-```
-
-### Task 0.10: Update templates to use unified component
-
-**Files:** `views/activitypub-reader.njk`, `views/activitypub-explore.njk`
-
-Replace `x-data="apExploreScroll"` with `x-data="apInfiniteScroll"` using the parameterized data attributes. Remove the `apExploreScroll` component definition.
-
-### Task 0.11: Verify no regressions
-
-Manual testing:
-- Reader timeline loads, infinite scroll works, new posts banner works
-- Explore search tab loads, infinite scroll works
-- Explore pinned tabs load, load-more buttons work
-- Quote embeds render in both views
-- Moderation filtering still works in reader
-- Interaction state (likes/boosts) still shows in reader
-- Read tracking still works
-
-### Files changed
-
-| File | Change |
-|------|--------|
-| `lib/item-processing.js` | **New** — `postProcessItems()`, `applyModerationFilters()`, `buildInteractionMap()`, `renderItemCards()`, `applyTabFilter()`, `stripQuoteReferences()` |
-| `lib/controllers/reader.js` | Simplified — uses `postProcessItems()` |
-| `lib/controllers/api-timeline.js` | Simplified — uses `postProcessItems()` + `renderItemCards()` |
-| `lib/controllers/explore.js` | Simplified — uses `fetchMastodonTimeline()`, `postProcessItems()`, `renderItemCards()` |
-| `assets/reader-infinite-scroll.js` | Unified — single `apInfiniteScroll` component replaces two |
-| `views/activitypub-reader.njk` | Updated data attributes for unified scroll component |
-| `views/activitypub-explore.njk` | Updated data attributes for unified scroll component |
-
-### Impact on subsequent releases
-
-After Release 0, every improvement only needs to be added in ONE place:
-
-| Enhancement | Before Release 0 | After Release 0 |
-|-------------|-------------------|-----------------|
-| Custom emoji | `timeline-store.js` + `explore-utils.js` + `reader.js` + `explore.js` | `item-processing.js` (single post-process step) |
-| Quote stripping | 4 locations | `item-processing.js` only |
-| Moderation | 2 locations | `item-processing.js` only |
-| New content transforms | Must add to both pipelines | Single pipeline |
-
----
-
-## Release 1: Custom Emoji Rendering (v2.5.0)
-
-**Impact:** High — Custom emoji is ubiquitous on the fediverse. Without it, display names show raw `:shortcode:` text and post content loses visual meaning.
-
-### Task 1.1: Store emoji data from ActivityPub inbox
-
-**File:** `lib/timeline-store.js`
-
-`extractObjectData()` currently ignores emoji data. Fedify's `Note`/`Article` objects expose custom emoji via the `getTags()` call — emoji are `Emoji` instances (a subclass of `Flag`) in the tags array, alongside `Hashtag` and `Mention`.
-
-**Changes:**
-- In the tag extraction loop (~line 190), check for Fedify `Emoji` instances
-- Each Emoji has: `name` (`:shortcode:` with colons), and an `icon` property (an `Image` with `url`)
-- Extract to an `emojis` array: `[{ shortcode: "blobcat", url: "https://..." }]`
-- Add `emojis` to the returned item object
-- Also extract emojis from the actor object in `extractActorInfo()` for display name emoji
-
-**Stored data shape:**
-```js
-emojis: [
- { shortcode: "blobcat", url: "https://cdn.example/emoji/blobcat.png" },
- { shortcode: "verified", url: "https://cdn.example/emoji/verified.png" }
-]
-```
-
-### Task 1.2: Store emoji data from Mastodon REST API (explore view)
-
-**File:** `lib/controllers/explore-utils.js`
-
-Mastodon's REST API v1 returns `status.emojis` as an array of `{ shortcode, url, static_url, visible_in_picker }` objects, and `status.account.emojis` for display name emoji.
-
-**Changes:**
-- In `mapMastodonStatusToItem()`, extract `status.emojis` → `item.emojis`
-- Extract `account.emojis` → `item.author.emojis`
-- Normalize to same shape as Task 1.1: `[{ shortcode, url }]`
-
-### Task 1.3: Create emoji replacement utility
-
-**File:** `lib/emoji-utils.js` (new)
-
-A small utility that replaces `:shortcode:` patterns with `![]()
` tags. Used in both content HTML and display names.
-
-```js
-export function replaceCustomEmoji(html, emojis) {
- if (!emojis?.length) return html;
- for (const emoji of emojis) {
- const pattern = new RegExp(`:${escapeRegex(emoji.shortcode)}:`, "g");
- html = html.replace(pattern,
- `
`
- );
- }
- return html;
-}
-```
-
-Must escape regex special characters in shortcodes. Must be called AFTER `sanitizeContent()` (which would strip the `![]()
` tags if run after).
-
-### Task 1.4: Apply emoji replacement in content pipeline
-
-**File:** `lib/item-processing.js`
-
-Add an `applyCustomEmoji(items)` step to `postProcessItems()`. Since both reader and explore flow through this single function (after Release 0), emoji replacement happens once for all items regardless of source.
-
-```js
-// Inside postProcessItems(), after quote stripping:
-applyCustomEmoji(items);
-```
-
-The function iterates items, calling `replaceCustomEmoji(item.content.html, item.emojis)` on each.
-
-### Task 1.5: Apply emoji replacement in display names
-
-**File:** `lib/item-processing.js`
-
-Add emoji replacement for display names inside the same `applyCustomEmoji()` step:
-
-```js
-if (item.author?.emojis?.length && item.author.name) {
- item.author.nameHtml = replaceCustomEmoji(
- sanitizeHtml(item.author.name, { allowedTags: [], allowedAttributes: {} }),
- item.author.emojis,
- );
-}
-```
-
-This adds `author.nameHtml` alongside existing `author.name`. Template renders `nameHtml | safe` when present, falls back to `name`.
-
-### Task 1.6: Add emoji CSS
-
-**File:** `assets/reader.css`
-
-```css
-.ap-custom-emoji {
- height: 1.2em;
- width: auto;
- vertical-align: middle;
- display: inline;
- margin: 0 0.05em;
-}
-```
-
-### Task 1.7: Update sanitize-html allowlist
-
-**File:** `lib/timeline-store.js` (or wherever `sanitizeContent` config lives)
-
-The `sanitize-html` configuration must allow `![]()
` tags with class `ap-custom-emoji` through — but only for emoji images, not arbitrary remote images. Since emoji replacement happens AFTER sanitization, this isn't an issue: the emoji `![]()
` tags are inserted post-sanitization and never pass through the sanitizer.
-
-Verify this ordering is correct in both codepaths (inbox + explore).
-
-### Task 1.8: Store emoji in MongoDB
-
-**File:** `lib/storage/timeline.js`
-
-Add `emojis` to the stored fields in `addTimelineItem()`. Also add `author.emojis` if storing per-author emoji data.
-
----
-
-## Release 2: Relative Timestamps (v2.5.1)
-
-**Impact:** High — Every fediverse client shows "2m ago" instead of "Feb 25, 2026, 4:46 PM". Relative timestamps are dramatically faster to scan when reading a timeline.
-
-### Task 2.1: Create relative time Alpine directive
-
-**File:** `assets/reader-relative-time.js` (new)
-
-A small Alpine.js directive that:
-1. Reads `datetime` attribute from a `
` that closes `.ap-item__content`) and before attachments/link preview, add:
-
-```nunjucks
- {# Poll options #}
- {% if item.type == "question" or (item.pollOptions and item.pollOptions.length > 0) %}
- {% include "partials/ap-poll-options.njk" %}
- {% endif %}
-```
-
-### Step 7: Add CSS for poll rendering
-
-In `assets/reader.css`, add a new section:
-
-```css
-/* ==========================================================================
- Poll / Question
- ========================================================================== */
-
-.ap-poll {
- margin-top: var(--space-s);
-}
-
-.ap-poll__option {
- position: relative;
- padding: var(--space-xs) var(--space-s);
- margin-bottom: var(--space-xs);
- border-radius: var(--border-radius-small);
- background: var(--color-offset);
- overflow: hidden;
-}
-
-.ap-poll__bar {
- position: absolute;
- top: 0;
- left: 0;
- bottom: 0;
- background: var(--color-primary);
- opacity: 0.15;
- border-radius: var(--border-radius-small);
-}
-
-.ap-poll__label {
- position: relative;
- font-size: var(--font-size-s);
- color: var(--color-on-background);
-}
-
-.ap-poll__votes {
- position: relative;
- float: right;
- font-size: var(--font-size-s);
- font-weight: 600;
- color: var(--color-on-offset);
-}
-
-.ap-poll__footer {
- font-size: var(--font-size-xs);
- color: var(--color-on-offset);
- margin-top: var(--space-xs);
-}
-```
-
-### Step 8: Add i18n strings
-
-In `locales/en.json`, add:
-
-```json
-"poll": {
- "voters": "voters",
- "votes": "votes",
- "closed": "Poll closed",
- "endsAt": "Ends"
-}
-```
-
-### Step 9: Verify syntax
-
-Run: `node -c lib/timeline-store.js`
-Expected: No errors
-
-### Step 10: Commit
-
-```bash
-git add lib/timeline-store.js views/partials/ap-poll-options.njk views/partials/ap-item-card.njk assets/reader.css locales/en.json
-git commit -m "feat: inbound poll/question support — parse and render vote options"
-```
-
----
-
-## Task 5: Flag Handler (Inbound Reports)
-
-Other fediverse servers can send `Flag` activities to report abusive content or actors. Currently these are silently dropped. This task adds a `Flag` inbox listener, an `ap_reports` collection, admin notification, and a reports view in the moderation dashboard.
-
-**Files:**
-- Modify: `lib/inbox-listeners.js` (add Flag handler)
-- Modify: `index.js` (register ap_reports collection + indexes)
-- Modify: `lib/storage/notifications.js:129` (add "report" to type counts)
-- Modify: `views/partials/ap-notification-card.njk` (add report notification type)
-- Modify: `views/activitypub-notifications.njk` (add Reports tab)
-- Modify: `lib/controllers/reader.js` (add "report" to validTabs)
-- Modify: `locales/en.json` (add report i18n strings)
-
-### Step 1: Register `ap_reports` collection in `index.js`
-
-In the collection registration block (around line 891), add:
-
-```javascript
-Indiekit.addCollection("ap_reports");
-```
-
-In the collection storage block (around line 910), add:
-
-```javascript
-ap_reports: indiekitCollections.get("ap_reports"),
-```
-
-In the indexes block (around line 1000), add:
-
-```javascript
-// ap_reports indexes
-try {
- await this._collections.ap_reports.createIndex(
- { createdAt: 1 },
- { expireAfterSeconds: notifRetention || undefined },
- );
- await this._collections.ap_reports.createIndex({ reporterUrl: 1 });
- await this._collections.ap_reports.createIndex({ reportedUrl: 1 });
-} catch {
- // Indexes may already exist
-}
-```
-
-### Step 2: Add Flag inbox listener
-
-In `lib/inbox-listeners.js`, add the `Flag` import to the destructure from `@fedify/fedify/vocab` (around line 6-24). Then add a new handler after the Block handler (after line ~744):
-
-```javascript
- // ── Flag (Report) ──────────────────────────────────────────────
- .on(Flag, async (ctx, flag) => {
- try {
- const authLoader = getAuthLoader ? await getAuthLoader(ctx) : undefined;
- const actorObj = await flag.getActor({ documentLoader: authLoader }).catch(() => null);
-
- const reporterUrl = actorObj?.id?.href || flag.actorId?.href || "";
- const reporterName = actorObj?.name?.toString() || actorObj?.preferredUsername?.toString() || reporterUrl;
-
- // Extract reported objects — Flag can report actors or posts
- const reportedIds = flag.objectIds?.map((u) => u.href) || [];
- const reason = flag.content?.toString() || "";
-
- if (reportedIds.length === 0 && !reason) {
- console.info("[ActivityPub] Ignoring empty Flag from", reporterUrl);
- return;
- }
-
- // Store report
- if (collections.ap_reports) {
- await collections.ap_reports.insertOne({
- reporterUrl,
- reporterName,
- reportedUrls: reportedIds,
- reason,
- createdAt: new Date().toISOString(),
- read: false,
- });
- }
-
- // Create notification
- if (collections.ap_notifications) {
- const { addNotification } = await import("./storage/notifications.js");
- await addNotification(collections, {
- uid: `flag:${reporterUrl}:${Date.now()}`,
- type: "report",
- actorUrl: reporterUrl,
- actorName: reporterName,
- actorPhoto: actorObj?.iconUrl?.href || actorObj?.icon?.url?.href || "",
- actorHandle: actorObj?.preferredUsername
- ? `@${actorObj.preferredUsername}@${new URL(reporterUrl).hostname}`
- : reporterUrl,
- objectUrl: reportedIds[0] || "",
- summary: reason ? reason.slice(0, 200) : "Report received",
- published: new Date().toISOString(),
- });
- }
-
- await logActivity(collections, {
- direction: "inbound",
- type: "Flag",
- actorUrl: reporterUrl,
- objectUrl: reportedIds[0] || "",
- summary: `Report from ${reporterName}: ${reason.slice(0, 100)}`,
- });
-
- console.info(`[ActivityPub] Flag received from ${reporterName} — ${reportedIds.length} objects reported`);
- } catch (error) {
- console.warn("[ActivityPub] Flag handler error:", error.message);
- }
- })
-```
-
-### Step 3: Update notification type handling
-
-In `lib/storage/notifications.js`, in `getNotificationCountsByType()` (around line 129), add `report: 0` to the counts object:
-
-```javascript
-const counts = { all: 0, reply: 0, like: 0, boost: 0, follow: 0, dm: 0, report: 0 };
-```
-
-And add the case to handle `_id === "report"`.
-
-### Step 4: Update notification card template
-
-In `views/partials/ap-notification-card.njk`, add the report type badge and action text:
-
-Type badge (alongside other `elif` checks):
-```nunjucks
-{% elif item.type == "report" %}⚑
-```
-
-Action text:
-```nunjucks
-{% elif item.type == "report" %}{{ __("activitypub.reports.sentReport") }}
-```
-
-### Step 5: Add Reports tab to notifications
-
-In `views/activitypub-notifications.njk`, add a Reports tab alongside the DMs tab:
-
-```nunjucks
-
- {{ __("activitypub.notifications.tabs.reports") }}
- {% if counts.report > 0 %}
- {{ counts.report }}
- {% endif %}
-
-```
-
-### Step 6: Add "report" to valid tabs
-
-In `lib/controllers/reader.js`, add `"report"` to the `validTabs` array:
-
-```javascript
-const validTabs = ["all", "reply", "like", "boost", "follow", "dm", "report"];
-```
-
-### Step 7: Add i18n strings
-
-In `locales/en.json`, add:
-
-```json
-"reports": {
- "sentReport": "filed a report",
- "title": "Reports"
-}
-```
-
-And add to `notifications.tabs`:
-
-```json
-"reports": "Reports"
-```
-
-### Step 8: Verify syntax
-
-Run: `node -c lib/inbox-listeners.js && node -c lib/storage/notifications.js && node -c index.js`
-Expected: No errors
-
-### Step 9: Commit
-
-```bash
-git add lib/inbox-listeners.js lib/storage/notifications.js views/partials/ap-notification-card.njk views/activitypub-notifications.njk lib/controllers/reader.js locales/en.json index.js
-git commit -m "feat: inbound Flag handler — receive and display abuse reports"
-```
-
----
-
-## Verification Plan
-
-After all tasks are implemented:
-
-1. **Outbound Delete** — Create a test post, syndicate to fediverse. Delete from Indiekit. Call `POST /activitypub/admin/federation/delete` with the post URL. Check activity log shows outbound Delete. Verify from a Mastodon account that the post is removed.
-
-2. **Visibility** — Set `defaultVisibility: "unlisted"` in config. Create a post. Check from Mastodon that the post appears in the home timeline of followers but NOT on the public/federated timeline. Reset to "public".
-
-3. **Content Warning** — Create a post with `sensitive: true` and a `summary` field via Micropub. Verify from Mastodon that the post shows behind a CW toggle with the summary text.
-
-4. **Polls** — From Mastodon, create a poll and post it. View the reader timeline. Verify poll options render with percentage bars and voter count.
-
-5. **Reports** — From a Mastodon instance, report the test actor. Check that:
- - A notification appears in the Reports tab
- - The activity log shows an inbound Flag
- - The `ap_reports` collection has the report entry
-
----
-
-## Summary
-
-| Task | Gap Closed | Priority | Files Changed |
-|------|-----------|----------|---------------|
-| 1 | Outbound Delete | P1 — High | index.js, new controller, en.json |
-| 2 | Unlisted + Followers-only | P1/P2 | jf2-to-as2.js, index.js |
-| 3 | Content Warning (outbound) | P2 | jf2-to-as2.js |
-| 4 | Question/Poll (inbound) | P2 | timeline-store.js, new partial, item-card, CSS, en.json |
-| 5 | Flag Handler (inbound) | P2 | inbox-listeners.js, notifications.js, templates, en.json, index.js |
-| — | Block (outbound) | **Already implemented** | No work needed |
-
-**Estimated coverage after implementation:** ~85% of Fedify capabilities, ~98% of real-world fediverse traffic.
diff --git a/docs/research/2026-03-03-elk-phanpy-comparison.md b/docs/research/2026-03-03-elk-phanpy-comparison.md
deleted file mode 100644
index 105d795..0000000
--- a/docs/research/2026-03-03-elk-phanpy-comparison.md
+++ /dev/null
@@ -1,440 +0,0 @@
-# Elk & Phanpy Deep Dive — Lessons for Our ActivityPub Reader
-
-**Date:** 2026-03-03
-**Purpose:** Identify concrete improvements by comparing our reader with two best-in-class fediverse clients.
-
----
-
-## Architecture Comparison
-
-| Aspect | Elk (Vue/Nuxt) | Phanpy (React/Vite) | Our Reader (Nunjucks/Alpine) |
-|--------|----------------|---------------------|------------------------------|
-| Rendering | Client-side SPA | Client-side SPA | Server-side HTML + Alpine sprinkles |
-| Content processing | AST parse → VNode tree | DOM manipulation pipeline | Server-side sanitize-html |
-| State management | Vue refs + composables | Valtio proxy state | Alpine.js `x-data` components |
-| Pagination | Virtual scroller + stream | IntersectionObserver + debounce | IntersectionObserver + cursor |
-| CSS | UnoCSS (Tailwind-like) | CSS Modules + custom properties | Indiekit theme custom properties |
-
-**Key insight:** Both Elk and Phanpy are full SPAs with rich client-side rendering. Our server-rendered approach is fundamentally different — we can't replicate everything, but we can cherry-pick the most impactful patterns.
-
----
-
-## 1. Content Rendering
-
-### What Elk & Phanpy Do Better
-
-**Elk's content pipeline:**
-1. Parse HTML into AST (ultrahtml)
-2. Sanitize with element whitelist
-3. Transform mentions → interactive hover cards
-4. Transform hashtags → hover cards with usage stats
-5. Transform emoji shortcodes → inline images with tooltips
-6. Transform code blocks (backtick syntax)
-7. Render as Vue VNodes
-
-**Phanpy's content pipeline:**
-1. Parse HTML into DOM
-2. Shorten long URLs (>30 chars): `https://...example.com/long`
-3. Detect hashtag stuffing (3+ tags in paragraph) → collapse
-4. Replace custom emoji shortcodes with ``
-6. Add `is-quote` class to quote links in content
-7. Wrap bare text in `` for Safari text-decoration fix
-
-### What We're Missing
-
-| Feature | Elk | Phanpy | Us | Priority |
-|---------|-----|--------|-----|----------|
-| Custom emoji rendering | ✅ `:emoji:` → `![]()
` with tooltip | ✅ `:emoji:` → `![]()
` | ❌ Raw shortcodes shown | **High** |
-| Long URL shortening | ❌ | ✅ Truncate >30 chars | ❌ Full URLs shown | Medium |
-| Hashtag stuffing collapse | ❌ | ✅ 3+ tags collapsed | ❌ All tags shown inline | Low |
-| Mention hover cards | ✅ Full profile card on hover | ❌ | ❌ Links only | Low (needs client JS) |
-| Code block rendering | ✅ Syntax highlighting | ✅ Backtick → `` | ❌ Pass-through only | Low |
-| Inline code | ✅ | ✅ Backtick → `` | ❌ | Low |
-
-### Recommended Action: Custom Emoji
-
-Both clients treat this as essential. Implementation for server-rendered HTML:
-
-In `sanitizeContent()` or a new `processEmoji()` step, replace `:shortcode:` with `![]()
` tags using the emoji data from the Mastodon API status object (`status.emojis` array). Each emoji has `{ shortcode, url, static_url }`.
-
-```js
-// In timeline-store.js or explore-utils.js
-function replaceCustomEmoji(html, emojis) {
- if (!emojis?.length) return html;
- for (const emoji of emojis) {
- const re = new RegExp(`:${emoji.shortcode}:`, 'g');
- html = html.replace(re,
- ``
- );
- }
- return html;
-}
-```
-
-CSS: `.ap-custom-emoji { height: 1.2em; vertical-align: middle; display: inline; }`
-
----
-
-## 2. Quote Posts
-
-### How Elk Handles Quotes
-
-- Dedicated `StatusQuote.vue` component
-- Handles **7 quote states**: pending, revoked, deleted, blocked_account, blocked_domain, muted_account, rejected, accepted
-- Only renders full quote embed for `accepted` state
-- Renders as a nested `StatusCard` inside a `` element
-- Supports shallow quotes (fetch on render) and pre-embedded quotes
-- Nesting limit: shows full card for levels 0-2, then author-only for 3+
-
-### How Phanpy Handles Quotes
-
-- `QuoteStatus` / `ShallowQuote` components
-- Full quote chain unwrapping (follows `quotedStatusId` up to 30 levels!)
-- Handles unfulfilled states (deleted, blocked, muted) with icon + message + optional "Show anyway" button
-- Marks quote links in parent content with `is-quote` CSS class (to visually distinguish them)
-- Nesting limit: level 3+ shows `@author …` only
-- State tracked in Valtio: `states.statusQuotes[statusKey]`
-
-### What We Should Adopt
-
-| Feature | Status | Priority |
-|---------|--------|----------|
-| Basic quote embed (author, content, photo) | ✅ Done (v2.4.3) | — |
-| Strip RE: link when quote renders | ✅ Done (v2.4.2) | — |
-| Quote state handling (deleted, pending) | ❌ We show stale/broken embeds | Medium |
-| Mark quote links in content CSS | ❌ Quote link looks like any other link | **High** |
-| Quote nesting depth limit | ❌ No nesting at all yet | Low |
-
-### Recommended Action: Quote Link Styling
-
-When we strip the `RE: ` paragraph, the remaining content is clean. But if we DON'T strip it (e.g., quote not yet fetched), the link should look distinct. Phanpy adds `is-quote` class. We could do this in `sanitizeContent` or in the template.
