shadowfacts.net/lib/activitypub/inbox.ts

import { Router, Request, Response } from "express";
import uuidv4 from "uuid/v4";
import {createActivity, getActor, signAndSend} from "./federate";
import { Activity, FollowActivity, AcceptActivity, UndoActivity, CreateActivity, NoteObject, DeleteActivity } from "./activity";
import sanitizeHtml from "sanitize-html";
import Note from "../entity/Note";
import { getConnection } from "typeorm";
import Actor from "../entity/Actor";
import Article from "../entity/Article";

const domain = process.env.DOMAIN;

export default function inbox(router: Router) {
	router.post("/ap/inbox", handleInbox);
	router.post("/inbox", handleInbox);
}

function handleInbox(req: Request, res: Response) {
	const activity = req.body as Activity;
	if (activity.type === "Follow") {
		handleFollow(activity, req, res);
	} else if (activity.type === "Create") {
		handleCreate(activity, req, res);
	} else if (activity.type === "Undo") {
		handleUndo(activity, req, res);
	} else if (activity.type === "Delete") {
		handleDelete(activity, req, res);
	} else {
		res.end(); // TODO: handle this better
	}
}

async function handleFollow(activity: Activity, req: Request, res: Response) {
	if (typeof req.body.object !== "string") {
		res.end(); // TODO: handle this better
		return;
	}
	const follow = activity as FollowActivity;
	if (follow.object !== `https://${domain}/ap/actor`) {
		res.end();
		return;
	}
	const actor = await getActor(follow.actor, true); // always force re-fetch the actor on follow
	if (!actor) {
		// if the actor ceases existing between the time the Follow is sent and when receive it, ignore it and end the request
		res.end();
		return;
	}
	const acceptObject = {
		"@context": "https://www.w3.org/ns/activitystreams",
		"id": `https://${domain}/ap/${uuidv4()}`,
		"type": "Accept",
		"actor": `https://${domain}/ap/actor`,
		"object": follow
	} as AcceptActivity;
	try {
		await signAndSend(acceptObject, actor.inbox);
		// prefer shared server inbox
		const serverInbox = actor.endpoints && actor.endpoints.sharedInbox ? actor.endpoints.sharedInbox : actor.inbox;
		await getConnection().createQueryBuilder()
			.update(Actor)
			.set({
				isFollower: true,
				inbox: serverInbox
			})
			.where("id = :id", {id: actor.id})
			.execute();
		res.end();
	} catch (err) {
		res.status(500).json({ message: "Encountered error handling follow.", error: err }).end();
	}
}

async function handleCreate(activity: Activity, req: Request, res: Response) {
	const create = activity as CreateActivity;
	if (create.object.type == "Note") {
		handleCreateNote(create, req, res);
	} else {
		res.end();
	}
}

function sanitizeStatus(content: string): string {
	return sanitizeHtml(content, {
		allowedTags: ["a", "span", "p", "br", "b", "strong", "i", "em", "s", "del", "u", "code", "pre", "ul", "ol", "li", "blockquote", "img"],
		allowedAttributes: {
			"a": ["href", "data-user"],
			"img": ["src"]
		},
		transformTags: {
			"a": sanitizeHtml.simpleTransform("a", { rel: "noopener", target: "_blank" })
		}
	});
}

async function handleCreateNote(create: CreateActivity, req: Request, res: Response) {
	const noteObject = create.object as NoteObject;
	const actor = await getActor(noteObject.attributedTo); // get and cache the actor if it's not already cached

	const asPublic = "https://www.w3.org/ns/activitystreams#Public";
	const article = await getConnection().getRepository(Article).findOne({ where: { conversation: noteObject.conversation } });
	if (!article) {
		console.log(`Ignoring message not in response to an article: ${noteObject.id}`);
		res.end();
	} else if (!process.env.ACCEPT_NON_PUBLIC_NOTES && !noteObject.to.includes(asPublic) && !noteObject.cc.includes(asPublic)) {
		console.log(`Ignoring non-public post: ${noteObject.id}`);

