mirror of
https://github.com/svemagie/indiekit-endpoint-activitypub.git
synced 2026-04-02 15:44:58 +02:00
12454749ad
27 issues fixed from multi-dimensional code review (4 Critical, 6 High, 11 Medium, 6 Low): Security (Critical): - Escape HTML in OAuth authorization page to prevent XSS (C1) - Add CSRF protection to OAuth authorize flow (C2) - Replace bypassable regex sanitizer with sanitize-html library (C3) - Enforce OAuth scopes on all Mastodon API routes (C4) Security (Medium/Low): - Fix SSRF via DNS resolution before private IP check (M1) - Add rate limiting to API, auth, and app registration endpoints (M2) - Validate redirect_uri on POST /oauth/authorize (M4) - Fix custom emoji URL injection with scheme validation + escaping (M5) - Remove data: scheme from allowed image sources (L6) - Add access token expiry (1hr) and refresh token rotation (90d) (M3) - Hash client secrets before storage (L3) Architecture: - Extract batch-broadcast.js — shared delivery logic (H1a) - Extract init-indexes.js — MongoDB index creation (H1b) - Extract syndicator.js — syndication logic (H1c) - Create federation-actions.js facade for controllers (M6) - index.js reduced from 1810 to ~1169 lines (35%) Performance: - Cache moderation data with 30s TTL + write invalidation (H6) - Increase inbox queue throughput to 10 items/sec (H5) - Make account enrichment non-blocking with fire-and-forget (H4) - Remove ephemeral getReplies/getLikes/getShares from ingest (M11) - Fix LRU caches to use true LRU eviction (L1) - Fix N+1 backfill queries with batch $in lookup (L2) UI/UX: - Split 3441-line reader.css into 15 feature-scoped files (H2) - Extract inline Alpine.js interaction component (H3) - Reduce sidebar navigation from 7 to 3 items (M7) - Add ARIA live regions for dynamic content updates (M8) - Extract shared CW/non-CW content partial (M9) - Document form handling pattern convention (M10) - Add accessible labels to functional emoji icons (L4) - Convert profile editor to Alpine.js (L5) Audit: documentation-central/audits/2026-03-24-activitypub-code-review.md Plan: documentation-central/plans/2026-03-24-activitypub-audit-fixes.md
127 lines
4.3 KiB
Plaintext
127 lines
4.3 KiB
Plaintext
{% extends "document.njk" %}
|
|
|
|
{% from "heading/macro.njk" import heading with context %}
|
|
{% from "input/macro.njk" import input with context %}
|
|
{% from "textarea/macro.njk" import textarea with context %}
|
|
{% from "checkboxes/macro.njk" import checkboxes with context %}
|
|
{% from "radios/macro.njk" import radios with context %}
|
|
{% from "button/macro.njk" import button with context %}
|
|
{% from "notification-banner/macro.njk" import notificationBanner with context %}
|
|
{% from "prose/macro.njk" import prose with context %}
|
|
|
|
{% block content %}
|
|
{% if result %}
|
|
{{ notificationBanner({ type: result.type, text: result.text }) }}
|
|
{% endif %}
|
|
|
|
{{ prose({ text: __("activitypub.profile.intro") }) }}
|
|
|
|
<form method="post" novalidate>
|
|
{{ input({
|
|
name: "name",
|
|
label: __("activitypub.profile.nameLabel"),
|
|
hint: __("activitypub.profile.nameHint"),
|
|
value: profile.name
|
|
}) }}
|
|
|
|
{{ textarea({
|
|
name: "summary",
|
|
label: __("activitypub.profile.summaryLabel"),
|
