|
6 | 6 | // read outbox → GET /ap/<user>/outbox OrderedCollection contains it |
7 | 7 | // be followed → POST /ap/<user>/inbox a Follow activity |
8 | 8 | // list followers→ GET /ap/<user>/followers contains the follower |
| 9 | +// read inbox → GET /ap/<user>/inbox owner Bearer pages the log |
| 10 | +// (newest first, published |
| 11 | +// stamped); anon → 401 |
9 | 12 | // auth boundary → POST /ap/<user>/outbox no Bearer → 401 |
10 | 13 | // |
11 | 14 | // Same probe-port-then-boot dance as mastodon/: the plugin needs its origin |
@@ -199,6 +202,107 @@ describe('activitypub plugin', () => { |
199 | 202 | assert.strictEqual(res.status, 200); |
200 | 203 | }); |
201 | 204 |
|
| 205 | + // ---- THE INBOX LOG (owner-read surface for mastodon/ timelines) ----------- |
| 206 | + |
| 207 | + it('GET /ap/<user>/inbox anonymous is 401 (the log is the owner\'s private mail)', async () => { |
| 208 | + const res = await fetch(`${base}/ap/${USER}/inbox`); |
| 209 | + assert.strictEqual(res.status, 401); |
| 210 | + const page = await fetch(`${base}/ap/${USER}/inbox?page=true`); |
| 211 | + assert.strictEqual(page.status, 401); |
| 212 | + }); |
| 213 | + |
| 214 | + it('GET /ap/<user>/inbox (owner Bearer) pages the log newest-first; the Follow carries published', async () => { |
| 215 | + const res = await fetch(`${base}/ap/${USER}/inbox`, { |
| 216 | + headers: { authorization: `Bearer ${token}`, accept: 'application/activity+json' }, |
| 217 | + }); |
| 218 | + assert.strictEqual(res.status, 200); |
| 219 | + const coll = await res.json(); |
| 220 | + assert.strictEqual(coll.type, 'OrderedCollection'); |
| 221 | + assert.ok(coll.totalItems >= 2, `expected the Follow + Create in the log, got ${coll.totalItems}`); |
| 222 | + |
| 223 | + const page = await (await fetch(`${base}/ap/${USER}/inbox?page=true`, { |
| 224 | + headers: { authorization: `Bearer ${token}` }, |
| 225 | + })).json(); |
| 226 | + assert.strictEqual(page.type, 'OrderedCollectionPage'); |
| 227 | + assert.ok(Array.isArray(page.orderedItems), 'no orderedItems'); |
| 228 | + // The earlier Follow (POSTed with no published) is in the log, stamped at ingest. |
| 229 | + const follow = page.orderedItems.find((a) => a.type === 'Follow' && a.actor === REMOTE_FOLLOWER); |
| 230 | + assert.ok(follow, 'earlier Follow not in the inbox log'); |
| 231 | + assert.ok(follow.published, 'stored Follow carries no published stamp'); |
| 232 | + // Newest first: the Create was POSTed after the Follow. |
| 233 | + const iCreate = page.orderedItems.findIndex((a) => a.type === 'Create'); |
| 234 | + const iFollow = page.orderedItems.findIndex((a) => a.type === 'Follow'); |
| 235 | + assert.ok(iCreate < iFollow, `log not newest-first (Create at ${iCreate}, Follow at ${iFollow})`); |
| 236 | + }); |
| 237 | + |
| 238 | + it('a Like and an Announce POSTed to the inbox land in the log with type intact', async () => { |
| 239 | + for (const activity of [ |
| 240 | + { type: 'Like', id: `${REMOTE_FOLLOWER}#likes/1`, actor: REMOTE_FOLLOWER, object: `${base}/${USER}/public/statuses/x.jsonld` }, |
| 241 | + { type: 'Announce', id: `${REMOTE_FOLLOWER}#boosts/1`, actor: REMOTE_FOLLOWER, object: `${base}/${USER}/public/statuses/x.jsonld` }, |
| 242 | + ]) { |
| 243 | + const res = await fetch(`${base}/ap/${USER}/inbox`, { |
| 244 | + method: 'POST', |
| 245 | + headers: { 'content-type': 'application/activity+json' }, |
| 246 | + body: JSON.stringify({ '@context': 'https://www.w3.org/ns/activitystreams', ...activity }), |
| 247 | + }); |
| 248 | + assert.strictEqual(res.status, 200); |
| 249 | + } |
| 250 | + const page = await (await fetch(`${base}/ap/${USER}/inbox?page=true`, { |