-
----
-
-## 3. Media Rendering
-
-### Elk's Media System
-
-- **Grid layouts**: 1 item = full width, 2 = 50/50, 3-4 = 2-column grid
-- **Focus point cropping**: Uses `meta.focus.x/y` for intelligent CSS `object-position`
-- **Blurhash placeholders**: Generates colored placeholder from blurhash until image loads
-- **Progressive loading**: Blurhash → low-res → full-res
-- **Lightbox**: Full-screen modal with arrow navigation, counter, alt text display
-- **Alt text badge**: "ALT" badge on images with descriptions, click to expand
-- **Aspect ratio clamping**: Between 0.8 and 6.0 to prevent extreme shapes
-- **Data saving mode**: Blur images until explicit click to load
-- **Video autoplay**: IntersectionObserver at 75% visibility, respects reduced-motion preference
-
-### Phanpy's Media System
-
-- **Grid**: `media-eq1` through `media-gt4` CSS classes
-- **QuickPinchZoom**: Mobile pinch-to-zoom on images
-- **Blurhash**: Average color extracted as background during load
-- **Focal point**: CSS custom property `--original-aspect-ratio`
-- **Media carousel**: Swipe navigation with snap scroll, RTL support
-- **ALT badges**: Indexed "ALT¹", "ALT²" for multiple media
-- **Audio/video**: Full HTML5 controls, no autoplay, preload metadata
-
-### What We Have vs. What We're Missing
-
-| Feature | Elk | Phanpy | Us | Priority |
-|---------|-----|--------|-----|----------|
-| Photo grid (1-4+) | ✅ 2-column adaptive | ✅ CSS class-based | ✅ Grid with +N badge | — |
-| Lightbox | ✅ Modal + carousel | ✅ Pinch zoom | ✅ Alpine.js overlay | — |
-| Blurhash placeholder | ✅ Canvas decode | ✅ OffscreenCanvas | ❌ No placeholder | Medium |
-| Focus point crop | ✅ object-position | ✅ CSS custom prop | ❌ Center crop only | Medium |
-| ALT text indicator | ✅ Badge + dropdown | ✅ Indexed badges | ❌ Not shown | **High** |
-| Video autoplay/pause | ✅ IntersectionObserver | ✅ Auto-pause on scroll | ❌ Manual only | Low |
-| Aspect ratio clamping | ✅ 0.8–6.0 range | ✅ Custom property | ❌ Max-height only | Low |
-
-### Recommended Action: ALT Text Badges
-
-Both clients prominently show ALT text availability. This is an accessibility feature and visual polish win.
-
-```njk
-{# In ap-item-media.njk, on each image #}
-{% if photo.alt or photo.description %}
- ALT
-{% endif %}
-```
-
-Note: Our current data model stores photos as URL strings, not objects with alt text. We'd need to change `extractObjectData()` to store `{ url, alt, blurhash, width, height }` objects.
-
----
-
-## 4. Infinite Scroll / Pagination
-
-### Elk's Approach
-
-- **Virtual scroller** (optional): `vue-virtual-scroller` renders only visible items
-- **Stream integration**: WebSocket pushes new posts in real-time
-- **New posts banner**: Collected in `prevItems`, shown as "X new items" button
-- **Buffering**: Next page items held until buffer reaches 10, then batch-inserted
-- **End anchor**: Loads next page when within 2x viewport height of bottom
-
-### Phanpy's Approach
-
-- **IntersectionObserver** with rootMargin = 1.5x screen height
-- **Debounced loading** (1s) prevents rapid re-requests
-- **Skeleton loaders** during fetch
-- **"Show more..." button** as fallback inside observer target
-- **Auto-refresh**: Polls periodically if user is near top and window is visible
-
-### Our Current Approach
-
-- **IntersectionObserver** with rootMargin = 200px
-- **Cursor-based pagination** with `before` parameter
-- **New posts banner** polling every 30s
-- **No virtual scrolling** — all cards in DOM
-- **No skeleton loaders** — button text changes to "Loading..."
-
-### What We're Missing
-
-| Feature | Elk | Phanpy | Us | Priority |
-|---------|-----|--------|-----|----------|
-| IntersectionObserver auto-load | ✅ | ✅ 1.5x screen | ✅ 200px margin | — |
-| Manual "Load more" button | ✅ | ✅ | ✅ (just added for tabs) | — |
-| Skeleton loaders | ✅ | ✅ | ❌ Text "Loading..." only | Medium |
-| New posts banner | ✅ WebSocket stream | ✅ Polling | ✅ Polling 30s | — |
-| Virtual scrolling | ✅ Optional | ❌ | ❌ | Low (server-rendered) |
-| Debounced loading | ❌ | ✅ 1s debounce | ❌ | Low |
-
-### Recommended: Larger IntersectionObserver Margin
-
-Our 200px rootMargin means auto-load triggers late. Both clients use 1.5-2x viewport height. Easy fix:
-
-```js
-{ rootMargin: `0px 0px ${window.innerHeight}px 0px` }
-```
-
----
-
-## 5. Content Warnings / Sensitive Content
-
-### Elk's System
-
-- Separate toggles for text spoiler vs. sensitive media
-- User preferences: `expandCWByDefault`, `expandMediaByDefault`
-- Content filter integration (server-side filters shown as CW)
-- Eye icon toggle button
-- Dotted border separator between CW text and hidden content
-
-### Phanpy's System
-
-- `states.spoilers[id]` and `states.spoilersMedia[id]` — separate state per post
-- User preferences: `readingExpandSpoilers`, `readingExpandMedia`
-- Filtered content: Shows filter reason with separate reveal button
-- Three sensitivity levels: show_all, hide_all, user-controlled
-
-### Our System
-
-- Single toggle for both text and media (combined)
-- CW button with spoiler text shown
-- No user preference for auto-expand
-- Works well but lacks granularity
-
-### Gap Analysis
-
-| Feature | Elk | Phanpy | Us | Priority |
-|---------|-----|--------|-----|----------|
-| CW text toggle | ✅ | ✅ | ✅ | — |
-| Separate media toggle | ✅ | ✅ | ❌ Combined | Low |
-| Auto-expand preference | ✅ | ✅ | ❌ | Low |
-| Blurred media preview | ✅ Blurhash | ❌ | ❌ | Medium |
-
----
-
-## 6. Author Display
-
-### Elk's Approach
-
-- Display name with custom emoji
-- Handle with `@username@domain` format
-- Bot indicator icon
-- Lock (private account) indicator
-- **Hover card**: Full profile preview on mouseover (500ms delay) with bio, stats, follow button
-- Relative time ("2h ago") with absolute tooltip
-
-### Phanpy's Approach
-
-- Display name with custom emoji and bold
-- Username shown only if different from display name (smart dedup)
-- Bot accounts get squircle avatar shape
-- Role tags (moderator/admin badges)
-- **Relative time** with smart formatting
-- Punycode handling for international domains
-- RTL-safe username display with `bidi-isolate`
-
-### Our Approach
-
-- Display name (sanitized plain text)
-- Handle with `@username@domain`
-- Absolute timestamp only ("Feb 25, 2026, 4:46 PM")
-- No bot/lock indicators
-- No hover cards
-- No custom emoji in display names
-
-### What We're Missing
-
-| Feature | Elk | Phanpy | Us | Priority |
-|---------|-----|--------|-----|----------|
-| Custom emoji in names | ✅ | ✅ | ❌ Stripped to text | **High** (same fix as content emoji) |
-| Relative timestamps | ✅ "2h ago" | ✅ Smart format | ❌ Absolute only | **High** |
-| Bot/lock indicators | ✅ Icons | ✅ Squircle avatar | ❌ | Low |
-| Profile hover cards | ✅ Full card | ❌ | ❌ | Low (needs significant JS) |
-
-### Recommended Action: Relative Timestamps
-
-Both clients use relative time for in-feed cards. This is a major readability improvement. Since we server-render, we have two options:
-
-**Option A: Server-side relative time** — Compute in controller, but goes stale.
-**Option B: Client-side via Alpine** — Use a small Alpine component that converts ISO dates to relative strings. This is what both Elk and Phanpy do (client-side).
-
-```js
-// Small Alpine directive or component
-Alpine.directive('relative-time', (el) => {
- const iso = el.getAttribute('datetime');
- const update = () => { el.textContent = formatRelative(iso); };
- update();
- el._interval = setInterval(update, 60000);
-});
-```
-
----
-
-## 7. Hashtag Rendering
-
-### Elk
-
-- Hashtags in content preserved as links
-- `TagHoverWrapper` shows usage stats on hover
-- Sanitizer allows `hashtag` CSS class through
-
-### Phanpy
-
-- Spanifies: `#hashtag` inside link
-- Detects **hashtag stuffing** (3+ tags in one paragraph) → collapses with tooltip
-- Separate hashtag tags section at bottom of post (from API `tags` array, deduped against content)
-
-### Us
-
-- Hashtags extracted to `category` array, rendered as linked tags below content
-- Content HTML hashtag links pass through sanitization
-- **Bug found:** Inside `-webkit-line-clamp` containers (quote embeds), the `#tag` structure breaks because `-webkit-box` makes spans block-level (fixed in v2.4.5)
-
-### Recommended Action
-
-Our hashtag rendering is adequate. The main improvement would be Phanpy's hashtag stuffing collapse — but it's low priority since our tag rendering already extracts tags to a footer section.
-
----
-
-## 8. Interaction UI
-
-### Elk
-
-- **4 buttons**: Reply (blue), Boost (green), Quote (purple), Favorite (rose/yellow)
-- **Counts** shown per button (configurable to hide)
-- **Color-coded hover states**: Each button tints its area on hover
-- **Keyboard shortcuts**: r=reply, b=boost, f=favorite
-- **Bookmark** as 5th action
-
-### Phanpy
-
-- **4 buttons**: Reply, Boost, Like, Bookmark
-- **StatusButton component** with dual title (checked/unchecked)
-- **Shortened counts**: "123K" for large numbers
-- **Keyboard shortcuts**: r, b, f, m
-
-### Us
-
-- **5 buttons**: Reply (link), Boost (toggle), Like (toggle), View Original, Save (optional)
-- Optimistic UI with revert on error
-- CSRF-protected POSTs
-- No keyboard shortcuts
-- No counts shown
-
-### Gap Analysis
-
-| Feature | Elk | Phanpy | Us | Priority |
-|---------|-----|--------|-----|----------|
-| Like/Boost/Reply | ✅ | ✅ | ✅ | — |
-| Interaction counts | ✅ Per-button | ✅ Shortened | ❌ | Medium |
-| Keyboard shortcuts | ✅ | ✅ | ❌ | Low |
-| Color-coded buttons | ✅ | ✅ | Partial (active states) | Low |
-| Bookmark | ✅ | ✅ | ✅ (Save) | — |
-| Quote button | ✅ | ❌ | ❌ | Low |
-
----
-
-## Priority Improvements — Ranked by Impact
-
-### Tier 1: High Impact, Moderate Effort
-
-1. **Custom emoji rendering** — Both clients treat this as essential. Affects display names AND post content. Single utility function applicable everywhere.
-
-2. **Relative timestamps** — Both clients use this. Major readability improvement for timeline scanning. Small Alpine component.
-
-3. **ALT text badges on media** — Both clients show this prominently. Accessibility win. Requires enriching photo data model from URL strings to objects.
-
-4. **Quote link styling in content** — When `RE:` link isn't stripped (pending quote), distinguish it visually. CSS-only change.
-
-### Tier 2: Medium Impact, Moderate Effort
-
-5. **Skeleton loaders** for pagination — Replace "Loading..." text with card-shaped placeholder skeletons. CSS-only.
-
-6. **Blurhash placeholders** for media — Show colored placeholder while images load. Requires storing blurhash data from API.
-
-7. **Focus point cropping** — Use focal point data for smarter image crops. Requires storing focus data.
-
-8. **Interaction counts** — Show like/boost/reply counts on buttons. Data already available from API.
-
-### Tier 3: Lower Impact or High Effort
-
-9. **Hashtag stuffing collapse** — Collapse posts that are mostly hashtags.
-10. **Long URL shortening** — Truncate displayed URLs in content.
-11. **Bot/lock indicators** — Show account type badges.
-12. **Keyboard shortcuts** — Navigation and interaction hotkeys.
-13. **Video autoplay/pause on scroll** — IntersectionObserver for video elements.
-14. **Quote state handling** (deleted, pending, blocked) — Show appropriate message instead of broken embed.
-15. **Profile hover cards** — Full profile preview on author hover (significant JS investment).
-
----
-
-## Data Model Gaps
-
-Our timeline items store minimal data compared to what Elk/Phanpy consume. Key missing fields:
-
-| Field | Source | Used For |
-|-------|--------|----------|
-| `emojis[]` | `status.emojis` | Custom emoji rendering in content + names |
-| `media[].alt` | `attachment.description` | ALT text badges |
-| `media[].blurhash` | `attachment.blurhash` | Placeholder images |
-| `media[].focus` | `attachment.meta.focus` | Smart cropping |
-| `media[].width/height` | `attachment.meta.original` | Aspect ratio |
-| `repliesCount` | `status.replies_count` | Interaction counts |
-| `reblogsCount` | `status.reblogs_count` | Interaction counts |
-| `favouritesCount` | `status.favourites_count` | Interaction counts |
-| `account.bot` | `account.bot` | Bot indicator |
-| `account.emojis` | `account.emojis` | Custom emoji in display names |
-| `poll` | `status.poll` | Poll rendering |
-| `editedAt` | `status.edited_at` | Edit indicator |
-
-For **inbox-received posts** (via ActivityPub), some of these map to Fedify object properties. For **explore view posts** (via Mastodon REST API), all fields are directly available in the status object.
-
----
-
-## Architectural Constraints
-
-Our server-rendered approach means we can't do everything Elk and Phanpy do:
-
-1. **No reactive state** — We can't update a card's like count in real-time without a page refresh or AJAX call
-2. **No virtual scrolling** — All cards are in the DOM (but server-rendered HTML is lighter than React/Vue vDOM)
-3. **No hover cards** — Would require significant Alpine.js investment and API endpoints
-4. **No WebSocket streaming** — We poll instead (already have 30s new posts banner)
-
-But we have advantages too:
-- **Faster initial load** — Server-rendered HTML is immediately visible
-- **Works without JS** — Basic reading works even if Alpine fails
-- **Simpler deployment** — No build step, no client bundle
-- **Lower maintenance** — No framework version churn
diff --git a/index.js b/index.js
index 09108c7..9d2d559 100644
--- a/index.js
+++ b/index.js
@@ -2,6 +2,7 @@ import express from "express";
import { setupFederation, buildPersonActor } from "./lib/federation-setup.js";
import { initRedisCache } from "./lib/redis-cache.js";
+import { lookupWithSecurity } from "./lib/lookup-helpers.js";
import {
createFedifyMiddleware,
} from "./lib/federation-bridge.js";
@@ -35,10 +36,16 @@ import {
unmuteController,
blockController,
unblockController,
+ blockServerController,
+ unblockServerController,
moderationController,
filterModeController,
} from "./lib/controllers/moderation.js";
import { followersController } from "./lib/controllers/followers.js";
+import {
+ approveFollowController,
+ rejectFollowController,
+} from "./lib/controllers/follow-requests.js";
import { followingController } from "./lib/controllers/following.js";
import { activitiesController } from "./lib/controllers/activities.js";
import {
@@ -99,6 +106,9 @@ import { logActivity } from "./lib/activity-log.js";
import { resolveAuthor } from "./lib/resolve-author.js";
import { scheduleCleanup } from "./lib/timeline-cleanup.js";
import { runSeparateMentionsMigration } from "./lib/migrations/separate-mentions.js";
+import { loadBlockedServersToRedis } from "./lib/storage/server-blocks.js";
+import { scheduleKeyRefresh } from "./lib/key-refresh.js";
+import { startInboxProcessor } from "./lib/inbox-queue.js";
import { deleteFederationController } from "./lib/controllers/federation-delete.js";
import {
federationMgmtController,
@@ -304,7 +314,11 @@ export default class ActivityPubEndpoint {
router.post("/admin/reader/unmute", unmuteController(mp, this));
router.post("/admin/reader/block", blockController(mp, this));
router.post("/admin/reader/unblock", unblockController(mp, this));
+ router.post("/admin/reader/block-server", blockServerController(mp));
+ router.post("/admin/reader/unblock-server", unblockServerController(mp));
router.get("/admin/followers", followersController(mp));
+ router.post("/admin/followers/approve", approveFollowController(mp, this));
+ router.post("/admin/followers/reject", rejectFollowController(mp, this));
router.get("/admin/following", followingController(mp));
router.get("/admin/activities", activitiesController(mp));
router.get("/admin/featured", featuredGetController(mp));
@@ -421,7 +435,7 @@ export default class ActivityPubEndpoint {
"properties.url": requestUrl,
});
- if (!post) {
+ if (!post || post.properties?.deleted) {
return next();
}
@@ -510,7 +524,7 @@ export default class ActivityPubEndpoint {
let replyToActor = null;
if (properties["in-reply-to"]) {
try {
- const remoteObject = await ctx.lookupObject(
+ const remoteObject = await lookupWithSecurity(ctx,
new URL(properties["in-reply-to"]),
);
if (remoteObject && typeof remoteObject.getAttributedTo === "function") {
@@ -542,7 +556,7 @@ export default class ActivityPubEndpoint {
for (const { handle } of mentionHandles) {
try {
- const mentionedActor = await ctx.lookupObject(
+ const mentionedActor = await lookupWithSecurity(ctx,
new URL(`acct:${handle}`),
);
if (mentionedActor?.id) {
@@ -718,7 +732,7 @@ export default class ActivityPubEndpoint {
const documentLoader = await ctx.getDocumentLoader({
identifier: handle,
});
- const remoteActor = await ctx.lookupObject(actorUrl, {
+ const remoteActor = await lookupWithSecurity(ctx,actorUrl, {
documentLoader,
});
if (!remoteActor) {
@@ -819,7 +833,7 @@ export default class ActivityPubEndpoint {
const documentLoader = await ctx.getDocumentLoader({
identifier: handle,
});
- const remoteActor = await ctx.lookupObject(actorUrl, {
+ const remoteActor = await lookupWithSecurity(ctx,actorUrl, {
documentLoader,
});
if (!remoteActor) {
@@ -1258,6 +1272,14 @@ export default class ActivityPubEndpoint {
Indiekit.addCollection("ap_explore_tabs");
// Reports collection
Indiekit.addCollection("ap_reports");
+ // Pending follow requests (manual approval)
+ Indiekit.addCollection("ap_pending_follows");
+ // Server-level blocks
+ Indiekit.addCollection("ap_blocked_servers");
+ // Key freshness tracking for proactive refresh
+ Indiekit.addCollection("ap_key_freshness");
+ // Async inbox processing queue
+ Indiekit.addCollection("ap_inbox_queue");
// Store collection references (posts resolved lazily)
const indiekitCollections = Indiekit.collections;
@@ -1283,6 +1305,14 @@ export default class ActivityPubEndpoint {
ap_explore_tabs: indiekitCollections.get("ap_explore_tabs"),
// Reports collection
ap_reports: indiekitCollections.get("ap_reports"),
+ // Pending follow requests (manual approval)
+ ap_pending_follows: indiekitCollections.get("ap_pending_follows"),
+ // Server-level blocks
+ ap_blocked_servers: indiekitCollections.get("ap_blocked_servers"),
+ // Key freshness tracking
+ ap_key_freshness: indiekitCollections.get("ap_key_freshness"),
+ // Async inbox processing queue
+ ap_inbox_queue: indiekitCollections.get("ap_inbox_queue"),
get posts() {
return indiekitCollections.get("posts");
},
@@ -1474,6 +1504,36 @@ export default class ActivityPubEndpoint {
{ reportedUrls: 1 },
{ background: true },
);
+ // Pending follow requests — unique on actorUrl
+ this._collections.ap_pending_follows.createIndex(
+ { actorUrl: 1 },
+ { unique: true, background: true },
+ );
+ this._collections.ap_pending_follows.createIndex(
+ { requestedAt: -1 },
+ { background: true },
+ );
+ // Server-level blocks
+ this._collections.ap_blocked_servers.createIndex(
+ { hostname: 1 },
+ { unique: true, background: true },
+ );
+ // Key freshness tracking
+ this._collections.ap_key_freshness.createIndex(
+ { actorUrl: 1 },
+ { unique: true, background: true },
+ );
+
+ // Inbox queue indexes
+ this._collections.ap_inbox_queue.createIndex(
+ { status: 1, receivedAt: 1 },
+ { background: true },
+ );
+ // TTL: auto-prune completed items after 24h
+ this._collections.ap_inbox_queue.createIndex(
+ { processedAt: 1 },
+ { expireAfterSeconds: 86_400, background: true },
+ );
} catch {
// Index creation failed — collections not yet available.
// Indexes already exist from previous startups; non-fatal.
@@ -1518,7 +1578,7 @@ export default class ActivityPubEndpoint {
const documentLoader = await ctx.getDocumentLoader({
identifier: handle,
});
- const actor = await ctx.lookupObject(new URL(actorUrl), {
+ const actor = await lookupWithSecurity(ctx,new URL(actorUrl), {
documentLoader,
});
if (!actor) return "";
@@ -1569,6 +1629,34 @@ export default class ActivityPubEndpoint {
if (this.options.timelineRetention > 0) {
scheduleCleanup(this._collections, this.options.timelineRetention);
}
+
+ // Load server blocks into Redis for fast inbox checks
+ loadBlockedServersToRedis(this._collections).catch((error) => {
+ console.warn("[ActivityPub] Failed to load blocked servers to Redis:", error.message);
+ });
+
+ // Schedule proactive key refresh for stale follower keys (runs on startup + every 24h)
+ const keyRefreshHandle = this.options.actor.handle;
+ const keyRefreshFederation = this._federation;
+ const keyRefreshPubUrl = this._publicationUrl;
+ scheduleKeyRefresh(
+ this._collections,
+ () => keyRefreshFederation?.createContext(new URL(keyRefreshPubUrl), {
+ handle: keyRefreshHandle,
+ publicationUrl: keyRefreshPubUrl,
+ }),
+ keyRefreshHandle,
+ );
+
+ // Start async inbox queue processor (processes one item every 3s)
+ this._inboxProcessorInterval = startInboxProcessor(
+ this._collections,
+ () => this._federation?.createContext(new URL(this._publicationUrl), {
+ handle: this.options.actor.handle,
+ publicationUrl: this._publicationUrl,
+ }),
+ this.options.actor.handle,
+ );
}
/**
diff --git a/lib/batch-refollow.js b/lib/batch-refollow.js
index 99ac690..583fdc8 100644
--- a/lib/batch-refollow.js
+++ b/lib/batch-refollow.js
@@ -1,3 +1,5 @@
+import { lookupWithSecurity } from "./lookup-helpers.js";
+
/**
* Batch re-follow processor for imported accounts.
*
@@ -232,7 +234,7 @@ async function processOneFollow(options, entry) {
const documentLoader = await ctx.getDocumentLoader({
identifier: handle,
});
- const remoteActor = await ctx.lookupObject(entry.actorUrl, {
+ const remoteActor = await lookupWithSecurity(ctx,entry.actorUrl, {
documentLoader,
});
if (!remoteActor) {
diff --git a/lib/controllers/compose.js b/lib/controllers/compose.js
index 2082beb..b2332a4 100644
--- a/lib/controllers/compose.js
+++ b/lib/controllers/compose.js
@@ -5,36 +5,9 @@
import { Create, Note, Mention } from "@fedify/fedify/vocab";
import { getToken, validateToken } from "../csrf.js";
import { sanitizeContent } from "../timeline-store.js";
+import { lookupWithSecurity } from "../lookup-helpers.js";
import { addNotification } from "../storage/notifications.js";
-function createPublicationAwareDocumentLoader(documentLoader, publicationUrl) {
- if (typeof documentLoader !== "function") {
- return documentLoader;
- }
-
- let publicationHost = "";
- try {
- publicationHost = new URL(publicationUrl).hostname;
- } catch {
- return documentLoader;
- }
-
- return (url, options = {}) => {
- try {
- const parsed = new URL(
- typeof url === "string" ? url : (url?.href || String(url)),
- );
- if (parsed.hostname === publicationHost) {
- return documentLoader(url, { ...options, allowPrivateAddress: true });
- }
- } catch {
- // Fall through to default loader behavior.
- }
-
- return documentLoader(url, options);
- };
-}
-
/**
* Fetch syndication targets from the Micropub config endpoint.
