mirror
/
activitypub-single-php-file
kopia lustrzana https://gitlab.com/edent/activitypub-single-php-file
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność
activitypub-single-php-file/index.php

1621 wiersze
55 KiB
PHP
Czysty Wina Historia

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<?php
/*
* "This code is not a code of honour... no highly esteemed code is commemorated here... nothing valued is here."
* "What is here is dangerous and repulsive to us. This message is a warning about danger."
* This is a rudimentary, single-file, low complexity, minimum functionality, ActivityPub server.
* For educational purposes only.
* The Server produces an Actor who can be followed.
* The Actor can send messages to followers.
* The message can have linkable URls, hashtags, and mentions.
* An image and alt text can be attached to the message.
* The Actor can follow remote accounts.
* The Server saves logs about requests it receives and sends.
* This code is NOT suitable for production use.
* SPDX-License-Identifier: AGPL-3.0-or-later
* This code is also "licenced" under CRAPL v0 - https://matt.might.net/articles/crapl/
* "Any appearance of design in the Program is purely coincidental and should not in any way be mistaken for evidence of thoughtful software construction."
* For more information, please re-read.
*/
// Preamble: Set your details here
// This is where you set up your account's name and bio.
// You also need to provide a public/private keypair.
// The posting page is protected with a password that also needs to be set here.
// Set up the Actor's information
// Edit these:
$username = rawurlencode("example"); // Type the @ username that you want. Do not include an "@".
$realName = "E. Xample. Jr."; // This is the user's "real" name.
$summary = "Some text about the user."; // This is the bio of your user.
// Generate locally or from https://cryptotools.net/rsagen
// Newlines must be replaced with "\n"
$key_private = "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----";
$key_public = "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----";
// Password for sending messages
$password = "P4ssW0rd";
/** No need to edit anything below here. But please go exploring! **/
// Internal data
$server = $_SERVER["SERVER_NAME"]; // Do not change this!
// Some requests require a User-Agent string.
define("USERAGENT", "activitypub-single-php-file/0.0");
// Set up where logs and messages go.
// You can change these directories to something more suitable if you like.
$data = "data";
$directories = array(
"inbox" => "{$data}/inbox",
"followers" => "{$data}/followers",
"following" => "{$data}/following",
"logs" => "{$data}/logs",
"posts" => "posts",
"images" => "images",
);
// Create the directories if they don't already exist.
foreach ( $directories as $directory ) {
if( !is_dir( $directory ) ) { mkdir( $data ); mkdir( $directory ); }
}
// Get the information sent to this server
$input = file_get_contents( "php://input" );
$body = json_decode( $input,true );
$bodyData = print_r( $body, true );
// If the root has been requested, manually set the path to `/`
!empty( $_GET["path"] ) ? $path = $_GET["path"] : $path = "/";
// Routing:
// The .htaccess changes /whatever to /?path=whatever
// This runs the function of the path requested.
switch ( $path ) {
case ".well-known/webfinger":
webfinger(); // Mandatory. Static.
case rawurldecode( $username ):
case "@" . rawurldecode( $username ): // Some software assumes usernames start with an `@`
username(); // Mandatory. Static
case "following":
following(); // Mandatory. Can be static or dynamic.
case "followers":
followers(); // Mandatory. Can be static or dynamic.
case "inbox":
inbox(); // Mandatory.
case "outbox":
outbox(); // Optional. Dynamic.
case "write":
write(); // User interface for writing posts.
case "action/send":
send(); // API for posting content to the Fediverse.
case "users":
users(); // User interface for (un)following & (un)blocking an external user.
case "action/users":
action_users(); // API for following a user.
case "read":
view( "read" );// User interface for reading posts.
case ".well-known/nodeinfo":
wk_nodeinfo(); // Optional. Static.
case "nodeinfo/2.1":
nodeinfo(); // Optional. Static.
case "/":
view( "home" );// Optional. Can be dynamic
default:
die();
}
// The WebFinger Protocol is used to identify accounts.
