NodeBB/src/activitypub/helpers.js

'use strict';

const { generateKeyPairSync } = require('crypto');
const winston = require('winston');
const nconf = require('nconf');
const validator = require('validator');

const posts = require('../posts');
const categories = require('../categories');
const request = require('../request');
const db = require('../database');
const ttl = require('../cache/ttl');
const user = require('../user');
const activitypub = require('.');

const webfingerCache = ttl({ ttl: 1000 * 60 * 60 * 24 }); // 24 hours

const Helpers = module.exports;

Helpers.isUri = (value) => {
	if (typeof value !== 'string') {
		value = String(value);
	}

	return validator.isURL(value, {
		require_protocol: true,
		require_host: true,
		protocols: activitypub._constants.acceptedProtocols,
		require_valid_protocol: true,
		require_tld: false, // temporary — for localhost
	});
};

Helpers.query = async (id) => {
	const isUri = Helpers.isUri(id);
	// username@host ids use acct: URI schema
	const uri = isUri ? new URL(id) : new URL(`acct:${id}`);
	// JS doesn't parse anything other than protocol and pathname from acct: URIs, so we need to just split id manually
	const [username, hostname] = isUri ? [uri.pathname || uri.href, uri.host] : id.split('@');
	if (!username || !hostname) {
		return false;
	}

	if (webfingerCache.has(id)) {
		return webfingerCache.get(id);
	}

	const query = new URLSearchParams({ resource: uri });

	// Make a webfinger query to retrieve routing information
	let response;
	let body;
	try {
		({ response, body } = await request.get(`https://${hostname}/.well-known/webfinger?${query}`));
	} catch (e) {
		return false;
	}

	if (response.statusCode !== 200 || !body.hasOwnProperty('links')) {
		return false;
	}

	// Parse links to find actor endpoint
	let actorUri = body.links.filter(link => activitypub._constants.acceptableTypes.includes(link.type) && link.rel === 'self');
	if (actorUri.length) {
		actorUri = actorUri.pop();
		({ href: actorUri } = actorUri);
	}

	const { subject, publicKey } = body;
	const payload = { subject, username, hostname, actorUri, publicKey };

	const claimedId = new URL(subject).pathname;
	webfingerCache.set(claimedId, payload);
	if (claimedId !== id) {
		webfingerCache.set(id, payload);
	}

	return payload;
};

Helpers.generateKeys = async (type, id) => {
	winston.verbose(`[activitypub] Generating RSA key-pair for ${type} ${id}`);
	const {
		publicKey,
		privateKey,
	} = generateKeyPairSync('rsa', {
		modulusLength: 2048,
		publicKeyEncoding: {
			type: 'spki',
			format: 'pem',
		},
		privateKeyEncoding: {
			type: 'pkcs8',
			format: 'pem',
		},
	});

	await db.setObject(`${type}:${id}:keys`, { publicKey, privateKey });
	return { publicKey, privateKey };
};

Helpers.resolveLocalId = async (input) => {
	if (Helpers.isUri(input)) {
		const { host, pathname, hash } = new URL(input);

		if (host === nconf.get('url_parsed').host) {
			const [prefix, value] = pathname.replace(nconf.get('relative_path'), '').split('/').filter(Boolean);

			let activityData = {};
			if (hash.startsWith('#activity')) {
				const [, activity, data] = hash.split('/', 3);
				activityData = { activity, data };
			}

			// https://bb.devnull.land/cid/2#activity/follow/activitypub@community.nodebb.org│
			switch (prefix) {
				case 'uid':
					return { type: 'user', id: value, ...activityData };

				case 'post':
					return { type: 'post', id: value, ...activityData };

				case 'cid':
				case 'category':
					return { type: 'category', id: value, ...activityData };

				case 'user': {
					const uid = await user.getUidByUserslug(value);
					return { type: 'user', id: uid, ...activityData };
				}
			}

			return { type: null, id: null, ...activityData };
		}

		return { type: null, id: null };
	} else if (String(input).indexOf('@') !== -1) { // Webfinger
		input = decodeURIComponent(input);
		const [slug] = input.replace(/^acct:/, '').split('@');
		const uid = await user.getUidByUserslug(slug);
		return { type: 'user', id: uid };
	}

	return { type: null, id: null };
};