		try {
			const note: NoteObject = {
				type: "Note",
				id: `https://${domain}/ap/object/${uuidv4()}`,
				to: [actor.id],
				cc: [],
				directMessage: true,
				attributedTo: `https://${domain}/ap/actor`,
				content: `<a href="${actor.url}" class="mention">@<span>${actor.preferredUsername}</span></a> Non-public posts are not accepted. To respond to a blog post, use either Public or Unlisted.`,
				published: new Date().toISOString(),
				inReplyTo: noteObject.id,
				conversation: noteObject.conversation || `https://${domain}/ap/conversation/${uuidv4()}`
			};
			const responseCreate = createActivity(note);
			signAndSend(responseCreate, actor.inbox);
		} catch (err) {
			console.error(`Couldn't send non-public reply Note to ${noteObject.id}`, err);
		}

		res.end();
	} else {
		const sanitizedContent = sanitizeStatus(noteObject.content);
		const note = new Note();
		note.id = noteObject.id;
		note.actor = await getConnection().getRepository(Actor).findOne(actor.id);
		note.content = sanitizedContent;
		note.attributedTo = noteObject.attributedTo;
		note.inReplyTo = noteObject.inReplyTo;
		note.conversation = noteObject.conversation;
		note.published = noteObject.published;
		try {
			await getConnection().getRepository(Note).save(note);
			res.end();
		} catch (err) {
			console.error(`Encountered error storing reply ${noteObject.id}`, err);
			res.status(500).end();
		}
	}
}

async function handleDelete(activity: Activity, req: Request, res: Response) {
	const deleteActivity = activity as DeleteActivity;
	try {
		await getConnection().getRepository(Note).createQueryBuilder()
			.delete()
			.from(Note, "note")
			.where("note.id = :id", { id: deleteActivity.object })
			.andWhere("note.\"actorId\" = :actor", { actor: deleteActivity.actor })
			.execute();
	} catch (err) {
		console.error(`Encountered error deleting ${deleteActivity.object}`, err);
	}
	res.end();
}

function handleUndo(activity: Activity, req: Request, res: Response) {
	const undo = activity as UndoActivity;
	if (undo.object.type === "Follow") {
		handleUndoFollow(undo, req, res);
	} else {
		res.end();
	}
}

async function handleUndoFollow(undo: UndoActivity, req: Request, res: Response) {
	const follow = undo.object as FollowActivity;
	if (follow.object !== `https://${domain}/ap/actor` || undo.actor !== follow.actor) {
		res.end();
		return;
	}
	try {
		await getConnection().createQueryBuilder()
			.update(Actor)
			.set({ isFollower: false })
			.where("id = :id", { id: follow.actor })
			.execute();
	} catch (err) {
		console.error(`Error handling unfollow from ${follow.actor}`, err);
	}
	res.end();
}
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			`import { Router, Request, Response } from "express";`
			`import uuidv4 from "uuid/v4";`
More federation work 2019-08-18 22:09:28 +00:00			`import {createActivity, getActor, signAndSend} from "./federate";`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`import { Activity, FollowActivity, AcceptActivity, UndoActivity, CreateActivity, NoteObject, DeleteActivity } from "./activity";`
Store incoming Notes 2019-02-22 00:17:59 +00:00			`import sanitizeHtml from "sanitize-html";`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`import Note from "../entity/Note";`
			`import { getConnection } from "typeorm";`
			`import Actor from "../entity/Actor";`
More federation work 2019-08-18 22:09:28 +00:00			`import Article from "../entity/Article";`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00
			`const domain = process.env.DOMAIN;`

Validate HTTP signatures 2019-02-20 23:07:29 +00:00			`export default function inbox(router: Router) {`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			`router.post("/ap/inbox", handleInbox);`
			`router.post("/inbox", handleInbox);`
			`}`