// It is requested with `example.com/.well-known/webfinger?resource=acct:username@example.com`
// This server only has one user, so it ignores the query string and always returns the same details.
function webfinger() {
global $username, $server;
$webfinger = array(
"subject" => "acct:{$username}@{$server}",
"links" => array(
array(
"rel" => "self",
"type" => "application/activity+json",
"href" => "https://{$server}/{$username}"
)
)
);
header( "Content-Type: application/json" );
echo json_encode( $webfinger );
die();
}
// User:
// Requesting `example.com/username` returns a JSON document with the user's information.
function username() {
global $username, $realName, $summary, $server, $key_public;
$user = array(
"@context" => [
"https://www.w3.org/ns/activitystreams",
"https://w3id.org/security/v1"
],
"id" => "https://{$server}/{$username}",
"type" => "Person",
"following" => "https://{$server}/following",
"followers" => "https://{$server}/followers",
"inbox" => "https://{$server}/inbox",
"outbox" => "https://{$server}/outbox",
"preferredUsername" => rawurldecode( $username ),
"name" => "{$realName}",
"summary" => "{$summary}",
"url" => "https://{$server}/{$username}",
"manuallyApprovesFollowers" => false,
"discoverable" => true,
"published" => "2024-02-29T12:34:56Z",
"icon" => [
"type" => "Image",
"mediaType" => "image/png",
"url" => "https://{$server}/icon.png"
],
"image" => [
"type" => "Image",
"mediaType" => "image/png",
"url" => "https://{$server}/banner.png"
],
"publicKey" => [
"id" => "https://{$server}/{$username}#main-key",
"owner" => "https://{$server}/{$username}",
"publicKeyPem" => $key_public
]
);
header( "Content-Type: application/activity+json" );
echo json_encode( $user );
die();
}
// Follower / Following:
// These JSON documents show how many users are following / followers-of this account.
// The information here is self-attested. So you can lie and use any number you want.
function following() {
global $server, $directories;
// Get all the files
$following_files = glob( $directories["following"] . "/*.json");
// Number of users
$totalItems = count( $following_files );
// Create a list of all the followers
$items = array();
foreach ( $following_files as $following_file ) {
$following = json_decode( file_get_contents( $following_file ), true );
$items[] = $following["id"];
}
$following = array(
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "https://{$server}/following",
"type" => "Collection",
"totalItems" => $totalItems,
"items" => $items
);
header( "Content-Type: application/activity+json" );
echo json_encode( $following );
die();
}
function followers() {
global $server, $directories;
// The number of followers is self-reported.
// You can set this to any number you like.
// Get all the files
$follower_files = glob( $directories["followers"] . "/*.json");
// Number of users
$totalItems = count( $follower_files );
// Create a list of everyone being followed
$items = array();
foreach ( $follower_files as $follower_file ) {
$following = json_decode( file_get_contents( $follower_file ),true );
$items[] = $following["id"];
}
$followers = array(
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "https://{$server}/followers",
"type" => "Collection",
"totalItems" => $totalItems,
"items" => $items
);
header( "Content-Type: application/activity+json" );
echo json_encode( $followers );
die();
}
// Inbox:
// The `/inbox` is the main server. It receives all requests.
function inbox() {
global $body, $server, $username, $key_private, $directories;
// Get the message and type
$inbox_message = $body;
$inbox_type = $inbox_message["type"];
// Messages to ignore.
// Some servers are very chatty. They send lots of irrelevant messages.
// Before even bothering to validate them, we can delete them.
// Lemmy sends lots of announce messages. The object contains details of what the message is.
if ( is_array( $inbox_message["object"] ) ) {
if ( match( $inbox_message["object"]["type"] ) {
"Follow", "Undo", "Dislike", "Like" => true,
default => false,
} ) {
// Discard it, no further processing.
die();
}
}
// Save any Follow, Create, Update, Announce, Like messages
// This ignores Delete, Undo, and anything else
if ( match( $inbox_type ) {
"Follow", "Create", "Update", "Announce", "Like" => true,
default => false,
} ) {
// Validate HTTP Message Signature
// This logs whether the signature was validated or not
if ( !verifyHTTPSignature() ) { die(); }
// If the message is valid, save the message in `/data/inbox/`
$uuid = uuid();
$inbox_filename = $uuid . "." . urlencode( $inbox_type ) . ".json";
file_put_contents( $directories["inbox"] . "/{$inbox_filename}", json_encode( $inbox_message ) );
}
// This inbox only responds to follow requests.
