From d696a1f465f19147d31cff4587206cb303ed9c3b Mon Sep 17 00:00:00 2001 From: Darius Kazemi Date: Sat, 15 Sep 2018 00:01:19 -0700 Subject: [PATCH] First commit. --- .gitignore | 3 ++ README.md | 98 +++++++++++++++++++++++++++++++++++ config.json | 8 +++ index.js | 72 ++++++++++++++++++++++++++ package.json | 24 +++++++++ public/admin/index.html | 108 ++++++++++++++++++++++++++++++++++++++ routes/admin.js | 66 ++++++++++++++++++++++++ routes/api.js | 111 ++++++++++++++++++++++++++++++++++++++++ routes/inbox.js | 104 +++++++++++++++++++++++++++++++++++++ routes/index.js | 9 ++++ routes/user.js | 25 +++++++++ routes/webfinger.js | 24 +++++++++ 12 files changed, 652 insertions(+) create mode 100644 .gitignore create mode 100644 README.md create mode 100644 config.json create mode 100644 index.js create mode 100644 package.json create mode 100644 public/admin/index.html create mode 100644 routes/admin.js create mode 100644 routes/api.js create mode 100644 routes/inbox.js create mode 100644 routes/index.js create mode 100644 routes/user.js create mode 100644 routes/webfinger.js diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4913e17 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +node_modules/ +package-lock.json +*.db diff --git a/README.md b/README.md new file mode 100644 index 0000000..8e3f0b5 --- /dev/null +++ b/README.md @@ -0,0 +1,98 @@ +# Express ActivityPub Server + +A very simple standalone ActivityPub server that supports: + +* creation of new Actors via API +* discovery of our Actors via webfinger (so you can find these accounts from other instances) +* notifying followers of new posts (so new posts show up in their timeline) + +_This is meant as a reference implementation!_ This code implements a very small subset of ActivityPub and is supposed to help you get your bearings when it comes to making your own barebones ActivityPub support in your own projects. (Of course you can still fork this and start building on it as well, but it's not exactly hardened production code.) + +Example use case: I own tinysubversions.com. I can have this server run on bots.tinysubversions.com. All of my bots are stored and published and discoverable there. If I want to create a new bot, I go to bots.tinysubversions.com/admin and enter an account name, enter my admin user/pass on prompt, and it creates an account record and it gives me back an API key. I then make POST calls to the API passing the API key in a header and it publishes those things to followers. + +## Requirements + +This requires Node.js v10.10.0 or above. + +## Installation + +Clone the repository, then `cd` into its root directory. Install dependencies: + +`npm i` + +Update your `config.json` file: + +```js +{ + "USER": "pickAUsername", + "PASS": "pickAPassword", + "DOMAIN": "mydomain.com", // your domain! this should be a discoverable domain of some kind like "example.com" + "PORT": "3000", // the port that Express runs on + "PRIVKEY_PATH": "/path/to/your/ssl/privkey.pem", // point this to your private key you got from Certbot or similar + "CERT_PATH": "/path/to/your/ssl/cert.pem" // point this to your cert you got from Certbot or similar +} +``` + +Run the server! + +`node index.js` + +Go to the admin page and create an account: + +`http://yourdomain.com/admin` + +Enter "test" in the "Create Account" section and hit the "Create Account" button. It will prompt you for the user/pass you just set in your config file, and then you should get a message with some verification instructions, pointing you to some URLs that should be serving some ActivityPub JSON now. + +## Local testing + +You can use a service like [ngrok](https://ngrok.com/) to test things out before you deploy on a real server. All you need to do is install ngrok and run `ngrok http 3000` (or whatever port you're using if you changed it). Then go to your `config.json` and update the `DOMAIN` field to whatever `abcdef.ngrok.io` domain that ngrok gives you and restart your server. + +## Admin Page + +For your convenience, if you go to the `/admin` endpoint in a browser, you will see an admin page. Don't worry, nothing is possible here unless either your admin user/pass (for creating accounts) or a valid API key (for sending messages as an account). This page provides a simple web form for both creating accounts and sending messages to followers. + +## API + +### Create Account + +Create a new account. This is a new ActivityPub Actor, along with its webfinger record. This creates a new row in the `accounts` table in the database. + +Send a POST to `/api/admin/create` using basic HTTP auth with the admin username/password. The form body needs an "account" field. An example CURL request: + +``` +curl -u adminUsername:adminPassword -d "account=test" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://example.com/api/admin/create +``` + +This will return a 200 status and `{msg: "ok", apikey: "yourapikey"}` if all goes well. + +### Send Message to Followers + +Send a message to followers. This