Helpers.resolveActor = (type, id) => {
	switch (type) {
		case 'user':
		case 'uid': {
			return `${nconf.get('url')}${id > 0 ? `/uid/${id}` : '/actor'}`;
		}

		case 'category':
		case 'cid': {
			return `${nconf.get('url')}/category/${id}`;
		}

		default:
			throw new Error('[[error:activitypub.invalid-id]]');
	}
};

Helpers.resolveActivity = async (activity, data, id, resolved) => {
	switch (activity.toLowerCase()) {
		case 'follow': {
			const actor = await Helpers.resolveActor(resolved.type, resolved.id);
			const { actorUri: targetUri } = await Helpers.query(data);
			return {
				'@context': 'https://www.w3.org/ns/activitystreams',
				actor,
				id,
				type: 'Follow',
				object: targetUri,
			};
		}
		case 'announce':
		case 'create': {
			const object = await Helpers.resolveObjects(resolved.id);
			// local create activities are assumed to come from the user who created the underlying object
			const actor = object.attributedTo || object.actor;
			return {
				'@context': 'https://www.w3.org/ns/activitystreams',
				actor,
				id,
				type: 'Create',
				object,
			};
		}
		default: {
			throw new Error('[[error:activitypub.not-implemented]]');
		}
	}
};

Helpers.mapToLocalType = (type) => {
	if (type === 'Person') {
		return 'user';
	}
	if (type === 'Group') {
		return 'category';
	}
	if (type === 'Hashtag') {
		return 'tag';
	}
	if (activitypub._constants.acceptedPostTypes.includes(type)) {
		return 'post';
	}
};

Helpers.resolveObjects = async (ids) => {
	if (!Array.isArray(ids)) {
		ids = [ids];
	}
	const objects = await Promise.all(ids.map(async (id) => {
		// try to get a local ID first
		const { type, id: resolvedId, activity, data: activityData } = await Helpers.resolveLocalId(id);
		// activity data is only resolved for local IDs - so this will be false for remote posts
		if (activity) {
			return Helpers.resolveActivity(activity, activityData, id, { type, id: resolvedId });
		}
		switch (type) {
			case 'user': {
				if (!await user.exists(resolvedId)) {
					throw new Error('[[error:activitypub.invalid-id]]');
				}
				return activitypub.mocks.actors.user(resolvedId);
			}
			case 'post': {
				const post = (await posts.getPostSummaryByPids(
					[resolvedId],
					activitypub._constants.uid,
					{ stripTags: false }
				)).pop();
				if (!post) {
					throw new Error('[[error:activitypub.invalid-id]]');
				}
				return activitypub.mocks.note(post);
			}
			case 'category': {
				if (!await categories.exists(resolvedId)) {
					throw new Error('[[error:activitypub.invalid-id]]');
				}
				return activitypub.mocks.actors.category(resolvedId);
			}
			// if the type is not recognized, assume it's not a local ID and fetch the object from its origin
			default: {
				return activitypub.get('uid', 0, id);
			}
		}
	}));
	return objects.length === 1 ? objects[0] : objects;
};
feat: ability to view federated profiles via url manipulation 2023-05-29 17:42:44 -04:00			`'use strict';`

feat: actor cache, method to resolve inboxes, stub code for sending requests. Now base64 encoding digest as expected by Mastodon 2023-06-23 14:59:47 -04:00			`const { generateKeyPairSync } = require('crypto');`
feat: http signatures support, .sign() and .verify() AP helper methods 2023-06-19 17:29:22 -04:00			`const winston = require('winston');`
feat: follow/unfollow logic and receipt 2023-06-28 14:59:39 -04:00			`const nconf = require('nconf');`
feat: update activitypub helper resolveLocalUid to accept both webfinger name and full URL as input 2023-12-11 14:35:04 -05:00			`const validator = require('validator');`
feat: ability to view federated profiles via url manipulation 2023-05-29 17:42:44 -04:00
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`const posts = require('../posts');`
fix: throw errors when local objects don't exist 2024-04-10 18:50:41 +02:00			`const categories = require('../categories');`
refactor: update ap libs to use core request lib 2023-12-19 14:33:38 -05:00			`const request = require('../request');`
feat: http signatures support, .sign() and .verify() AP helper methods 2023-06-19 17:29:22 -04:00			`const db = require('../database');`
feat: add webfinger ttl cache 2023-06-16 11:26:25 -04:00			`const ttl = require('../cache/ttl');`
feat: follow/unfollow logic and receipt 2023-06-28 14:59:39 -04:00			`const user = require('../user');`
fix: support ldjson with ActivityStreams profile in actor queries 2024-04-08 20:06:26 +02:00			`const activitypub = require('.');`
feat: add webfinger ttl cache 2023-06-16 11:26:25 -04:00
			`const webfingerCache = ttl({ ttl: 1000 * 60 * 60 * 24 }); // 24 hours`