// A remote server sends the inbox follow request which is a JSON file saying who they are.
// The details of the remote user's server is saved to a file so that future messages can be delivered to the follower.
// An accept request is cryptographically signed and POST'd back to the remote server.
if ( "Follow" != $inbox_type ) { die(); }
// Get the parameters
$follower_id = $inbox_message["id"]; // E.g. https://mastodon.social/(unique id)
$follower_actor = $inbox_message["actor"]; // E.g. https://mastodon.social/users/Edent
// Get the actor's profile as JSON
$follower_actor_details = getDataFromURl( $follower_actor );
// Save the actor's data in `/data/followers/`
$follower_filename = urlencode( $follower_actor );
file_put_contents( $directories["followers"] . "/{$follower_filename}.json", json_encode( $follower_actor_details ) );
// Get the new follower's Inbox
$follower_inbox = $follower_actor_details["inbox"];
// Response Message ID
// This isn't used for anything important so could just be a random number
$guid = uuid();
// Create the Accept message to the new follower
$message = [
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "https://{$server}/{$guid}",
"type" => "Accept",
"actor" => "https://{$server}/{$username}",
"object" => [
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => $follower_id,
"type" => $inbox_type,
"actor" => $follower_actor,
"object" => "https://{$server}/{$username}",
]
];
// The Accept is POSTed to the inbox on the server of the user who requested the follow
sentMessageToSingle( $follower_inbox, $message );
die();
}
// Unique ID:
// Every message sent should have a unique ID.
// This can be anything you like. Some servers use a random number.
// I prefer a date-sortable string.
function uuid() {
return sprintf( "%08x-%04x-%04x-%04x-%012x",
time(),
mt_rand(0, 0xffff),
mt_rand(0, 0xffff),
mt_rand(0, 0x3fff) | 0x8000,
mt_rand(0, 0xffffffffffff)
);
}
// Headers:
// Every message that your server sends needs to be cryptographically signed with your Private Key.
// This is a complicated process.
// Please read https://blog.joinmastodon.org/2018/07/how-to-make-friends-and-verify-requests/ for more information.
function generate_signed_headers( $message, $host, $path, $method ) {
global $server, $username, $key_private;
// Location of the Public Key
$keyId = "https://{$server}/{$username}#main-key";
// Get the Private Key
$signer = openssl_get_privatekey( $key_private );
// Timestamp this message was sent
$date = date( "D, d M Y H:i:s \G\M\T" );
// There are subtly different signing requirements for POST and GET.
if ( "POST" == $method ) {
// Encode the message object to JSON
$message_json = json_encode( $message );
// Generate signing variables
$hash = hash( "sha256", $message_json, true );
$digest = base64_encode( $hash );
// Sign the path, host, date, and digest
$stringToSign = "(request-target): post $path\nhost: $host\ndate: $date\ndigest: SHA-256=$digest";
// The signing function returns the variable $signature
// https://www.php.net/manual/en/function.openssl-sign.php
openssl_sign(
$stringToSign,
$signature,
$signer,
OPENSSL_ALGO_SHA256
);
// Encode the signature
$signature_b64 = base64_encode( $signature );
// Full signature header
$signature_header = 'keyId="' . $keyId . '",algorithm="rsa-sha256",headers="(request-target) host date digest",signature="' . $signature_b64 . '"';
// Header for POST request
$headers = array(
"Host: {$host}",
"Date: {$date}",
"Digest: SHA-256={$digest}",
"Signature: {$signature_header}",
"Content-Type: application/activity+json",
"Accept: application/activity+json",
);
} else if ( "GET" == $method ) {
// Sign the path, host, date - NO DIGEST because there's no message sent.
