0.2.3

fix pleroma 500
fix user block
block html proxying

.gitignore

@@ -1,2 +1,3 @@
 node_modules
 keys.sqlite
+.env

.npmignore

@@ -0,0 +1,2 @@
+keys.sqlite
+.env

README.md

@@ -1,19 +1,24 @@
 # ActivityPub Proxy
 
-A **simple** proxy for ActivityPub that lets you circumvent blocks by masquerading as another domain name. All it does is replace all hostnames in the text proxied through, and for signed POST requests, it swaps the public keys and re-signs the requests.
+A brutally-simple proxy for ActivityPub that lets you circumvent instance blocks by masquerading as another domain name. All it does is replace all hostnames in the text proxied through, and for signed POST requests, it swaps the public keys and re-signs the requests.
+
+Suppose you have a server at *.proxy.example, your handle is @bob@mastodon.one and you want to follow a friend at @alice@mastodon.two, but mastodon.two blocks mastodon.one for irrelevant reasons. You can change the handle to @alice@mastodon-two.proxy.example and theoretically will be able to fully interact with the other user (and vice-versa) by being masqueraded as @bob@mastodon-one.proxy.example. (If the domain has hyphens, replace with double hyphens.)
+
+The intended usage of this is as an alternative to using alt accounts or moving your account to circumvent whole-server blocks that have nothing to do with you and are unfairly cutting you off from mutuals, despite your particular account being compliant with their rules. Of course, you are entirely responsible for your behavior and compliance whether it's an alt account or a mirror, as there is no practical difference to the other end. ActivityPub Proxy is not intended for nefarious usage.
+
+The major caveat with this particular implementation is that if you boost or reply to proxied posts, your followers will see and interact with those authors via masquerade as well, causing a bit of a mess. This is unless you limit the usage to whitelisted domains/users, which you will almost definitely have to do or someone will abuse it and get it blocked. In that case, anyone who isn't whitelisted just won't see the boosts.
 
-To use it, type a user's handle, replace the dots in their domain with hyphens, and add `.yourproxydomain` to the end. (If the domain already has hyphens, replace them with double hypens.) So for example, say you want to follow @kingu_platypus_gidora@octodon.social but the woke administrator has blocked you (or your instance blocked them wtf mastodon.social??), and you have a proxy at *.activitypub-proxy.cf: that would make @kingu_platypus_gidora@octodon-social.activitypub-proxy.cf which you can theoretically follow and fully interact with just like the real user. The person on the other side will see your tag proxied the same way, `@yourname@your-domain.your.proxy`, and they can follow and interact with you back.
 
 ## Installation
 
 You will need a host with Node.js 15 or newer, and a wildcard domain with HTTPS pointed to your server. Cloudflare may be easiest, as you can bind the app to an extra IP address and connect Cloudflare directly to it.
 
-Download the repository and `npm i`. Then you can run it with the following environment variables.
+Download the repository and `npm i`. Then you can run it with the following environment variables (you can create a .env file).
 
 - `PORT`: The port to listen for HTTP, default: 80.
 - `BIND_IP`: The IP address to bind to. Default: all.
-- `DOMAIN_WHITELIST`: Comma-separated list of domains that can use the proxy. Recommended to use this to prevent abuse as otherwise anyone can proxy anything. Remember to include the domains you want to follow from as well as the domains you want to follow, as it needs to work both ways.
-- `USER_WHITELIST`: Comma-separated list of names that can be looked up. Maybe useful if you don't want other users messing with other users... 🤷 Note that this only restricts the webfinger. (todo could be circumvented? 🤔) Default: any
+- `DOMAIN_WHITELIST`: Comma-separated list of domains that can be proxied. Recommended to use this to prevent abuse as otherwise anyone can proxy anything. Remember to include the domains you want to follow from as well as the domains you want to follow, as it needs to work both ways. Default: any
+- `USER_WHITELIST`: Comma-separated list of usernames that can be proxied (case-sensitive, name only without `@`). Default: any
 - `NODE_ENV`: Set to `development` to see debug logs.
 