* @param {object} application - Indiekit application locals
@@ -106,14 +79,10 @@ export function composeController(mountPath, plugin) {
{ handle, publicationUrl: plugin._publicationUrl },
);
// Use authenticated document loader for Authorized Fetch
- const rawDocumentLoader = await ctx.getDocumentLoader({
+ const documentLoader = await ctx.getDocumentLoader({
identifier: handle,
});
- const documentLoader = createPublicationAwareDocumentLoader(
- rawDocumentLoader,
- plugin._publicationUrl,
- );
- const remoteObject = await ctx.lookupObject(new URL(replyTo), {
+ const remoteObject = await lookupWithSecurity(ctx,new URL(replyTo), {
documentLoader,
});
@@ -156,19 +125,6 @@ export function composeController(mountPath, plugin) {
}
}
- // Fetch syndication targets for Micropub path
- const token = request.session?.access_token;
- const syndicationTargets = token
- ? await getSyndicationTargets(application, token)
- : [];
-
- // Default-check only AP (Fedify) and Bluesky targets
- // "@rick@rmendes.net" = AP Fedify, "@rmendes.net" = Bluesky
- for (const target of syndicationTargets) {
- const name = target.name || "";
- target.defaultChecked = name === "@rick@rmendes.net" || name === "@rmendes.net";
- }
-
// Check if this is a direct/private message reply by looking at notification metadata
let isDirect = false;
let senderActorUrl = "";
@@ -186,6 +142,19 @@ export function composeController(mountPath, plugin) {
}
}
+ // Fetch syndication targets for Micropub path
+ const token = request.session?.access_token;
+ const syndicationTargets = token
+ ? await getSyndicationTargets(application, token)
+ : [];
+
+ // Default-check only AP (Fedify) and Bluesky targets
+ // "@rick@rmendes.net" = AP Fedify, "@rmendes.net" = Bluesky
+ for (const target of syndicationTargets) {
+ const name = target.name || "";
+ target.defaultChecked = name === "@rick@rmendes.net" || name === "@rmendes.net";
+ }
+
const csrfToken = getToken(request.session);
response.render("activitypub-compose", {
@@ -194,10 +163,10 @@ export function composeController(mountPath, plugin) {
replyTo,
replyContext,
syndicationTargets,
- isDirect,
- senderActorUrl,
csrfToken,
mountPath,
+ isDirect,
+ senderActorUrl,
});
} catch (error) {
next(error);
@@ -206,7 +175,7 @@ export function composeController(mountPath, plugin) {
}
/**
- * POST /admin/reader/compose — Submit reply via Micropub.
+ * POST /admin/reader/compose — Submit reply via Micropub (public) or native AP (direct).
* @param {string} mountPath - Plugin mount path
* @param {object} plugin - ActivityPub plugin instance
*/
@@ -270,7 +239,7 @@ export function submitComposeController(mountPath, plugin) {
const documentLoader = await ctx.getDocumentLoader({ identifier: handle });
let recipient;
try {
- recipient = await ctx.lookupObject(new URL(senderActorUrl), { documentLoader });
+ recipient = await lookupWithSecurity(ctx, new URL(senderActorUrl), { documentLoader });
} catch (lookupError) {
console.warn(`[ActivityPub] Actor lookup failed for ${senderActorUrl}:`, lookupError.message);
}
@@ -359,7 +328,7 @@ export function submitComposeController(mountPath, plugin) {
}
if (cwEnabled && summary && summary.trim()) {
- micropubData.append("summary", summary.trim());
+ micropubData.append("content-warning", summary.trim());
micropubData.append("sensitive", "true");
}
diff --git a/lib/controllers/federation-mgmt.js b/lib/controllers/federation-mgmt.js
index e0030fa..bda6a73 100644
--- a/lib/controllers/federation-mgmt.js
+++ b/lib/controllers/federation-mgmt.js
@@ -3,8 +3,10 @@
* the relationship between local content and the fediverse.
*/
+import Redis from "ioredis";
import { getToken, validateToken } from "../csrf.js";
import { jf2ToActivityStreams } from "../jf2-to-as2.js";
+import { lookupWithSecurity } from "../lookup-helpers.js";
const PAGE_SIZE = 20;
@@ -37,10 +39,12 @@ export function federationMgmtController(mountPath, plugin) {
const { application } = request.app.locals;
const collections = application?.collections;
+ const redisUrl = plugin.options.redisUrl || "";
+
// Parallel: collection stats + posts + recent activities
const [collectionStats, postsResult, recentActivities] =
await Promise.all([
- getCollectionStats(collections),
+ getCollectionStats(collections, { redisUrl }),
getPaginatedPosts(collections, request.query.page),
getRecentActivities(collections),
]);
@@ -219,7 +223,7 @@ export function lookupObjectController(mountPath, plugin) {
identifier: handle,
});
- const object = await ctx.lookupObject(query, { documentLoader });
+ const object = await lookupWithSecurity(ctx,query, { documentLoader });
if (!object) {
return response
@@ -239,11 +243,16 @@ export function lookupObjectController(mountPath, plugin) {
// --- Helpers ---
-async function getCollectionStats(collections) {
+async function getCollectionStats(collections, { redisUrl = "" } = {}) {
if (!collections) return [];
const stats = await Promise.all(
AP_COLLECTIONS.map(async (name) => {
+ // When Redis handles KV, count fedify::* keys from Redis instead
+ if (name === "ap_kv" && redisUrl) {
+ const count = await countRedisKvKeys(redisUrl);
+ return { name: "ap_kv (redis)", count };
+ }
const col = collections.get(name);
const count = col ? await col.countDocuments() : 0;
return { name, count };
@@ -253,6 +262,36 @@ async function getCollectionStats(collections) {
return stats;
}
+/**
+ * Count Fedify KV keys in Redis (prefix: "fedify::").
+ * Uses SCAN to avoid blocking on large key spaces.
+ */
+async function countRedisKvKeys(redisUrl) {
+ let client;
+ try {
+ client = new Redis(redisUrl, { lazyConnect: true, connectTimeout: 3000 });
+ await client.connect();
+ let count = 0;
+ let cursor = "0";
+ do {
+ const [nextCursor, keys] = await client.scan(
+ cursor,
+ "MATCH",
+ "fedify::*",
+ "COUNT",
+ 500,
+ );
+ cursor = nextCursor;
+ count += keys.length;
+ } while (cursor !== "0");
+ return count;
+ } catch {
+ return 0;
+ } finally {
+ client?.disconnect();
+ }
+}
+
async function getPaginatedPosts(collections, pageParam) {
const postsCol = collections?.get("posts");
if (!postsCol) return { posts: [], cursor: null };
diff --git a/lib/controllers/follow-requests.js b/lib/controllers/follow-requests.js
new file mode 100644
index 0000000..ea3088e
--- /dev/null
+++ b/lib/controllers/follow-requests.js
@@ -0,0 +1,253 @@
+/**
+ * Follow request controllers — approve and reject pending follow requests
+ * when manual follow approval is enabled.
+ */
+
+import { validateToken } from "../csrf.js";
+import { lookupWithSecurity } from "../lookup-helpers.js";
+import { logActivity } from "../activity-log.js";
+import { addNotification } from "../storage/notifications.js";
+import { extractActorInfo } from "../timeline-store.js";
+
+/**
+ * POST /admin/followers/approve — Accept a pending follow request.
+ */
+export function approveFollowController(mountPath, plugin) {
+ return async (request, response, next) => {
+ try {
+ if (!validateToken(request)) {
+ return response.status(403).json({
+ success: false,
+ error: "Invalid CSRF token",
+ });
+ }
+
+ const { actorUrl } = request.body;
+
+ if (!actorUrl) {
+ return response.status(400).json({
+ success: false,
+ error: "Missing actor URL",
+ });
+ }
+
+ const { application } = request.app.locals;
+ const pendingCol = application?.collections?.get("ap_pending_follows");
+ const followersCol = application?.collections?.get("ap_followers");
+
+ if (!pendingCol || !followersCol) {
+ return response.status(503).json({
+ success: false,
+ error: "Collections not available",
+ });
+ }
+
+ // Find the pending request
+ const pending = await pendingCol.findOne({ actorUrl });
+ if (!pending) {
+ return response.status(404).json({
+ success: false,
+ error: "No pending follow request from this actor",
+ });
+ }
+
+ // Move to ap_followers
+ await followersCol.updateOne(
+ { actorUrl },
+ {
+ $set: {
+ actorUrl: pending.actorUrl,
+ handle: pending.handle || "",
+ name: pending.name || "",
+ avatar: pending.avatar || "",
+ inbox: pending.inbox || "",
+ sharedInbox: pending.sharedInbox || "",
+ followedAt: new Date().toISOString(),
+ },
+ },
+ { upsert: true },
+ );
+
+ // Remove from pending
+ await pendingCol.deleteOne({ actorUrl });
+
+ // Send Accept(Follow) via federation
+ if (plugin._federation) {
+ try {
+ const { Accept, Follow } = await import("@fedify/fedify/vocab");
+ const handle = plugin.options.actor.handle;
+ const ctx = plugin._federation.createContext(
+ new URL(plugin._publicationUrl),
+ { handle, publicationUrl: plugin._publicationUrl },
+ );
+
+ const documentLoader = await ctx.getDocumentLoader({
+ identifier: handle,
+ });
+
+ // Resolve the remote actor for delivery
+ const remoteActor = await lookupWithSecurity(ctx, new URL(actorUrl), {
+ documentLoader,
+ });
+
+ if (remoteActor) {
+ // Reconstruct the Follow using stored activity ID
+ const followObj = new Follow({
+ id: pending.followActivityId
+ ? new URL(pending.followActivityId)
+ : undefined,
+ actor: new URL(actorUrl),
+ object: ctx.getActorUri(handle),
+ });
+
+ await ctx.sendActivity(
+ { identifier: handle },
+ remoteActor,
+ new Accept({
+ actor: ctx.getActorUri(handle),
+ object: followObj,
+ }),
+ { orderingKey: actorUrl },
+ );
+ }
+
+ const activitiesCol = application?.collections?.get("ap_activities");
+ if (activitiesCol) {
+ await logActivity(activitiesCol, {
+ direction: "outbound",
+ type: "Accept(Follow)",
+ actorUrl: plugin._publicationUrl,
+ objectUrl: actorUrl,
+ actorName: pending.name || actorUrl,
+ summary: `Approved follow request from ${pending.name || actorUrl}`,
+ });
+ }
+ } catch (error) {
+ console.warn(
+ `[ActivityPub] Could not send Accept to ${actorUrl}: ${error.message}`,
+ );
+ }
+ }
+
+ console.info(
+ `[ActivityPub] Approved follow request from ${pending.name || actorUrl}`,
+ );
+
+ // Redirect back to followers page
+ return response.redirect(`${mountPath}/admin/followers`);
+ } catch (error) {
+ next(error);
+ }
+ };
+}
+
+/**
+ * POST /admin/followers/reject — Reject a pending follow request.
+ */
+export function rejectFollowController(mountPath, plugin) {
+ return async (request, response, next) => {
+ try {
+ if (!validateToken(request)) {
+ return response.status(403).json({
+ success: false,
+ error: "Invalid CSRF token",
+ });
+ }
+
+ const { actorUrl } = request.body;
+
+ if (!actorUrl) {
+ return response.status(400).json({
+ success: false,
+ error: "Missing actor URL",
+ });
+ }
+
+ const { application } = request.app.locals;
+ const pendingCol = application?.collections?.get("ap_pending_follows");
+
+ if (!pendingCol) {
+ return response.status(503).json({
+ success: false,
+ error: "Collections not available",
+ });
+ }
+
+ // Find the pending request
+ const pending = await pendingCol.findOne({ actorUrl });
+ if (!pending) {
+ return response.status(404).json({
+ success: false,
+ error: "No pending follow request from this actor",
+ });
+ }
+
+ // Remove from pending
+ await pendingCol.deleteOne({ actorUrl });
+
+ // Send Reject(Follow) via federation
+ if (plugin._federation) {
+ try {
+ const { Reject, Follow } = await import("@fedify/fedify/vocab");
+ const handle = plugin.options.actor.handle;
+ const ctx = plugin._federation.createContext(
+ new URL(plugin._publicationUrl),
+ { handle, publicationUrl: plugin._publicationUrl },
+ );
+
+ const documentLoader = await ctx.getDocumentLoader({
+ identifier: handle,
+ });
+
+ const remoteActor = await lookupWithSecurity(ctx, new URL(actorUrl), {
+ documentLoader,
+ });
+
+ if (remoteActor) {
+ const followObj = new Follow({
+ id: pending.followActivityId
+ ? new URL(pending.followActivityId)
+ : undefined,
+ actor: new URL(actorUrl),
+ object: ctx.getActorUri(handle),
+ });
+
+ await ctx.sendActivity(
+ { identifier: handle },
+ remoteActor,
+ new Reject({
+ actor: ctx.getActorUri(handle),
+ object: followObj,
+ }),
+ { orderingKey: actorUrl },
+ );
+ }
+
+ const activitiesCol = application?.collections?.get("ap_activities");
+ if (activitiesCol) {
+ await logActivity(activitiesCol, {
+ direction: "outbound",
+ type: "Reject(Follow)",
+ actorUrl: plugin._publicationUrl,
+ objectUrl: actorUrl,
+ actorName: pending.name || actorUrl,
+ summary: `Rejected follow request from ${pending.name || actorUrl}`,
+ });
+ }
+ } catch (error) {
+ console.warn(
+ `[ActivityPub] Could not send Reject to ${actorUrl}: ${error.message}`,
+ );
+ }
+ }
+
+ console.info(
+ `[ActivityPub] Rejected follow request from ${pending.name || actorUrl}`,
+ );
+
+ return response.redirect(`${mountPath}/admin/followers`);
+ } catch (error) {
+ next(error);
+ }
+ };
+}
diff --git a/lib/controllers/followers.js b/lib/controllers/followers.js
index 9060bc0..a5ec95b 100644
--- a/lib/controllers/followers.js
+++ b/lib/controllers/followers.js
@@ -1,6 +1,9 @@
/**
- * Followers list controller — paginated list of accounts following this actor.
+ * Followers list controller — paginated list of accounts following this actor,
+ * with pending follow requests tab when manual approval is enabled.
*/
+import { getToken } from "../csrf.js";
+
const PAGE_SIZE = 20;
export function followersController(mountPath) {
@@ -8,6 +11,9 @@ export function followersController(mountPath) {
try {
const { application } = request.app.locals;
const collection = application?.collections?.get("ap_followers");
+ const pendingCol = application?.collections?.get("ap_pending_follows");
+
+ const tab = request.query.tab || "followers";
if (!collection) {
return response.render("activitypub-followers", {
@@ -15,11 +21,50 @@ export function followersController(mountPath) {
parent: { href: mountPath, text: response.locals.__("activitypub.title") },
followers: [],
followerCount: 0,
+ pendingFollows: [],
+ pendingCount: 0,
+ tab,
mountPath,
+ csrfToken: getToken(request),
});
}
const page = Math.max(1, Number.parseInt(request.query.page, 10) || 1);
+
+ // Count pending follow requests
+ const pendingCount = pendingCol
+ ? await pendingCol.countDocuments()
+ : 0;
+
+ if (tab === "pending") {
+ // Show pending follow requests
+ const totalPages = Math.ceil(pendingCount / PAGE_SIZE);
+ const pendingFollows = pendingCol
+ ? await pendingCol
+ .find()
+ .sort({ requestedAt: -1 })
+ .skip((page - 1) * PAGE_SIZE)
+ .limit(PAGE_SIZE)
+ .toArray()
+ : [];
+
+ const cursor = buildCursor(page, totalPages, mountPath + "/admin/followers?tab=pending");
+
+ return response.render("activitypub-followers", {
+ title: response.locals.__("activitypub.followers"),
+ parent: { href: mountPath, text: response.locals.__("activitypub.title") },
+ followers: [],
+ followerCount: await collection.countDocuments(),
+ pendingFollows,
+ pendingCount,
+ tab,
+ mountPath,
+ cursor,
+ csrfToken: getToken(request),
+ });
+ }
+
+ // Show accepted followers (default)
const totalCount = await collection.countDocuments();
const totalPages = Math.ceil(totalCount / PAGE_SIZE);
@@ -37,8 +82,12 @@ export function followersController(mountPath) {
parent: { href: mountPath, text: response.locals.__("activitypub.title") },
followers,
followerCount: totalCount,
+ pendingFollows: [],
+ pendingCount,
+ tab,
mountPath,
cursor,
+ csrfToken: getToken(request),
});
} catch (error) {
next(error);
@@ -49,12 +98,14 @@ export function followersController(mountPath) {
function buildCursor(page, totalPages, basePath) {
if (totalPages <= 1) return null;
+ const separator = basePath.includes("?") ? "&" : "?";
+
return {
previous: page > 1
- ? { href: `${basePath}?page=${page - 1}` }
+ ? { href: `${basePath}${separator}page=${page - 1}` }
: undefined,
next: page < totalPages
- ? { href: `${basePath}?page=${page + 1}` }
+ ? { href: `${basePath}${separator}page=${page + 1}` }
: undefined,
};
}
diff --git a/lib/controllers/interactions-boost.js b/lib/controllers/interactions-boost.js
index 17edb46..b8ea98e 100644
--- a/lib/controllers/interactions-boost.js
+++ b/lib/controllers/interactions-boost.js
@@ -198,6 +198,7 @@ export function unboostController(mountPath, plugin) {
// Send to followers
await ctx.sendActivity({ identifier: handle }, "followers", undo, {
preferSharedInbox: true,
+ syncCollection: true,
orderingKey: url,
});
diff --git a/lib/controllers/messages.js b/lib/controllers/messages.js
index 5740896..a454bf3 100644
--- a/lib/controllers/messages.js
+++ b/lib/controllers/messages.js
@@ -5,6 +5,7 @@
import { getToken, validateToken } from "../csrf.js";
import { sanitizeContent } from "../timeline-store.js";
+import { lookupWithSecurity } from "../lookup-helpers.js";
import {
getMessages,
getConversationPartners,
@@ -180,11 +181,11 @@ export function submitMessageController(mountPath, plugin) {
try {
const recipientInput = to.trim();
if (recipientInput.startsWith("http")) {
- recipient = await ctx.lookupObject(recipientInput, { documentLoader });
+ recipient = await lookupWithSecurity(ctx,recipientInput, { documentLoader });
} else {
// Handle @user@domain format
const handle = recipientInput.replace(/^@/, "");
- recipient = await ctx.lookupObject(handle, { documentLoader });
+ recipient = await lookupWithSecurity(ctx,handle, { documentLoader });
}
} catch {
recipient = null;
diff --git a/lib/controllers/moderation.js b/lib/controllers/moderation.js
index 83304ae..80abf45 100644
--- a/lib/controllers/moderation.js
+++ b/lib/controllers/moderation.js
@@ -3,6 +3,7 @@
*/
import { validateToken, getToken } from "../csrf.js";
+import { lookupWithSecurity } from "../lookup-helpers.js";
import {
addMuted,
removeMuted,
@@ -13,6 +14,11 @@ import {
getFilterMode,
setFilterMode,
} from "../storage/moderation.js";
+import {
+ addBlockedServer,
+ removeBlockedServer,
+ getAllBlockedServers,
+} from "../storage/server-blocks.js";
/**
* Helper to get moderation collections from request.
@@ -22,6 +28,7 @@ function getModerationCollections(request) {
return {
ap_muted: application?.collections?.get("ap_muted"),
ap_blocked: application?.collections?.get("ap_blocked"),
+ ap_blocked_servers: application?.collections?.get("ap_blocked_servers"),
ap_timeline: application?.collections?.get("ap_timeline"),
ap_profile: application?.collections?.get("ap_profile"),
};
@@ -157,7 +164,7 @@ export function blockController(mountPath, plugin) {
const documentLoader = await ctx.getDocumentLoader({
identifier: handle,
});
- const remoteActor = await ctx.lookupObject(new URL(url), {
+ const remoteActor = await lookupWithSecurity(ctx,new URL(url), {
documentLoader,
});
@@ -236,7 +243,7 @@ export function unblockController(mountPath, plugin) {
const documentLoader = await ctx.getDocumentLoader({
identifier: handle,
});
- const remoteActor = await ctx.lookupObject(new URL(url), {
+ const remoteActor = await lookupWithSecurity(ctx,new URL(url), {
documentLoader,
});
@@ -281,6 +288,77 @@ export function unblockController(mountPath, plugin) {
};
}
+/**
+ * POST /admin/reader/block-server — Block a server by hostname.
+ */
+export function blockServerController(mountPath) {
+ return async (request, response, next) => {
+ try {
+ if (!validateToken(request)) {
+ return response.status(403).json({
+ success: false,
+ error: "Invalid CSRF token",
+ });
+ }
+
+ const { hostname, reason } = request.body;
+ if (!hostname) {
+ return response.status(400).json({
+ success: false,
+ error: "Missing hostname",
+ });
+ }
+
+ const collections = getModerationCollections(request);
+ await addBlockedServer(collections, hostname, reason);
+
+ console.info(`[ActivityPub] Blocked server: ${hostname}`);
+ return response.json({ success: true, type: "block-server", hostname });
+ } catch (error) {
+ console.error("[ActivityPub] Block server failed:", error.message);
+ return response.status(500).json({
+ success: false,
+ error: "Operation failed. Please try again later.",
+ });
+ }
+ };
+}
+
+/**
+ * POST /admin/reader/unblock-server — Unblock a server.
+ */
+export function unblockServerController(mountPath) {
+ return async (request, response, next) => {
+ try {
+ if (!validateToken(request)) {
+ return response.status(403).json({
+ success: false,
+ error: "Invalid CSRF token",
+ });
+ }
+
+ const { hostname } = request.body;
+ if (!hostname) {
+ return response.status(400).json({
+ success: false,
+ error: "Missing hostname",
+ });
+ }
+
+ const collections = getModerationCollections(request);
+ await removeBlockedServer(collections, hostname);
+
+ console.info(`[ActivityPub] Unblocked server: ${hostname}`);
+ return response.json({ success: true, type: "unblock-server", hostname });
+ } catch (error) {
+ return response.status(500).json({
+ success: false,
+ error: "Operation failed. Please try again later.",
+ });
+ }
+ };
+}
+
/**
* GET /admin/reader/moderation — View muted/blocked lists.
*/
@@ -290,9 +368,10 @@ export function moderationController(mountPath) {
const collections = getModerationCollections(request);
const csrfToken = getToken(request.session);
- const [muted, blocked, filterMode] = await Promise.all([
+ const [muted, blocked, blockedServers, filterMode] = await Promise.all([
getAllMuted(collections),
getAllBlocked(collections),
+ getAllBlockedServers(collections),
getFilterMode(collections),
]);
@@ -304,6 +383,7 @@ export function moderationController(mountPath) {
readerParent: { href: `${mountPath}/admin/reader`, text: response.locals.__("activitypub.reader.title") },
muted,
blocked,
+ blockedServers,
mutedActors,
mutedKeywords,
filterMode,
diff --git a/lib/controllers/post-detail.js b/lib/controllers/post-detail.js
index 90acafd..a79304a 100644
--- a/lib/controllers/post-detail.js
+++ b/lib/controllers/post-detail.js
@@ -4,6 +4,7 @@ import { getToken } from "../csrf.js";
import { extractObjectData, extractActorInfo } from "../timeline-store.js";
import { getCached, setCache } from "../lookup-cache.js";
import { fetchAndStoreQuote, stripQuoteReferenceHtml } from "../og-unfurl.js";
+import { lookupWithSecurity } from "../lookup-helpers.js";
// Load parent posts (inReplyTo chain) up to maxDepth levels
async function loadParentChain(ctx, documentLoader, timelineCol, parentUrl, maxDepth = 5) {
@@ -28,7 +29,7 @@ async function loadParentChain(ctx, documentLoader, timelineCol, parentUrl, maxD
if (!object) {
try {
- object = await ctx.lookupObject(new URL(currentUrl), {
+ object = await lookupWithSecurity(ctx,new URL(currentUrl), {
documentLoader,
});
if (object) {
@@ -61,51 +62,87 @@ async function loadParentChain(ctx, documentLoader, timelineCol, parentUrl, maxD
return parents;
}
-// Load replies collection (best-effort)
-async function loadReplies(object, ctx, documentLoader, timelineCol, maxReplies = 10) {
- const replies = [];
+// Load local replies from ap_timeline (items where inReplyTo matches this post)
+async function loadLocalReplies(timelineCol, postUrl, postUid, maxReplies = 20) {
+ if (!timelineCol) return [];
- try {
- const repliesCollection = await object.getReplies({ documentLoader });
- if (!repliesCollection) return replies;
+ const matchUrls = [postUrl, postUid].filter(Boolean);
+ if (matchUrls.length === 0) return [];
- let items = [];
+ const localReplies = await timelineCol
+ .find({ inReplyTo: { $in: matchUrls } })
+ .sort({ published: 1 })
+ .limit(maxReplies)
+ .toArray();
+
+ return localReplies;
+}
+
+// Load replies collection (best-effort) — merges local + remote
+async function loadReplies(object, ctx, documentLoader, timelineCol, maxReplies = 20) {
+ const postUrl = object?.id?.href || object?.url?.href;
+
+ // Start with local replies already in our timeline (from organic inbox delivery
+ // or reply chain fetching). These are fast and free — no network requests.