$stringToSign = "(request-target): get $path\nhost: $host\ndate: $date";
// The signing function returns the variable $signature
// https://www.php.net/manual/en/function.openssl-sign.php
openssl_sign(
$stringToSign,
$signature,
$signer,
OPENSSL_ALGO_SHA256
);
// Encode the signature
$signature_b64 = base64_encode( $signature );
// Full signature header
$signature_header = 'keyId="' . $keyId . '",algorithm="rsa-sha256",headers="(request-target) host date",signature="' . $signature_b64 . '"';
// Header for GET request
$headers = array(
"Host: {$host}",
"Date: {$date}",
"Signature: {$signature_header}",
"Accept: application/activity+json, application/json",
);
}
return $headers;
}
// User Interface for Homepage.
// This creates a basic HTML page. This content appears when someone visits the root of your site.
function view( $style ) {
global $username, $server, $realName, $summary, $directories;
$rawUsername = rawurldecode( $username );
// What sort of viewable page is this?
switch ( $style ) {
case "home":
$h1 = "HomePage";
$directory = "posts";
break;
case "read":
$h1 = "InBox";
$directory = "inbox";
break;
}
// Counters for followers, following, and posts
$follower_files = glob( $directories["followers"] . "/*.json" );
$totalFollowers = count( $follower_files );
$following_files = glob( $directories["following"] . "/*.json" );
$totalFollowing = count( $following_files );
// Show the HTML page
echo <<< HTML
<!DOCTYPE html>
<html lang="en-GB">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta property="og:url" content="https://{$server}">
<meta property="og:type" content="website">
<meta property="og:title" content="{$realName}">
<meta property="og:description" content="{$summary}">
<meta property="og:image" content="https://{$server}/banner.png">
<title>{$h1} {$realName}</title>
<style>
body { margin:0; padding: 0; font-family:sans-serif; }
@media screen and (max-width: 800px) { body { width: 100%; }}
@media screen and (min-width: 799px) { body { width: 800px; margin: 0 auto; }}
address { font-style: normal; }
img { max-width: 50%; }
.h-feed { margin:auto; width: 100%; }
.h-feed > header { text-align: center; margin: 0 auto; }
.h-feed .banner { text-align: center; margin:0 auto; max-width: 650px; }
.h-feed > h1, .h-feed > h2 { margin-top: 10px; margin-bottom: 0; }
.h-feed > header > h1:has(span.p-author), h2:has(a.p-nickname) { word-wrap: break-word; max-width: 90%; padding-left:20px; }
.h-feed .u-feature:first-child { margin-top: 10px; margin-bottom: -150px; max-width: 100%;}
.h-feed .u-photo { max-height: 8vw; max-width:100%; min-height: 120px; }
.h-feed .about { font-size: smaller; background-color: #F5F5F5; padding: 10px; border-top: dotted 1px #808080; border-bottom: dotted 1px #808080; }
.h-feed > ul { padding-left: 0; list-style-type: none; }
.h-feed > ul > li { padding: 10px; border-bottom: dotted 1px #808080; }
.h-entry { padding-right: 10px; }
.h-entry time { font-weight: bold; }
.h-entry .e-content a { word-wrap: break-word; }
</style>
</head>
<body>
<main class="h-feed">
<header>
<div class="banner">
<img src="banner.png" alt="" class="u-feature"><br>
<img src="icon.png" alt="icon" class="u-photo">
</div>
<address>
<h1 class="p-name p-author">{$realName}</h1>
<h2><a class="p-nickname u-url" rel="author" href="https://{$server}/{$username}">@{$rawUsername}@{$server}</a></h2>
</address>
<p class="p-summary">{$summary}</p>
<p>Following: {$totalFollowing} | Followers: {$totalFollowers}</p>
<div class="about">
<p><a href="https://gitlab.com/edent/activitypub-single-php-file/">This software is licenced under AGPL 3.0</a>.</p>
<p>This site is a basic <a href="https://www.w3.org/TR/activitypub/">ActivityPub</a> server designed to be <a href="https://shkspr.mobi/blog/2024/02/activitypub-server-in-a-single-file/">a lightweight educational tool</a>.</p>
</div>
</header>
<ul>
HTML;
// Get all the files in the directory
$message_files = array_reverse( glob( $directories[$directory] . "/*.json") );
// Keep the most recent 200
$message_files = array_slice( $message_files, 0, 200 );
// Loop through the messages:
// Remove any which have been updated.