 Install by copying and pasting this example systemd file to `/etc/systemd/system/ap-proxy.service` (or similar), and editing as needed:
@@ -34,11 +39,3 @@ WantedBy=multi-user.target
 ```
 
 `systemctl enable --now ap-proxy` and Bob's your uncle.
-
-
-## Known issues
-
-- Sending AP messages to Pleroma makes it 500 Internal Server Error for no obvious reason
-- Since it simply replaces all instances of the domain names in the raw JSON text, mentions of those names in post content will be replaced as well. Although this makes it more likely to work with _anything_ with less code, a stricter version that parses deeper into the protocol might be of better quality.
-
-If any issues please submit!

index.js

@@ -1,17 +1,23 @@
+import * as dotenv from "dotenv";
+dotenv.config();
+
 if (process.env.NODE_ENV != "development") {
 	process.env.NODE_ENV = "production";
 	console.debug = () => {};
 }
 
 if (process.env.DOMAIN_WHITELIST) var DOMAIN_WHITELIST = process.env.DOMAIN_WHITELIST.split(',').map(x=>x.trim().toLowerCase()).filter(x=>x);
-if (process.env.USER_WHITELIST) var USER_WHITELIST = process.env.USER_WHITELIST.split(',').map(x=>x.trim().toLowerCase()).filter(x=>x);
+if (process.env.USER_WHITELIST) var USER_WHITELIST = process.env.USER_WHITELIST.split(',').map(x=>x.trim()).filter(x=>x);
 
-var express = require("express");
-require("express-async-errors");
-var fetch = require("node-fetch");
-var Keyv = require("keyv");
-var crypto = require("crypto");
-var generateKeyPair = require("util").promisify(crypto.generateKeyPair);
+import express from "express";
+import "express-async-errors";
+import fetch from "node-fetch";
+import Keyv from "keyv";
+import {Sha256Signer, Parser} from "activitypub-http-signatures";
+import * as crypto from "crypto";
+import * as util from "util";
+var generateKeyPair = util.promisify(crypto.generateKeyPair);
+var parser = new Parser();
 
 var keystore = new Keyv("sqlite://keys.sqlite");
 
@@ -41,103 +47,103 @@ app.use(async (req, res, next) => {
 	if (!req.subdomains[0]) return next();
 
 	var TARGET_NODE = req.subdomains[0].replaceAll(/(?<!-)-(?!-)/g, '.').replaceAll('--','-');
-	if (DOMAIN_WHITELIST && !DOMAIN_WHITELIST.includes(TARGET_NODE)) return res.status(403).send(`target ${TARGET_NODE} is not whitelisted`);
-	var TARGET_MASQUERADE = req.hostname;
 	var TARGET_REGEXP = new RegExp(`(?<!\\.)${TARGET_NODE.replaceAll('.','\\.')}`, 'gi');
+	var TARGET_MASQUERADE = req.hostname;
+	var TARGET_URL = `https://${TARGET_NODE}${req.url.replaceAll(TARGET_MASQUERADE, TARGET_NODE)}`;
+	if (DOMAIN_WHITELIST && !DOMAIN_WHITELIST.includes(TARGET_NODE)) {
+		console.debug(`target ${TARGET_NODE} blocked by whitelist`);
+		//res.status(403).send(`target ${TARGET_NODE} is not whitelisted`);
+		res.redirect(308, TARGET_URL);
+		return;
+	}
 
 	var CLIENT_NODE = req.get("User-Agent").match(/(?<=https:\/\/)[a-z0-9-\.]+/i)?.[0];
-	if (DOMAIN_WHITELIST && !DOMAIN_WHITELIST.includes(CLIENT_NODE)) return res.status(403).send(`client ${CLIENT_NODE} is not whitelisted`);
-	if (CLIENT_NODE) var CLIENT_MASQUERADE = [CLIENT_NODE.replaceAll('-','--').replaceAll('.','-'), ...req.hostname.split('.').slice(-2)].join('.');
+	if (CLIENT_NODE) {
+		if (DOMAIN_WHITELIST && !DOMAIN_WHITELIST.includes(CLIENT_NODE)) {
+			console.debug(`client ${CLIENT_NODE} blocked by whitelist`);
+			//res.status(403).send(`client ${CLIENT_NODE} is not whitelisted`);
+			res.redirect(308, TARGET_URL);
+			return;
+		}
+		var CLIENT_REGEXP = new RegExp(`(?<!\\.)${CLIENT_NODE.replaceAll('.','\\.')}`, 'gi');
+		var CLIENT_MASQUERADE = [CLIENT_NODE.replaceAll('-','--').replaceAll('.','-'), ...req.hostname.split('.').slice(-2)].join('.');
+	}
 
-	if (USER_WHITELIST && req.url.startsWith("/.well-known/webfinger") && !USER_WHITELIST.includes(req.query.resource?.replace('acct:','').split('@')[0])) return res.status(403).send("user not whitelisted");
-
-	var url = `https://${TARGET_NODE}${req.url.replaceAll(TARGET_MASQUERADE, TARGET_NODE)}`;
 	var opts = {method: req.method, headers: {
-		host: TARGET_NODE,
-		date: new Date().toUTCString()
+		"host": TARGET_NODE,