+ const seenUrls = new Set();
+ const replies = await loadLocalReplies(timelineCol, postUrl, postUrl, maxReplies);
+ for (const r of replies) {
+ if (r.uid) seenUrls.add(r.uid);
+ if (r.url) seenUrls.add(r.url);
+ }
+
+ // Supplement with remote replies collection (may contain items we don't have locally)
+ if (object && replies.length < maxReplies) {
try {
- items = await repliesCollection.getItems({ documentLoader });
- } catch {
- return replies;
- }
+ const repliesCollection = await object.getReplies({ documentLoader });
+ if (repliesCollection) {
+ let items = [];
+ try {
+ items = await repliesCollection.getItems({ documentLoader });
+ } catch {
+ // Remote fetch failed — continue with local replies only
+ }
- for (const replyItem of items.slice(0, maxReplies)) {
- try {
- const replyUrl = replyItem.id?.href || replyItem.url?.href;
- if (!replyUrl) continue;
+ for (const replyItem of items.slice(0, maxReplies - replies.length)) {
+ try {
+ const replyUrl = replyItem.id?.href || replyItem.url?.href;
+ if (!replyUrl || seenUrls.has(replyUrl)) continue;
+ seenUrls.add(replyUrl);
- // Check timeline first
- let reply = timelineCol
- ? await timelineCol.findOne({
- $or: [{ uid: replyUrl }, { url: replyUrl }],
- })
- : null;
+ // Check timeline first
+ let reply = timelineCol
+ ? await timelineCol.findOne({
+ $or: [{ uid: replyUrl }, { url: replyUrl }],
+ })
+ : null;
- if (!reply) {
- // Extract from the item we already have
- if (replyItem instanceof Note || replyItem instanceof Article) {
- reply = await extractObjectData(replyItem);
+ if (!reply) {
+ // Extract from the item we already have
+ if (replyItem instanceof Note || replyItem instanceof Article) {
+ reply = await extractObjectData(replyItem);
+ }
+ }
+
+ if (reply) {
+ replies.push(reply);
+ }
+ } catch {
+ continue; // Skip failed replies
}
}
-
- if (reply) {
- replies.push(reply);
- }
- } catch {
- continue; // Skip failed replies
}
+ } catch {
+ // getReplies() failed or not available
}
- } catch {
- // getReplies() failed or not available
}
+ // Sort all replies chronologically
+ replies.sort((a, b) => {
+ const dateA = a.published || "";
+ const dateB = b.published || "";
+ return dateA < dateB ? -1 : dateA > dateB ? 1 : 0;
+ });
+
return replies;
}
@@ -180,7 +217,7 @@ export function postDetailController(mountPath, plugin) {
object = cached;
} else {
try {
- object = await ctx.lookupObject(new URL(objectUrl), {
+ object = await lookupWithSecurity(ctx,new URL(objectUrl), {
documentLoader,
});
if (object) {
@@ -326,7 +363,7 @@ export function postDetailController(mountPath, plugin) {
);
const qLoader = await qCtx.getDocumentLoader({ identifier: handle });
- const quoteObject = await qCtx.lookupObject(new URL(timelineItem.quoteUrl), {
+ const quoteObject = await lookupWithSecurity(qCtx,new URL(timelineItem.quoteUrl), {
documentLoader: qLoader,
});
@@ -336,7 +373,7 @@ export function postDetailController(mountPath, plugin) {
// If author photo is empty, try fetching the actor directly
if (!quoteData.author.photo && quoteData.author.url) {
try {
- const actor = await qCtx.lookupObject(new URL(quoteData.author.url), { documentLoader: qLoader });
+ const actor = await lookupWithSecurity(qCtx,new URL(quoteData.author.url), { documentLoader: qLoader });
if (actor) {
const actorInfo = await extractActorInfo(actor, { documentLoader: qLoader });
if (actorInfo.photo) quoteData.author.photo = actorInfo.photo;
diff --git a/lib/controllers/profile.remote.js b/lib/controllers/profile.remote.js
index 2e0c629..e2cbd91 100644
--- a/lib/controllers/profile.remote.js
+++ b/lib/controllers/profile.remote.js
@@ -4,6 +4,7 @@
import { getToken, validateToken } from "../csrf.js";
import { sanitizeContent } from "../timeline-store.js";
+import { lookupWithSecurity } from "../lookup-helpers.js";
/**
* GET /admin/reader/profile — Show remote actor profile.
@@ -43,7 +44,7 @@ export function remoteProfileController(mountPath, plugin) {
let actor;
try {
- actor = await ctx.lookupObject(new URL(actorUrl), { documentLoader });
+ actor = await lookupWithSecurity(ctx,new URL(actorUrl), { documentLoader });
} catch {
return response.status(404).render("error", {
title: "Error",
diff --git a/lib/controllers/resolve.js b/lib/controllers/resolve.js
index 23e3fbc..466acde 100644
--- a/lib/controllers/resolve.js
+++ b/lib/controllers/resolve.js
@@ -2,6 +2,7 @@
* Resolve controller — accepts any fediverse URL or handle, resolves it
* via lookupObject(), and redirects to the appropriate internal view.
*/
+import { lookupWithSecurity } from "../lookup-helpers.js";
import {
Article,
Note,
@@ -59,7 +60,7 @@ export function resolveController(mountPath, plugin) {
let object;
try {
- object = await ctx.lookupObject(lookupInput, { documentLoader });
+ object = await lookupWithSecurity(ctx,lookupInput, { documentLoader });
} catch (error) {
console.warn(
`[resolve] lookupObject failed for "${query}":`,
diff --git a/lib/federation-bridge.js b/lib/federation-bridge.js
index 0f109df..9ed5153 100644
--- a/lib/federation-bridge.js
+++ b/lib/federation-bridge.js
@@ -92,6 +92,12 @@ async function sendFedifyResponse(res, response, request) {
if (json.attachment && !Array.isArray(json.attachment)) {
json.attachment = [json.attachment];
}
+ // WORKAROUND: Fedify serializes endpoints with "type": "as:Endpoints"
+ // which is not a valid AS2 type. The endpoints object should be a plain
+ // object with just sharedInbox/proxyUrl etc. Strip the invalid type.
+ if (json.endpoints && json.endpoints.type) {
+ delete json.endpoints.type;
+ }
const patched = JSON.stringify(json);
res.setHeader("content-length", Buffer.byteLength(patched));
res.end(patched);
diff --git a/lib/federation-setup.js b/lib/federation-setup.js
index 4334920..e019d9f 100644
--- a/lib/federation-setup.js
+++ b/lib/federation-setup.js
@@ -40,6 +40,10 @@ import Redis from "ioredis";
import { MongoKvStore } from "./kv-store.js";
import { registerInboxListeners } from "./inbox-listeners.js";
import { jf2ToAS2Activity, resolvePostUrl } from "./jf2-to-as2.js";
+import { cachedQuery } from "./redis-cache.js";
+import { onOutboxPermanentFailure } from "./outbox-failure.js";
+
+const COLLECTION_CACHE_TTL = 300; // 5 minutes
/**
* Create and configure a Fedify Federation instance.
@@ -350,25 +354,15 @@ export function setupFederation(options) {
});
// Handle permanent delivery failures (Fedify 2.0).
- // Fires when a remote inbox returns 404/410 — the server is gone.
- // Log it and let the admin see which followers are unreachable.
+ // Fires when a remote inbox returns 404/410.
+ // 410: immediate full cleanup. 404: strike system (3 strikes over 7 days).
federation.setOutboxPermanentFailureHandler(async (_ctx, values) => {
- const { inbox, error, actorIds } = values;
- const inboxUrl = inbox?.href || String(inbox);
- const actors = actorIds?.map((id) => id?.href || String(id)) || [];
- console.warn(
- `[ActivityPub] Permanent delivery failure to ${inboxUrl}: ${error?.message || "unknown"}` +
- (actors.length ? ` (actors: ${actors.join(", ")})` : ""),
+ await onOutboxPermanentFailure(
+ values.statusCode,
+ values.actorIds,
+ values.inbox,
+ collections,
);
- collections.ap_activities.insertOne({
- direction: "outbound",
- type: "DeliveryFailed",
- actorUrl: publicationUrl,
- objectUrl: inboxUrl,
- summary: `Permanent delivery failure to ${inboxUrl}: ${error?.message || "unknown"}`,
- affectedActors: actors,
- receivedAt: new Date().toISOString(),
- }).catch(() => {});
});
// Wrap with debug dashboard if enabled. The debugger proxies the
@@ -415,10 +409,12 @@ function setupFollowers(federation, mountPath, handle, collections) {
// as Recipient objects so sendActivity("followers") can deliver.
// See: https://fedify.dev/manual/collections#one-shot-followers-collection-for-gathering-recipients
if (cursor == null) {
- const docs = await collections.ap_followers
- .find()
- .sort({ followedAt: -1 })
- .toArray();
+ const docs = await cachedQuery("col:followers:recipients", COLLECTION_CACHE_TTL, async () => {
+ return await collections.ap_followers
+ .find()
+ .sort({ followedAt: -1 })
+ .toArray();
+ });
return {
items: docs.map((f) => ({
id: new URL(f.actorUrl),
@@ -433,13 +429,16 @@ function setupFollowers(federation, mountPath, handle, collections) {
// Paginated collection: for remote browsing of /followers endpoint
const pageSize = 20;
const skip = Number.parseInt(cursor, 10);
- const docs = await collections.ap_followers
- .find()
- .sort({ followedAt: -1 })
- .skip(skip)
- .limit(pageSize)
- .toArray();
- const total = await collections.ap_followers.countDocuments();
+ const [docs, total] = await cachedQuery(`col:followers:page:${cursor}`, COLLECTION_CACHE_TTL, async () => {
+ const d = await collections.ap_followers
+ .find()
+ .sort({ followedAt: -1 })
+ .skip(skip)
+ .limit(pageSize)
+ .toArray();
+ const t = await collections.ap_followers.countDocuments();
+ return [d, t];
+ });
return {
items: docs.map((f) => new URL(f.actorUrl)),
@@ -450,7 +449,9 @@ function setupFollowers(federation, mountPath, handle, collections) {
)
.setCounter(async (ctx, identifier) => {
if (identifier !== handle) return 0;
- return await collections.ap_followers.countDocuments();
+ return await cachedQuery("col:followers:count", COLLECTION_CACHE_TTL, async () => {
+ return await collections.ap_followers.countDocuments();
+ });
})
.setFirstCursor(async () => "0");
}
@@ -463,13 +464,16 @@ function setupFollowing(federation, mountPath, handle, collections) {
if (identifier !== handle) return null;
const pageSize = 20;
const skip = cursor ? Number.parseInt(cursor, 10) : 0;
- const docs = await collections.ap_following
- .find()
- .sort({ followedAt: -1 })
- .skip(skip)
- .limit(pageSize)
- .toArray();
- const total = await collections.ap_following.countDocuments();
+ const [docs, total] = await cachedQuery(`col:following:page:${cursor}`, COLLECTION_CACHE_TTL, async () => {
+ const d = await collections.ap_following
+ .find()
+ .sort({ followedAt: -1 })
+ .skip(skip)
+ .limit(pageSize)
+ .toArray();
+ const t = await collections.ap_following.countDocuments();
+ return [d, t];
+ });
return {
items: docs.map((f) => new URL(f.actorUrl)),
@@ -480,7 +484,9 @@ function setupFollowing(federation, mountPath, handle, collections) {
)
.setCounter(async (ctx, identifier) => {
if (identifier !== handle) return 0;
- return await collections.ap_following.countDocuments();
+ return await cachedQuery("col:following:count", COLLECTION_CACHE_TTL, async () => {
+ return await collections.ap_following.countDocuments();
+ });
})
.setFirstCursor(async () => "0");
}
@@ -496,13 +502,16 @@ function setupLiked(federation, mountPath, handle, collections) {
const pageSize = 20;
const skip = cursor ? Number.parseInt(cursor, 10) : 0;
const query = { "properties.post-type": "like" };
- const docs = await collections.posts
- .find(query)
- .sort({ "properties.published": -1 })
- .skip(skip)
- .limit(pageSize)
- .toArray();
- const total = await collections.posts.countDocuments(query);
+ const [docs, total] = await cachedQuery(`col:liked:page:${cursor}`, COLLECTION_CACHE_TTL, async () => {
+ const d = await collections.posts
+ .find(query)
+ .sort({ "properties.published": -1 })
+ .skip(skip)
+ .limit(pageSize)
+ .toArray();
+ const t = await collections.posts.countDocuments(query);
+ return [d, t];
+ });
const items = docs
.map((d) => {
@@ -521,8 +530,10 @@ function setupLiked(federation, mountPath, handle, collections) {
.setCounter(async (ctx, identifier) => {
if (identifier !== handle) return 0;
if (!collections.posts) return 0;
- return await collections.posts.countDocuments({
- "properties.post-type": "like",
+ return await cachedQuery("col:liked:count", COLLECTION_CACHE_TTL, async () => {
+ return await collections.posts.countDocuments({
+ "properties.post-type": "like",
+ });
});
})
.setFirstCursor(async () => "0");
@@ -612,6 +623,7 @@ function setupOutbox(federation, mountPath, handle, collections) {
const federationVisibilityQuery = {
"properties.post-status": { $ne: "draft" },
"properties.visibility": { $ne: "unlisted" },
+ "properties.deleted": { $exists: false },
};
const total = await postsCollection.countDocuments(
federationVisibilityQuery,
@@ -653,6 +665,7 @@ function setupOutbox(federation, mountPath, handle, collections) {
return await postsCollection.countDocuments({
"properties.post-status": { $ne: "draft" },
"properties.visibility": { $ne: "unlisted" },
+ "properties.deleted": { $exists: false },
});
})
.setFirstCursor(async () => "0");
@@ -671,6 +684,8 @@ function setupObjectDispatchers(federation, mountPath, handle, collections, publ
if (!post) return null;
if (post?.properties?.["post-status"] === "draft") return null;
if (post?.properties?.visibility === "unlisted") return null;
+ // Soft-deleted posts should not be dereferenceable
+ if (post.properties?.deleted) return null;
const actorUrl = ctx.getActorUri(handle).href;
const activity = jf2ToAS2Activity(post.properties, actorUrl, publicationUrl);
// Only Create activities wrap Note/Article objects
diff --git a/lib/inbox-handlers.js b/lib/inbox-handlers.js
new file mode 100644
index 0000000..f40ca46
--- /dev/null
+++ b/lib/inbox-handlers.js
@@ -0,0 +1,1102 @@
+/**
+ * Inbox handler functions for each ActivityPub activity type.
+ *
+ * These handlers are extracted from inbox-listeners.js so they can be
+ * invoked from a background queue processor. Each handler receives a
+ * queue item document instead of a live Fedify activity object.
+ *
+ * Design notes:
+ * - Follow handler: only logs activity. Follower storage, Accept/Reject
+ * response, pending follow storage, and notifications are all handled
+ * synchronously in the inbox listener before the item is enqueued.
+ * - Block handler: only logs activity. Follower removal is done
+ * synchronously in the inbox listener.
+ * - All other handlers: perform full processing.
+ */
+
+import {
+ Accept,
+ Announce,
+ Article,
+ Block,
+ Create,
+ Delete,
+ Flag,
+ Follow,
+ Like,
+ Move,
+ Note,
+ Reject,
+ Undo,
+ Update,
+} from "@fedify/fedify/vocab";
+
+import { logActivity as logActivityShared } from "./activity-log.js";
+import { sanitizeContent, extractActorInfo, extractObjectData } from "./timeline-store.js";
+import { addTimelineItem, deleteTimelineItem, updateTimelineItem } from "./storage/timeline.js";
+import { addNotification } from "./storage/notifications.js";
+import { addMessage } from "./storage/messages.js";
+import { fetchAndStorePreviews, fetchAndStoreQuote } from "./og-unfurl.js";
+import { getFollowedTags } from "./storage/followed-tags.js";
+
+/** @type {string} ActivityStreams Public Collection constant */
+const PUBLIC = "https://www.w3.org/ns/activitystreams#Public";
+
+// ---------------------------------------------------------------------------
+// Router
+// ---------------------------------------------------------------------------
+
+/**
+ * Route a queued inbox item to the appropriate handler.
+ *
+ * @param {object} item - Queue document
+ * @param {string} item.activityType - Activity type name (e.g. "Follow")
+ * @param {string} item.actorUrl - Actor URL
+ * @param {string} [item.objectUrl] - Object URL (if applicable)
+ * @param {object} item.rawJson - Raw JSON-LD activity payload
+ * @param {object} collections - MongoDB collections
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Local actor handle
+ */
+export async function routeToHandler(item, collections, ctx, handle) {
+ const { activityType } = item;
+ switch (activityType) {
+ case "Follow":
+ return handleFollow(item, collections);
+ case "Undo":
+ return handleUndo(item, collections, ctx, handle);
+ case "Accept":
+ return handleAccept(item, collections, ctx, handle);
+ case "Reject":
+ return handleReject(item, collections, ctx, handle);
+ case "Like":
+ return handleLike(item, collections, ctx, handle);
+ case "Announce":
+ return handleAnnounce(item, collections, ctx, handle);
+ case "Create":
+ return handleCreate(item, collections, ctx, handle);
+ case "Delete":
+ return handleDelete(item, collections);
+ case "Move":
+ return handleMove(item, collections, ctx, handle);
+ case "Update":
+ return handleUpdate(item, collections, ctx, handle);
+ case "Block":
+ return handleBlock(item, collections);
+ case "Flag":
+ return handleFlag(item, collections, ctx, handle);
+ default:
+ console.warn(`[inbox-handlers] Unknown activity type: ${activityType}`);
+ }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Get an authenticated DocumentLoader that signs outbound fetches with
+ * our actor's key.
+ *
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Actor handle
+ * @returns {Promise}
+ */
+function getAuthLoader(ctx, handle) {
+ return ctx.getDocumentLoader({ identifier: handle });
+}
+
+/**
+ * Log an activity to the ap_activities collection.
+ *
+ * @param {object} collections - MongoDB collections
+ * @param {object} record - Activity record fields
+ */
+async function logActivity(collections, record) {
+ await logActivityShared(collections.ap_activities, record, {});
+}
+
+// ---------------------------------------------------------------------------
+// isDirectMessage
+// ---------------------------------------------------------------------------
+
+/**
+ * Determine if an object is a direct message (DM).
+ * A DM is addressed only to specific actors — no PUBLIC_COLLECTION,
+ * no followers collection, and includes our actor URL.
+ *
+ * Duplicated from inbox-listeners.js (not exported there).
+ *
+ * @param {object} object - Fedify object (Note, Article, etc.)
+ * @param {string} ourActorUrl - Our actor's URL
+ * @param {string} followersUrl - Our followers collection URL
+ * @returns {boolean}
+ */
+function isDirectMessage(object, ourActorUrl, followersUrl) {
+ const allAddressed = [
+ ...object.toIds.map((u) => u.href),
+ ...object.ccIds.map((u) => u.href),
+ ...object.btoIds.map((u) => u.href),
+ ...object.bccIds.map((u) => u.href),
+ ];
+
+ // Must be addressed to us
+ if (!allAddressed.includes(ourActorUrl)) return false;
+
+ // Must NOT include public collection
+ if (allAddressed.some((u) => u === PUBLIC || u === "as:Public")) return false;
+
+ // Must NOT include our followers collection
+ if (followersUrl && allAddressed.includes(followersUrl)) return false;
+
+ return true;
+}
+
+/**
+ * Compute post visibility from to/cc addressing fields.
+ * Matches Hollo's write-time visibility classification.
+ *
+ * @param {object} object - Fedify object (Note, Article, etc.)
+ * @returns {"public"|"unlisted"|"private"|"direct"}
+ */
+function computeVisibility(object) {
+ const to = new Set((object.toIds || []).map((u) => u.href));
+ const cc = new Set((object.ccIds || []).map((u) => u.href));
+
+ if (to.has(PUBLIC)) return "public";
+ if (cc.has(PUBLIC)) return "unlisted";
+ // Without knowing the remote actor's followers URL, we can't distinguish
+ // "private" (followers-only) from "direct". Both are non-public.
+ if (to.size > 0 || cc.size > 0) return "private";
+ return "direct";
+}
+
+/**
+ * Recursively fetch and store ancestor posts for a reply chain.
+ * Each ancestor is stored with isContext: true so it can be filtered
+ * from the main timeline while being available for thread views.
+ *
+ * @param {object} object - Fedify object (Note, Article, etc.)
+ * @param {object} collections - MongoDB collections
+ * @param {object} authLoader - Authenticated document loader
+ * @param {number} maxDepth - Maximum recursion depth
+ */
+async function fetchReplyChain(object, collections, authLoader, maxDepth) {
+ if (maxDepth <= 0) return;
+ const parentUrl = object.replyTargetId?.href;
+ if (!parentUrl) return;
+
+ // Skip if we already have this post
+ if (collections.ap_timeline) {
+ const existing = await collections.ap_timeline.findOne({ uid: parentUrl });
+ if (existing) return;
+ }
+
+ // Fetch the parent post
+ let parent;
+ try {
+ parent = await object.getReplyTarget({ documentLoader: authLoader });
+ } catch {
+ // Remote server unreachable — stop climbing
+ return;
+ }
+ if (!parent || !parent.id) return;
+
+ // Store as context item
+ try {
+ const timelineItem = await extractObjectData(parent, {
+ documentLoader: authLoader,
+ });
+ timelineItem.isContext = true;
+ timelineItem.visibility = computeVisibility(parent);
+ await addTimelineItem(collections, timelineItem);
+ } catch {
+ // Extraction failed — stop climbing
+ return;
+ }
+
+ // Recurse for the parent's parent
+ await fetchReplyChain(parent, collections, authLoader, maxDepth - 1);
+}
+
+// ---------------------------------------------------------------------------
+// Individual handlers
+// ---------------------------------------------------------------------------
+
+/**
+ * Handle Follow activity.
+ *
+ * The synchronous inbox listener already handled:
+ * - follower storage (or pending follow storage)
+ * - Accept/Reject response
+ * - notification creation
+ *
+ * This async handler only logs the activity.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ */
+export async function handleFollow(item, collections) {
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "Follow",
+ actorUrl: item.actorUrl,
+ summary: `${item.actorUrl} follow activity processed`,
+ });
+}
+
+/**
+ * Handle Undo activity.