// Ensure messages are in the right order.
$messages_ordered = [];
$messages_ids = [];
foreach ( $message_files as $message_file ) {
// Get the contents of the JSON
$message = json_decode( file_get_contents( $message_file ), true );
// Get the ID
if ( isset( $message["object"]["id"] ) ) {
$id = $message["object"]["id"];
} else if ( isset( $message["id"] ) ) {
$id = $message["id"];
}
// Has this message ID already been seen?
// If so, it's an older update. Skip displaying it
if ( !in_array( $id, $messages_ids ) ) {
$messages_ids[] = $id;
} else {
continue;
}
// Sometimes messages are received out of order.
// This sorts them by their published time or, if there is none, the received time.
// Use the timestamp of the message. If there is none, use the date in the filename
if ( isset( $message["published"] ) ) {
$published = $message["published"];
} else {
$segments = explode( "/", explode( "-", $message_file ?? "" )[0]);
$published_hexstamp = end( $segments );
$published_time = hexdec( $published_hexstamp );
$published = date( "c", $published_time );
}
// Place in an array where the key is the timestamp
$messages_ordered[$published] = $message;
}
// Sort with newest on top
krsort( $messages_ordered );
// HTML is *probably* sanitised by the sender. But let's not risk it, eh?
// Using the allow-list from https://docs.joinmastodon.org/spec/activitypub/#sanitization
$allowed_elements = ["p", "span", "br", "a", "del", "pre", "code", "em", "strong", "b", "i", "u", "ul", "ol", "li", "blockquote"];
// Print the items in a list
foreach ( $messages_ordered as $published=>$message ) {
// Received messages have an `object` which contains their data.
// Sent messages *are* their data
if ( isset( $message["object"] ) ) {
$object = $message["object"];
} else {
$object = $message;
}
if ( isset( $object["id"] ) ) {
$id = $object["id"];
$publishedHTML = "<a href=\"{$id}\">{$published}</a>";
} else {
$id = "";
$publishedHTML = $published;
}
// For displaying the post's information
$timeHTML = "<time datetime=\"{$published}\" class=\"u-url\" rel=\"bookmark\">{$publishedHTML}</time>";
// Get the actor who authored the message
if ( isset( $object["attributedTo"] ) ) {
$actor = $object["attributedTo"];
} else if ( isset( $message["actor"] ) ) {
// Usually found in Like and Announce messages
$actor = $message["actor"];
} else {
// Should never happen!
$actor = "https://example.com/anonymous";
}
// Assume that what comes after the final `/` in the URl is the name
$actorArray = explode( "/", $actor );
$actorName = end( $actorArray );
$actorServer = parse_url( $actor, PHP_URL_HOST );
$actorUsername = "@{$actorName}@{$actorServer}";
// Make i18n usernames readable and safe.
$actorName = htmlspecialchars( rawurldecode( $actorName ) );
$actorHTML = "<a href=\"$actor\">@{$actorName}</a>";
// Buttons to interact with a message.
// By default, just shows a "Follow User" button.
if ( "read" == $style ) {
$interactHTML = "<a href=\"/users?account=$actorUsername\"></a> ";
} else {
$interactHTML = "";
}
// What type of message is this?
$type = $message["type"];
// Render the message according to type
if ( "Create" == $type || "Update" == $type || "Note" == $type ) {
// Get the HTML content
// There is a slight difference between the formatting of sent and received messages
"Note" == $type ? $content = $message["content"] : $content = $object["content"];
// Sanitise the HTML
$content = strip_tags( $content, $allowed_elements );
// Is this a reply to something?
if ( isset( $object["inReplyTo"] ) ) {
$replyToURl = $object["inReplyTo"];
$replyTo = "in reply to <a href=\"{$replyToURl}\">$replyToURl</a>";
} else {
$replyTo = "";
}
// Has the user has been specifically CC'd?
if ( isset( $object["cc"] ) ) {
$reply = in_array( "https://{$server}/{$username}", $object["cc"] );
} else {
$reply = false;
}
// Is there is a Content Warning?
if ( isset( $object["summary"] ) ) {
$summary = $object["summary"];
$summary = strip_tags( $summary, $allowed_elements );
// Hide the content until the user interacts with it.