|
hint: __("activitypub.profile.summaryHint"),
|
|
value: profile.summary,
|
|
rows: 4
|
|
}) }}
|
|
|
|
{{ input({
|
|
name: "url",
|
|
label: __("activitypub.profile.urlLabel"),
|
|
hint: __("activitypub.profile.urlHint"),
|
|
value: profile.url,
|
|
type: "url"
|
|
}) }}
|
|
|
|
{{ input({
|
|
name: "icon",
|
|
label: __("activitypub.profile.iconLabel"),
|
|
hint: __("activitypub.profile.iconHint"),
|
|
value: profile.icon,
|
|
type: "url"
|
|
}) }}
|
|
|
|
{{ input({
|
|
name: "image",
|
|
label: __("activitypub.profile.imageLabel"),
|
|
hint: __("activitypub.profile.imageHint"),
|
|
value: profile.image,
|
|
type: "url"
|
|
}) }}
|
|
|
|
{{ radios({
|
|
name: "actorType",
|
|
fieldset: {
|
|
legend: __("activitypub.profile.actorTypeLabel")
|
|
},
|
|
hint: __("activitypub.profile.actorTypeHint"),
|
|
items: [{
|
|
label: "Person",
|
|
value: "Person"
|
|
}, {
|
|
label: "Service",
|
|
value: "Service"
|
|
}, {
|
|
label: "Organization",
|
|
value: "Organization"
|
|
}],
|
|
values: [profile.actorType or "Person"]
|
|
}) }}
|
|
|
|
<fieldset class="fieldset" style="margin-block-end: var(--space-l);" x-data="{ links: [{% if profile.attachments and profile.attachments.length > 0 %}{% for att in profile.attachments %}{ name: {{ att.name | dump | safe }}, value: {{ att.value | dump | safe }} }{% if not loop.last %},{% endif %}{% endfor %}{% endif %}] }">
|
|
<legend class="label">{{ __("activitypub.profile.linksLabel") }}</legend>
|
|
<p class="hint">{{ __("activitypub.profile.linksHint") }}</p>
|
|
|
|
<template x-for="(link, index) in links" :key="index">
|
|
<div class="profile-link-row" style="display: grid; grid-template-columns: 1fr 2fr auto; gap: var(--space-s); align-items: end; margin-block-end: var(--space-s);">
|
|
<div>
|
|
<label class="label">{{ __("activitypub.profile.linkNameLabel") }}</label>
|
|
<input class="input" type="text" :name="'link_name[]'" x-model="link.name" placeholder="Website">
|
|
</div>
|
|
<div>
|
|
<label class="label">{{ __("activitypub.profile.linkValueLabel") }}</label>
|
|
<input class="input" type="url" :name="'link_value[]'" x-model="link.value" placeholder="https://example.com">
|
|
</div>
|
|
<button type="button" class="button button--small profile-link-remove" style="margin-block-end: 4px;" @click="links.splice(index, 1)">{{ __("activitypub.profile.removeLink") }}</button>
|
|
</div>
|
|
</template>
|
|
|
|
<button type="button" class="button button--small" @click="links.push({ name: '', value: '' })">{{ __("activitypub.profile.addLink") }}</button>
|
|
</fieldset>
|
|
|
|
{{ checkboxes({
|
|
name: "manuallyApprovesFollowers",
|
|
items: [
|
|
{
|
|
label: __("activitypub.profile.manualApprovalLabel"),
|
|
value: "true",
|
|
hint: __("activitypub.profile.manualApprovalHint")
|
|
}
|
|
],
|
|
values: ["true"] if profile.manuallyApprovesFollowers else []
|
|
}) }}
|
|
|
|
{{ checkboxes({
|
|
name: "authorizedFetch",
|
|
items: [
|
|
{
|
|
label: __("activitypub.profile.authorizedFetchLabel"),
|
|
value: "true",
|
|
hint: __("activitypub.profile.authorizedFetchHint")
|
|
}
|
|
],
|
|
values: ["true"] if profile.authorizedFetch else []
|
|
}) }}
|
|
|
|
{{ button({ text: __("activitypub.profile.save") }) }}
|
|
</form>
|
|
|
|
{% endblock %}
|