is NOT a direct message or an @-mention. This simply means that the message you post via this endpoint will appear in the timelines (AKA inboxes) of every one of the account's followers. + +Send a POST to `api/sendMessage` with the form fields `acct`, `apikey`, and `message`. + +* `acct`: the account name in the form "myAccountName" (no domain or @'s needed) +* `apikey`: your hex API + +## Database + +This server uses a SQLite database to keep track of all the data. There is one table in the database: `accounts`. + +### `accounts` + +This table keeps track of all the data needed for the accounts. Columns: + +* `name` `TEXT PRIMARY KEY`: the account name, in the form `thename@example.com` +* `privkey` `TEXT`: the RSA private key for the account +* `pubkey` `TEXT`: the RSA public key for the account +* `webfinger` `TEXT`: the entire contents of the webfinger JSON served for this account +* `actor` `TEXT`: the entire contents of the actor JSON served for this account +* `apikey` `TEXT`: the API key associated with this account +* `followers` `TEXT`: a JSON-formatted array of the URL for the Actor JSON of all followers, in the form `["https://remote.server/users/somePerson", "https://another.remote.server/ourUsers/anotherPerson"]` +* `messages` `TEXT`: not yet used but will eventually store all messages so we can render them on a "profile" page + +## License + +Copyright (c) 2018 Darius Kazemi +Licensed under the MIT license. + diff --git a/config.json b/config.json new file mode 100644 index 0000000..a1c50a4 --- /dev/null +++ b/config.json @@ -0,0 +1,8 @@ +{ + "USER": "", + "PASS": "", + "DOMAIN": "", + "PORT": "3000", + "PRIVKEY_PATH": "", + "CERT_PATH": "" +} diff --git a/index.js b/index.js new file mode 100644 index 0000000..6f6b133 --- /dev/null +++ b/index.js @@ -0,0 +1,72 @@ +const config = require('./config.json'); +const { USER, PASS, DOMAIN, PRIVKEY_PATH, CERT_PATH, PORT } = config; +const express = require('express'); +const app = express(); +const sqlite3 = require('sqlite3').verbose(); +const db = new sqlite3.Database('bot-node.db'); +const fs = require('fs'); +const routes = require('./routes'), + bodyParser = require('body-parser'), + cors = require('cors'), + http = require('http'), + basicAuth = require('express-basic-auth'); +let sslOptions; + +try { + sslOptions = { + key: fs.readFileSync(PRIVKEY_PATH), + cert: fs.readFileSync(CERT_PATH) + }; +} catch(err) { + if (err.errno === -2) { + console.log('No SSL key and/or cert found, not enabling https server'); + } + else { + console.log(err); + } +} + +// if there is no `accounts` table in the DB, create an empty table +db.run('CREATE TABLE IF NOT EXISTS accounts (name TEXT PRIMARY KEY, privkey TEXT, pubkey TEXT, webfinger TEXT, actor TEXT, apikey TEXT, followers TEXT, messages TEXT)'); + +app.set('db', db); +app.set('domain', DOMAIN); +app.set('port', process.env.PORT || PORT || 3000); +app.set('port-https', process.env.PORT_HTTPS || 8443); +app.use(bodyParser.json({type: 'application/activity+json'})); // support json encoded bodies +app.use(bodyParser.urlencoded({ extended: true })); // support encoded bodies + +// basic http authorizer +let basicUserAuth = basicAuth({ + authorizer: asyncAuthorizer, + authorizeAsync: true, + challenge: true +}); + +function asyncAuthorizer(username, password, cb) { + let isAuthorized = false; + const isPasswordAuthorized = username === USER; + const isUsernameAuthorized = password === PASS; + isAuthorized = isPasswordAuthorized && isUsernameAuthorized; + if (isAuthorized) { + return cb(null, true); + } + else { + return cb(null, false); + } +} + +app.get('/', (req, res) => res.send('Hello World!')); + +// admin page +app.options('/api', cors()); +app.use('/api', cors(), routes.api); +app.use('/api/admin', cors({ credentials: true, origin: true }), basicUserAuth, routes.admin); +app.use('/admin', express.static('public/admin')); +app.use('/.well-known/webfinger', cors(), routes.webfinger); +app.use('/u', cors(), routes.user); +app.use('/api/inbox', cors(), routes.inbox); + +http.createServer(app).listen(app.get('port'), function(){ + console.log('Express server listening on port ' + app.get('port')); +}); diff --git a/package.json b/package.json new file mode 100644 index 0000000..7336416 --- /dev/null +++ b/package.json @@ -0,0 +1,24 @@ +{ + "name": "bot-node", + "version": "1.0.0", + "description": "", + "main": "index.js", + "dependencies": { + "body-parser": "^1.18.3", + "cors": "^2.8.4", + "express": "^4.16.3", + "express-basic-auth": "^1.1.5", + "generate-rsa-keypair": "^0.1.2", + "request": "^2.87.0", + "sqlite3": "^4.0.2" + }, + "engines": { + "node": ">=10.10.0" + }, + "devDependencies": {}, + "scripts": { + "test": "echo \"Error: no test specified\" && exit 1" + }, + "author": "", + "license": "ISC" +} diff --git a/public/admin/index.html b/public/admin/index.html new file mode 100644 index 0000000..ea66339 --- /dev/null +++ b/public/admin/index.html @@ -0,0 +1,108 @@ + + + + + Admin Page + + + +