$content = "<details><summary>{$summary}</summary>{$content}</details>";
}
// Is there a poll?
// ActivityPub specification - https://www.w3.org/TR/activitystreams-vocabulary/#questions
// Mastodon documentation - https://docs.joinmastodon.org/spec/activitypub/#Question
if ( isset( $object["oneOf"] ) ) {
$content .= "<h3>Poll Results:</h3>";
foreach ( $object["oneOf"] as $pollOption ) {
$pollOptionName = htmlspecialchars( $pollOption["name"] );
$pollOptionValue = htmlspecialchars( $pollOption["replies"]["totalItems"] );
$content .= "{$pollOptionName}: $pollOptionValue<br>";
}
}
if ( isset( $object["anyOf"] ) ) {
$content .= "<h3>Poll Results</h3>";
foreach ( $object["anyOf"] as $pollOption ) {
$pollOptionName = htmlspecialchars( $pollOption["name"] );
$pollOptionValue = htmlspecialchars( $pollOption["replies"]["totalItems"] );
$content .= "{$pollOptionName}: $pollOptionValue<br>";
}
}
// Add any images
if ( isset( $object["attachment"] ) ) {
foreach ( $object["attachment"] as $attachment ) {
// Only use things which have a MIME Type set
if ( isset( $attachment["mediaType"] ) ) {
$mediaURl = $attachment["url"];
$mime = $attachment["mediaType"];
// Use the first half of the MIME Type.
// For example `image/png` or `video/mp4`
$mediaType = explode( "/", $mime )[0];
if ( "image" == $mediaType ) {
// Get the alt text
isset( $attachment["name"] ) ? $alt = $attachment["name"] : $alt = "";
$content .= "<img src='{$mediaURl}' alt='{$alt}'>";
} else if ( "video" == $mediaType ) {
$content .= "<video controls><source src='{$mediaURl}' type='{$mime}'></video>";
}else if ( "audio" == $mediaType ) {
$content .= "<audio controls src='{$mediaURl}' type='{$mime}'></audio>";
}
}
}
}
// What sort of message is this?
switch ( $type ) {
case "Create":
case "Note":
$verb = "wrote";
break;
case "Update":
$verb = "updated";
break;
default:
$verb = "said";
break;
}
// Add some interaction buttons
$interactHTML .= "<a href=\"/write?reply=$id\">↩️</a> " .
"<a href=\"/write?announce=$id\">🔁</a> " .
"<a href=\"/write?like=$id\"></a> ";
if ( $reply ) {
// Highlight that this is a reply
$messageHTML = "<mark>{$timeHTML} {$actorHTML} {$verb} {$replyTo}:</mark> <blockquote class=\"e-content\">{$content}</blockquote>";
} else {
$messageHTML = "{$timeHTML} {$actorHTML} {$verb} {$replyTo}: <blockquote class=\"e-content\">{$content}</blockquote>";
}
} else if ( "Follow" == $type ) {
$messageHTML = "<mark>{$timeHTML} {$actorHTML} followed you</mark>";
} else if ( "Like" == $type ) {
$object = $message["object"];
$objectHTML = "<a href=\"$object\">{$object}</a>";
$messageHTML = "{$timeHTML} {$actorHTML} liked {$objectHTML}";
} else if ( "Announce" == $type ) {
$object = $message["object"];
$objectHTML = "<a href=\"$object\">{$object}</a>";
$messageHTML = "{$timeHTML} {$actorHTML} boosted {$objectHTML}";
}
echo "<li><article class=\"h-entry\">{$messageHTML}<br>{$interactHTML}</article></li>";
}
echo <<< HTML
</ul>
</main>
</body>
</html>
HTML;
die();
}
// User Interface for Writing:
// This creates a basic HTML form. Type in your message and your password. It then POSTs the data to the `/send` endpoint.