+		"date": new Date().toUTCString(),
 	}};
 	
 	if (req.method == "POST") {
-		var {Sha256Signer, Parser} = await import("activitypub-http-signatures");
-		var parser = new Parser();
 		var signature = parser.parse({url: req.url, method: req.method, headers: req.headers});
 		console.debug({signature});
-		var publicKeyPem = (await keystore.get(signature.keyId))?.publicKey;
-		if (!publicKeyPem) {
-			console.debug("fetching public key", signature.keyId);
-			let user_res = await fetch(signature.keyId, {headers:{Accept:"application/json"}});
-			if (!user_res.ok || !user_res.headers.get("content-type").includes("json")) return res.status(400).send("cannot verify");
-			let user_json = await user_res.json();
-			console.debug({user_json});
-			publicKeyPem = user_json.publicKey.publicKeyPem;
-			keystore.set(signature.keyId, {publicKey: publicKeyPem});
-		}
+
+		var publicKeyPem = await getRemotePubkey(signature.keyId);
+		if (!publicKeyPem) return res.status(400).send("could not get pubkey");
+
 		if (!signature.verify(publicKeyPem)) {
 			res.status(400).send("bad signature");
 			console.debug("bad signature");
 			return;
 		}
 
-		var modifiedPayload = req.body.replaceAll(TARGET_MASQUERADE, TARGET_NODE).replaceAll(CLIENT_NODE, CLIENT_MASQUERADE);
-		console.debug({CLIENT_NODE,CLIENT_MASQUERADE,original:req.body,modified:modifiedPayload});
+		var modifiedPayload = req.body.replaceAll(TARGET_MASQUERADE, TARGET_NODE).replaceAll(CLIENT_REGEXP, CLIENT_MASQUERADE);
+		console.debug({CLIENT_NODE, CLIENT_REGEXP, CLIENT_MASQUERADE, original:req.body, modified:modifiedPayload});
 
 		var digest = crypto.createHash("sha256").update(modifiedPayload, "utf-8").digest("base64");
-		opts.headers.digest = `sha-256=${digest}`;
+		opts.headers["digest"] = `sha-256=${digest}`;
 
 		var clientMasqueradeKeyId = signature.keyId.replaceAll(CLIENT_NODE, CLIENT_MASQUERADE);
-		var clientMasqueradePrivateKeyPem = (await keystore.get(clientMasqueradeKeyId))?.privateKey;
-		if (!clientMasqueradePrivateKeyPem) {
-			console.debug("making new masquerade key (client)");
-			var {publicKey, privateKey} = await generateKeyPair('rsa', {
-				publicKeyEncoding: {type:'pkcs1', format: 'pem'},
-				privateKeyEncoding: {type:'pkcs1', format: 'pem'},
-				modulusLength: 2048
-			});
-			clientMasqueradePrivateKeyPem = privateKey;
-			await keystore.set(clientMasqueradeKeyId, {publicKey, privateKey});
-		}
+		var clientMasqueradePrivateKeyPem = (await getLocalKeypair(clientMasqueradeKeyId))?.privateKey;
 		
 		var signer = new Sha256Signer({
 			publicKeyId: clientMasqueradeKeyId,
 			privateKey: clientMasqueradePrivateKeyPem,
 			headerNames: ['(request-target)', 'host', 'date', 'digest']
 		});
-		opts.headers.signature = signer.sign({url, method: opts.method, headers: opts.headers});
+
+		opts.headers["signature"] = signer.sign({url: TARGET_URL, method: opts.method, headers: opts.headers});
+		opts.headers["content-tength"] = modifiedPayload.length;
+		if (req.get("Content-Type")) opts.headers["content-type"] = req.get("Content-Type");
 		opts.body = modifiedPayload;
 	}
 
-	if (req.get("Accept")) opts.headers.Accept = req.get("Accept");
-	var target_res = await fetch(url, opts);
-	console.debug(target_res.status, target_res.statusText, target_res.headers.get("content-type"));
+	if (req.get("User-Agent")) opts.headers["user-agent"] = req.get("User-Agent").replaceAll(CLIENT_NODE, CLIENT_MASQUERADE);
+	if (req.get("Accept")) opts.headers["accept"] = req.get("Accept");
+
+	var target_res = await fetch(TARGET_URL, opts);
+	var contentType = target_res.headers.get("content-type");
+	console.debug(target_res.status, target_res.statusText, contentType);
+
+	//note this affects html attachments from pleroma
+	if (contentType.startsWith("text/html")) {
+		//res.status(403).send("html is not allowed");
+		res.redirect(308, TARGET_URL);
+		return;
+	}
 
 	if ([
 		"application/jrd+json",
 		"application/activity+json",
 		"application/json",
 		"application/xrd+xml",
-		"application/xml",
-		"text/",
-		"charset=utf-8"
-	].some(t => target_res.headers.get("content-type")?.toLowerCase().includes(t))) {
