRemoteAccount } from "./resolve-account.js";
|
|
|
|
/**
|
|
* Enrich account objects in a list of serialized statuses.
|
|
* Applies cached stats synchronously. Uncached accounts are resolved
|
|
* in the background for future requests.
|
|
*
|
|
* @param {Array} statuses - Serialized Mastodon Status objects (mutated in place)
|
|
* @param {object} pluginOptions - Plugin options with federation context
|
|
* @param {string} baseUrl - Server base URL
|
|
*/
|
|
export async function enrichAccountStats(statuses, pluginOptions, baseUrl) {
|
|
if (!statuses?.length || !pluginOptions?.federation) return;
|
|
|
|
const uncachedUrls = [];
|
|
|
|
for (const status of statuses) {
|
|
applyCachedOrCollect(status.account, uncachedUrls);
|
|
if (status.reblog?.account) {
|
|
applyCachedOrCollect(status.reblog.account, uncachedUrls);
|
|
}
|
|
}
|
|
|
|
// Fire-and-forget background enrichment for uncached accounts.
|
|
// Next request will pick up the cached results.
|
|
if (uncachedUrls.length > 0) {
|
|
resolveInBackground(uncachedUrls, pluginOptions, baseUrl);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Apply cached stats to an account, or collect its URL for background resolution.
|
|
* @param {object} account - Account object to enrich
|
|
* @param {string[]} uncachedUrls - Array to collect uncached URLs into
|
|
*/
|
|
function applyCachedOrCollect(account, uncachedUrls) {
|
|
if (!account?.url) return;
|
|
|
|
// Already has real counts — skip
|
|
if (account.followers_count > 0 || account.statuses_count > 0) return;
|
|
|
|
const cached = getCachedAccountStats(account.url);
|
|
if (cached) {
|
|
account.followers_count = cached.followersCount || 0;
|
|
account.following_count = cached.followingCount || 0;
|
|
account.statuses_count = cached.statusesCount || 0;
|
|
if (cached.createdAt) account.created_at = cached.createdAt;
|
|
return;
|
|
}
|
|
|
|
if (!uncachedUrls.includes(account.url)) {
|
|
uncachedUrls.push(account.url);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Resolve accounts in background. Fire-and-forget — errors are silently ignored.
|
|
* resolveRemoteAccount() populates the account cache as a side effect.
|
|
* @param {string[]} urls - Actor URLs to resolve
|
|
* @param {object} pluginOptions - Plugin options
|
|
* @param {string} baseUrl - Server base URL
|
|
*/
|
|
function resolveInBackground(urls, pluginOptions, baseUrl) {
|
|
const unique = [...new Set(urls)];
|
|
const CONCURRENCY = 5;
|
|
|
|
(async () => {
|
|
for (let i = 0; i < unique.length; i += CONCURRENCY) {
|
|
const batch = unique.slice(i, i + CONCURRENCY);
|
|
await Promise.allSettled(
|
|
batch.map((url) => resolveRemoteAccount(url, pluginOptions, baseUrl)),
|
|
);
|
|
}
|
|
})().catch(() => {});
|
|
}
|