function write() {
if ( isset( $_GET["announce"] ) && filter_var( $_GET["announce"], FILTER_VALIDATE_URL ) ) {
$announceURl = $_GET["announce"];
} else {
$announceURl = "";
}
if ( isset( $_GET["like"] ) && filter_var( $_GET["like"], FILTER_VALIDATE_URL ) ) {
$likeURl = $_GET["like"];
} else {
$likeURl = "";
}
if ( isset( $_GET["reply"] ) && filter_var( $_GET["reply"], FILTER_VALIDATE_URL ) ) {
$replyURl = $_GET["reply"];
} else {
$replyURl = "";
}
echo <<< HTML
<!DOCTYPE html>
<html lang="en-GB">
<head>
<meta charset="UTF-8">
<title>Send Message</title>
<style>
*{font-family:sans-serif;font-size:1.1em;}
</style>
</head>
<body>
<fieldset>
<legend>Send a message</legend>
<form action="/action/send" method="post" enctype="multipart/form-data">
<input type="hidden" id="type" name="type" value="Create">
<label for="content">Your message:</label><br>
<textarea id="content" name="content" rows="5" cols="32"></textarea><br>
<label for="inReplyTo">Reply to URl:</label>
<input type="url" name="inReplyTo" id="inReplyTo" size="32" value="{$replyURl}"><br>
<label for="image">Attach an image</label><br>
<input type="file" name="image" id="image" accept="image/*"><br>
<label for="alt">Alt Text</label>
<input type="text" name="alt" id="alt" size="32" /><br>
<label for="password">Password</label><br>
<input type="password" name="password" id="password" size="32"><br><br>
<input type="submit" value="Post Message">
</form>
</fieldset>
<fieldset>
<legend>Like a post</legend>
<form action="/send" method="post" enctype="multipart/form-data">
<input type="hidden" id="type" name="type" value="Like">
<label for="postURl">URl of post to like:</label>
<input type="url" name="postURl" id="postURl" size="32" value="{$likeURl}"><br>
<label for="password">Password</label><br>
<input type="password" name="password" id="password" size="32"><br><br>
<input type="submit" value="Like the message">
</form>
</fieldset>
<fieldset>
<legend>Boost a post</legend>
<form action="/send" method="post" enctype="multipart/form-data">
<input type="hidden" id="type" name="type" value="Announce">
<label for="postURl">URl of post to boost:</label>
<input type="url" name="postURl" id="postURl" size="32" value="{$announceURl}"><br>
<label for="password">Password</label><br>
<input type="password" name="password" id="password" size="32"><br><br>
<input type="submit" value="Boost the Message">
</form>
</fieldset>
</body>
</html>
HTML;
die();
}
// Send Endpoint:
// This takes the submitted message and checks the password is correct.
// It reads all the followers' data in `data/followers`.
// It constructs a list of shared inboxes and unique inboxes.
// It sends the message to every server that is following this account.
function send() {
global $password, $server, $username, $key_private, $directories;
// Does the posted password match the stored password?
if( $password != $_POST["password"] ) { die(); }
// What sort of message is being sent?
$type = $_POST["type"];
// Likes and Announces have an identical message structure
if ( "Like" == $type || "Announce" == $type ) {
// Was a URl sent?
if ( isset( $_POST["postURl"] ) && filter_var( $_POST["postURl"], FILTER_VALIDATE_URL ) ) {
$postURl = $_POST["postURl"];
} else {
echo "No valid URl sent.";
die();
}
if ( "Like" == $type ) {
// The message will need to be sent to the inbox of the author of the message
$inbox_single = getInboxFromMessageURl( $postURl );
}
// Outgoing Message ID
$guid = uuid();
// Construct the Message
$message = [
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "https://{$server}/posts/{$guid}.json",
"type" => $type,
"actor" => "https://{$server}/{$username}",
"published"=> date( "c" ),
"object" => $postURl
];
// Announces are sent to an audience
// The audience is public and it is sent to all followers
// TODO: Let the original poster know we boosted them
if ( $type == "Announce" ) {
$message = array_merge( $message,
array(
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"cc" => ["https://{$server}/followers"])
);
}
// Construct the Note
// This is for saving in the logs
$note = $message;
} else if ( $type == "Create" ) {
// Get the posted content
$content = $_POST["content"];
// Is this a reply?