Admin Page

+

Create Account

+

Create a new ActivityPub Actor (account). Requires the admin user/pass on submit.

+

+ +

+ +

+

Send Message To Followers

+

Enter an account name, its API key, and a message. This message will send to all its followers.

+

+ +

+

+
a long hex key you got when you created your account +

+

+
+

+ +

+ + + + diff --git a/routes/admin.js b/routes/admin.js new file mode 100644 index 0000000..bec6d5e --- /dev/null +++ b/routes/admin.js @@ -0,0 +1,66 @@ +'use strict'; +const express = require('express'), + router = express.Router(), + crypto = require('crypto'), + generateRSAKeypair = require('generate-rsa-keypair'); + +function createActor(name, domain, pubkey) { + return { + '@context': [ + 'https://www.w3.org/ns/activitystreams', + 'https://w3id.org/security/v1' + ], + + 'id': `https://${domain}/u/${name}`, + 'type': 'Person', + 'preferredUsername': `${name}`, + 'inbox': `https://${domain}/api/inbox`, + + 'publicKey': { + 'id': `https://${domain}/u/${name}#main-key`, + 'owner': `https://${domain}/u/${name}`, + 'publicKeyPem': pubkey + } + }; +} + +function createWebfinger(name, domain) { + return { + 'subject': `acct:${name}@${domain}`, + + 'links': [ + { + 'rel': 'self', + 'type': 'application/activity+json', + 'href': `https://${domain}/u/${name}` + } + ] + }; +} + +router.post('/create', function (req, res) { + // pass in a name for an account, if the account doesn't exist, create it! + const account = req.body.account; + if (account === undefined) { + return res.status(400).json({msg: 'Bad request. Please make sure "account" is a property in the POST body.'}); + } + let db = req.app.get('db'); + let domain = req.app.get('domain'); + // create keypair + var pair = generateRSAKeypair(); + let actorRecord = createActor(account, domain, pair.public); + let webfingerRecord = createWebfinger(account, domain); + const apikey = crypto.randomBytes(16).toString('hex'); + db.run('insert or replace into accounts(name, actor, apikey, pubkey, privkey, webfinger) values($name, $actor, $apikey, $pubkey, $privkey, $webfinger)', { + $name: `${account}@${domain}`, + $apikey: apikey, + $pubkey: pair.public, + $privkey: pair.private, + $actor: JSON.stringify(actorRecord), + $webfinger: JSON.stringify(webfingerRecord) + }, (err, accounts) => { + res.status(200).json({msg: 'ok', apikey}); + }); +}); + +module.exports = router; diff --git a/routes/api.js b/routes/api.js new file mode 100644 index 0000000..d7a38f0 --- /dev/null +++ b/routes/api.js @@ -0,0 +1,111 @@ +'use strict'; +const express = require('express'), + router = express.Router(), + request = require('request'), + crypto = require('crypto'); + +router.post('/sendMessage', function (req, res) { + let db = req.app.get('db'); + let domain = req.app.get('domain'); + let acct = req.body.acct; + let apikey = req.body.apikey; + let message = req.body.message; + // check to see if your API key matches + db.get('select apikey from accounts where name = $name', {$name: `${acct}@${domain}`}, (err, result) => { + if (result.apikey === apikey) { + sendCreateMessage(message, acct, domain, req, res); + } + else { + res.status(403).json({msg: 'wrong api key'}); + } + }); +}); + +function signAndSend(message, name, domain, req, res, targetDomain, inbox) { + // get the private key + let db = req.app.get('db'); + let inboxFragment = inbox.replace('https://'+targetDomain,''); + db.get('select privkey from accounts where name = $name', {$name: `${name}@${domain}`}, (err, result) => { + if (result === undefined) { + console.log(`No record found for ${name}.