ActivityPub Integration

Nathan Byrd edited this page Jan 2, 2023 · 30 revisions

Overview

Discussion and design of ActivityPub / Mastodon with ENiGMA½.

GitHub Issues

Desired Integrations

  • Act as both a server and a client
    • On behalf of users
    • As the BBS itself (bot)
  • Feed views
    • Local
    • Federated
    • Following
  • Inbox
    • Direct replies also land in user's inbox
    • User can again reply, or directly post to ActivityPub addresses
    • Similar to EchoMail
  • Message Areas
    • Ability to map a message area to an ActivityPub 'group'
    • Read and reply in message base
    • Similar to EchoMail
    • Bridged message areas, such as FTN (non-Mastodon node) <-> Local (Mastodon) <-> Fediverse

Mastodon

First class Mastodon support

Misc

  • Add additional info/debug/warn/error logging to web.js to help track down issues and (long term) to help identify abuse by logging the IP, maybe a correlation ID, etc.
  • Looks like Mastodon is adding some Group functionality that might make my suggested workaround for message areas unnecessary (depends on timing, I see anything about when it will be released though it does look like it is funded work): https://github.com/mastodon/mastodon/pull/19059

Security

  • In order to interoperate with Mastodon, we need to implement HTTP Signatures. More info at: https://docs.joinmastodon.org/spec/security/
    • Implementation in activitypub-express
    • Based on node-http-signature - probably a good idea for us to use as well
    • Private / public keypairs are generated with the Node.js crypto library.
    • Notes on approach:
      1. A new public / private keypair needs to be created and stored in the db on account creation (or one-time during migration)
      2. As subscribe requests or lookups to other servers occur, the Actor object needs to be stored in the database
      3. On outbound requests from the BBS that involve an actor, the private key is used to sign the requests
      4. On incoming requests that involve a remote actor, the public key stored for the actor is used to verify the signature
  • With increased usage of HTTP with ActivityPub/Mastodon support, we should look at additional security testing as well. See: Free for Open-Source App Security Tools for some tools that are free for Open Source projects.
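
Steps 1, 3 and 4 of the approach above, sketched with only the Node.js crypto module (an added example, not code from ENiGMA½, activitypub-express or node-http-signature). The signed header set, the 5-minute clock-skew window, the `lookupKey` callback and the request shape with lowercase header names are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Header set this example signs; Digest binds the body to the signature.
const SIGNED = ['(request-target)', 'host', 'date', 'digest'];

// Step 1: per-account keypair as PEM strings, ready to store in the database.
function generateActorKeys() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

const digestOf = (body) =>
  'SHA-256=' + crypto.createHash('sha256').update(body).digest('base64');

// The canonical string that signer and verifier must build identically.
function signingString(req, names) {
  return names.map((n) => (n === '(request-target)'
    ? `(request-target): ${req.method.toLowerCase()} ${req.path}`
    : `${n}: ${req.headers[n]}`)).join('\n');
}

// Step 3: sign an outbound request with the local actor's private key.
function signRequest(req, keyId, privateKeyPem) {
  req.headers.digest = digestOf(req.body);
  const sig = crypto.sign('sha256', Buffer.from(signingString(req, SIGNED)), privateKeyPem);
  req.headers.signature = `keyId="${keyId}",algorithm="rsa-sha256",` +
    `headers="${SIGNED.join(' ')}",signature="${sig.toString('base64')}"`;
  return req;
}

// Step 4: verify an inbound request against the stored key of the remote actor.
// lookupKey(keyId) stands in for the database lookup from step 2 (hypothetical).
function verifyRequest(req, lookupKey, now = Date.now(), maxSkewMs = 300000) {
  const p = Object.fromEntries(
    [...String(req.headers.signature || '').matchAll(/(\w+)="([^"]*)"/g)].map((m) => [m[1], m[2]]));
  if (!p.keyId || !p.headers || !p.signature) return false;
  const names = p.headers.split(' ');
  if (!SIGNED.every((h) => names.includes(h))) return false; // must cover target, date, body
  if (names.some((n) => n !== '(request-target)' && req.headers[n] === undefined)) return false;
  if (req.headers.digest !== digestOf(req.body)) return false; // body changed in transit
  if (!(Math.abs(now - Date.parse(req.headers.date)) <= maxSkewMs)) return false; // replayed or stale
  const pem = lookupKey(p.keyId);
  return !!pem && crypto.verify('sha256', Buffer.from(signingString(req, names)),
    pem, Buffer.from(p.signature, 'base64'));
}
```

The verifier rejects a request whose `headers` list omits any of the four signed fields, so a sender cannot drop `digest` or `date` from coverage and still pass.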

Questions

  • Should we create a more generalized ActivityPub support/module/classes that Mastodon then extends?
  • Is the web part of this big enough that we should look into using something like express.js and a module like activitypub-express instead of rolling our own implementation?

Design

core/
  servers/
    content/
      web.js
      web_handlers/
        webfinger.js
        mastodon.js
  • webfinger.js
    • Handles standard WebFinger requests via acct:
    • Handles standard profile request associated with WebFinger
    • Includes additional rel and aliases if an ActivityPub system is also enabled, such as Mastodon
      • It would be nice if these could be 'injected' by mastodon.js
  • mastodon.js

References

Implementations

Approach for web components

  • Build our own (maybe using https://github.com/jakelazaroff/dumbo as a guide)
    • Advantages
      1. No rework required, extending what we already have
      2. Can build it up a little at a time
    • Disadvantages
      1. We are totally on the hook for interoperability
      2. Maybe more work overall when some of it has already been done for us
  • Use existing activitypub-express module - https://github.com/immers-space/activitypub-express
    • Advantages
      1. Very complete
      2. Popular
      3. Interchangeable storage (that we would have to swap out)
      4. Active (last update Nov 11)
    • Disadvantages
      1. The completeness might lead to additional time to understand the full codebase
      2. Although storage is interchangeable, it is centered around ActivityPub, so there is a decent amount of work to interface with it