feat: ability to view federated profiles via url manipulation 2023-05-29 17:42:44 -04:00			`const Helpers = module.exports;`

fix: isUri helper so that it passes ci tests 2024-01-05 11:38:26 -05:00			`Helpers.isUri = (value) => {`
			`if (typeof value !== 'string') {`
			`value = String(value);`
			`}`

			`return validator.isURL(value, {`
			`require_protocol: true,`
			`require_host: true,`
fix: better logic for choosing webfinger lookups 2024-04-25 20:05:53 +02:00			`protocols: activitypub._constants.acceptedProtocols,`
fix: isUri helper so that it passes ci tests 2024-01-05 11:38:26 -05:00			`require_valid_protocol: true,`
			`require_tld: false, // temporary — for localhost`
			`});`
			`};`
refactor: validator check to helper method 2024-01-04 16:23:09 -05:00
feat: ability to view federated profiles via url manipulation 2023-05-29 17:42:44 -04:00			`Helpers.query = async (id) => {`
fix: handle URI actor IDs 2024-04-25 12:59:05 +02:00			`const isUri = Helpers.isUri(id);`
fix: handle requests to URI IDs correctly 2024-04-25 17:16:30 +02:00			`// username@host ids use acct: URI schema`
			const uri = isUri ? new URL(id) : new URL(`acct:${id}`);
			`// JS doesn't parse anything other than protocol and pathname from acct: URIs, so we need to just split id manually`
			`const [username, hostname] = isUri ? [uri.pathname \|\| uri.href, uri.host] : id.split('@');`
			`if (!username \|\| !hostname) {`
feat: ability to view federated profiles via url manipulation 2023-05-29 17:42:44 -04:00			`return false;`
			`}`

feat: add webfinger ttl cache 2023-06-16 11:26:25 -04:00			`if (webfingerCache.has(id)) {`
			`return webfingerCache.get(id);`
			`}`

fix: handle requests to URI IDs correctly 2024-04-25 17:16:30 +02:00			`const query = new URLSearchParams({ resource: uri });`
fix: handle URI actor IDs 2024-04-25 12:59:05 +02:00
feat: ability to view federated profiles via url manipulation 2023-05-29 17:42:44 -04:00			`// Make a webfinger query to retrieve routing information`
fix: handle fetch failures on helpers.query 2024-03-11 14:41:05 -04:00			`let response;`
			`let body;`
			`try {`
refactor: use URLSearchParams instead of multiple encodeURIComponent 2024-04-25 13:16:05 +02:00			({ response, body } = await request.get(`https://${hostname}/.well-known/webfinger?${query}`));
fix: handle fetch failures on helpers.query 2024-03-11 14:41:05 -04:00			`} catch (e) {`
			`return false;`
			`}`
feat: ability to view federated profiles via url manipulation 2023-05-29 17:42:44 -04:00
refactor: update ap libs to use core request lib 2023-12-19 14:33:38 -05:00			`if (response.statusCode !== 200 \|\| !body.hasOwnProperty('links')) {`
feat: ability to view federated profiles via url manipulation 2023-05-29 17:42:44 -04:00			`return false;`
			`}`

			`// Parse links to find actor endpoint`
fix: support ldjson with ActivityStreams profile in actor queries 2024-04-08 20:06:26 +02:00			`let actorUri = body.links.filter(link => activitypub._constants.acceptableTypes.includes(link.type) && link.rel === 'self');`
feat: ability to view federated profiles via url manipulation 2023-05-29 17:42:44 -04:00			`if (actorUri.length) {`
			`actorUri = actorUri.pop();`
			`({ href: actorUri } = actorUri);`
			`}`

feat: allow user.search to handle remote handles, beginning of mentions support 2024-03-05 09:56:15 -05:00			`const { subject, publicKey } = body;`
			`const payload = { subject, username, hostname, actorUri, publicKey };`
feat: http signatures support, .sign() and .verify() AP helper methods 2023-06-19 17:29:22 -04:00
fix: handle requests to URI IDs correctly 2024-04-25 17:16:30 +02:00			`const claimedId = new URL(subject).pathname;`
feat: allow user.search to handle remote handles, beginning of mentions support 2024-03-05 09:56:15 -05:00			`webfingerCache.set(claimedId, payload);`
			`if (claimedId !== id) {`
			`webfingerCache.set(id, payload);`
			`}`

