diff --git a/README.md b/README.md
index 1a4ff85b..a907df79 100644
--- a/README.md
+++ b/README.md
@@ -126,6 +126,7 @@
 - `REDIS_URL` (recommended for production delivery queue durability)
 - Startup preflight `scripts/preflight-activitypub-rsa-key.mjs` ensures `ap_keys` contains a usable RSA key pair (`publicKeyPem` + `privateKeyPem`) so outgoing inbox deliveries are HTTP-signed and not rejected with `Request not signed`.
 - Startup preflight `scripts/preflight-activitypub-profile-urls.mjs` normalizes existing ActivityPub profile URL fields in MongoDB (`url`, `icon`, `image`, `alsoKnownAs`) so WebFinger/actor responses do not fail on invalid URL values.
+- The ActivityPub private-url docloader patch (`scripts/patch-endpoint-activitypub-private-url-docloader.mjs`) allows Fedify lookups for your own publication hostname when split-horizon DNS resolves it to a private jail IP.
 - The ActivityPub locale patch creates/repairs `locales/de.json` from `locales/en.json` so backend UI keys do not render as raw `activitypub.*` translation strings when `SITE_LOCALE=de`.
 - Quick verification commands:
 - `curl -s "https://blog.giersig.eu/.well-known/webfinger?resource=acct:@blog.giersig.eu" | jq .`
@@ -138,7 +139,7 @@
 - `start.sh` is intentionally ignored by Git (`.gitignore`) so server secrets are not committed.
 - Use `start.example.sh` as the tracked template and keep real credentials in environment variables (or `.env` on the server).
 - Startup scripts parse `.env` with the `dotenv` parser (not shell `source`), so values containing spaces are handled safely.
-- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/preflight-activitypub-rsa-key.mjs`, `scripts/preflight-activitypub-profile-urls.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-endpoint-activitypub-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indiekit-routes-rate-limits.mjs`, `scripts/patch-indiekit-error-production-stack.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-listening-endpoint-runtime-guards.mjs`).
+- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/preflight-activitypub-rsa-key.mjs`, `scripts/preflight-activitypub-profile-urls.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-endpoint-activitypub-locales.mjs`, `scripts/patch-endpoint-activitypub-docloader-loglevel.mjs`, `scripts/patch-endpoint-activitypub-private-url-docloader.mjs`, `scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs`, `scripts/patch-endpoint-homepage-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indiekit-routes-rate-limits.mjs`, `scripts/patch-indiekit-error-production-stack.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-listening-endpoint-runtime-guards.mjs`).
 - The production security preflight blocks startup on insecure auth/session configuration and catches empty-password bcrypt hashes.
 - One-time recovery mode is available with `INDIEKIT_ALLOW_PASSWORD_SETUP=1` to bootstrap/reset `PASSWORD_SECRET` when locked out. Remove this flag after setting a valid hash.
 - The media scope patch fixes a known upstream issue where file uploads can fail if the token scope is `create update delete` without explicit `media`.
diff --git a/indiekit.config.mjs b/indiekit.config.mjs
index f714ceb2..aca3319e 100644
--- a/indiekit.config.mjs
+++ b/indiekit.config.mjs
@@ -84,7 +84,7 @@ const blueskyHandle = (process.env.BLUESKY_HANDLE || "")
 .trim()
 .replace(/^@+/, "");
 const blueskyPassword = process.env.BLUESKY_PASSWORD || "";
-const mastodonUrl = process.env.MASTODON_URL || "https://mastodon.social";
+const mastodonUrl = process.env.MASTODON_URL || "https://troet.cafe";
 const mastodonUser = (
 process.env.MASTODON_USER || process.env.MASTODON_USERNAME || ""
 )
diff --git a/package.json b/package.json
index 15ee6c24..9bb1c0f4 100644
--- a/package.json
+++ b/package.json
@@ -4,8 +4,8 @@
 "description": "",
 "main": "index.js",
 "scripts": {
- "postinstall": "node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs",
- "serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-rsa-key.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs 
&& node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
+ "postinstall": "node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-private-url-docloader.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node 
scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs",
+ "serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-rsa-key.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs && node scripts/patch-endpoint-activitypub-private-url-docloader.mjs && node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs && node scripts/patch-endpoint-homepage-locales.mjs && node scripts/patch-federation-unlisted-guards.mjs && node scripts/patch-endpoint-micropub-where-note-visibility.mjs && node scripts/patch-endpoint-posts-ai-fields.mjs && node scripts/patch-endpoint-posts-ai-cleanup.mjs && node scripts/patch-endpoint-podroll-opml-upload.mjs && node scripts/patch-preset-eleventy-ai-frontmatter.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-conversations-mastodon-disconnect.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node 
scripts/patch-listening-endpoint-runtime-guards.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
 "test": "echo \"Error: no test specified\" && exit 1"
 },
 "keywords": [],
diff --git a/scripts/patch-endpoint-activitypub-private-url-docloader.mjs b/scripts/patch-endpoint-activitypub-private-url-docloader.mjs
new file mode 100644
index 00000000..4b731017
--- /dev/null
+++ b/scripts/patch-endpoint-activitypub-private-url-docloader.mjs
@@ -0,0 +1,245 @@
+import { access, readFile, writeFile } from "node:fs/promises";
+
+const patchSpecs = [
+ {
+ name: "activitypub-compose-publication-private-docloader",
+ candidates: [
+ "node_modules/@rmdes/indiekit-endpoint-activitypub/lib/controllers/compose.js",
+ "node_modules/@indiekit/indiekit/node_modules/@rmdes/indiekit-endpoint-activitypub/lib/controllers/compose.js",
+ ],
+ replacements: [
+ {
+ oldSnippet: [
+ "import { getToken, validateToken } from \"../csrf.js\";",
+ "import { sanitizeContent } from \"../timeline-store.js\";",
+ ].join("\n"),
+ newSnippet: [
+ "import { getToken, validateToken } from \"../csrf.js\";",
+ "import { sanitizeContent } from \"../timeline-store.js\";",
+ "",
+ "function createPublicationAwareDocumentLoader(documentLoader, publicationUrl) {",
+ " if (typeof documentLoader !== \"function\") {",
+ " return documentLoader;",
+ " }",
+ "",
+ " let publicationHost = \"\";",
+ " try {",
+ " publicationHost = new URL(publicationUrl).hostname;",
+ " } catch {",
+ " return documentLoader;",
+ " }",
+ "",
+ " return (url, options = {}) => {",
+ " try {",
+ " const parsed = new URL(",
+ " typeof url === \"string\" ? 
url : (url?.href || String(url)),",
+ " );",
+ " if (parsed.hostname === publicationHost) {",
+ " return documentLoader(url, { ...options, allowPrivateAddress: true });",
+ " }",
+ " } catch {",
+ " // Fall through to default loader behavior.",
+ " }",
+ "",
+ " return documentLoader(url, options);",
+ " };",
+ "}",
+ ].join("\n"),
+ },
+ {
+ oldSnippet: [
+ " const documentLoader = await ctx.getDocumentLoader({",
+ " identifier: handle,",
+ " });",
+ " const remoteObject = await ctx.lookupObject(new URL(replyTo), {",
+ " documentLoader,",
+ " });",
+ ].join("\n"),
+ newSnippet: [
+ " const rawDocumentLoader = await ctx.getDocumentLoader({",
+ " identifier: handle,",
+ " });",
+ " const documentLoader = createPublicationAwareDocumentLoader(",
+ " rawDocumentLoader,",
+ " plugin._publicationUrl,",
+ " );",
+ " const remoteObject = await ctx.lookupObject(new URL(replyTo), {",
+ " documentLoader,",
+ " });",
+ ].join("\n"),
+ },
+ ],
+ },
+ {
+ name: "activitypub-resolve-author-publication-private-docloader",
+ candidates: [
+ "node_modules/@rmdes/indiekit-endpoint-activitypub/lib/resolve-author.js",
+ "node_modules/@indiekit/indiekit/node_modules/@rmdes/indiekit-endpoint-activitypub/lib/resolve-author.js",
+ ],
+ replacements: [
+ {
+ oldSnippet: [
+ "}",
+ "",
+ "/**",
+ " * Resolve the author Actor for a given post URL.",
+ ].join("\n"),
+ newSnippet: [
+ "}",
+ "",
+ "function createPublicationAwareDocumentLoader(documentLoader, publicationUrl) {",
+ " if (typeof documentLoader !== \"function\") {",
+ " return documentLoader;",
+ " }",
+ "",
+ " let publicationHost = \"\";",
+ " try {",
+ " publicationHost = new URL(publicationUrl).hostname;",
+ " } catch {",
+ " return documentLoader;",
+ " }",
+ "",
+ " return (url, options = {}) => {",
+ " try {",
+ " const parsed = new URL(",
+ " typeof url === \"string\" ? 
url : (url?.href || String(url)),",
+ " );",
+ " if (parsed.hostname === publicationHost) {",
+ " return documentLoader(url, { ...options, allowPrivateAddress: true });",
+ " }",
+ " } catch {",
+ " // Fall through to default loader behavior.",
+ " }",
+ "",
+ " return documentLoader(url, options);",
+ " };",
+ "}",
+ "",
+ "/**",
+ " * Resolve the author Actor for a given post URL.",
+ ].join("\n"),
+ },
+ {
+ oldSnippet: [
+ "export async function resolveAuthor(",
+ " postUrl,",
+ " ctx,",
+ " documentLoader,",
+ " collections,",
+ ") {",
+ " // Strategy 1: Look up remote post via Fedify (signed request)",
+ ].join("\n"),
+ newSnippet: [
+ "export async function resolveAuthor(",
+ " postUrl,",
+ " ctx,",
+ " documentLoader,",
+ " collections,",
+ ") {",
+ " const publicationLoader = createPublicationAwareDocumentLoader(",
+ " documentLoader,",
+ " ctx?.url?.href || \"\",",
+ " );",
+ "",
+ " // Strategy 1: Look up remote post via Fedify (signed request)",
+ ].join("\n"),
+ },
+ {
+ oldSnippet: [
+ " const remoteObject = await ctx.lookupObject(new URL(postUrl), {",
+ " documentLoader,",
+ " });",
+ " if (remoteObject && typeof remoteObject.getAttributedTo === \"function\") {",
+ " const author = await remoteObject.getAttributedTo({ documentLoader });",
+ ].join("\n"),
+ newSnippet: [
+ " const remoteObject = await ctx.lookupObject(new URL(postUrl), {",
+ " documentLoader: publicationLoader,",
+ " });",
+ " if (remoteObject && typeof remoteObject.getAttributedTo === \"function\") {",
+ " const author = await remoteObject.getAttributedTo({",
+ " documentLoader: publicationLoader,",
+ " });",
+ ].join("\n"),
+ },
+ {
+ oldSnippet: [
+ " const actor = await ctx.lookupObject(new URL(authorUrl), {",
+ " documentLoader,",
+ " });",
+ ].join("\n"),
+ newSnippet: [
+ " const actor = await ctx.lookupObject(new URL(authorUrl), {",
+ " documentLoader: publicationLoader,",
+ " });",
+ ].join("\n"),
+ },
+ {
+ oldSnippet: [
+ " const actor = await ctx.lookupObject(new 
URL(extractedUrl), {",
+ " documentLoader,",
+ " });",
+ ].join("\n"),
+ newSnippet: [
+ " const actor = await ctx.lookupObject(new URL(extractedUrl), {",
+ " documentLoader: publicationLoader,",
+ " });",
+ ].join("\n"),
+ },
+ ],
+ },
+];
+
+async function exists(filePath) {
+ try {
+ await access(filePath);
+ return true;
+ } catch {
+ return false;
+ }
+}
+
+let filesChecked = 0;
+let filesPatched = 0;
+
+for (const patchSpec of patchSpecs) {
+ for (const filePath of patchSpec.candidates) {
+ if (!(await exists(filePath))) {
+ continue;
+ }
+
+ filesChecked += 1;
+
+ const source = await readFile(filePath, "utf8");
+ let updated = source;
+
+ for (const replacement of patchSpec.replacements) {
+ if (updated.includes(replacement.newSnippet)) {
+ continue;
+ }
+
+ if (!updated.includes(replacement.oldSnippet)) {
+ continue;
+ }
+
+ updated = updated.replace(replacement.oldSnippet, replacement.newSnippet);
+ }
+
+ if (updated === source) {
+ continue;
+ }
+
+ await writeFile(filePath, updated, "utf8");
+ filesPatched += 1;
+ }
+}
+
+if (filesChecked === 0) {
+ console.log("[postinstall] No activitypub private-url patch targets found");
+} else if (filesPatched === 0) {
+ console.log("[postinstall] activitypub private-url docloader patch already applied");
+} else {
+ console.log(
+ `[postinstall] Patched activitypub publication-host private-url handling in ${filesPatched}/${filesChecked} file(s)`,
+ );
+}
\ No newline at end of file
diff --git a/start.example.sh b/start.example.sh
index af3b1c2c..d8c73607 100644
--- a/start.example.sh
+++ b/start.example.sh
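Review bot: In the replacement loop near the end of the hunk, an `oldSnippet` that no longer matches the installed package is skipped with a bare `continue`, so after an upstream update of `@rmdes/indiekit-endpoint-activitypub` the script prints `activitypub private-url docloader patch already applied` although neither snippet is present and the loader wrapper was never installed; count the misses and warn, as in the excerpt below, which also swaps the plain-string replacement for a replacer function so a future snippet containing `$` is not reinterpreted as a replacement pattern. The two injected call sites also take the exempted host from different places: compose.js uses the configured `plugin._publicationUrl`, while resolve-author.js uses `ctx?.url?.href`, and if that URL reflects the incoming request's origin rather than a configured canonical origin, the `allowPrivateAddress` exemption (which relaxes Fedify's private-address guard) would follow request-controlled input, so the configured publication URL is the safer source in both. Whether a second argument passed to the loader returned by `ctx.getDocumentLoader()` is honoured at all cannot be confirmed from this hunk; a comment on `createPublicationAwareDocumentLoader` recording that assumption, and that the exemption is deliberately limited to an exact match on the publication hostname, would help the next maintainer.
```javascript
let filesChecked = 0;
let filesPatched = 0;
let snippetsMissing = 0;

// … unchanged: candidate loop, exists() check, readFile …

    for (const replacement of patchSpec.replacements) {
      if (updated.includes(replacement.newSnippet)) {
        continue;
      }

      if (!updated.includes(replacement.oldSnippet)) {
        snippetsMissing += 1;
        console.warn(
          `[postinstall] ${patchSpec.name}: expected snippet not found in ${filePath}; upstream source may have changed`,
        );
        continue;
      }

      // Replacer function: a plain replacement string would interpret "$&"-style patterns.
      updated = updated.replace(replacement.oldSnippet, () => replacement.newSnippet);
    }

// … unchanged: writeFile and counters …

if (filesChecked === 0) {
  console.log("[postinstall] No activitypub private-url patch targets found");
} else if (snippetsMissing > 0) {
  console.warn(
    `[postinstall] activitypub private-url docloader patch incomplete: ${snippetsMissing} snippet(s) did not match`,
  );
} else if (filesPatched === 0) {
  console.log("[postinstall] activitypub private-url docloader patch already applied");
}
// … unchanged: success message …
```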
@@ -60,6 +60,7 @@ unset DEBUG
 /usr/local/bin/node scripts/patch-endpoint-files-upload-locales.mjs
 /usr/local/bin/node scripts/patch-endpoint-activitypub-locales.mjs
 /usr/local/bin/node scripts/patch-endpoint-activitypub-docloader-loglevel.mjs
+/usr/local/bin/node scripts/patch-endpoint-activitypub-private-url-docloader.mjs
 /usr/local/bin/node scripts/patch-endpoint-activitypub-migrate-alias-clear.mjs
 /usr/local/bin/node scripts/patch-endpoint-homepage-locales.mjs
 /usr/local/bin/node scripts/patch-frontend-serviceworker-file.mjs