More federation work 2019-08-18 22:09:28 +00:00			`function handleInbox(req: Request, res: Response) {`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			`const activity = req.body as Activity;`
			`if (activity.type === "Follow") {`
			`handleFollow(activity, req, res);`
			`} else if (activity.type === "Create") {`
			`handleCreate(activity, req, res);`
			`} else if (activity.type === "Undo") {`
			`handleUndo(activity, req, res);`
Try to handle Deletes (not currently working) 2019-02-22 00:26:24 +00:00			`} else if (activity.type === "Delete") {`
			`handleDelete(activity, req, res);`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			`} else {`
			`res.end(); // TODO: handle this better`
			`}`
			`}`

			`async function handleFollow(activity: Activity, req: Request, res: Response) {`
			`if (typeof req.body.object !== "string") {`
			`res.end(); // TODO: handle this better`
			`return;`
			`}`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`const follow = activity as FollowActivity;`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			if (follow.object !== `https://${domain}/ap/actor`) {
			`res.end();`
			`return;`
			`}`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`const actor = await getActor(follow.actor, true); // always force re-fetch the actor on follow`
Fix federation issues caused by Delete actor activities 2019-06-30 18:59:39 +00:00			`if (!actor) {`
			`// if the actor ceases existing between the time the Follow is sent and when receive it, ignore it and end the request`
			`res.end();`
			`return;`
			`}`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`const acceptObject = {`
			`"@context": "https://www.w3.org/ns/activitystreams",`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			"id": `https://${domain}/ap/${uuidv4()}`,
			`"type": "Accept",`
			"actor": `https://${domain}/ap/actor`,
			`"object": follow`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`} as AcceptActivity;`
More federation work 2019-08-18 22:09:28 +00:00			`try {`
			`await signAndSend(acceptObject, actor.inbox);`
			`// prefer shared server inbox`
			`const serverInbox = actor.endpoints && actor.endpoints.sharedInbox ? actor.endpoints.sharedInbox : actor.inbox;`
			`await getConnection().createQueryBuilder()`
			`.update(Actor)`
			`.set({`
			`isFollower: true,`
			`inbox: serverInbox`
			`})`
			`.where("id = :id", {id: actor.id})`
			`.execute();`
			`res.end();`
			`} catch (err) {`
			`res.status(500).json({ message: "Encountered error handling follow.", error: err }).end();`
			`}`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			`}`

			`async function handleCreate(activity: Activity, req: Request, res: Response) {`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`const create = activity as CreateActivity;`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			`if (create.object.type == "Note") {`
			`handleCreateNote(create, req, res);`
			`} else {`
			`res.end();`
			`}`
			`}`

Store incoming Notes 2019-02-22 00:17:59 +00:00			`function sanitizeStatus(content: string): string {`
			`return sanitizeHtml(content, {`
			`allowedTags: ["a", "span", "p", "br", "b", "strong", "i", "em", "s", "del", "u", "code", "pre", "ul", "ol", "li", "blockquote", "img"],`
			`allowedAttributes: {`
			`"a": ["href", "data-user"],`
			`"img": ["src"]`
			`},`
			`transformTags: {`
			`"a": sanitizeHtml.simpleTransform("a", { rel: "noopener", target: "_blank" })`
			`}`
			`});`
			`}`

Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`async function handleCreateNote(create: CreateActivity, req: Request, res: Response) {`
			`const noteObject = create.object as NoteObject;`
Fix not accepting deletes 2019-08-18 21:15:39 +00:00			`const actor = await getActor(noteObject.attributedTo); // get and cache the actor if it's not already cached`
More federation work 2019-08-18 22:09:28 +00:00
			`const asPublic = "https://www.w3.org/ns/activitystreams#Public";`
			`const article = await getConnection().getRepository(Article).findOne({ where: { conversation: noteObject.conversation } });`
			`if (!article) {`
			console.log(`Ignoring message not in response to an article: ${noteObject.id}`);
			`res.end();`
			`} else if (!process.env.ACCEPT_NON_PUBLIC_NOTES && !noteObject.to.includes(asPublic) && !noteObject.cc.includes(asPublic)) {`
			console.log(`Ignoring non-public post: ${noteObject.id}`);

