All five 3.7.x releases published 2026-03-21 in one pass. Changes from upstream: - lib/lookup-helpers.js: lookupWithSecurity → async with signed→unsigned fallback (handles servers like tags.pub that return 400 on signed GETs) - lib/mastodon/helpers/account-cache.js: add reverse lookup map (hashId → actorUrl) populated by cacheAccountStats(); export getActorUrlFromId() for follow/unfollow resolution - lib/mastodon/helpers/enrich-accounts.js: NEW — enrichAccountStats() enriches embedded account objects in serialized statuses with real follower/following/post counts; Phanpy never calls /accounts/:id so counts were always 0 without this - lib/mastodon/routes/timelines.js: call enrichAccountStats() after serialising home, public, and hashtag timelines - lib/mastodon/routes/statuses.js: processStatusContent() linkifies bare URLs and converts @user@domain mentions to <a> links; extractMentions() builds mention list; date lookup now tries both .000Z and bare Z suffixes - lib/mastodon/routes/stubs.js: /api/v1/domain_blocks now returns real blocked-server hostnames from ap_blocked_servers instead of [] - lib/mastodon/routes/accounts.js: /accounts/relationships computes domain_blocking using ap_blocked_servers; resolveActorUrl() falls back to getActorUrlFromId() cache for timeline-author resolution - lib/controllers/federation-mgmt.js: fetch blocked servers, blocked accounts, and muted accounts in parallel; pass to template - views/activitypub-federation-mgmt.njk: add Moderation section showing blocked servers, blocked accounts, and muted accounts - package.json: bump version 3.6.8 → 3.7.5 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/**
* Centralized wrapper for ctx.lookupObject() with FEP-fe34 origin-based
* security. All lookupObject calls MUST go through this helper so the
* crossOrigin policy is applied consistently.
*
* @module lookup-helpers
*/
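/**
 * Look up a remote ActivityPub object with cross-origin security.
 *
 * FEP-fe34 prevents spoofed attribution attacks by verifying that a
 * fetched object's `id` matches the origin of the URL used to fetch it.
 * This helper always passes `crossOrigin: "ignore"` so Fedify silently
 * discards objects whose id doesn't match the fetch origin, rather than
 * throwing. The value is pinned: a `crossOrigin` key in `options` is
 * overridden, because this helper is the single enforcement point for the
 * policy (see module doc) and the fallback logic below assumes that a
 * mismatch yields `null` rather than an exception.
 *
 * When an authenticated document loader is provided (for Authorized Fetch
 * compatibility), the lookup is tried with it first. If that yields no
 * object — whether `lookupObject` threw or returned `null` (some servers,
 * e.g. tags.pub, answer signed GETs with 400) — a fallback to the default
 * unsigned loader is attempted automatically. The fallback is a
 * transport-level downgrade only: every other option, including the
 * cross-origin check, still applies to the unsigned fetch.
 *
 * NOTE(review): the fallback cannot tell "server rejected the signature"
 * apart from "object does not exist", so a genuine miss costs a second,
 * unsigned request. Failures of both attempts are deliberately swallowed
 * (best-effort lookup); callers receive `null` and no diagnostic.
 *
 * @param {object} ctx - Fedify Context
 * @param {string|URL} input - URL or handle to look up
 * @param {object} [options] - Additional options passed to lookupObject
 *   (e.g. `documentLoader`, `contextLoader`). `null` is treated as `{}`.
 * @returns {Promise<object|null>} Resolved object or null
 */
export async function lookupWithSecurity(ctx, input, options = {}) {
  // The `= {}` default only covers `undefined`; tolerate an explicit null
  // so the documentLoader check below cannot throw.
  const callerOptions = options ?? {};

  // Policy is spread LAST so a caller cannot weaken it to "trust" or
  // switch it to "throw" (which would defeat the null-based fallback).
  const signedOptions = { ...callerOptions, crossOrigin: "ignore" };

  // One attempt: any throw is folded into "not found" (best-effort).
  const attempt = async (opts) => {
    try {
      return (await ctx.lookupObject(input, opts)) ?? null;
    } catch {
      return null;
    }
  };

  const signedResult = await attempt(signedOptions);
  if (signedResult !== null) {
    return signedResult;
  }

  // Without a custom loader there is nothing to downgrade to.
  if (!callerOptions.documentLoader) {
    return null;
  }

  // Retry with the default (unsigned) loader; keep every other option,
  // in particular the pinned crossOrigin policy.
  const { documentLoader: _unused, ...unsignedOptions } = signedOptions;
  return attempt(unsignedOptions);
}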