			`return payload;`
feat: http signatures support, .sign() and .verify() AP helper methods 2023-06-19 17:29:22 -04:00			`};`

refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00			`Helpers.generateKeys = async (type, id) => {`
			winston.verbose(`[activitypub] Generating RSA key-pair for ${type} ${id}`);
feat: http signatures support, .sign() and .verify() AP helper methods 2023-06-19 17:29:22 -04:00			`const {`
			`publicKey,`
			`privateKey,`
			`} = generateKeyPairSync('rsa', {`
			`modulusLength: 2048,`
			`publicKeyEncoding: {`
			`type: 'spki',`
			`format: 'pem',`
			`},`
			`privateKeyEncoding: {`
			`type: 'pkcs8',`
			`format: 'pem',`
			`},`
			`});`

refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00			await db.setObject(`${type}:${id}:keys`, { publicKey, privateKey });
feat: http signatures support, .sign() and .verify() AP helper methods 2023-06-19 17:29:22 -04:00			`return { publicKey, privateKey };`
feat: ability to view federated profiles via url manipulation 2023-05-29 17:42:44 -04:00			`};`
feat: follow/unfollow logic and receipt 2023-06-28 14:59:39 -04:00
refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00			`Helpers.resolveLocalId = async (input) => {`
refactor: validator check to helper method 2024-01-04 16:23:09 -05:00			`if (Helpers.isUri(input)) {`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`const { host, pathname, hash } = new URL(input);`
feat: update activitypub helper resolveLocalUid to accept both webfinger name and full URL as input 2023-12-11 14:35:04 -05:00
			`if (host === nconf.get('url_parsed').host) {`
refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00			`const [prefix, value] = pathname.replace(nconf.get('relative_path'), '').split('/').filter(Boolean);`

feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`let activityData = {};`
			`if (hash.startsWith('#activity')) {`
			`const [, activity, data] = hash.split('/', 3);`
			`activityData = { activity, data };`
			`}`

refactor: stub routes for category synchronization, refactor remote follow logic to allow categories to conduct follows as well 2024-04-15 14:40:26 -04:00			`// https://bb.devnull.land/cid/2#activity/follow/activitypub@community.nodebb.org│`
refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00			`switch (prefix) {`
			`case 'uid':`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`return { type: 'user', id: value, ...activityData };`
refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00
			`case 'post':`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`return { type: 'post', id: value, ...activityData };`
refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00
refactor: stub routes for category synchronization, refactor remote follow logic to allow categories to conduct follows as well 2024-04-15 14:40:26 -04:00			`case 'cid':`
refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00			`case 'category':`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`return { type: 'category', id: value, ...activityData };`
refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00
			`case 'user': {`
			`const uid = await user.getUidByUserslug(value);`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`return { type: 'user', id: uid, ...activityData };`
refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00			`}`
fix: move all actor object urls to immutable variants 2024-01-29 16:59:13 -05:00			`}`

feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`return { type: null, id: null, ...activityData };`
feat: update activitypub helper resolveLocalUid to accept both webfinger name and full URL as input 2023-12-11 14:35:04 -05:00			`}`
fix: resolveLocalId to return null values instead of throwing for no resolution 2024-02-09 11:15:03 -05:00
			`return { type: null, id: null };`
fix: crash in resolveLocalId if Number is passed in 2024-02-28 12:54:54 -05:00			`} else if (String(input).indexOf('@') !== -1) { // Webfinger`
refactor: split activitypub tests to subfolder files 2024-04-26 11:30:08 -04:00			`input = decodeURIComponent(input);`
refactor: activitypub sending to handle signed requests from categories 2024-02-05 16:57:17 -05:00			`const [slug] = input.replace(/^acct:/, '').split('@');`
			`const uid = await user.getUidByUserslug(slug);`
			`return { type: 'user', id: uid };`
feat: Like(Note) and Undo(Like); federating likes 2024-02-01 15:59:29 -05:00			`}`

fix: resolveLocalId to return null values instead of throwing for no resolution 2024-02-09 11:15:03 -05:00			`return { type: null, id: null };`
feat: Like(Note) and Undo(Like); federating likes 2024-02-01 15:59:29 -05:00			`};`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00
			`Helpers.resolveActor = (type, id) => {`
			`switch (type) {`
			`case 'user':`
			`case 'uid': {`
			return `${nconf.get('url')}${id > 0 ? `/uid/${id}` : '/actor'}`;
			`}`