			`try {`
			`const note: NoteObject = {`
			`type: "Note",`
			id: `https://${domain}/ap/object/${uuidv4()}`,
			`to: [actor.id],`
			`cc: [],`
			`directMessage: true,`
			attributedTo: `https://${domain}/ap/actor`,
			content: `<a href="${actor.url}" class="mention">@<span>${actor.preferredUsername}</span></a> Non-public posts are not accepted. To respond to a blog post, use either Public or Unlisted.`,
			`published: new Date().toISOString(),`
			`inReplyTo: noteObject.id,`
			conversation: noteObject.conversation \|\| `https://${domain}/ap/conversation/${uuidv4()}`
			`};`
			`const responseCreate = createActivity(note);`
			`signAndSend(responseCreate, actor.inbox);`
			`} catch (err) {`
			console.error(`Couldn't send non-public reply Note to ${noteObject.id}`, err);
			`}`

			`res.end();`
			`} else {`
			`const sanitizedContent = sanitizeStatus(noteObject.content);`
			`const note = new Note();`
			`note.id = noteObject.id;`
			`note.actor = await getConnection().getRepository(Actor).findOne(actor.id);`
			`note.content = sanitizedContent;`
			`note.attributedTo = noteObject.attributedTo;`
			`note.inReplyTo = noteObject.inReplyTo;`
			`note.conversation = noteObject.conversation;`
			`note.published = noteObject.published;`
			`try {`
			`await getConnection().getRepository(Note).save(note);`
			`res.end();`
			`} catch (err) {`
			console.error(`Encountered error storing reply ${noteObject.id}`, err);
			`res.status(500).end();`
			`}`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`}`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			`}`

Try to handle Deletes (not currently working) 2019-02-22 00:26:24 +00:00			`async function handleDelete(activity: Activity, req: Request, res: Response) {`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`const deleteActivity = activity as DeleteActivity;`
			`try {`
			`await getConnection().getRepository(Note).createQueryBuilder()`
			`.delete()`
			`.from(Note, "note")`
			`.where("note.id = :id", { id: deleteActivity.object })`
Fix not accepting deletes 2019-08-18 21:15:39 +00:00			`.andWhere("note.\"actorId\" = :actor", { actor: deleteActivity.actor })`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`.execute();`
			`} catch (err) {`
			console.error(`Encountered error deleting ${deleteActivity.object}`, err);
			`}`
			`res.end();`
Try to handle Deletes (not currently working) 2019-02-22 00:26:24 +00:00			`}`

More federation work 2019-08-18 22:09:28 +00:00			`function handleUndo(activity: Activity, req: Request, res: Response) {`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`const undo = activity as UndoActivity;`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			`if (undo.object.type === "Follow") {`
			`handleUndoFollow(undo, req, res);`
			`} else {`
			`res.end();`
			`}`
			`}`

Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`async function handleUndoFollow(undo: UndoActivity, req: Request, res: Response) {`
			`const follow = undo.object as FollowActivity;`
			if (follow.object !== `https://${domain}/ap/actor` \|\| undo.actor !== follow.actor) {
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			`res.end();`
			`return;`
			`}`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`try {`
			`await getConnection().createQueryBuilder()`
			`.update(Actor)`
			`.set({ isFollower: false })`
			`.where("id = :id", { id: follow.actor })`
			`.execute();`
			`} catch (err) {`
			console.error(`Error handling unfollow from ${follow.actor}`, err);
			`}`
ActivityPub attempt 2: it actually works this time Use Node.js Express app to serve both statically generated content and dynamic AP stuff 2019-02-20 22:12:29 +00:00			`res.end();`
Replaces sqlite with postgres and TypeORM 2019-08-17 18:50:18 +00:00			`}`