0.2.3

fix pleroma 500
fix user block
block html proxying

.gitignore

@@ -1,2 +1,3 @@
 node_modules
-keys.sqlite
+keys.sqlite
+.env

.npmignore

@@ -0,0 +1,2 @@
+keys.sqlite
+.env

README.md

@@ -8,19 +8,17 @@ The intended usage of this is as an alternative to using alt accounts or moving
 
 The major caveat with this particular implementation is that if you boost or reply to proxied posts, your followers will see and interact with those authors via masquerade as well, causing a bit of a mess. This is unless you limit the usage to whitelisted domains/users, which you will almost definitely have to do or someone will abuse it and get it blocked. In that case, anyone who isn't whitelisted just won't see the boosts.
 
-With that said, this initial implementation is more of an experimental proof-of-concept of what can be done with so little code, but to implement this concept properly, it probably needs to be rewritten with a deeper, stricter integration into the ActivityPub protocol. Access controls need to be more flexible and reliable, and a solution needs to be found for the boosting issue.
-
 
 ## Installation
 
 You will need a host with Node.js 15 or newer, and a wildcard domain with HTTPS pointed to your server. Cloudflare may be easiest, as you can bind the app to an extra IP address and connect Cloudflare directly to it.
 
-Download the repository and `npm i`. Then you can run it with the following environment variables.
+Download the repository and `npm i`. Then you can run it with the following environment variables (you can create a .env file).
 
 - `PORT`: The port to listen for HTTP, default: 80.
 - `BIND_IP`: The IP address to bind to. Default: all.
-- `DOMAIN_WHITELIST`: Comma-separated list of domains that can use the proxy. Recommended to use this to prevent abuse as otherwise anyone can proxy anything. Remember to include the domains you want to follow from as well as the domains you want to follow, as it needs to work both ways.
+- `DOMAIN_WHITELIST`: Comma-separated list of domains that can be proxied. Recommended to use this to prevent abuse as otherwise anyone can proxy anything. Remember to include the domains you want to follow from as well as the domains you want to follow, as it needs to work both ways. Default: any
-- `USER_WHITELIST`: Comma-separated list of names that can be looked up. Maybe useful if you don't want other users messing with other users... 🤷 Note that this only restricts the webfinger. (todo could be circumvented? 🤔) Default: any
+- `USER_WHITELIST`: Comma-separated list of usernames that can be proxied (case-sensitive, name only without `@`). Default: any
 - `NODE_ENV`: Set to `development` to see debug logs.
 
 Install by copying and pasting this example systemd file to `/etc/systemd/system/ap-proxy.service` (or similar), and editing as needed:

index.js

@@ -1,17 +1,23 @@
+import * as dotenv from "dotenv";
+dotenv.config();
+
 if (process.env.NODE_ENV != "development") {
 	process.env.NODE_ENV = "production";
 	console.debug = () => {};
 }
 
 if (process.env.DOMAIN_WHITELIST) var DOMAIN_WHITELIST = process.env.DOMAIN_WHITELIST.split(',').map(x=>x.trim().toLowerCase()).filter(x=>x);
-if (process.env.USER_WHITELIST) var USER_WHITELIST = process.env.USER_WHITELIST.split(',').map(x=>x.trim().toLowerCase()).filter(x=>x);
+if (process.env.USER_WHITELIST) var USER_WHITELIST = process.env.USER_WHITELIST.split(',').map(x=>x.trim()).filter(x=>x);
 
-var express = require("express");
+import express from "express";
-require("express-async-errors");
+import "express-async-errors";
-var fetch = require("node-fetch");
+import fetch from "node-fetch";
-var Keyv = require("keyv");
+import Keyv from "keyv";
-var crypto = require("crypto");
+import {Sha256Signer, Parser} from "activitypub-http-signatures";
-var generateKeyPair = require("util").promisify(crypto.generateKeyPair);
+import * as crypto from "crypto";
+import * as util from "util";
+var generateKeyPair = util.promisify(crypto.generateKeyPair);
+var parser = new Parser();
 
 var keystore = new Keyv("sqlite://keys.sqlite");
 