+ *
+ * Undoes a Follow, Like, or Announce depending on the inner object type.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Actor handle
+ */
+export async function handleUndo(item, collections, ctx, handle) {
+ const authLoader = await getAuthLoader(ctx, handle);
+ const actorUrl = item.actorUrl;
+
+ let undo;
+ try {
+ undo = await Undo.fromJsonLd(item.rawJson, { documentLoader: authLoader });
+ } catch (error) {
+ console.warn("[inbox-handlers] Failed to reconstruct Undo from rawJson:", error.message);
+ return;
+ }
+
+ let inner;
+ try {
+ inner = await undo.getObject({ documentLoader: authLoader });
+ } catch {
+ // Inner activity not dereferenceable — can't determine what was undone
+ return;
+ }
+
+ if (inner instanceof Follow) {
+ await collections.ap_followers.deleteOne({ actorUrl });
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "Undo(Follow)",
+ actorUrl,
+ summary: `${actorUrl} unfollowed you`,
+ });
+ } else if (inner instanceof Like) {
+ const objectId = inner.objectId?.href || "";
+ await collections.ap_activities.deleteOne({
+ type: "Like",
+ actorUrl,
+ objectUrl: objectId,
+ });
+ } else if (inner instanceof Announce) {
+ const objectId = inner.objectId?.href || "";
+ await collections.ap_activities.deleteOne({
+ type: "Announce",
+ actorUrl,
+ objectUrl: objectId,
+ });
+ } else {
+ const typeName = inner?.constructor?.name || "unknown";
+ await logActivity(collections, {
+ direction: "inbound",
+ type: `Undo(${typeName})`,
+ actorUrl,
+ summary: `${actorUrl} undid ${typeName}`,
+ });
+ }
+}
+
+/**
+ * Handle Accept activity.
+ *
+ * Marks a pending follow in ap_following as accepted ("federation").
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Actor handle
+ */
+export async function handleAccept(item, collections, ctx, handle) {
+ const authLoader = await getAuthLoader(ctx, handle);
+
+ let accept;
+ try {
+ accept = await Accept.fromJsonLd(item.rawJson, { documentLoader: authLoader });
+ } catch (error) {
+ console.warn("[inbox-handlers] Failed to reconstruct Accept from rawJson:", error.message);
+ return;
+ }
+
+ // We match against ap_following rather than inspecting the inner object
+ // because Fedify often resolves the Follow's target to a Person instead
+ // of the Follow itself. Any Accept from this actor confirms our pending follow.
+ const actorObj = await accept.getActor({ documentLoader: authLoader });
+ const actorUrl = actorObj?.id?.href || "";
+ if (!actorUrl) return;
+
+ const result = await collections.ap_following.findOneAndUpdate(
+ {
+ actorUrl,
+ source: { $in: ["refollow:sent", "reader", "microsub-reader"] },
+ },
+ {
+ $set: {
+ source: "federation",
+ acceptedAt: new Date().toISOString(),
+ },
+ $unset: {
+ refollowAttempts: "",
+ refollowLastAttempt: "",
+ refollowError: "",
+ },
+ },
+ { returnDocument: "after" },
+ );
+
+ if (result) {
+ const actorName = result.name || result.handle || actorUrl;
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "Accept(Follow)",
+ actorUrl,
+ actorName,
+ summary: `${actorName} accepted our Follow`,
+ });
+ }
+}
+
+/**
+ * Handle Reject activity.
+ *
+ * Marks a pending follow in ap_following as rejected.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Actor handle
+ */
+export async function handleReject(item, collections, ctx, handle) {
+ const authLoader = await getAuthLoader(ctx, handle);
+
+ let reject;
+ try {
+ reject = await Reject.fromJsonLd(item.rawJson, { documentLoader: authLoader });
+ } catch (error) {
+ console.warn("[inbox-handlers] Failed to reconstruct Reject from rawJson:", error.message);
+ return;
+ }
+
+ const actorObj = await reject.getActor({ documentLoader: authLoader });
+ const actorUrl = actorObj?.id?.href || "";
+ if (!actorUrl) return;
+
+ const result = await collections.ap_following.findOneAndUpdate(
+ {
+ actorUrl,
+ source: { $in: ["refollow:sent", "reader", "microsub-reader"] },
+ },
+ {
+ $set: {
+ source: "rejected",
+ rejectedAt: new Date().toISOString(),
+ },
+ },
+ { returnDocument: "after" },
+ );
+
+ if (result) {
+ const actorName = result.name || result.handle || actorUrl;
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "Reject(Follow)",
+ actorUrl,
+ actorName,
+ summary: `${actorName} rejected our Follow`,
+ });
+ }
+}
+
+/**
+ * Handle Like activity.
+ *
+ * Only logs likes of our own content and creates a notification.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Actor handle
+ */
+export async function handleLike(item, collections, ctx, handle) {
+ const authLoader = await getAuthLoader(ctx, handle);
+
+ let like;
+ try {
+ like = await Like.fromJsonLd(item.rawJson, { documentLoader: authLoader });
+ } catch (error) {
+ console.warn("[inbox-handlers] Failed to reconstruct Like from rawJson:", error.message);
+ return;
+ }
+
+ const objectId = like.objectId?.href || "";
+
+ // Only log likes of our own content
+ const pubUrl = collections._publicationUrl;
+ if (!objectId || (pubUrl && !objectId.startsWith(pubUrl))) return;
+
+ const actorUrl = like.actorId?.href || "";
+ let actorObj;
+ try {
+ actorObj = await like.getActor({ documentLoader: authLoader });
+ } catch {
+ actorObj = null;
+ }
+
+ const actorName =
+ actorObj?.name?.toString() ||
+ actorObj?.preferredUsername?.toString() ||
+ actorUrl;
+
+ // Extract actor info (including avatar) before logging so we can store it
+ const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
+
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "Like",
+ actorUrl,
+ actorName,
+ actorAvatar: actorInfo.photo || "",
+ objectUrl: objectId,
+ summary: `${actorName} liked ${objectId}`,
+ });
+
+ // Store notification
+ await addNotification(collections, {
+ uid: like.id?.href || `like:${actorUrl}:${objectId}`,
+ type: "like",
+ actorUrl: actorInfo.url,
+ actorName: actorInfo.name,
+ actorPhoto: actorInfo.photo,
+ actorHandle: actorInfo.handle,
+ targetUrl: objectId,
+ targetName: "", // Could fetch post title, but not critical
+ published: like.published ? String(like.published) : new Date().toISOString(),
+ createdAt: new Date().toISOString(),
+ });
+}
+
+/**
+ * Handle Announce (boost) activity.
+ *
+ * PATH 1: If boost of OUR content → notification.
+ * PATH 2: If from followed account → store timeline item, quote enrichment.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Actor handle
+ */
+export async function handleAnnounce(item, collections, ctx, handle) {
+ const authLoader = await getAuthLoader(ctx, handle);
+
+ let announce;
+ try {
+ announce = await Announce.fromJsonLd(item.rawJson, { documentLoader: authLoader });
+ } catch (error) {
+ console.warn("[inbox-handlers] Failed to reconstruct Announce from rawJson:", error.message);
+ return;
+ }
+
+ const objectId = announce.objectId?.href || "";
+ if (!objectId) return;
+
+ const actorUrl = announce.actorId?.href || "";
+ const pubUrl = collections._publicationUrl;
+
+ // PATH 1: Boost of OUR content → Notification
+ if (pubUrl && objectId.startsWith(pubUrl)) {
+ let actorObj;
+ try {
+ actorObj = await announce.getActor({ documentLoader: authLoader });
+ } catch {
+ actorObj = null;
+ }
+
+ const actorName =
+ actorObj?.name?.toString() ||
+ actorObj?.preferredUsername?.toString() ||
+ actorUrl;
+
+ // Extract actor info (including avatar) before logging so we can store it
+ const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
+
+ // Log the boost activity
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "Announce",
+ actorUrl,
+ actorName,
+ actorAvatar: actorInfo.photo || "",
+ objectUrl: objectId,
+ summary: `${actorName} boosted ${objectId}`,
+ });
+
+ // Create notification
+ await addNotification(collections, {
+ uid: announce.id?.href || `${actorUrl}#boost-${objectId}`,
+ type: "boost",
+ actorUrl: actorInfo.url,
+ actorName: actorInfo.name,
+ actorPhoto: actorInfo.photo,
+ actorHandle: actorInfo.handle,
+ targetUrl: objectId,
+ targetName: "", // Could fetch post title, but not critical
+ published: announce.published ? String(announce.published) : new Date().toISOString(),
+ createdAt: new Date().toISOString(),
+ });
+
+ // Don't return — fall through to check if actor is also followed
+ }
+
+ // PATH 2: Boost from someone we follow → Timeline (store original post)
+ const following = await collections.ap_following.findOne({ actorUrl });
+ if (following) {
+ try {
+ // Fetch the original object being boosted (authenticated for Secure Mode servers)
+ const object = await announce.getObject({ documentLoader: authLoader });
+ if (!object) return;
+
+ // Skip non-content objects (Lemmy/PieFed like/create activities
+ // that resolve to activity IDs instead of actual Note/Article posts)
+ const hasContent = object.content?.toString() || object.name?.toString();
+ if (!hasContent) return;
+
+ // Get booster actor info
+ const boosterActor = await announce.getActor({ documentLoader: authLoader });
+ const boosterInfo = await extractActorInfo(boosterActor, { documentLoader: authLoader });
+
+ // Extract and store with boost metadata
+ const timelineItem = await extractObjectData(object, {
+ boostedBy: boosterInfo,
+ boostedAt: announce.published ? String(announce.published) : new Date().toISOString(),
+ documentLoader: authLoader,
+ });
+ timelineItem.visibility = computeVisibility(object);
+ await addTimelineItem(collections, timelineItem);
+
+ // Fire-and-forget quote enrichment for boosted posts
+ if (timelineItem.quoteUrl) {
+ fetchAndStoreQuote(collections, timelineItem.uid, timelineItem.quoteUrl, ctx, authLoader)
+ .catch((error) => {
+ console.error(`[inbox-handlers] Quote fetch failed for ${timelineItem.uid}:`, error.message);
+ });
+ }
+ } catch (error) {
+ // Remote object unreachable (timeout, Authorized Fetch, deleted, etc.) — skip
+ const cause = error?.cause?.code || error?.message || "unknown";
+ console.warn(`[inbox-handlers] Skipped boost from ${actorUrl}: ${cause}`);
+ }
+ }
+}
+
+/**
+ * Handle Create activity.
+ *
+ * Processes DMs, replies, mentions, and timeline storage.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Actor handle
+ */
+export async function handleCreate(item, collections, ctx, handle) {
+ const authLoader = await getAuthLoader(ctx, handle);
+
+ let create;
+ try {
+ create = await Create.fromJsonLd(item.rawJson, { documentLoader: authLoader });
+ } catch (error) {
+ console.warn("[inbox-handlers] Failed to reconstruct Create from rawJson:", error.message);
+ return;
+ }
+
+ let object;
+ try {
+ object = await create.getObject({ documentLoader: authLoader });
+ } catch {
+ // Remote object not dereferenceable (deleted, etc.)
+ return;
+ }
+ if (!object) return;
+
+ const actorUrl = create.actorId?.href || "";
+ let actorObj;
+ try {
+ actorObj = await create.getActor({ documentLoader: authLoader });
+ } catch {
+ // Actor not dereferenceable — use URL as fallback
+ actorObj = null;
+ }
+ const actorName =
+ actorObj?.name?.toString() ||
+ actorObj?.preferredUsername?.toString() ||
+ actorUrl;
+
+ // --- DM detection ---
+ // Check if this is a direct message before processing as reply/mention/timeline.
+ // DMs are handled separately and stored in ap_messages instead of ap_timeline.
+ const ourActorUrl = ctx.getActorUri(handle).href;
+ const followersUrl = ctx.getFollowersUri(handle)?.href || "";
+
+ if (isDirectMessage(object, ourActorUrl, followersUrl)) {
+ const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
+ const rawHtml = object.content?.toString() || "";
+ const contentHtml = sanitizeContent(rawHtml);
+ const contentText = rawHtml.replace(/<[^>]*>/g, "").substring(0, 500);
+ const published = object.published ? String(object.published) : new Date().toISOString();
+ const inReplyToDM = object.replyTargetId?.href || null;
+
+ // Store as message
+ await addMessage(collections, {
+ uid: object.id?.href || `dm:${actorUrl}:${Date.now()}`,
+ actorUrl: actorInfo.url,
+ actorName: actorInfo.name,
+ actorPhoto: actorInfo.photo,
+ actorHandle: actorInfo.handle,
+ content: {
+ text: contentText,
+ html: contentHtml,
+ },
+ inReplyTo: inReplyToDM,
+ conversationId: actorInfo.url,
+ direction: "inbound",
+ published,
+ createdAt: new Date().toISOString(),
+ });
+
+ // Also create a notification so DMs appear in the notification tab
+ await addNotification(collections, {
+ uid: `dm:${object.id?.href || `${actorUrl}:${Date.now()}`}`,
+ url: object.url?.href || object.id?.href || "",
+ type: "dm",
+ actorUrl: actorInfo.url,
+ actorName: actorInfo.name,
+ actorPhoto: actorInfo.photo,
+ actorHandle: actorInfo.handle,
+ content: {
+ text: contentText,
+ html: contentHtml,
+ },
+ published,
+ createdAt: new Date().toISOString(),
+ });
+
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "DirectMessage",
+ actorUrl,
+ actorName,
+ actorAvatar: actorInfo.photo || "",
+ objectUrl: object.id?.href || "",
+ content: contentText.substring(0, 100),
+ summary: `${actorName} sent a direct message`,
+ });
+
+ return; // Don't process DMs as timeline/mention/reply
+ }
+
+ // Use replyTargetId (non-fetching) for the inReplyTo URL
+ const inReplyTo = object.replyTargetId?.href || null;
+
+ // Log replies to our posts (existing behavior for conversations)
+ const pubUrl = collections._publicationUrl;
+ if (inReplyTo) {
+ const content = object.content?.toString() || "";
+
+ // Extract actor info (including avatar) before logging so we can store it
+ const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
+
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "Reply",
+ actorUrl,
+ actorName,
+ actorAvatar: actorInfo.photo || "",
+ objectUrl: object.id?.href || "",
+ targetUrl: inReplyTo,
+ content,
+ summary: `${actorName} replied to ${inReplyTo}`,
+ });
+
+ // Create notification if reply is to one of OUR posts
+ if (pubUrl && inReplyTo.startsWith(pubUrl)) {
+ const rawHtml = object.content?.toString() || "";
+ const contentHtml = sanitizeContent(rawHtml);
+ const contentText = rawHtml.replace(/<[^>]*>/g, "").substring(0, 200);
+
+ await addNotification(collections, {
+ uid: object.id?.href || `reply:${actorUrl}:${inReplyTo}`,
+ url: object.url?.href || object.id?.href || "",
+ type: "reply",
+ actorUrl: actorInfo.url,
+ actorName: actorInfo.name,
+ actorPhoto: actorInfo.photo,
+ actorHandle: actorInfo.handle,
+ targetUrl: inReplyTo,
+ targetName: "",
+ content: {
+ text: contentText,
+ html: contentHtml,
+ },
+ published: object.published ? String(object.published) : new Date().toISOString(),
+ createdAt: new Date().toISOString(),
+ });
+ }
+ }
+
+ // --- Recursive reply chain fetching ---
+ // Fetch and store ancestor posts so conversation threads have context.
+ // Each ancestor is stored with isContext: true to distinguish from organic timeline items.
+ if (inReplyTo) {
+ try {
+ await fetchReplyChain(object, collections, authLoader, 5);
+ } catch (error) {
+ // Non-critical — incomplete context is acceptable
+ console.warn("[inbox-handlers] Reply chain fetch failed:", error.message);
+ }
+ }
+
+ // Check for mentions of our actor
+ if (object.tag) {
+ const tags = Array.isArray(object.tag) ? object.tag : [object.tag];
+
+ for (const tag of tags) {
+ if (tag.type === "Mention" && tag.href?.href === ourActorUrl) {
+ const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
+ const rawMentionHtml = object.content?.toString() || "";
+ const mentionHtml = sanitizeContent(rawMentionHtml);
+ const contentText = rawMentionHtml.replace(/<[^>]*>/g, "").substring(0, 200);
+
+ await addNotification(collections, {
+ uid: object.id?.href || `mention:${actorUrl}:${object.id?.href}`,
+ url: object.url?.href || object.id?.href || "",
+ type: "mention",
+ actorUrl: actorInfo.url,
+ actorName: actorInfo.name,
+ actorPhoto: actorInfo.photo,
+ actorHandle: actorInfo.handle,
+ content: {
+ text: contentText,
+ html: mentionHtml,
+ },
+ published: object.published ? String(object.published) : new Date().toISOString(),
+ createdAt: new Date().toISOString(),
+ });
+
+ break; // Only create one mention notification per post
+ }
+ }
+ }
+
+ // Store timeline items from accounts we follow (native storage)
+ const following = await collections.ap_following.findOne({ actorUrl });
+ if (following) {
+ try {
+ const timelineItem = await extractObjectData(object, {
+ actorFallback: actorObj,
+ documentLoader: authLoader,
+ });
+ timelineItem.visibility = computeVisibility(object);
+ await addTimelineItem(collections, timelineItem);
+
+ // Fire-and-forget OG unfurling for notes and articles (not boosts)
+ if (timelineItem.type === "note" || timelineItem.type === "article") {
+ fetchAndStorePreviews(collections, timelineItem.uid, timelineItem.content.html)
+ .catch((error) => {
+ console.error(`[inbox-handlers] OG unfurl failed for ${timelineItem.uid}:`, error);
+ });
+ }
+
+ // Fire-and-forget quote enrichment
+ if (timelineItem.quoteUrl) {
+ fetchAndStoreQuote(collections, timelineItem.uid, timelineItem.quoteUrl, ctx, authLoader)
+ .catch((error) => {
+ console.error(`[inbox-handlers] Quote fetch failed for ${timelineItem.uid}:`, error.message);
+ });
+ }
+ } catch (error) {
+ // Log extraction errors but don't fail the entire handler
+ console.error("[inbox-handlers] Failed to store timeline item:", error);
+ }
+ } else if (collections.ap_followed_tags) {
+ // Not a followed account — check if the post's hashtags match any followed tags
+ // so tagged posts from across the fediverse appear in the timeline
+ try {
+ const objectTags = Array.isArray(object.tag) ? object.tag : (object.tag ? [object.tag] : []);
+ const postHashtags = objectTags
+ .filter((t) => t.type === "Hashtag" && t.name)
+ .map((t) => t.name.toString().replace(/^#/, "").toLowerCase());
+
+ if (postHashtags.length > 0) {
+ const followedTags = await getFollowedTags(collections);
+ const followedSet = new Set(followedTags.map((t) => t.toLowerCase()));
+ const hasMatchingTag = postHashtags.some((tag) => followedSet.has(tag));
+
+ if (hasMatchingTag) {
+ const timelineItem = await extractObjectData(object, {
+ actorFallback: actorObj,
+ documentLoader: authLoader,
+ });
+ timelineItem.visibility = computeVisibility(object);
+ await addTimelineItem(collections, timelineItem);
+ }
+ }
+ } catch (error) {
+ // Non-critical — don't fail the handler
+ console.error("[inbox-handlers] Followed tag check failed:", error.message);
+ }
+ }
+}
+
+/**
+ * Handle Delete activity.
+ *
+ * Removes from ap_activities and timeline by object URL.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ */
+export async function handleDelete(item, collections) {
+ const objectId = item.objectUrl;
+ if (objectId) {
+ // Remove from activity log
+ await collections.ap_activities.deleteMany({ objectUrl: objectId });
+
+ // Remove from timeline
+ await deleteTimelineItem(collections, objectId);
+ }
+}
+
+/**
+ * Handle Move activity.
+ *
+ * Updates ap_followers to reflect the actor's new URL.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Actor handle
+ */
+export async function handleMove(item, collections, ctx, handle) {
+ const authLoader = await getAuthLoader(ctx, handle);
+
+ let move;
+ try {
+ move = await Move.fromJsonLd(item.rawJson, { documentLoader: authLoader });
+ } catch (error) {
+ console.warn("[inbox-handlers] Failed to reconstruct Move from rawJson:", error.message);
+ return;
+ }
+
+ const oldActorObj = await move.getActor({ documentLoader: authLoader });
+ const oldActorUrl = oldActorObj?.id?.href || "";
+ const target = await move.getTarget({ documentLoader: authLoader });
+ const newActorUrl = target?.id?.href || "";
+
+ if (oldActorUrl && newActorUrl) {
+ await collections.ap_followers.updateOne(
+ { actorUrl: oldActorUrl },
+ { $set: { actorUrl: newActorUrl, movedFrom: oldActorUrl } },
+ );
+ }
+
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "Move",
+ actorUrl: oldActorUrl,
+ objectUrl: newActorUrl,
+ summary: `${oldActorUrl} moved to ${newActorUrl}`,
+ });
+}
+
+/**
+ * Handle Update activity.
+ *
+ * PATH 1: If Note/Article → update timeline item content.
+ * PATH 2: Otherwise → refresh stored follower data.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Actor handle
+ */
+export async function handleUpdate(item, collections, ctx, handle) {
+ const authLoader = await getAuthLoader(ctx, handle);
+
+ let update;
+ try {
+ update = await Update.fromJsonLd(item.rawJson, { documentLoader: authLoader });
+ } catch (error) {
+ console.warn("[inbox-handlers] Failed to reconstruct Update from rawJson:", error.message);
+ return;
+ }
+
+ // Try to get the object being updated
+ let object;
+ try {
+ object = await update.getObject({ documentLoader: authLoader });
+ } catch {
+ object = null;
+ }
+
+ // PATH 1: If object is a Note/Article → Update timeline item content
+ if (object && (object instanceof Note || object instanceof Article)) {
+ const objectUrl = object.id?.href || "";
+ if (objectUrl) {
+ try {
+ // Extract updated content
+ const contentHtml = object.content?.toString() || "";
+ const contentText = object.source?.content?.toString() || contentHtml.replace(/<[^>]*>/g, "");
+
+ const updates = {
+ content: {
+ text: contentText,
+ html: contentHtml,
+ },
+ name: object.name?.toString() || "",
+ summary: object.summary?.toString() || "",
+ sensitive: object.sensitive || false,
+ };
+
+ await updateTimelineItem(collections, objectUrl, updates);
+ } catch (error) {
+ console.error("[inbox-handlers] Failed to update timeline item:", error);
+ }
+ }
+ return;
+ }
+
+ // PATH 2: Otherwise, assume profile update — refresh stored follower data
+ const actorObj = await update.getActor({ documentLoader: authLoader });
+ const actorUrl = actorObj?.id?.href || "";
+ if (!actorUrl) return;
+
+ const existing = await collections.ap_followers.findOne({ actorUrl });
+ if (existing) {
+ await collections.ap_followers.updateOne(
+ { actorUrl },
+ {
+ $set: {
+ name:
+ actorObj.name?.toString() ||
+ actorObj.preferredUsername?.toString() ||
+ actorUrl,
+ handle: actorObj.preferredUsername?.toString() || "",
+ avatar: actorObj.icon
+ ? (await actorObj.icon)?.url?.href || ""
+ : "",
+ updatedAt: new Date().toISOString(),
+ },
+ },
+ );
+ }
+}
+
+/**
+ * Handle Block activity.
+ *
+ * The synchronous inbox listener already handled follower removal.
+ * This async handler only logs the activity.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ */
+export async function handleBlock(item, collections) {
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "Block",
+ actorUrl: item.actorUrl,
+ summary: `${item.actorUrl} block activity processed`,
+ });
+}
+
+/**
+ * Handle Flag (report) activity.
+ *
+ * Stores the report in ap_reports, creates a notification, and logs the activity.