`); + } + else { + let privkey = result.privkey; + const signer = crypto.createSign('sha256'); + let d = new Date(); + let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}`; + signer.update(stringToSign); + signer.end(); + const signature = signer.sign(privkey); + const signature_b64 = signature.toString('base64'); + let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date",signature="${signature_b64}"`; + request({ + url: inbox, + headers: { + 'Host': targetDomain, + 'Date': d.toUTCString(), + 'Signature': header + }, + method: 'POST', + json: true, + body: message + }, function (error, response){ + console.log(`Sent message to an inbox at ${targetDomain}!`); + if (error) { + console.log('Error:', error, response); + } + else { + console.log('Response Status Code:', response.statusCode); + } + }); + } + }); +} + +function createMessage(text, name, domain) { + const guid = crypto.randomBytes(16).toString('hex'); + let d = new Date(); + + return { + '@context': 'https://www.w3.org/ns/activitystreams', + + 'id': `https://${domain}/${guid}`, + 'type': 'Create', + 'actor': `https://${domain}/u/${name}`, + + 'object': { + 'id': `https://${domain}/${guid}`, + 'type': 'Note', + 'published': d.toISOString(), + 'attributedTo': `https://${domain}/u/${name}`, + 'content': text, + 'to': 'https://www.w3.org/ns/activitystreams#Public' + } + }; +} + +function sendCreateMessage(text, name, domain, req, res) { + let message = createMessage(text, name, domain); + let db = req.app.get('db'); + + db.get('select followers from accounts where name = $name', {$name: `${name}@${domain}`}, (err, result) => { + let followers = JSON.parse(result.followers); + console.log(followers); + console.log('type',typeof followers); + if (followers === null) { + console.log('aaaa'); + res.status(400).json({msg: `No followers for account ${name}@${domain}`}); + } + else { + for (let follower of followers) { + let inbox = follower+'/inbox'; + let myURL = new URL(follower); + let targetDomain = myURL.hostname; + signAndSend(message, name, domain, req, res, targetDomain, inbox); + } + res.status(200).json({msg: 'ok'}); + } + }); +} + +module.exports = router; diff --git a/routes/inbox.js b/routes/inbox.js new file mode 100644 index 0000000..e8f39a7 --- /dev/null +++ b/routes/inbox.js @@ -0,0 +1,104 @@ +'use strict'; +const express = require('express'), + crypto = require('crypto'), + request = require('request'), + router = express.Router(); + +function signAndSend(message, name, domain, req, res, targetDomain) { + // get the private key + let db = req.app.get('db'); + db.get('select privkey from accounts where name = $name', {$name: `${name}@${domain}`}, (err, result) => { + if (result === undefined) { + return res.status(404).send(`No record found for ${name}.`); + } + else { + let privkey = result.privkey; + const signer = crypto.createSign('sha256'); + let d = new Date(); + let stringToSign = `(request-target): post /inbox\nhost: ${targetDomain}\ndate: ${d.toUTCString()}`; + signer.update(stringToSign); + signer.end(); + const signature = signer.sign(privkey); + const signature_b64 = signature.toString('base64'); + let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date",signature="${signature_b64}"`; + request({ + url: `https://${targetDomain}/inbox`, + headers: { + 'Host': targetDomain, + 'Date': d.toUTCString(), + 'Signature': header + }, + method: 'POST', + json: true, + body: message + }, function (error, response){ + if (error) { + console.log('Error:', error, response.body); + } + else { + console.log('Response:', response.body); + } + }); + return res.status(200); + } + }); +} + +function sendAcceptMessage(thebody, name, domain, req, res, targetDomain) { + const guid = crypto.randomBytes(16).toString('hex'); + let message = { + '@context': 'https://www.w3.org/ns/activitystreams', + 'id': `https://${domain}/${guid}`, + 'type': 'Accept', + 'actor': `https://${domain}/u/${name}`, + 'object': thebody, + }; + signAndSend(message, name, domain, req, res, targetDomain); +} + +function parseJSON(text) { + try { + return JSON.parse(text); + } catch(e) { + return null; + } +} + +router.post('/', function (req, res) { + // pass in a name for an account, if the account doesn't exist, create it! + let domain = req.app.get('domain'); + const myURL = new URL(req.body.actor); + let targetDomain = myURL.hostname; + // TODO: add "Undo" follow event + if (typeof req.body.object === 'string' && req.body.type === 'Follow') { + let name = req.body.object.replace(`https://${domain}/u/`,''); + sendAcceptMessage(req.body, name, domain, req, res, targetDomain); + // Add the user to the DB of accounts that follow the account + let db = req.app.get('db'); + // get the followers JSON for the user + db.get('select followers from accounts where name = $name', {$name: `${name}@${domain}`}, (err, result) => { + if (result === undefined) { + console.log(`No record found for ${name}.`); + } + else { + // update followers + let followers = parseJSON(result.followers); + if (followers) { + followers.push(req.body.actor); + // unique items + followers = [...new Set(followers)]; + } + else { + followers = [req.body.actor]; + } + let followersText = JSON.stringify(followers); + // update into DB + db.run('update accounts set followers=$followers where name = $name', {$name: `${name}@${domain}`, $followers: followersText}, (err, result) => { + console.log('updated followers!', err, result); + }); + } + }); + } +}); + +module.exports = router; diff --git a/routes/index.js b/routes/index.js new file mode 100644 index 0000000..2b97780 --- /dev/null +++ b/routes/index.js @@ -0,0 +1,9 @@ +'use strict'; + +module.exports = { + api: require('./api'), + admin: require('./admin'), + user: require('./user'), + inbox: require('./inbox'), + webfinger: require('./webfinger'), +}; diff --git a/routes/user.js b/routes/user.js new file mode 100644 index 0000000..062e931 --- /dev/null +++ b/routes/user.js @@ -0,0 +1,25 @@ +'use strict'; +const express = require('express'), + router = express.Router(); + +router.get('/:name', function (req, res) { + let name = req.params.name; + if (!name) { + return res.status(400).send('Bad request.'); + } + else { + let db = req.app.get('db'); + let domain = req.app.get('domain'); + name = `${name}@${domain}`; + db.get('select actor from accounts where name = $name', {$name: name}, (err, result) => { + if (result === undefined) { + return res.status(404).send(`No record found for ${name}.`); + } + else { + res.json(JSON.parse(result.actor)); + } + }); + } +}); + +module.exports = router; diff --git a/routes/webfinger.js b/routes/webfinger.js new file mode 100644 index 0000000..9cc67dd --- /dev/null +++ b/routes/webfinger.js @@ -0,0 +1,24 @@ +'use strict'; +const express = require('express'), + router = express.Router(); + +router.get('/', function (req, res) { + let resource = req.query.resource; + if (!resource || !resource.includes('acct:')) { + return res.status(400).send('Bad request. Please make sure "acct:USER@DOMAIN" is what you are sending as the "resource" query parameter.'); + } + else { + let name = resource.replace('acct:',''); + let db = req.app.get('db'); + db.get('select webfinger from accounts where name = $name', {$name: name}, (err, result) => { + if (result === undefined) { + return res.status(404).send(`No record found for ${name}.`); + } + else { + res.json(JSON.parse(result.webfinger)); + } + }); + } +}); + +module.exports = router;