@@ -41,40 +47,40 @@ app.use(async (req, res, next) => {
 	if (!req.subdomains[0]) return next();
 
 	var TARGET_NODE = req.subdomains[0].replaceAll(/(?<!-)-(?!-)/g, '.').replaceAll('--','-');
-	if (DOMAIN_WHITELIST && !DOMAIN_WHITELIST.includes(TARGET_NODE)) return res.status(403).send(`target ${TARGET_NODE} is not whitelisted`);
 	var TARGET_REGEXP = new RegExp(`(?<!\\.)${TARGET_NODE.replaceAll('.','\\.')}`, 'gi');
 	var TARGET_MASQUERADE = req.hostname;
+	var TARGET_URL = `https://${TARGET_NODE}${req.url.replaceAll(TARGET_MASQUERADE, TARGET_NODE)}`;
+	if (DOMAIN_WHITELIST && !DOMAIN_WHITELIST.includes(TARGET_NODE)) {
+		console.debug(`target ${TARGET_NODE} blocked by whitelist`);
+		//res.status(403).send(`target ${TARGET_NODE} is not whitelisted`);
+		res.redirect(308, TARGET_URL);
+		return;
+	}
 
 	var CLIENT_NODE = req.get("User-Agent").match(/(?<=https:\/\/)[a-z0-9-\.]+/i)?.[0];
-	if (DOMAIN_WHITELIST && !DOMAIN_WHITELIST.includes(CLIENT_NODE)) return res.status(403).send(`client ${CLIENT_NODE} is not whitelisted`);
 	if (CLIENT_NODE) {
+		if (DOMAIN_WHITELIST && !DOMAIN_WHITELIST.includes(CLIENT_NODE)) {
+			console.debug(`client ${CLIENT_NODE} blocked by whitelist`);
+			//res.status(403).send(`client ${CLIENT_NODE} is not whitelisted`);
+			res.redirect(308, TARGET_URL);
+			return;
+		}
 		var CLIENT_REGEXP = new RegExp(`(?<!\\.)${CLIENT_NODE.replaceAll('.','\\.')}`, 'gi');
 		var CLIENT_MASQUERADE = [CLIENT_NODE.replaceAll('-','--').replaceAll('.','-'), ...req.hostname.split('.').slice(-2)].join('.');
 	}
 
-	if (USER_WHITELIST && req.url.startsWith("/.well-known/webfinger") && !USER_WHITELIST.includes(req.query.resource?.replace('acct:','').split('@')[0])) return res.status(403).send("user not whitelisted");
-
-	var url = `https://${TARGET_NODE}${req.url.replaceAll(TARGET_MASQUERADE, TARGET_NODE)}`;
 	var opts = {method: req.method, headers: {
-		host: TARGET_NODE,
+		"host": TARGET_NODE,
-		date: new Date().toUTCString()
+		"date": new Date().toUTCString(),
 	}};
 	
 	if (req.method == "POST") {
-		var {Sha256Signer, Parser} = await import("activitypub-http-signatures");
-		var parser = new Parser();
 		var signature = parser.parse({url: req.url, method: req.method, headers: req.headers});
 		console.debug({signature});
-		var publicKeyPem = (await keystore.get(signature.keyId))?.publicKey;
+
-		if (!publicKeyPem) {
+		var publicKeyPem = await getRemotePubkey(signature.keyId);
-			console.debug("fetching public key", signature.keyId);
+		if (!publicKeyPem) return res.status(400).send("could not get pubkey");
-			let user_res = await fetch(signature.keyId, {headers:{Accept:"application/json"}});
+
-			if (!user_res.ok || !user_res.headers.get("content-type").includes("json")) return res.status(400).send("cannot verify");
-			let user_json = await user_res.json();
-			console.debug({user_json});
-			publicKeyPem = user_json.publicKey.publicKeyPem;
-			keystore.set(signature.keyId, {publicKey: publicKeyPem});
-		}
 		if (!signature.verify(publicKeyPem)) {
 			res.status(400).send("bad signature");
 			console.debug("bad signature");
@@ -82,65 +88,62 @@ app.use(async (req, res, next) => {
 		}
 