+ *
+ * @param {object} item - Queue document
+ * @param {object} collections - MongoDB collections
+ * @param {import("@fedify/fedify").Context} ctx - Fedify context
+ * @param {string} handle - Actor handle
+ */
+export async function handleFlag(item, collections, ctx, handle) {
+ try {
+ const authLoader = await getAuthLoader(ctx, handle);
+
+ let flag;
+ try {
+ flag = await Flag.fromJsonLd(item.rawJson, { documentLoader: authLoader });
+ } catch (error) {
+ console.warn("[inbox-handlers] Failed to reconstruct Flag from rawJson:", error.message);
+ return;
+ }
+
+ const actorObj = await flag.getActor({ documentLoader: authLoader }).catch(() => null);
+
+ const reporterUrl = actorObj?.id?.href || flag.actorId?.href || "";
+ const reporterName = actorObj?.name?.toString() || actorObj?.preferredUsername?.toString() || reporterUrl;
+
+ // Extract reported objects — Flag can report actors or posts
+ const reportedIds = flag.objectIds?.map((u) => u.href) || [];
+ const reason = flag.content?.toString() || flag.summary?.toString() || "";
+
+ if (reportedIds.length === 0 && !reason) {
+ console.info("[inbox-handlers] Ignoring empty Flag from", reporterUrl);
+ return;
+ }
+
+ // Store report
+ if (collections.ap_reports) {
+ await collections.ap_reports.insertOne({
+ reporterUrl,
+ reporterName,
+ reportedUrls: reportedIds,
+ reason,
+ createdAt: new Date().toISOString(),
+ read: false,
+ });
+ }
+
+ // Create notification
+ if (collections.ap_notifications) {
+ await addNotification(collections, {
+ uid: `flag:${reporterUrl}:${Date.now()}`,
+ type: "report",
+ actorUrl: reporterUrl,
+ actorName: reporterName,
+ actorPhoto: actorObj?.iconUrl?.href || actorObj?.icon?.url?.href || "",
+ actorHandle: actorObj?.preferredUsername
+ ? `@${actorObj.preferredUsername}@${new URL(reporterUrl).hostname}`
+ : reporterUrl,
+ objectUrl: reportedIds[0] || "",
+ summary: reason ? reason.slice(0, 200) : "Report received",
+ published: new Date().toISOString(),
+ createdAt: new Date().toISOString(),
+ });
+ }
+
+ await logActivity(collections, {
+ direction: "inbound",
+ type: "Flag",
+ actorUrl: reporterUrl,
+ objectUrl: reportedIds[0] || "",
+ summary: `Report from ${reporterName}: ${reason.slice(0, 100)}`,
+ });
+
+ console.info(`[inbox-handlers] Flag received from ${reporterName} — ${reportedIds.length} objects reported`);
+ } catch (error) {
+ console.warn("[inbox-handlers] Flag handler error:", error.message);
+ }
+}
diff --git a/lib/inbox-listeners.js b/lib/inbox-listeners.js
index 4376f3a..12c845e 100644
--- a/lib/inbox-listeners.js
+++ b/lib/inbox-listeners.js
@@ -1,39 +1,36 @@
/**
* Inbox listener registrations for the Fedify Federation instance.
*
- * Each listener handles a specific ActivityPub activity type received
- * in the actor's inbox (Follow, Undo, Like, Announce, Create, Delete, Move).
+ * Each listener is a thin shim that:
+ * 1. Checks server-level blocks (Redis, O(1))
+ * 2. Updates key freshness tracking
+ * 3. Performs synchronous-only work (Follow Accept, Block follower removal)
+ * 4. Enqueues the activity for async processing
*/
import {
Accept,
Add,
Announce,
- Article,
Block,
Create,
Delete,
Flag,
Follow,
- Hashtag,
Like,
- Mention,
Move,
- Note,
Reject,
Remove,
Undo,
Update,
- View,
} from "@fedify/fedify/vocab";
-import { logActivity as logActivityShared } from "./activity-log.js";
-import { sanitizeContent, extractActorInfo, extractObjectData } from "./timeline-store.js";
-import { addTimelineItem, deleteTimelineItem, updateTimelineItem } from "./storage/timeline.js";
+import { isServerBlocked } from "./storage/server-blocks.js";
+import { touchKeyFreshness } from "./key-refresh.js";
+import { resetDeliveryStrikes } from "./outbox-failure.js";
+import { enqueueActivity } from "./inbox-queue.js";
+import { extractActorInfo } from "./timeline-store.js";
import { addNotification } from "./storage/notifications.js";
-import { addMessage } from "./storage/messages.js";
-import { fetchAndStorePreviews, fetchAndStoreQuote } from "./og-unfurl.js";
-import { getFollowedTags } from "./storage/followed-tags.js";
/**
* Register all inbox listeners on a federation's inbox chain.
@@ -44,54 +41,21 @@ import { getFollowedTags } from "./storage/followed-tags.js";
* @param {string} options.handle - Actor handle
* @param {boolean} options.storeRawActivities - Whether to store raw JSON
*/
-/** @type {string} ActivityStreams Public Collection constant */
-const PUBLIC = "https://www.w3.org/ns/activitystreams#Public";
-
-/**
- * Determine if an object is a direct message (DM).
- * A DM is addressed only to specific actors — no PUBLIC_COLLECTION,
- * no followers collection, and includes our actor URL.
- *
- * @param {object} object - Fedify object (Note, Article, etc.)
- * @param {string} ourActorUrl - Our actor's URL
- * @param {string} followersUrl - Our followers collection URL
- * @returns {boolean}
- */
-function isDirectMessage(object, ourActorUrl, followersUrl) {
- const allAddressed = [
- ...object.toIds.map((u) => u.href),
- ...object.ccIds.map((u) => u.href),
- ...object.btoIds.map((u) => u.href),
- ...object.bccIds.map((u) => u.href),
- ];
-
- // Must be addressed to us
- if (!allAddressed.includes(ourActorUrl)) return false;
-
- // Must NOT include public collection
- if (allAddressed.some((u) => u === PUBLIC || u === "as:Public")) return false;
-
- // Must NOT include our followers collection
- if (followersUrl && allAddressed.includes(followersUrl)) return false;
-
- return true;
-}
-
export function registerInboxListeners(inboxChain, options) {
- const { collections, handle, storeRawActivities } = options;
+ const { collections, handle } = options;
- /**
- * Get an authenticated DocumentLoader that signs outbound fetches with
- * our actor's key. This allows .getActor()/.getObject() to succeed
- * against Authorized Fetch (Secure Mode) servers like hachyderm.io.
- *
- * @param {import("@fedify/fedify").Context} ctx - Fedify context
- * @returns {Promise}
- */
const getAuthLoader = (ctx) => ctx.getDocumentLoader({ identifier: handle });
inboxChain
+ // ── Follow ──────────────────────────────────────────────────────
+ // Synchronous: Accept/Reject + follower storage (federation requirement)
+ // Async: notification + activity log
.on(Follow, async (ctx, follow) => {
+ const actorUrl = follow.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
+
const authLoader = await getAuthLoader(ctx);
const followerActor = await follow.getActor({ documentLoader: authLoader });
if (!followerActor?.id) return;
@@ -102,746 +66,291 @@ export function registerInboxListeners(inboxChain, options) {
followerActor.preferredUsername?.toString() ||
followerUrl;
- await collections.ap_followers.updateOne(
- { actorUrl: followerUrl },
- {
- $set: {
- actorUrl: followerUrl,
- handle: followerActor.preferredUsername?.toString() || "",
- name: followerName,
- avatar: followerActor.icon
- ? (await followerActor.icon)?.url?.href || ""
- : "",
- inbox: followerActor.inbox?.id?.href || "",
- sharedInbox: followerActor.endpoints?.sharedInbox?.href || "",
- followedAt: new Date().toISOString(),
- },
- },
- { upsert: true },
- );
-
- // Auto-accept: send Accept back
- await ctx.sendActivity(
- { identifier: handle },
- followerActor,
- new Accept({
- actor: ctx.getActorUri(handle),
- object: follow,
- }),
- { orderingKey: followerUrl },
- );
-
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: "Follow",
+ const followerData = {
actorUrl: followerUrl,
- actorName: followerName,
- summary: `${followerName} followed you`,
- });
+ handle: followerActor.preferredUsername?.toString() || "",
+ name: followerName,
+ avatar: followerActor.icon
+ ? (await followerActor.icon)?.url?.href || ""
+ : "",
+ inbox: followerActor.inbox?.id?.href || "",
+ sharedInbox: followerActor.endpoints?.sharedInbox?.href || "",
+ };
- // Store notification
- const followerInfo = await extractActorInfo(followerActor, { documentLoader: authLoader });
- await addNotification(collections, {
- uid: follow.id?.href || `follow:${followerUrl}`,
- type: "follow",
- actorUrl: followerInfo.url,
- actorName: followerInfo.name,
- actorPhoto: followerInfo.photo,
- actorHandle: followerInfo.handle,
- published: follow.published ? String(follow.published) : new Date().toISOString(),
- createdAt: new Date().toISOString(),
- });
- })
- .on(Undo, async (ctx, undo) => {
- const actorUrl = undo.actorId?.href || "";
- const authLoader = await getAuthLoader(ctx);
- let inner;
- try {
- inner = await undo.getObject({ documentLoader: authLoader });
- } catch {
- // Inner activity not dereferenceable — can't determine what was undone
- return;
- }
+ const profile = await collections.ap_profile.findOne({});
+ const manualApproval = profile?.manuallyApprovesFollowers || false;
- if (inner instanceof Follow) {
- await collections.ap_followers.deleteOne({ actorUrl });
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: "Undo(Follow)",
- actorUrl,
- summary: `${actorUrl} unfollowed you`,
- });
- } else if (inner instanceof Like) {
- const objectId = inner.objectId?.href || "";
- await collections.ap_activities.deleteOne({
- type: "Like",
- actorUrl,
- objectUrl: objectId,
- });
- } else if (inner instanceof Announce) {
- const objectId = inner.objectId?.href || "";
- await collections.ap_activities.deleteOne({
- type: "Announce",
- actorUrl,
- objectUrl: objectId,
- });
- } else {
- const typeName = inner?.constructor?.name || "unknown";
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: `Undo(${typeName})`,
- actorUrl,
- summary: `${actorUrl} undid ${typeName}`,
- });
- }
- })
- .on(Accept, async (ctx, accept) => {
- // Handle Accept(Follow) — remote server accepted our Follow request.
- // We don't inspect the inner object type because Fedify often resolves
- // it to a Person (the Follow's target) rather than the Follow itself.
- // Instead, we match directly against ap_following — if we have a
- // pending follow for this actor, any Accept from them confirms it.
- const authLoader = await getAuthLoader(ctx);
- const actorObj = await accept.getActor({ documentLoader: authLoader });
- const actorUrl = actorObj?.id?.href || "";
- if (!actorUrl) return;
-
- const result = await collections.ap_following.findOneAndUpdate(
- {
- actorUrl,
- source: { $in: ["refollow:sent", "reader", "microsub-reader"] },
- },
- {
- $set: {
- source: "federation",
- acceptedAt: new Date().toISOString(),
- },
- $unset: {
- refollowAttempts: "",
- refollowLastAttempt: "",
- refollowError: "",
- },
- },
- { returnDocument: "after" },
- );
-
- if (result) {
- const actorName =
- result.name || result.handle || actorUrl;
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: "Accept(Follow)",
- actorUrl,
- actorName,
- summary: `${actorName} accepted our Follow`,
- });
- }
- })
- .on(Reject, async (ctx, reject) => {
- const authLoader = await getAuthLoader(ctx);
- const actorObj = await reject.getActor({ documentLoader: authLoader });
- const actorUrl = actorObj?.id?.href || "";
- if (!actorUrl) return;
-
- // Mark rejected follow in ap_following
- const result = await collections.ap_following.findOneAndUpdate(
- {
- actorUrl,
- source: { $in: ["refollow:sent", "reader", "microsub-reader"] },
- },
- {
- $set: {
- source: "rejected",
- rejectedAt: new Date().toISOString(),
- },
- },
- { returnDocument: "after" },
- );
-
- if (result) {
- const actorName = result.name || result.handle || actorUrl;
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: "Reject(Follow)",
- actorUrl,
- actorName,
- summary: `${actorName} rejected our Follow`,
- });
- }
- })
- .on(Like, async (ctx, like) => {
- // Use .objectId (non-fetching) for the liked URL — we only need the
- // URL to filter and log, not the full remote object.
- const objectId = like.objectId?.href || "";
-
- // Only log likes of our own content
- const pubUrl = collections._publicationUrl;
- if (!objectId || (pubUrl && !objectId.startsWith(pubUrl))) return;
-
- const authLoader = await getAuthLoader(ctx);
- const actorUrl = like.actorId?.href || "";
- let actorObj;
- try {
- actorObj = await like.getActor({ documentLoader: authLoader });
- } catch {
- actorObj = null;
- }
-
- const actorName =
- actorObj?.name?.toString() ||
- actorObj?.preferredUsername?.toString() ||
- actorUrl;
-
- // Extract actor info (including avatar) before logging so we can store it
- const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
-
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: "Like",
- actorUrl,
- actorName,
- actorAvatar: actorInfo.photo || "",
- objectUrl: objectId,
- summary: `${actorName} liked ${objectId}`,
- });
-
- // Store notification
- await addNotification(collections, {
- uid: like.id?.href || `like:${actorUrl}:${objectId}`,
- type: "like",
- actorUrl: actorInfo.url,
- actorName: actorInfo.name,
- actorPhoto: actorInfo.photo,
- actorHandle: actorInfo.handle,
- targetUrl: objectId,
- targetName: "", // Could fetch post title, but not critical
- published: like.published ? String(like.published) : new Date().toISOString(),
- createdAt: new Date().toISOString(),
- });
- })
- .on(Announce, async (ctx, announce) => {
- const objectId = announce.objectId?.href || "";
- if (!objectId) return;
-
- const authLoader = await getAuthLoader(ctx);
- const actorUrl = announce.actorId?.href || "";
- const pubUrl = collections._publicationUrl;
-
- // Dual path logic: Notification vs Timeline
-
- // PATH 1: Boost of OUR content → Notification
- if (pubUrl && objectId.startsWith(pubUrl)) {
- let actorObj;
- try {
- actorObj = await announce.getActor({ documentLoader: authLoader });
- } catch {
- actorObj = null;
- }
-
- const actorName =
- actorObj?.name?.toString() ||
- actorObj?.preferredUsername?.toString() ||
- actorUrl;
-
- // Extract actor info (including avatar) before logging so we can store it
- const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
-
- // Log the boost activity
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: "Announce",
- actorUrl,
- actorName,
- actorAvatar: actorInfo.photo || "",
- objectUrl: objectId,
- summary: `${actorName} boosted ${objectId}`,
- });
-
- // Create notification
- await addNotification(collections, {
- uid: announce.id?.href || `${actorUrl}#boost-${objectId}`,
- type: "boost",
- actorUrl: actorInfo.url,
- actorName: actorInfo.name,
- actorPhoto: actorInfo.photo,
- actorHandle: actorInfo.handle,
- targetUrl: objectId,
- targetName: "", // Could fetch post title, but not critical
- published: announce.published ? String(announce.published) : new Date().toISOString(),
- createdAt: new Date().toISOString(),
- });
-
- // Don't return — fall through to check if actor is also followed
- }
-
- // PATH 2: Boost from someone we follow → Timeline (store original post)
- const following = await collections.ap_following.findOne({ actorUrl });
- if (following) {
- try {
- // Fetch the original object being boosted (authenticated for Secure Mode servers)
- const object = await announce.getObject({ documentLoader: authLoader });
- if (!object) return;
-
- // Skip non-content objects (Lemmy/PieFed like/create activities
- // that resolve to activity IDs instead of actual Note/Article posts)
- const hasContent = object.content?.toString() || object.name?.toString();
- if (!hasContent) return;
-
- // Get booster actor info
- const boosterActor = await announce.getActor({ documentLoader: authLoader });
- const boosterInfo = await extractActorInfo(boosterActor, { documentLoader: authLoader });
-
- // Extract and store with boost metadata
- const timelineItem = await extractObjectData(object, {
- boostedBy: boosterInfo,
- boostedAt: announce.published ? String(announce.published) : new Date().toISOString(),
- documentLoader: authLoader,
- });
-
- await addTimelineItem(collections, timelineItem);
-
- // Fire-and-forget quote enrichment for boosted posts
- if (timelineItem.quoteUrl) {
- fetchAndStoreQuote(collections, timelineItem.uid, timelineItem.quoteUrl, ctx, authLoader)
- .catch((error) => {
- console.error(`[inbox] Quote fetch failed for ${timelineItem.uid}:`, error.message);
- });
- }
- } catch (error) {
- // Remote object unreachable (timeout, Authorized Fetch, deleted, etc.) — skip
- const cause = error?.cause?.code || error?.message || "unknown";
- console.warn(`[AP] Skipped boost from ${actorUrl}: ${cause}`);
- }
- }
- })
- .on(Create, async (ctx, create) => {
- const authLoader = await getAuthLoader(ctx);
- let object;
- try {
- object = await create.getObject({ documentLoader: authLoader });
- } catch {
- // Remote object not dereferenceable (deleted, etc.)
- return;
- }
- if (!object) return;
-
- const actorUrl = create.actorId?.href || "";
- let actorObj;
- try {
- actorObj = await create.getActor({ documentLoader: authLoader });
- } catch {
- // Actor not dereferenceable — use URL as fallback
- actorObj = null;
- }
- const actorName =
- actorObj?.name?.toString() ||
- actorObj?.preferredUsername?.toString() ||
- actorUrl;
-
- // --- DM detection ---
- // Check if this is a direct message before processing as reply/mention/timeline.
- // DMs are handled separately and stored in ap_messages instead of ap_timeline.