			`case 'category':`
			`case 'cid': {`
			return `${nconf.get('url')}/category/${id}`;
			`}`

			`default:`
			`throw new Error('[[error:activitypub.invalid-id]]');`
			`}`
			`};`

			`Helpers.resolveActivity = async (activity, data, id, resolved) => {`
			`switch (activity.toLowerCase()) {`
			`case 'follow': {`
			`const actor = await Helpers.resolveActor(resolved.type, resolved.id);`
			`const { actorUri: targetUri } = await Helpers.query(data);`
			`return {`
			`'@context': 'https://www.w3.org/ns/activitystreams',`
			`actor,`
			`id,`
			`type: 'Follow',`
			`object: targetUri,`
			`};`
			`}`
feat: resolve Crate and Announce activities 2024-04-17 19:19:09 +02:00			`case 'announce':`
			`case 'create': {`
			`const object = await Helpers.resolveObjects(resolved.id);`
			`// local create activities are assumed to come from the user who created the underlying object`
			`const actor = object.attributedTo \|\| object.actor;`
			`return {`
			`'@context': 'https://www.w3.org/ns/activitystreams',`
			`actor,`
			`id,`
			`type: 'Create',`
			`object,`
			`};`
			`}`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`default: {`
			`throw new Error('[[error:activitypub.not-implemented]]');`
			`}`
			`}`
			`};`

fix: support reporting remote content in Flag 2024-04-14 02:42:30 +02:00			`Helpers.mapToLocalType = (type) => {`
			`if (type === 'Person') {`
			`return 'user';`
			`}`
			`if (type === 'Group') {`
			`return 'category';`
			`}`
			`if (type === 'Hashtag') {`
			`return 'tag';`
			`}`
			`if (activitypub._constants.acceptedPostTypes.includes(type)) {`
			`return 'post';`
			`}`
			`};`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00
			`Helpers.resolveObjects = async (ids) => {`
			`if (!Array.isArray(ids)) {`
			`ids = [ids];`
			`}`
			`const objects = await Promise.all(ids.map(async (id) => {`
feat: resolve Crate and Announce activities 2024-04-17 19:19:09 +02:00			`// try to get a local ID first`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`const { type, id: resolvedId, activity, data: activityData } = await Helpers.resolveLocalId(id);`
feat: resolve Crate and Announce activities 2024-04-17 19:19:09 +02:00			`// activity data is only resolved for local IDs - so this will be false for remote posts`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`if (activity) {`
			`return Helpers.resolveActivity(activity, activityData, id, { type, id: resolvedId });`
			`}`
			`switch (type) {`
			`case 'user': {`
fix: throw errors when local objects don't exist 2024-04-10 18:50:41 +02:00			`if (!await user.exists(resolvedId)) {`
			`throw new Error('[[error:activitypub.invalid-id]]');`
			`}`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`return activitypub.mocks.actors.user(resolvedId);`
			`}`
			`case 'post': {`
			`const post = (await posts.getPostSummaryByPids(`
			`[resolvedId],`
			`activitypub._constants.uid,`
			`{ stripTags: false }`
			`)).pop();`
			`if (!post) {`
fix: throw errors when local objects don't exist 2024-04-10 18:50:41 +02:00			`throw new Error('[[error:activitypub.invalid-id]]');`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`}`
			`return activitypub.mocks.note(post);`
			`}`
			`case 'category': {`
fix: throw errors when local objects don't exist 2024-04-10 18:50:41 +02:00			`if (!await categories.exists(resolvedId)) {`
			`throw new Error('[[error:activitypub.invalid-id]]');`
			`}`
			`return activitypub.mocks.actors.category(resolvedId);`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`}`
feat: resolve Crate and Announce activities 2024-04-17 19:19:09 +02:00			`// if the type is not recognized, assume it's not a local ID and fetch the object from its origin`
feat: resolve objects from ids in middleware 2024-04-09 23:58:00 +02:00			`default: {`
			`return activitypub.get('uid', 0, id);`
			`}`
			`}`
			`}));`
			`return objects.length === 1 ? objects[0] : objects;`
			`};`