 		var modifiedPayload = req.body.replaceAll(TARGET_MASQUERADE, TARGET_NODE).replaceAll(CLIENT_REGEXP, CLIENT_MASQUERADE);
-		console.debug({CLIENT_NODE,CLIENT_REGEXP,CLIENT_MASQUERADE,original:req.body,modified:modifiedPayload});
+		console.debug({CLIENT_NODE, CLIENT_REGEXP, CLIENT_MASQUERADE, original:req.body, modified:modifiedPayload});
 
 		var digest = crypto.createHash("sha256").update(modifiedPayload, "utf-8").digest("base64");
-		opts.headers.digest = `sha-256=${digest}`;
+		opts.headers["digest"] = `sha-256=${digest}`;
 
 		var clientMasqueradeKeyId = signature.keyId.replaceAll(CLIENT_NODE, CLIENT_MASQUERADE);
-		var clientMasqueradePrivateKeyPem = (await keystore.get(clientMasqueradeKeyId))?.privateKey;
+		var clientMasqueradePrivateKeyPem = (await getLocalKeypair(clientMasqueradeKeyId))?.privateKey;
-		if (!clientMasqueradePrivateKeyPem) {
-			console.debug("making new masquerade key (client)");
-			var {publicKey, privateKey} = await generateKeyPair('rsa', {
-				publicKeyEncoding: {type:'pkcs1', format: 'pem'},
-				privateKeyEncoding: {type:'pkcs1', format: 'pem'},
-				modulusLength: 2048
-			});
-			clientMasqueradePrivateKeyPem = privateKey;
-			await keystore.set(clientMasqueradeKeyId, {publicKey, privateKey});
-		}
 		
 		var signer = new Sha256Signer({
 			publicKeyId: clientMasqueradeKeyId,
 			privateKey: clientMasqueradePrivateKeyPem,
 			headerNames: ['(request-target)', 'host', 'date', 'digest']
 		});
-		opts.headers.signature = signer.sign({url, method: opts.method, headers: opts.headers});
+
+		opts.headers["signature"] = signer.sign({url: TARGET_URL, method: opts.method, headers: opts.headers});
+		opts.headers["content-tength"] = modifiedPayload.length;
+		if (req.get("Content-Type")) opts.headers["content-type"] = req.get("Content-Type");
 		opts.body = modifiedPayload;
 	}
 