| 251 | + headers: { authorization: `Bearer ${token}` }, |
| 252 | + })).json(); |
| 253 | + const like = page.orderedItems.find((a) => a.id === `${REMOTE_FOLLOWER}#likes/1`); |
| 254 | + const boost = page.orderedItems.find((a) => a.id === `${REMOTE_FOLLOWER}#boosts/1`); |
| 255 | + assert.ok(like, 'Like not retained in the inbox log'); |
| 256 | + assert.strictEqual(like.type, 'Like'); |
| 257 | + assert.ok(like.published, 'Like carries no published stamp'); |
| 258 | + assert.ok(boost, 'Announce not retained in the inbox log'); |
| 259 | + assert.strictEqual(boost.type, 'Announce'); |
| 260 | + assert.ok(boost.published, 'Announce carries no published stamp'); |
| 261 | + // Newest first: the Announce was POSTed last, so it heads the page. |
| 262 | + assert.strictEqual(page.orderedItems[0].id, `${REMOTE_FOLLOWER}#boosts/1`); |
| 263 | + }); |
| 264 | + |
| 265 | + it('read-time backfill: a legacy inbox entry without published is stamped from receivedAt', async () => { |
| 266 | + // Entries stored BEFORE ingest-time stamping existed have no published; |
| 267 | + // inject one straight into the state file (the format the plugin persists) |
| 268 | + // and assert the read path backfills it. statePath/readState are defined |
| 269 | + // with the security regressions below — same describe scope. |
| 270 | + const state = readState(); |
| 271 | + state.inbox.push({ |
| 272 | + receivedAt: '2020-01-01T00:00:00.000Z', |
| 273 | + activity: { type: 'Like', id: 'urn:legacy:unstamped', actor: REMOTE_FOLLOWER }, |
| 274 | + }); |
| 275 | + fs.writeFileSync(statePath(), JSON.stringify(state, null, 2)); |
| 276 | + const page = await (await fetch(`${base}/ap/${USER}/inbox?page=true`, { |
| 277 | + headers: { authorization: `Bearer ${token}` }, |
| 278 | + })).json(); |
| 279 | + const legacy = page.orderedItems.find((a) => a.id === 'urn:legacy:unstamped'); |
| 280 | + assert.ok(legacy, 'legacy entry not served'); |
| 281 | + assert.strictEqual(legacy.published, '2020-01-01T00:00:00.000Z'); |
| 282 | + }); |
| 283 | + |
| 284 | + it('inReplyTo survives outbox POST → pod resource → outbox collection (threading)', async () => { |
| 285 | + const parent = 'https://remote.example/users/bob/statuses/12345'; |
| 286 | + const res = await fetch(`${base}/ap/${USER}/outbox`, { |
| 287 | + method: 'POST', |
| 288 | + headers: { authorization: `Bearer ${token}`, 'content-type': 'application/activity+json' }, |
| 289 | + body: JSON.stringify({ type: 'Note', content: 'a threaded reply', inReplyTo: parent }), |
| 290 | + }); |
| 291 | + assert.ok([200, 201].includes(res.status), `outbox POST: ${res.status}`); |
| 292 | + const create = await res.json(); |
| 293 | + assert.strictEqual(create.object.inReplyTo, parent, 'returned Create lost inReplyTo'); |
| 294 | + |
| 295 | + // The stored pod resource carries it… |
| 296 | + const raw = await (await fetch(create.object.id, { headers: { authorization: `Bearer ${token}` } })).json(); |
| 297 | + assert.strictEqual(raw.inReplyTo, parent, 'pod Note lost inReplyTo'); |
| 298 | + |
| 299 | + // …and so does the outbox collection item. |
| 300 | + const page = await (await fetch(`${base}/ap/${USER}/outbox?page=true`)).json(); |
| 301 | + const item = page.orderedItems.find((it) => it.object?.content === 'a threaded reply'); |
| 302 | + assert.ok(item, 'reply Note not in outbox'); |
| 303 | + assert.strictEqual(item.object.inReplyTo, parent, 'outbox item lost inReplyTo'); |
| 304 | + }); |
| 305 | + |
202 | 306 | // ---- SECURITY REGRESSIONS ------------------------------------------------- |
203 | 307 |
|
204 | 308 | // Path to the per-actor state file. No explicit `id` is passed for the entry; |
|
0 commit comments