- const ourActorUrl = ctx.getActorUri(handle).href;
- const followersUrl = ctx.getFollowersUri(handle)?.href || "";
-
- if (isDirectMessage(object, ourActorUrl, followersUrl)) {
- const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
- const rawHtml = object.content?.toString() || "";
- const contentHtml = sanitizeContent(rawHtml);
- const contentText = rawHtml.replace(/<[^>]*>/g, "").substring(0, 500);
- const published = object.published ? String(object.published) : new Date().toISOString();
- const inReplyToDM = object.replyTargetId?.href || null;
-
- // Store as message
- await addMessage(collections, {
- uid: object.id?.href || `dm:${actorUrl}:${Date.now()}`,
- actorUrl: actorInfo.url,
- actorName: actorInfo.name,
- actorPhoto: actorInfo.photo,
- actorHandle: actorInfo.handle,
- content: {
- text: contentText,
- html: contentHtml,
- },
- inReplyTo: inReplyToDM,
- conversationId: actorInfo.url,
- direction: "inbound",
- published,
- createdAt: new Date().toISOString(),
- });
-
- // Also create a notification so DMs appear in the notification tab
- await addNotification(collections, {
- uid: `dm:${object.id?.href || `${actorUrl}:${Date.now()}`}`,
- url: object.url?.href || object.id?.href || "",
- type: "dm",
- actorUrl: actorInfo.url,
- actorName: actorInfo.name,
- actorPhoto: actorInfo.photo,
- actorHandle: actorInfo.handle,
- content: {
- text: contentText,
- html: contentHtml,
- },
- published,
- createdAt: new Date().toISOString(),
- });
-
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: "DirectMessage",
- actorUrl,
- actorName,
- actorAvatar: actorInfo.photo || "",
- objectUrl: object.id?.href || "",
- content: contentText.substring(0, 100),
- summary: `${actorName} sent a direct message`,
- });
-
- return; // Don't process DMs as timeline/mention/reply
- }
-
- // Use replyTargetId (non-fetching) for the inReplyTo URL
- const inReplyTo = object.replyTargetId?.href || null;
-
- // Log replies to our posts (existing behavior for conversations)
- const pubUrl = collections._publicationUrl;
- if (inReplyTo) {
- const content = object.content?.toString() || "";
-
- // Extract actor info (including avatar) before logging so we can store it
- const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
-
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: "Reply",
- actorUrl,
- actorName,
- actorAvatar: actorInfo.photo || "",
- objectUrl: object.id?.href || "",
- targetUrl: inReplyTo,
- content,
- summary: `${actorName} replied to ${inReplyTo}`,
- });
-
- // Create notification if reply is to one of OUR posts
- if (pubUrl && inReplyTo.startsWith(pubUrl)) {
- const rawHtml = object.content?.toString() || "";
- const contentHtml = sanitizeContent(rawHtml);
- const contentText = rawHtml.replace(/<[^>]*>/g, "").substring(0, 200);
-
- await addNotification(collections, {
- uid: object.id?.href || `reply:${actorUrl}:${inReplyTo}`,
- url: object.url?.href || object.id?.href || "",
- type: "reply",
- actorUrl: actorInfo.url,
- actorName: actorInfo.name,
- actorPhoto: actorInfo.photo,
- actorHandle: actorInfo.handle,
- targetUrl: inReplyTo,
- targetName: "",
- content: {
- text: contentText,
- html: contentHtml,
- },
- published: object.published ? String(object.published) : new Date().toISOString(),
- createdAt: new Date().toISOString(),
- });
- }
- }
-
- // Check for mentions of our actor
- {
- const ourActorUrl = ctx.getActorUri(handle).href;
-
- // Detect direct/private visibility: no public collection in `to` or `cc`
- const PUBLIC_COLLECTION = "https://www.w3.org/ns/activitystreams#Public";
- const toHrefs = (object.toIds || []).map((u) => u?.href || String(u));
- const ccHrefs = (object.ccIds || []).map((u) => u?.href || String(u));
- const isDirect =
- !toHrefs.includes(PUBLIC_COLLECTION) &&
- !ccHrefs.includes(PUBLIC_COLLECTION);
-
- for await (const tag of object.getTags()) {
- if (tag instanceof Mention && tag.href?.href === ourActorUrl) {
- const actorInfo = await extractActorInfo(actorObj, { documentLoader: authLoader });
- const rawMentionHtml = object.content?.toString() || "";
- const mentionHtml = sanitizeContent(rawMentionHtml);
- const contentText = rawMentionHtml.replace(/<[^>]*>/g, "").substring(0, 200);
-
- await addNotification(collections, {
- uid: object.id?.href || `mention:${actorUrl}:${object.id?.href}`,
- url: object.url?.href || object.id?.href || "",
- type: "mention",
- actorUrl: actorInfo.url,
- actorName: actorInfo.name,
- actorPhoto: actorInfo.photo,
- actorHandle: actorInfo.handle,
- isDirect,
- senderActorUrl: actorInfo.url,
- content: {
- text: contentText,
- html: mentionHtml,
- },
- published: object.published ? String(object.published) : new Date().toISOString(),
- createdAt: new Date().toISOString(),
- });
-
- break; // Only create one mention notification per post
- }
- }
- }
-
- // Store timeline items from accounts we follow (native storage)
- const following = await collections.ap_following.findOne({ actorUrl });
- if (following) {
- try {
- const timelineItem = await extractObjectData(object, {
- actorFallback: actorObj,
- documentLoader: authLoader,
- });
- await addTimelineItem(collections, timelineItem);
-
- // Fire-and-forget OG unfurling for notes and articles (not boosts)
- if (timelineItem.type === "note" || timelineItem.type === "article") {
- fetchAndStorePreviews(collections, timelineItem.uid, timelineItem.content.html)
- .catch((error) => {
- console.error(`[inbox] OG unfurl failed for ${timelineItem.uid}:`, error);
- });
- }
-
- // Fire-and-forget quote enrichment
- if (timelineItem.quoteUrl) {
- fetchAndStoreQuote(collections, timelineItem.uid, timelineItem.quoteUrl, ctx, authLoader)
- .catch((error) => {
- console.error(`[inbox] Quote fetch failed for ${timelineItem.uid}:`, error.message);
- });
- }
- } catch (error) {
- // Log extraction errors but don't fail the entire handler
- console.error("Failed to store timeline item:", error);
- }
- } else if (collections.ap_followed_tags) {
- // Not a followed account — check if the post's hashtags match any followed tags
- // so tagged posts from across the fediverse appear in the timeline
- try {
- const postHashtags = [];
- for await (const t of object.getTags()) {
- if (t instanceof Hashtag && t.name) {
- postHashtags.push(t.name.toString().replace(/^#/, "").toLowerCase());
- }
- }
-
- if (postHashtags.length > 0) {
- const followedTags = await getFollowedTags(collections);
- const followedSet = new Set(followedTags.map((t) => t.toLowerCase()));
- const hasMatchingTag = postHashtags.some((tag) => followedSet.has(tag));
-
- if (hasMatchingTag) {
- const timelineItem = await extractObjectData(object, {
- actorFallback: actorObj,
- documentLoader: authLoader,
- });
- await addTimelineItem(collections, timelineItem);
- }
- }
- } catch (error) {
- // Non-critical — don't fail the handler
- console.error("[inbox] Followed tag check failed:", error.message);
- }
- }
-
- })
- .on(Delete, async (ctx, del) => {
- const objectId = del.objectId?.href || "";
- if (objectId) {
- // Remove from activity log
- await collections.ap_activities.deleteMany({ objectUrl: objectId });
-
- // Remove from timeline
- await deleteTimelineItem(collections, objectId);
- }
- })
- .on(Move, async (ctx, move) => {
- const authLoader = await getAuthLoader(ctx);
- const oldActorObj = await move.getActor({ documentLoader: authLoader });
- const oldActorUrl = oldActorObj?.id?.href || "";
- const target = await move.getTarget({ documentLoader: authLoader });
- const newActorUrl = target?.id?.href || "";
-
- if (oldActorUrl && newActorUrl) {
- await collections.ap_followers.updateOne(
- { actorUrl: oldActorUrl },
- { $set: { actorUrl: newActorUrl, movedFrom: oldActorUrl } },
- );
- }
-
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: "Move",
- actorUrl: oldActorUrl,
- objectUrl: newActorUrl,
- summary: `${oldActorUrl} moved to ${newActorUrl}`,
- });
- })
- .on(Update, async (ctx, update) => {
- // Update can be for a profile OR for a post (edited content)
- const authLoader = await getAuthLoader(ctx);
-
- // Try to get the object being updated
- let object;
- try {
- object = await update.getObject({ documentLoader: authLoader });
- } catch {
- object = null;
- }
-
- // PATH 1: If object is a Note/Article → Update timeline item content
- if (object && (object instanceof Note || object instanceof Article)) {
- const objectUrl = object.id?.href || "";
- if (objectUrl) {
- try {
- // Extract updated content
- const contentHtml = object.content?.toString() || "";
- const contentText = object.source?.content?.toString() || contentHtml.replace(/<[^>]*>/g, "");
-
- const updates = {
- content: {
- text: contentText,
- html: contentHtml,
- },
- name: object.name?.toString() || "",
- summary: object.summary?.toString() || "",
- sensitive: object.sensitive || false,
- };
-
- await updateTimelineItem(collections, objectUrl, updates);
- } catch (error) {
- console.error("Failed to update timeline item:", error);
- }
- }
- return;
- }
-
- // PATH 2: Otherwise, assume profile update — refresh stored follower data
- const actorObj = await update.getActor({ documentLoader: authLoader });
- const actorUrl = actorObj?.id?.href || "";
- if (!actorUrl) return;
-
- const existing = await collections.ap_followers.findOne({ actorUrl });
- if (existing) {
- await collections.ap_followers.updateOne(
- { actorUrl },
+ if (manualApproval && collections.ap_pending_follows) {
+ await collections.ap_pending_follows.updateOne(
+ { actorUrl: followerUrl },
{
$set: {
- name:
- actorObj.name?.toString() ||
- actorObj.preferredUsername?.toString() ||
- actorUrl,
- handle: actorObj.preferredUsername?.toString() || "",
- avatar: actorObj.icon
- ? (await actorObj.icon)?.url?.href || ""
- : "",
- updatedAt: new Date().toISOString(),
+ ...followerData,
+ followActivityId: follow.id?.href || "",
+ requestedAt: new Date().toISOString(),
},
},
+ { upsert: true },
);
+
+ // Notification for follow request (synchronous — needed for UI)
+ const followerInfo = await extractActorInfo(followerActor, { documentLoader: authLoader });
+ await addNotification(collections, {
+ uid: follow.id?.href || `follow_request:${followerUrl}`,
+ type: "follow_request",
+ actorUrl: followerInfo.url,
+ actorName: followerInfo.name,
+ actorPhoto: followerInfo.photo,
+ actorHandle: followerInfo.handle,
+ published: follow.published ? String(follow.published) : new Date().toISOString(),
+ createdAt: new Date().toISOString(),
+ });
+ } else {
+ await collections.ap_followers.updateOne(
+ { actorUrl: followerUrl },
+ {
+ $set: {
+ ...followerData,
+ followedAt: new Date().toISOString(),
+ },
+ },
+ { upsert: true },
+ );
+
+ await ctx.sendActivity(
+ { identifier: handle },
+ followerActor,
+ new Accept({
+ actor: ctx.getActorUri(handle),
+ object: follow,
+ }),
+ { orderingKey: followerUrl },
+ );
+
+ // Notification for follow (synchronous — needed for UI)
+ const followerInfo = await extractActorInfo(followerActor, { documentLoader: authLoader });
+ await addNotification(collections, {
+ uid: follow.id?.href || `follow:${followerUrl}`,
+ type: "follow",
+ actorUrl: followerInfo.url,
+ actorName: followerInfo.name,
+ actorPhoto: followerInfo.photo,
+ actorHandle: followerInfo.handle,
+ published: follow.published ? String(follow.published) : new Date().toISOString(),
+ createdAt: new Date().toISOString(),
+ });
}
+
+ // Enqueue async portion (activity log)
+ await enqueueActivity(collections, {
+ activityType: "Follow",
+ actorUrl,
+ rawJson: await follow.toJsonLd(),
+ });
})
+
+ // ── Undo ────────────────────────────────────────────────────────
+ .on(Undo, async (ctx, undo) => {
+ const actorUrl = undo.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
+
+ await enqueueActivity(collections, {
+ activityType: "Undo",
+ actorUrl,
+ rawJson: await undo.toJsonLd(),
+ });
+ })
+
+ // ── Accept ──────────────────────────────────────────────────────
+ .on(Accept, async (ctx, accept) => {
+ const actorUrl = accept.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
+
+ await enqueueActivity(collections, {
+ activityType: "Accept",
+ actorUrl,
+ rawJson: await accept.toJsonLd(),
+ });
+ })
+
+ // ── Reject ──────────────────────────────────────────────────────
+ .on(Reject, async (ctx, reject) => {
+ const actorUrl = reject.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
+
+ await enqueueActivity(collections, {
+ activityType: "Reject",
+ actorUrl,
+ rawJson: await reject.toJsonLd(),
+ });
+ })
+
+ // ── Like ────────────────────────────────────────────────────────
+ .on(Like, async (ctx, like) => {
+ const actorUrl = like.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
+
+ await enqueueActivity(collections, {
+ activityType: "Like",
+ actorUrl,
+ objectUrl: like.objectId?.href || "",
+ rawJson: await like.toJsonLd(),
+ });
+ })
+
+ // ── Announce ────────────────────────────────────────────────────
+ .on(Announce, async (ctx, announce) => {
+ const actorUrl = announce.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
+
+ await enqueueActivity(collections, {
+ activityType: "Announce",
+ actorUrl,
+ objectUrl: announce.objectId?.href || "",
+ rawJson: await announce.toJsonLd(),
+ });
+ })
+
+ // ── Create ──────────────────────────────────────────────────────
+ .on(Create, async (ctx, create) => {
+ const actorUrl = create.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
+
+ // Forward public replies to our posts to our followers.
+ // Must happen here (not in async handler) because forwardActivity
+ // is only available on InboxContext, not base Context.
+ const objectUrl = create.objectId?.href || "";
+ try {
+ const obj = await create.getObject();
+ const inReplyTo = obj?.replyTargetId?.href || "";
+ if (
+ inReplyTo &&
+ collections._publicationUrl &&
+ inReplyTo.startsWith(collections._publicationUrl)
+ ) {
+ // Check if the reply is public (to/cc includes PUBLIC collection)
+ const toUrls = (obj.toIds || []).map((u) => u.href);
+ const ccUrls = (obj.ccIds || []).map((u) => u.href);
+ const isPublic = [...toUrls, ...ccUrls].includes(
+ "https://www.w3.org/ns/activitystreams#Public",
+ );
+ if (isPublic) {
+ await ctx.forwardActivity(
+ { identifier: handle },
+ "followers",
+ {
+ skipIfUnsigned: true,
+ preferSharedInbox: true,
+ excludeBaseUris: [new URL(ctx.origin)],
+ },
+ );
+ }
+ }
+ } catch (error) {
+ // Non-critical — forwarding failure shouldn't block processing
+ console.warn("[inbox-listeners] Reply forwarding failed:", error.message);
+ }
+
+ await enqueueActivity(collections, {
+ activityType: "Create",
+ actorUrl,
+ objectUrl,
+ rawJson: await create.toJsonLd(),
+ });
+ })
+
+ // ── Delete ──────────────────────────────────────────────────────
+ .on(Delete, async (ctx, del) => {
+ const actorUrl = del.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
+
+ await enqueueActivity(collections, {
+ activityType: "Delete",
+ actorUrl,
+ objectUrl: del.objectId?.href || "",
+ rawJson: await del.toJsonLd(),
+ });
+ })
+
+ // ── Move ────────────────────────────────────────────────────────
+ .on(Move, async (ctx, move) => {
+ const actorUrl = move.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
+
+ await enqueueActivity(collections, {
+ activityType: "Move",
+ actorUrl,
+ rawJson: await move.toJsonLd(),
+ });
+ })
+
+ // ── Update ──────────────────────────────────────────────────────
+ .on(Update, async (ctx, update) => {
+ const actorUrl = update.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
+
+ await enqueueActivity(collections, {
+ activityType: "Update",
+ actorUrl,
+ rawJson: await update.toJsonLd(),
+ });
+ })
+
+ // ── Block ───────────────────────────────────────────────────────
+ // Synchronous: remove from followers (immediate)
+ // Async: activity log
.on(Block, async (ctx, block) => {
- // Remote actor blocked us — remove them from followers
+ const actorUrl = block.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+
+ // Synchronous: remove from followers immediately
const authLoader = await getAuthLoader(ctx);
const actorObj = await block.getActor({ documentLoader: authLoader });
- const actorUrl = actorObj?.id?.href || "";
- if (actorUrl) {
- await collections.ap_followers.deleteOne({ actorUrl });
+ const resolvedUrl = actorObj?.id?.href || "";
+ if (resolvedUrl) {
+ await collections.ap_followers.deleteOne({ actorUrl: resolvedUrl });
}
+
+ await enqueueActivity(collections, {
+ activityType: "Block",
+ actorUrl: resolvedUrl || actorUrl,
+ rawJson: await block.toJsonLd(),
+ });
})
- .on(Add, async () => {
- // Mastodon uses Add for pinning posts to featured collections — safe to ignore
- })
- .on(Remove, async () => {
- // Mastodon uses Remove for unpinning posts from featured collections — safe to ignore
- })
- // ── Flag (Report) ──────────────────────────────────────────────
+
+ // ── Add / Remove (no-ops) ───────────────────────────────────────
+ .on(Add, async () => {})
+ .on(Remove, async () => {})
+
+ // ── Flag ────────────────────────────────────────────────────────
.on(Flag, async (ctx, flag) => {
- try {
- const authLoader = await getAuthLoader(ctx);
- const actorObj = await flag.getActor({ documentLoader: authLoader }).catch(() => null);
+ const actorUrl = flag.actorId?.href || "";
+ if (await isServerBlocked(actorUrl, collections)) return;
+ await touchKeyFreshness(collections, actorUrl);
+ await resetDeliveryStrikes(collections, actorUrl);
- const reporterUrl = actorObj?.id?.href || flag.actorId?.href || "";
- const reporterName = actorObj?.name?.toString() || actorObj?.preferredUsername?.toString() || reporterUrl;
-
- // Extract reported objects — Flag can report actors or posts
- const reportedIds = flag.objectIds?.map((u) => u.href) || [];
- const reason = flag.content?.toString() || flag.summary?.toString() || "";
-
- if (reportedIds.length === 0 && !reason) {
- console.info("[ActivityPub] Ignoring empty Flag from", reporterUrl);
- return;
- }
-
- // Store report
- if (collections.ap_reports) {
- await collections.ap_reports.insertOne({
- reporterUrl,
- reporterName,
- reportedUrls: reportedIds,
- reason,
- createdAt: new Date().toISOString(),
- read: false,
- });
- }
-
- // Create notification
- if (collections.ap_notifications) {
- await addNotification(collections, {
- uid: `flag:${reporterUrl}:${Date.now()}`,
- type: "report",
- actorUrl: reporterUrl,
- actorName: reporterName,
- actorPhoto: actorObj?.iconUrl?.href || actorObj?.icon?.url?.href || "",
- actorHandle: actorObj?.preferredUsername
- ? `@${actorObj.preferredUsername}@${new URL(reporterUrl).hostname}`
- : reporterUrl,
- objectUrl: reportedIds[0] || "",
- summary: reason ? reason.slice(0, 200) : "Report received",
- published: new Date().toISOString(),
- createdAt: new Date().toISOString(),
- });
- }
-
- await logActivity(collections, storeRawActivities, {
- direction: "inbound",
- type: "Flag",
- actorUrl: reporterUrl,
- objectUrl: reportedIds[0] || "",
- summary: `Report from ${reporterName}: ${reason.slice(0, 100)}`,
- });
-
- console.info(`[ActivityPub] Flag received from ${reporterName} — ${reportedIds.length} objects reported`);
- } catch (error) {
- console.warn("[ActivityPub] Flag handler error:", error.message);
- }
- })
- // ── View (PeerTube watch) ─────────────────────────────────────────────
- // PeerTube broadcasts View (WatchAction) activities to all followers
- // whenever someone watches a video. Fedify has no built-in handler for
- // this type, producing noisy "Unsupported activity type" log errors.
- // Silently accept and discard.
- .on(View, async () => {});
+ await enqueueActivity(collections, {
+ activityType: "Flag",
+ actorUrl,
+ rawJson: await flag.toJsonLd(),
+ });
+ });
}
-
-/**
- * Log an activity to the ap_activities collection.
- * Wrapper around the shared utility that accepts the (collections, storeRaw, record) signature
- * used throughout this file.
- */
-async function logActivity(collections, storeRaw, record, rawJson) {
- await logActivityShared(
- collections.ap_activities,
- record,
- storeRaw && rawJson ? { rawJson } : {},
- );
-}
-
diff --git a/lib/inbox-queue.js b/lib/inbox-queue.js
new file mode 100644
index 0000000..920a0a6
--- /dev/null
+++ b/lib/inbox-queue.js
@@ -0,0 +1,99 @@
+/**
+ * MongoDB-backed inbox processing queue.
+ * Runs a setInterval-based processor that dequeues and processes
+ * one activity at a time from ap_inbox_queue.
+ * @module inbox-queue
+ */
+
+import { routeToHandler } from "./inbox-handlers.js";
+
+/**
+ * Process the next pending item from the inbox queue.
+ * Uses findOneAndUpdate for atomic claim (prevents double-processing).
+ *
+ * @param {object} collections - MongoDB collections
+ * @param {object} ctx - Fedify context
+ * @param {string} handle - Our actor handle
+ */
+async function processNextItem(collections, ctx, handle) {
+ const { ap_inbox_queue } = collections;
+ if (!ap_inbox_queue) return;
+
+ const item = await ap_inbox_queue.findOneAndUpdate(
+ { status: "pending" },
+ { $set: { status: "processing" } },
+ { sort: { receivedAt: 1 }, returnDocument: "after" },
+ );
+ if (!item) return;
+
+ try {
+ await routeToHandler(item, collections, ctx, handle);
+ await ap_inbox_queue.updateOne(
+ { _id: item._id },
+ { $set: { status: "completed", processedAt: new Date().toISOString() } },
+ );
+ } catch (error) {
+ const attempts = (item.attempts || 0) + 1;
+ await ap_inbox_queue.updateOne(
+ { _id: item._id },
+ {
+ $set: {
+ status: attempts >= (item.maxAttempts || 3) ? "failed" : "pending",
+ attempts,
+ error: error.message,
+ },
+ },
+ );
+ console.error(`[inbox-queue] Failed processing ${item.activityType} from ${item.actorUrl}: ${error.message}`);
+ }
+}
+
+/**
+ * Enqueue an activity for async processing.
+ * @param {object} collections - MongoDB collections
+ * @param {object} params
+ * @param {string} params.activityType - Activity type name
+ * @param {string} params.actorUrl - Actor URL
+ * @param {string} [params.objectUrl] - Object URL
+ * @param {object} params.rawJson - Full activity JSON-LD
+ */
+export async function enqueueActivity(collections, { activityType, actorUrl, objectUrl, rawJson }) {
+ const { ap_inbox_queue } = collections;
+ if (!ap_inbox_queue) return;
+
+ await ap_inbox_queue.insertOne({
+ activityType,
+ actorUrl: actorUrl || "",
+ objectUrl: objectUrl || "",
+ rawJson,
+ status: "pending",
+ attempts: 0,
+ maxAttempts: 3,
+ receivedAt: new Date().toISOString(),
+ processedAt: null,
+ error: null,
+ });
+}
+
+/**
+ * Start the background inbox processor.
+ * @param {object} collections - MongoDB collections
+ * @param {Function} getCtx - Function returning a Fedify context
+ * @param {string} handle - Our actor handle
+ * @returns {NodeJS.Timeout} Interval ID (for cleanup)
+ */
+export function startInboxProcessor(collections, getCtx, handle) {
+ const intervalId = setInterval(async () => {
+ try {
+ const ctx = getCtx();
+ if (ctx) {
+ await processNextItem(collections, ctx, handle);
+ }
+ } catch (error) {
+ console.error("[inbox-queue] Processor error:", error.message);
+ }
+ }, 3_000); // Every 3 seconds
+
+ console.info("[ActivityPub] Inbox queue processor started (3s interval)");
+ return intervalId;
+}
diff --git a/lib/jf2-to-as2.js b/lib/jf2-to-as2.js
index 693703a..03932a7 100644
--- a/lib/jf2-to-as2.js
+++ b/lib/jf2-to-as2.js
@@ -189,6 +189,12 @@ export function jf2ToActivityStreams(properties, actorUrl, publicationUrl, optio
object.sensitive = true;
}
+ // Content warning text for Mastodon CW display
+ if (properties["content-warning"]) {
+ object.summary = properties["content-warning"];
+ object.sensitive = true;
+ }
+
if (properties["in-reply-to"]) {
object.inReplyTo = properties["in-reply-to"];
}
@@ -360,9 +366,9 @@ export function jf2ToAS2Activity(properties, actorUrl, publicationUrl, options =
if (properties["post-status"] === "sensitive") {
noteOptions.sensitive = true;
}
- // Summary doubles as CW text in Mastodon (notes only — articles already use summary for description)
- if (properties.summary && !isArticle) {
- noteOptions.summary = properties.summary;
+ // Content warning text for Mastodon CW display
+ if (properties["content-warning"]) {
+ noteOptions.summary = properties["content-warning"];
noteOptions.sensitive = true;
}
diff --git a/lib/key-refresh.js b/lib/key-refresh.js
new file mode 100644
index 0000000..c5fa4a5
--- /dev/null
+++ b/lib/key-refresh.js
@@ -0,0 +1,138 @@
+/**
+ * Proactive key refresh for remote actors.
+ * Periodically re-fetches actor documents for active followers
+ * whose keys may have rotated, keeping Fedify's KV cache fresh.
+ * @module key-refresh
+ */
+
+import { lookupWithSecurity } from "./lookup-helpers.js";
+
+/**
+ * Update key freshness tracking after successfully processing
+ * an activity from a remote actor.
+ * @param {object} collections - MongoDB collections
+ * @param {string} actorUrl - Remote actor URL
+ */
+export async function touchKeyFreshness(collections, actorUrl) {
+ if (!actorUrl || !collections.ap_key_freshness) return;
+ try {
+ await collections.ap_key_freshness.updateOne(
+ { actorUrl },
+ {
+ $set: { lastSeenAt: new Date().toISOString() },
+ $setOnInsert: { lastRefreshedAt: new Date().toISOString() },
+ },
+ { upsert: true },
+ );
+ } catch {
+ // Non-critical
+ }
+}
+
+/**
+ * Refresh stale keys for active followers.
+ * Finds followers whose keys haven't been refreshed in 7+ days
+ * and re-fetches their actor documents (up to 10 per cycle).
+ *
+ * @param {object} collections - MongoDB collections
+ * @param {object} ctx - Fedify context (for lookupObject)
+ * @param {string} handle - Our actor handle
+ */
+export async function refreshStaleKeys(collections, ctx, handle) {
+ if (!collections.ap_key_freshness || !collections.ap_followers) return;
+
+ const sevenDaysAgo = new Date(Date.now() - 7 * 86_400_000).toISOString();
+
+ // Find actors with stale keys who are still our followers
+ const staleActors = await collections.ap_key_freshness
+ .aggregate([
+ {
+ $match: {
+ lastRefreshedAt: { $lt: sevenDaysAgo },
+ },
+ },
+ {
+ $lookup: {
+ from: "ap_followers",
+ localField: "actorUrl",
+ foreignField: "actorUrl",
+ as: "follower",
+ },
+ },
+ { $match: { "follower.0": { $exists: true } } },
+ { $limit: 10 },
+ ])
+ .toArray();
+
+ if (staleActors.length === 0) return;
+
+ console.info(`[ActivityPub] Refreshing keys for ${staleActors.length} stale actors`);
+
+ const documentLoader = await ctx.getDocumentLoader({ identifier: handle });
+
+ for (const entry of staleActors) {
+ try {
+ const result = await lookupWithSecurity(ctx, new URL(entry.actorUrl), {
+ documentLoader,
+ });
+
+ await collections.ap_key_freshness.updateOne(
+ { actorUrl: entry.actorUrl },
+ { $set: { lastRefreshedAt: new Date().toISOString() } },
+ );
+
+ if (!result) {
+ // Actor gone — log as stale
+ await collections.ap_activities?.insertOne({
+ direction: "system",
+ type: "StaleActor",
+ actorUrl: entry.actorUrl,
+ summary: `Actor ${entry.actorUrl} could not be resolved during key refresh`,
+ receivedAt: new Date().toISOString(),
+ });
+ }
+ } catch (error) {
+ const status = error?.cause?.status || error?.message || "unknown";
+ if (status === 410 || String(status).includes("410")) {
+ // 410 Gone — actor deleted
+ await collections.ap_activities?.insertOne({
+ direction: "system",
+ type: "StaleActor",
+ actorUrl: entry.actorUrl,
+ summary: `Actor ${entry.actorUrl} returned 410 Gone during key refresh`,
+ receivedAt: new Date().toISOString(),
+ });
+ }
+ // Update lastRefreshedAt even on failure to avoid retrying every cycle
+ await collections.ap_key_freshness.updateOne(
+ { actorUrl: entry.actorUrl },
+ { $set: { lastRefreshedAt: new Date().toISOString() } },
+ );
+ }
+ }
+}
+
+/**
+ * Schedule key refresh job (runs on startup + every 24h).
+ * @param {object} collections - MongoDB collections
+ * @param {Function} getCtx - Function returning a Fedify context
+ * @param {string} handle - Our actor handle
+ */
+export function scheduleKeyRefresh(collections, getCtx, handle) {
+ const run = async () => {
+ try {
+ const ctx = getCtx();
+ if (ctx) {
+ await refreshStaleKeys(collections, ctx, handle);
+ }
+ } catch (error) {
+ console.error("[ActivityPub] Key refresh failed:", error.message);
+ }
+ };
+
+ // Run once on startup (delayed to let federation initialize)
+ setTimeout(run, 30_000);
+
+ // Then every 24 hours
+ setInterval(run, 86_400_000);
+}
diff --git a/lib/lookup-helpers.js b/lib/lookup-helpers.js
new file mode 100644
index 0000000..149c932
--- /dev/null
+++ b/lib/lookup-helpers.js
@@ -0,0 +1,27 @@
+/**
+ * Centralized wrapper for ctx.lookupObject() with FEP-fe34 origin-based
+ * security. All lookupObject calls MUST go through this helper so the
+ * crossOrigin policy is applied consistently.
+ *
+ * @module lookup-helpers
+ */
+
+/**
+ * Look up a remote ActivityPub object with cross-origin security.