-	if (req.get("Accept")) opts.headers.Accept = req.get("Accept");
+	if (req.get("User-Agent")) opts.headers["user-agent"] = req.get("User-Agent").replaceAll(CLIENT_NODE, CLIENT_MASQUERADE);
-	var target_res = await fetch(url, opts);
+	if (req.get("Accept")) opts.headers["accept"] = req.get("Accept");
-	console.debug(target_res.status, target_res.statusText, target_res.headers.get("content-type"));
+
-	
+	var target_res = await fetch(TARGET_URL, opts);
+	var contentType = target_res.headers.get("content-type");
+	console.debug(target_res.status, target_res.statusText, contentType);
+
+	//note this affects html attachments from pleroma
+	if (contentType.startsWith("text/html")) {
+		//res.status(403).send("html is not allowed");
+		res.redirect(308, TARGET_URL);
+		return;
+	}
+
 	if ([
 		"application/jrd+json",
 		"application/activity+json",
 		"application/json",
 		"application/xrd+xml",
-		"application/xml",
+		"application/xml"
-		"text/",
+	].some(t => contentType?.toLowerCase().startsWith(t))) {
-		"charset=utf-8"
-	].some(t => target_res.headers.get("content-type")?.toLowerCase().includes(t))) {
 		var originalText = await target_res.text(), modifiedText = originalText;
 		console.debug({originalText})
-		if (target_res.headers.get("content-type").includes("json")) {
+		if (contentType.includes("json")) {
 			var json = JSON.parse(originalText);
+			if (json.preferredUsername && USER_WHITELIST && !USER_WHITELIST.includes(json.preferredUsername)) {
+				console.debug(`user ${json.preferredUsername} blocked by whitelist`);
+				//res.status(403).send(`${json.preferredUsername} is not whitelisted`);
+				res.redirect(308, TARGET_URL);
+				return;
+			}
 			if (json.publicKey) {
 				console.debug("has key");
 				await keystore.set(json.publicKey.id, {publicKey: json.publicKey.publicKeyPem});
 				var masqueradeKeyId = json.publicKey.id.replaceAll(TARGET_REGEXP, TARGET_MASQUERADE);
-				var masqueradeKeyPem = (await keystore.get(masqueradeKeyId))?.publicKey;
+				var masqueradeKeyPem = (await getLocalKeypair(masqueradeKeyId)).publicKey;
-				if (!masqueradeKeyPem) {
-					console.debug("making new masquerade key (target)");
-					var {publicKey, privateKey} = await generateKeyPair('rsa', {
-						publicKeyEncoding: {type:'pkcs1', format: 'pem'},
-						privateKeyEncoding: {type:'pkcs1', format: 'pem'},
-						modulusLength: 2048
-					});
-					masqueradeKeyPem = publicKey;
-					await keystore.set(masqueradeKeyId, {publicKey, privateKey});
-				}
 				json.publicKey.id = masqueradeKeyId;
 				json.publicKey.publicKeyPem = masqueradeKeyPem;
 				modifiedText = JSON.stringify(json);
@@ -148,9 +151,42 @@ app.use(async (req, res, next) => {
 		}
 		modifiedText = modifiedText.replaceAll(TARGET_REGEXP, TARGET_MASQUERADE);
 		console.debug({modifiedText});
-	} else console.debug("binary");
+	} else console.debug("passthrough");
+	if (!target_res.ok && !modifiedText && contentType.startsWith("text/")) console.debug("response:", await target_res.text());
 	res.status(target_res.status);
-	res.header("Content-Type", target_res.headers.get("content-type"));
+	res.header("Content-Type", contentType);
 	if (modifiedText) res.send(modifiedText);
 	else target_res.body.pipe(res);
 });
+
+
+
+async function getLocalKeypair(id) {
+	var keys = await keystore.get(id);
+	if (keys) return keys;
+	console.debug("making new masquerade key");
+	keys = await generateKeyPair('rsa', {
+		publicKeyEncoding: {type:'pkcs1', format: 'pem'},
+		privateKeyEncoding: {type:'pkcs1', format: 'pem'},
+		modulusLength: 2048
+	});
+	await keystore.set(id, keys);
+	return keys;
+}
+
+async function getRemotePubkey(id) {
+	var publicKey = (await keystore.get(id))?.publicKey;
+	if (publicKey) return publicKey;
+	console.debug("fetching public key", id);
+	var res = await fetch(id, {headers: {Accept: "application/activity+json"}});
+	console.debug(res.status, res.statusText, res.headers.get("content-type"));
+	if (!res.ok || !res.headers.get("content-type").includes("json")) {
+		console.debug("could not get key");
+		return false;
+	};
+	var json = await res.json();
+	console.debug(json);
+	var publicKey = json?.publicKey?.publicKeyPem;
+	if (publicKey) keystore.set(id, {publicKey});
+	return publicKey;
+}

package.json

@@ -1,10 +1,30 @@
 {
-  "dependencies": {
+	"name": "activitypub-proxy",
-    "@keyv/sqlite": "^3.6.4",
+	"version": "0.2.3",
-    "activitypub-http-signatures": "^2.0.1",
+	"keywords": [
-    "express": "^4.18.2",
+		"activitypub",
-    "express-async-errors": "^3.1.1",
+		"mastodon",
-    "keyv": "^4.5.2",
+		"misskey",
-    "node-fetch": "^2.6.7"
+		"pleroma",
-  }
+		"fediblock"
+	],
+	"homepage": "https://activitypub-proxy.cf",
+	"bugs": "https://gitea.moe/lamp/activitypub-proxy/issues",
+	"repository": {
+		"type": "git",
+		"url": "https://gitea.moe/lamp/activitypub-proxy"
+	},
+	"dependencies": {
+		"@keyv/sqlite": "^3.6.4",
+		"activitypub-http-signatures": "^2.0.1",
+		"dotenv": "^16.0.3",
+		"express": "^4.18.2",
+		"express-async-errors": "^3.1.1",
+		"keyv": "^4.5.2",
+		"node-fetch": "^3.3.0"
+	},
+	"type": "module",
+	"engines": {
+		"node": ">=15.0.0"
+	}
 }