+		"application/xml"
+	].some(t => contentType?.toLowerCase().startsWith(t))) {
 		var originalText = await target_res.text(), modifiedText = originalText;
 		console.debug({originalText})
-		if (target_res.headers.get("content-type").includes("json")) {
+		if (contentType.includes("json")) {
 			var json = JSON.parse(originalText);
+			if (json.preferredUsername && USER_WHITELIST && !USER_WHITELIST.includes(json.preferredUsername)) {
+				console.debug(`user ${json.preferredUsername} blocked by whitelist`);
+				//res.status(403).send(`${json.preferredUsername} is not whitelisted`);
+				res.redirect(308, TARGET_URL);
+				return;
+			}
 			if (json.publicKey) {
 				console.debug("has key");
 				await keystore.set(json.publicKey.id, {publicKey: json.publicKey.publicKeyPem});
 				var masqueradeKeyId = json.publicKey.id.replaceAll(TARGET_REGEXP, TARGET_MASQUERADE);
-				var masqueradeKeyPem = (await keystore.get(masqueradeKeyId))?.publicKey;
-				if (!masqueradeKeyPem) {
-					console.debug("making new masquerade key (target)");
-					var {publicKey, privateKey} = await generateKeyPair('rsa', {
-						publicKeyEncoding: {type:'pkcs1', format: 'pem'},
-						privateKeyEncoding: {type:'pkcs1', format: 'pem'},
-						modulusLength: 2048
-					});
-					masqueradeKeyPem = publicKey;
-					await keystore.set(masqueradeKeyId, {publicKey, privateKey});
-				}
+				var masqueradeKeyPem = (await getLocalKeypair(masqueradeKeyId)).publicKey;
 				json.publicKey.id = masqueradeKeyId;
 				json.publicKey.publicKeyPem = masqueradeKeyPem;
 				modifiedText = JSON.stringify(json);
@@ -145,9 +151,42 @@ app.use(async (req, res, next) => {
 		}
 		modifiedText = modifiedText.replaceAll(TARGET_REGEXP, TARGET_MASQUERADE);
 		console.debug({modifiedText});
-	} else console.debug("binary");
+	} else console.debug("passthrough");
+	if (!target_res.ok && !modifiedText && contentType.startsWith("text/")) console.debug("response:", await target_res.text());
 	res.status(target_res.status);
-	res.header("Content-Type", target_res.headers.get("content-type"));
+	res.header("Content-Type", contentType);
 	if (modifiedText) res.send(modifiedText);
 	else target_res.body.pipe(res);
 });
+
+
+
+async function getLocalKeypair(id) {
+	var keys = await keystore.get(id);
+	if (keys) return keys;
+	console.debug("making new masquerade key");
+	keys = await generateKeyPair('rsa', {
+		publicKeyEncoding: {type:'pkcs1', format: 'pem'},
+		privateKeyEncoding: {type:'pkcs1', format: 'pem'},
+		modulusLength: 2048
+	});
+	await keystore.set(id, keys);
+	return keys;
+}
+
+async function getRemotePubkey(id) {
+	var publicKey = (await keystore.get(id))?.publicKey;
+	if (publicKey) return publicKey;
+	console.debug("fetching public key", id);
+	var res = await fetch(id, {headers: {Accept: "application/activity+json"}});
+	console.debug(res.status, res.statusText, res.headers.get("content-type"));
+	if (!res.ok || !res.headers.get("content-type").includes("json")) {
+		console.debug("could not get key");
+		return false;
+	};
+	var json = await res.json();
+	console.debug(json);
+	var publicKey = json?.publicKey?.publicKeyPem;
+	if (publicKey) keystore.set(id, {publicKey});
+	return publicKey;
+}

package.json

@@ -1,10 +1,30 @@
 {
-  "dependencies": {
-    "@keyv/sqlite": "^3.6.4",
-    "activitypub-http-signatures": "^2.0.1",
-    "express": "^4.18.2",
-    "express-async-errors": "^3.1.1",
-    "keyv": "^4.5.2",
-    "node-fetch": "^2.6.7"
-  }
+	"name": "activitypub-proxy",
+	"version": "0.2.3",
+	"keywords": [
+		"activitypub",
+		"mastodon",
+		"misskey",
+		"pleroma",
+		"fediblock"
+	],
+	"homepage": "https://activitypub-proxy.cf",
+	"bugs": "https://gitea.moe/lamp/activitypub-proxy/issues",
+	"repository": {
+		"type": "git",
+		"url": "https://gitea.moe/lamp/activitypub-proxy"
+	},
+	"dependencies": {
+		"@keyv/sqlite": "^3.6.4",
+		"activitypub-http-signatures": "^2.0.1",
+		"dotenv": "^16.0.3",
+		"express": "^4.18.2",
+		"express-async-errors": "^3.1.1",
+		"keyv": "^4.5.2",
+		"node-fetch": "^3.3.0"
+	},
+	"type": "module",
+	"engines": {
+		"node": ">=15.0.0"
+	}
 }