+ *
+ * FEP-fe34 prevents spoofed attribution attacks by verifying that a
+ * fetched object's `id` matches the origin of the URL used to fetch it.
+ * Using `crossOrigin: "ignore"` tells Fedify to silently discard objects
+ * whose id doesn't match the fetch origin, rather than throwing.
+ *
+ * @param {object} ctx - Fedify Context
+ * @param {string|URL} input - URL or handle to look up
+ * @param {object} [options] - Additional options passed to lookupObject
+ * @returns {Promise} Resolved object or null
+ */
+export function lookupWithSecurity(ctx, input, options = {}) {
+ return ctx.lookupObject(input, {
+ crossOrigin: "ignore",
+ ...options,
+ });
+}
diff --git a/lib/og-unfurl.js b/lib/og-unfurl.js
index 0d219eb..a3505c0 100644
--- a/lib/og-unfurl.js
+++ b/lib/og-unfurl.js
@@ -5,6 +5,7 @@
import { unfurl } from "unfurl.js";
import { extractObjectData } from "./timeline-store.js";
+import { lookupWithSecurity } from "./lookup-helpers.js";
const USER_AGENT =
"Mozilla/5.0 (compatible; Indiekit/1.0; +https://getindiekit.com)";
@@ -262,7 +263,7 @@ export async function fetchAndStorePreviews(collections, uid, html) {
*/
export async function fetchAndStoreQuote(collections, uid, quoteUrl, ctx, documentLoader) {
try {
- const object = await ctx.lookupObject(new URL(quoteUrl), { documentLoader });
+ const object = await lookupWithSecurity(ctx,new URL(quoteUrl), { documentLoader });
if (!object) return;
const quoteData = await extractObjectData(object, { documentLoader });
@@ -270,7 +271,7 @@ export async function fetchAndStoreQuote(collections, uid, quoteUrl, ctx, docume
// If author photo is empty, try fetching the actor directly
if (!quoteData.author.photo && quoteData.author.url) {
try {
- const actor = await ctx.lookupObject(new URL(quoteData.author.url), { documentLoader });
+ const actor = await lookupWithSecurity(ctx,new URL(quoteData.author.url), { documentLoader });
if (actor) {
const { extractActorInfo } = await import("./timeline-store.js");
const actorInfo = await extractActorInfo(actor, { documentLoader });
diff --git a/lib/outbox-failure.js b/lib/outbox-failure.js
new file mode 100644
index 0000000..9cadc74
--- /dev/null
+++ b/lib/outbox-failure.js
@@ -0,0 +1,139 @@
+/**
+ * Outbox permanent failure handling.
+ * Cleans up dead followers when delivery permanently fails.
+ *
+ * - 410 Gone: Immediate full cleanup (actor is permanently gone)
+ * - 404: Strike system — 3 failures over 7+ days triggers full cleanup
+ *
+ * @module outbox-failure
+ */
+
+import { logActivity } from "./activity-log.js";
+
+const STRIKE_THRESHOLD = 3;
+const STRIKE_WINDOW_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+/**
+ * Clean up all data associated with an actor.
+ * Removes follower record, their timeline items, and their notifications.
+ *
+ * @param {object} collections - MongoDB collections
+ * @param {string} actorUrl - Actor URL to clean up
+ * @param {string} reason - Reason for cleanup (for logging)
+ */
+async function cleanupActor(collections, actorUrl, reason) {
+ const { ap_followers, ap_timeline, ap_notifications } = collections;
+
+ // Remove from followers
+ const deleted = await ap_followers.deleteOne({ actorUrl });
+
+ // Remove their timeline items
+ if (ap_timeline) {
+ await ap_timeline.deleteMany({ "author.url": actorUrl });
+ }
+
+ // Remove their notifications
+ if (ap_notifications) {
+ await ap_notifications.deleteMany({ actorUrl });
+ }
+
+ if (deleted.deletedCount > 0) {
+ console.info(`[outbox-failure] Cleaned up actor ${actorUrl}: ${reason}`);
+ }
+}
+
+/**
+ * Handle permanent outbox delivery failure.
+ * Called by Fedify's setOutboxPermanentFailureHandler.
+ *
+ * @param {number} statusCode - HTTP status code (404, 410, etc.)
+ * @param {readonly URL[]} actorIds - Array of actor ID URLs
+ * @param {URL} inbox - The inbox URL that failed
+ * @param {object} collections - MongoDB collections
+ */
+export async function onOutboxPermanentFailure(statusCode, actorIds, inbox, collections) {
+ const inboxUrl = inbox?.href || String(inbox);
+
+ for (const actorId of actorIds) {
+ const actorUrl = actorId?.href || String(actorId);
+
+ if (statusCode === 410) {
+ // 410 Gone — immediate full cleanup
+ await cleanupActor(collections, actorUrl, `410 Gone from ${inboxUrl}`);
+
+ await logActivity(collections.ap_activities, {
+ direction: "outbound",
+ type: "DeliveryFailed:410",
+ actorUrl,
+ objectUrl: inboxUrl,
+ summary: `Permanent delivery failure (410 Gone) to ${inboxUrl} — actor cleaned up`,
+ }, {});
+ } else {
+ // 404 or other — strike system
+ const now = new Date();
+ const result = await collections.ap_followers.findOneAndUpdate(
+ { actorUrl },
+ {
+ $inc: { deliveryFailures: 1 },
+ $setOnInsert: { firstFailureAt: now.toISOString() },
+ $set: { lastFailureAt: now.toISOString() },
+ },
+ { returnDocument: "after" },
+ );
+
+ if (!result) {
+ // Not a follower — nothing to track or clean up
+ continue;
+ }
+
+ const failures = result.deliveryFailures || 1;
+ const firstFailure = result.firstFailureAt
+ ? new Date(result.firstFailureAt)
+ : now;
+ const windowElapsed = now.getTime() - firstFailure.getTime() >= STRIKE_WINDOW_MS;
+
+ if (failures >= STRIKE_THRESHOLD && windowElapsed) {
+ // Confirmed dead — full cleanup
+ await cleanupActor(
+ collections,
+ actorUrl,
+ `${failures} failures over ${Math.round((now.getTime() - firstFailure.getTime()) / 86400000)}d (HTTP ${statusCode})`,
+ );
+
+ await logActivity(collections.ap_activities, {
+ direction: "outbound",
+ type: `DeliveryFailed:${statusCode}:cleanup`,
+ actorUrl,
+ objectUrl: inboxUrl,
+ summary: `${failures} delivery failures over 7+ days — actor cleaned up`,
+ }, {});
+ } else {
+ // Strike recorded, not yet confirmed dead
+ await logActivity(collections.ap_activities, {
+ direction: "outbound",
+ type: `DeliveryFailed:${statusCode}:strike`,
+ actorUrl,
+ objectUrl: inboxUrl,
+ summary: `Delivery strike ${failures}/${STRIKE_THRESHOLD} for ${actorUrl} (HTTP ${statusCode})`,
+ }, {});
+ }
+ }
+ }
+}
+
+/**
+ * Reset delivery failure strikes for an actor.
+ * Called when we receive an inbound activity from an actor,
+ * proving they are alive despite previous delivery failures.
+ *
+ * @param {object} collections - MongoDB collections
+ * @param {string} actorUrl - Actor URL
+ */
+export async function resetDeliveryStrikes(collections, actorUrl) {
+ if (!actorUrl) return;
+ // Only update if the fields exist — avoid unnecessary writes
+ await collections.ap_followers.updateOne(
+ { actorUrl, deliveryFailures: { $exists: true } },
+ { $unset: { deliveryFailures: "", firstFailureAt: "", lastFailureAt: "" } },
+ );
+}
diff --git a/lib/redis-cache.js b/lib/redis-cache.js
index 5d3a465..97e07f6 100644
--- a/lib/redis-cache.js
+++ b/lib/redis-cache.js
@@ -96,3 +96,19 @@ export async function cacheExists(key) {
return false;
}
}
+
+/**
+ * Cache-aside wrapper for query functions.
+ * Returns cached result if available, otherwise runs queryFn and caches result.
+ * @param {string} key - Cache key (without prefix — cacheGet/cacheSet add it)
+ * @param {number} ttlSeconds - TTL in seconds
+ * @param {Function} queryFn - Async function to run on cache miss
+ * @returns {Promise}
+ */
+export async function cachedQuery(key, ttlSeconds, queryFn) {
+ const cached = await cacheGet(key);
+ if (cached !== null) return cached;
+ const result = await queryFn();
+ await cacheSet(key, result, ttlSeconds);
+ return result;
+}
diff --git a/lib/resolve-author.js b/lib/resolve-author.js
index 4d5dc24..051a5ef 100644
--- a/lib/resolve-author.js
+++ b/lib/resolve-author.js
@@ -10,6 +10,8 @@
* 3. Extract author URL from post URL pattern → lookupObject
*/
+import { lookupWithSecurity } from "./lookup-helpers.js";
+
/**
* Extract a probable author URL from a post URL using common fediverse patterns.
*
@@ -51,47 +53,6 @@ export function extractAuthorUrl(postUrl) {
}
}
-/**
- * Wraps a Fedify document loader to allow private/loopback addresses for
- * requests targeting the publication's own hostname.
- *
- * Fedify blocks requests to private IP ranges by default. When the publication
- * is self-hosted (e.g. localhost or a private IP), author lookups for posts on
- * that same host fail with a private-address error. This wrapper opts in to
- * allowPrivateAddress only when the target URL is on the publication's own host.
- *
- * @param {Function} documentLoader - Fedify authenticated document loader
- * @param {string} publicationUrl - The publication's canonical URL (e.g. ctx.url.href)
- * @returns {Function} Wrapped document loader
- */
-function createPublicationAwareDocumentLoader(documentLoader, publicationUrl) {
- if (typeof documentLoader !== "function") {
- return documentLoader;
- }
-
- let publicationHost = "";
- try {
- publicationHost = new URL(publicationUrl).hostname;
- } catch {
- return documentLoader;
- }
-
- return (url, options = {}) => {
- try {
- const parsed = new URL(
- typeof url === "string" ? url : (url?.href || String(url)),
- );
- if (parsed.hostname === publicationHost) {
- return documentLoader(url, { ...options, allowPrivateAddress: true });
- }
- } catch {
- // Fall through to default loader behavior.
- }
-
- return documentLoader(url, options);
- };
-}
-
/**
* Resolve the author Actor for a given post URL.
*
@@ -107,20 +68,13 @@ export async function resolveAuthor(
documentLoader,
collections,
) {
- const publicationLoader = createPublicationAwareDocumentLoader(
- documentLoader,
- ctx?.url?.href || "",
- );
-
// Strategy 1: Look up remote post via Fedify (signed request)
try {
- const remoteObject = await ctx.lookupObject(new URL(postUrl), {
- documentLoader: publicationLoader,
+ const remoteObject = await lookupWithSecurity(ctx,new URL(postUrl), {
+ documentLoader,
});
if (remoteObject && typeof remoteObject.getAttributedTo === "function") {
- const author = await remoteObject.getAttributedTo({
- documentLoader: publicationLoader,
- });
+ const author = await remoteObject.getAttributedTo({ documentLoader });
const recipient = Array.isArray(author) ? author[0] : author;
if (recipient) {
console.info(
@@ -160,8 +114,8 @@ export async function resolveAuthor(
if (authorUrl) {
try {
- const actor = await ctx.lookupObject(new URL(authorUrl), {
- documentLoader: publicationLoader,
+ const actor = await lookupWithSecurity(ctx,new URL(authorUrl), {
+ documentLoader,
});
if (actor) {
console.info(
@@ -182,8 +136,8 @@ export async function resolveAuthor(
const extractedUrl = extractAuthorUrl(postUrl);
if (extractedUrl) {
try {
- const actor = await ctx.lookupObject(new URL(extractedUrl), {
- documentLoader: publicationLoader,
+ const actor = await lookupWithSecurity(ctx,new URL(extractedUrl), {
+ documentLoader,
});
if (actor) {
console.info(
diff --git a/lib/storage/notifications.js b/lib/storage/notifications.js
index 020805b..42b61eb 100644
--- a/lib/storage/notifications.js
+++ b/lib/storage/notifications.js
@@ -65,8 +65,11 @@ export async function getNotifications(collections, options = {}) {
// Type filter
if (options.type) {
// "reply" tab shows replies only; mentions have their own "mention" tab
+ // "follow" tab shows both follows and follow_requests
if (options.type === "reply") {
query.type = "reply";
+ } else if (options.type === "follow") {
+ query.type = { $in: ["follow", "follow_request"] };
} else {
query.type = options.type;
}
@@ -133,6 +136,8 @@ export async function getNotificationCountsByType(collections, unreadOnly = fals
counts.reply += count;
} else if (_id === "mention") {
counts.mention += count;
+ } else if (_id === "follow_request") {
+ counts.follow += count;
} else if (counts[_id] !== undefined) {
counts[_id] = count;
}
diff --git a/lib/storage/server-blocks.js b/lib/storage/server-blocks.js
new file mode 100644
index 0000000..6dd6e33
--- /dev/null
+++ b/lib/storage/server-blocks.js
@@ -0,0 +1,121 @@
+/**
+ * Server-level blocking storage operations.
+ * Blocks entire instances by hostname, checked in inbox listeners
+ * before any expensive work is done.
+ * @module storage/server-blocks
+ */
+
+import { getRedisClient } from "../redis-cache.js";
+
+const REDIS_KEY = "indiekit:blocked_servers";
+
+/**
+ * Add a server block by hostname.
+ * @param {object} collections - MongoDB collections
+ * @param {string} hostname - Hostname to block (lowercase, no protocol)
+ * @param {string} [reason] - Optional admin note
+ */
+export async function addBlockedServer(collections, hostname, reason) {
+ const { ap_blocked_servers } = collections;
+ const normalized = hostname.toLowerCase().trim();
+
+ await ap_blocked_servers.updateOne(
+ { hostname: normalized },
+ {
+ $setOnInsert: {
+ hostname: normalized,
+ blockedAt: new Date().toISOString(),
+ ...(reason ? { reason } : {}),
+ },
+ },
+ { upsert: true },
+ );
+
+ // Incremental Redis update
+ const redis = getRedisClient();
+ if (redis) {
+ try {
+ await redis.sadd(REDIS_KEY, normalized);
+ } catch {
+ // Non-critical
+ }
+ }
+}
+
+/**
+ * Remove a server block by hostname.
+ * @param {object} collections - MongoDB collections
+ * @param {string} hostname - Hostname to unblock
+ */
+export async function removeBlockedServer(collections, hostname) {
+ const { ap_blocked_servers } = collections;
+ const normalized = hostname.toLowerCase().trim();
+
+ await ap_blocked_servers.deleteOne({ hostname: normalized });
+
+ const redis = getRedisClient();
+ if (redis) {
+ try {
+ await redis.srem(REDIS_KEY, normalized);
+ } catch {
+ // Non-critical
+ }
+ }
+}
+
+/**
+ * Get all blocked servers.
+ * @param {object} collections - MongoDB collections
+ * @returns {Promise} Array of block entries
+ */
+export async function getAllBlockedServers(collections) {
+ const { ap_blocked_servers } = collections;
+ return await ap_blocked_servers.find({}).sort({ blockedAt: -1 }).toArray();
+}
+
+/**
+ * Check if a server is blocked by actor URL.
+ * Uses Redis Set (O(1)) with MongoDB fallback.
+ * @param {string} actorUrl - Full actor URL
+ * @param {object} collections - MongoDB collections (fallback only)
+ * @returns {Promise}
+ */
+export async function isServerBlocked(actorUrl, collections) {
+ if (!actorUrl) return false;
+ try {
+ const hostname = new URL(actorUrl).hostname.toLowerCase();
+ const redis = getRedisClient();
+ if (redis) {
+ return (await redis.sismember(REDIS_KEY, hostname)) === 1;
+ }
+ // Fallback: direct MongoDB check
+ const { ap_blocked_servers } = collections;
+ return !!(await ap_blocked_servers.findOne({ hostname }));
+ } catch {
+ return false;
+ }
+}
+
+/**
+ * Load all blocked hostnames into Redis Set on startup.
+ * Replaces existing set contents entirely.
+ * @param {object} collections - MongoDB collections
+ */
+export async function loadBlockedServersToRedis(collections) {
+ const redis = getRedisClient();
+ if (!redis) return;
+
+ try {
+ const { ap_blocked_servers } = collections;
+ const docs = await ap_blocked_servers.find({}).toArray();
+ const hostnames = docs.map((d) => d.hostname);
+
+ // Replace: delete existing set, then add all
+ await redis.del(REDIS_KEY);
+ if (hostnames.length > 0) {
+ await redis.sadd(REDIS_KEY, ...hostnames);
+ }
+ } catch {
+ // Non-critical — isServerBlocked falls back to MongoDB
+ }
+}
diff --git a/lib/storage/timeline.js b/lib/storage/timeline.js
index 515f6c9..109c5d4 100644
--- a/lib/storage/timeline.js
+++ b/lib/storage/timeline.js
@@ -73,6 +73,18 @@ export async function getTimelineItems(collections, options = {}) {
const query = {};
+ // Exclude context-only items (ancestors fetched for thread reconstruction)
+ // unless explicitly requested via options.includeContext
+ if (!options.includeContext) {
+ query.isContext = { $ne: true };
+ }
+
+ // Exclude private/direct posts from the main timeline feed —
+ // these belong in messages/notifications, not the public reader
+ if (!options.includePrivate) {
+ query.visibility = { $nin: ["private", "direct"] };
+ }
+
// Type filter
if (options.type) {
query.type = options.type;
@@ -252,7 +264,11 @@ export async function countNewItems(collections, after, options = {}) {
const { ap_timeline } = collections;
if (!after || Number.isNaN(new Date(after).getTime())) return 0;
- const query = { published: { $gt: after } };
+ const query = {
+ published: { $gt: after },
+ isContext: { $ne: true },
+ visibility: { $nin: ["private", "direct"] },
+ };
if (options.type) query.type = options.type;
if (options.excludeReplies) {
query.$or = [
@@ -289,5 +305,9 @@ export async function markItemsRead(collections, uids) {
*/
export async function countUnreadItems(collections) {
const { ap_timeline } = collections;
- return await ap_timeline.countDocuments({ read: { $ne: true } });
+ return await ap_timeline.countDocuments({
+ read: { $ne: true },
+ isContext: { $ne: true },
+ visibility: { $nin: ["private", "direct"] },
+ });
}
diff --git a/lib/timeline-store.js b/lib/timeline-store.js
index ce206e1..28b05bf 100644
--- a/lib/timeline-store.js
+++ b/lib/timeline-store.js
@@ -33,6 +33,29 @@ export function sanitizeContent(html) {
});
}
+/**
+ * Replace custom emoji :shortcode: placeholders with inline ![]()
tags.
+ * Applied AFTER sanitization — the ![]()
tags are controlled output from
+ * trusted emoji data, not user-supplied HTML.
+ *
+ * @param {string} html - Content HTML (already sanitized)
+ * @param {Array<{shortcode: string, url: string}>} emojis - Custom emoji data
+ * @returns {string} HTML with shortcodes replaced by ![]()
tags
+ */
+export function replaceCustomEmoji(html, emojis) {
+ if (!emojis?.length || !html) return html;
+ let result = html;
+ for (const { shortcode, url } of emojis) {
+ const escaped = shortcode.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+ const pattern = new RegExp(`:${escaped}:`, "g");
+ result = result.replace(
+ pattern,
+ `
`,
+ );
+ }
+ return result;
+}
+
/**
* Extract actor information from Fedify Person/Application/Service object
* @param {object} actor - Fedify actor object
@@ -104,7 +127,10 @@ export async function extractActorInfo(actor, options = {}) {
// Bot detection — Service and Application actors are automated accounts
const bot = actor instanceof Service || actor instanceof Application;
- return { name, url, photo, handle, emojis, bot };
+ // Replace custom emoji shortcodes in display name with ![]()
tags
+ const nameHtml = replaceCustomEmoji(name, emojis);
+
+ return { name, nameHtml, url, photo, handle, emojis, bot };
}
/**
@@ -336,6 +362,10 @@ export async function extractObjectData(object, options = {}) {
if (shares?.totalItems != null) counts.boosts = shares.totalItems;
} catch { /* ignore */ }
+ // Replace custom emoji :shortcode: in content with inline ![]()
tags.
+ // Applied after sanitization — these are trusted emoji from the post's tags.
+ content.html = replaceCustomEmoji(content.html, emojis);
+
// Build base timeline item
const item = {
uid,
diff --git a/locales/en.json b/locales/en.json
index 7034ee0..98ce7da 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -10,6 +10,13 @@
"noActivity": "No activity yet. Once your actor is federated, interactions will appear here.",
"noFollowers": "No followers yet.",
"noFollowing": "Not following anyone yet.",
+ "pendingFollows": "Pending",
+ "noPendingFollows": "No pending follow requests.",
+ "approve": "Approve",
+ "reject": "Reject",
+ "followApproved": "Follow request approved.",
+ "followRejected": "Follow request rejected.",
+ "followRequest": "requested to follow you",
"followerCount": "%d follower",
"followerCount_plural": "%d followers",
"followingCount": "%d following",
diff --git a/package.json b/package.json
index 8ba941d..cce331b 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "@rmdes/indiekit-endpoint-activitypub",
- "version": "2.12.2",
+ "version": "2.15.4",
"description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
"keywords": [
"indiekit",
diff --git a/views/activitypub-followers.njk b/views/activitypub-followers.njk
index 9f6964a..534058e 100644
--- a/views/activitypub-followers.njk
+++ b/views/activitypub-followers.njk
@@ -6,19 +6,67 @@
{% from "pagination/macro.njk" import pagination with context %}
{% block content %}
- {% if followers.length > 0 %}
- {% for follower in followers %}
- {{ card({
- title: follower.name or follower.handle or follower.actorUrl,
- url: follower.actorUrl,
- photo: { url: follower.avatar, alt: follower.name } if follower.avatar,
- description: { text: "@" + follower.handle if follower.handle },
- published: follower.followedAt
- }) }}
- {% endfor %}
+ {# Tab navigation — only show if there are pending requests #}
+ {% if pendingCount > 0 %}
+ {% set followersBase = mountPath + "/admin/followers" %}
+
+ {% endif %}
- {{ pagination(cursor) if cursor }}
+ {% if tab == "pending" %}
+ {# Pending follow requests #}
+ {% if pendingFollows.length > 0 %}
+ {% for pending in pendingFollows %}
+
+ {{ card({
+ title: pending.name or pending.handle or pending.actorUrl,
+ url: pending.actorUrl,
+ photo: { url: pending.avatar, alt: pending.name } if pending.avatar,
+ description: { text: "@" + pending.handle if pending.handle }
+ }) }}
+
+
+
+
+
+ {% endfor %}
+
+ {{ pagination(cursor) if cursor }}
+ {% else %}
+ {{ prose({ text: __("activitypub.noPendingFollows") }) }}
+ {% endif %}
{% else %}
- {{ prose({ text: __("activitypub.noFollowers") }) }}
+ {# Accepted followers #}
+ {% if followers.length > 0 %}
+ {% for follower in followers %}
+ {{ card({
+ title: follower.name or follower.handle or follower.actorUrl,
+ url: follower.actorUrl,
+ photo: { url: follower.avatar, alt: follower.name } if follower.avatar,
+ description: { text: "@" + follower.handle if follower.handle },
+ published: follower.followedAt
+ }) }}
+ {% endfor %}
+
+ {{ pagination(cursor) if cursor }}
+ {% else %}
+ {{ prose({ text: __("activitypub.noFollowers") }) }}
+ {% endif %}
{% endif %}
{% endblock %}
diff --git a/views/activitypub-moderation.njk b/views/activitypub-moderation.njk
index b8fb18d..e229ca9 100644
--- a/views/activitypub-moderation.njk
+++ b/views/activitypub-moderation.njk
@@ -26,6 +26,38 @@