if ( isset( $_POST["inReplyTo"] ) && filter_var( $_POST["inReplyTo"], FILTER_VALIDATE_URL ) ) {
$inReplyTo = $_POST["inReplyTo"];
} else {
$inReplyTo = null;
}
// Process the content into HTML to get hashtags etc
list( "HTML" => $content, "TagArray" => $tags ) = process_content( $content );
// Is there an image attached?
if ( isset( $_FILES['image']['tmp_name'] ) && ( "" != $_FILES['image']['tmp_name'] ) ) {
// Get information about the image
$image = $_FILES['image']['tmp_name'];
$image_info = getimagesize( $image );
$image_ext = image_type_to_extension( $image_info[2] );
$image_mime = $image_info["mime"];
// Files are stored according to their hash
// A hash of "abc123" is stored in "/images/abc123.jpg"
$sha1 = sha1_file( $image );
$image_full_path = $directories["images"] . "/{$sha1}.{$image_ext}";
// Move media to the correct location
move_uploaded_file( $image, $image_full_path );
// Get the alt text
if ( isset( $_POST["alt"] ) ) {
$alt = $_POST["alt"];
} else {
$alt = "";
}
// Construct the attachment value for the post
$attachment = array( [
"type" => "Image",
"mediaType" => "{$image_mime}",
"url" => "https://{$server}/{$image_full_path}",
"name" => $alt
] );
} else {
$attachment = [];
}
// Current time - ISO8601
$timestamp = date( "c" );
// Outgoing Message ID
$guid = uuid();
// Construct the Note
// `contentMap` is used to prevent unnecessary "translate this post" pop ups
// hardcoded to English
$note = [
"@context" => array(
"https://www.w3.org/ns/activitystreams"
),
"id" => "https://{$server}/posts/{$guid}.json",
"type" => "Note",
"published" => $timestamp,
"attributedTo" => "https://{$server}/{$username}",
"inReplyTo" => $inReplyTo,
"content" => $content,
"contentMap" => ["en" => $content],
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"tag" => $tags,
"attachment" => $attachment
];
// Construct the Message
// The audience is public and it is sent to all followers
$message = [
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "https://{$server}/posts/{$guid}.json",
"type" => "Create",
"actor" => "https://{$server}/{$username}",
"to" => [
"https://www.w3.org/ns/activitystreams#Public"
],
"cc" => [
"https://{$server}/followers"
],
"object" => $note
];
}
// Save the permalink
$note_json = json_encode( $note );
file_put_contents( $directories["posts"] . "/{$guid}.json", print_r( $note_json, true ) );
// Is this message going to one user? (Usually a Like)
if ( isset( $inbox_single ) ) {
$messageSent = sentMessageToSingle( $inbox_single, $message );
} else { // Send to all the user's followers
$messageSent = sendMessageToFollowers( $message );
}
// Render the JSON so the user can see the POST has worked
if ( $messageSent ) {
header( "Location: https://{$server}/posts/{$guid}.json" );
die();
} else {
echo "ERROR!";
die();
}
}
// POST a signed message to a single inbox
function sentMessageToSingle( $inbox, $message ) {
global $directories;
$inbox_host = parse_url( $inbox, PHP_URL_HOST );
$inbox_path = parse_url( $inbox, PHP_URL_PATH );
// Generate the signed headers
$headers = generate_signed_headers( $message, $inbox_host, $inbox_path, "POST" );
// POST the message and header to the requester's inbox
$ch = curl_init( $inbox );
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_CUSTOMREQUEST, "POST" );
curl_setopt( $ch, CURLOPT_POSTFIELDS, json_encode( $message ) );
curl_setopt( $ch, CURLOPT_HTTPHEADER, $headers );
curl_setopt( $ch, CURLOPT_USERAGENT, USERAGENT );
curl_exec( $ch );
// Check for errors
if( curl_errno( $ch ) ) {
$timestamp = ( new DateTime() )->format( DATE_RFC3339_EXTENDED );
file_put_contents( $directories["logs"] . "/{$timestamp}.Error.txt", curl_error( $ch ) );
return false;
}
curl_close( $ch );
return true;
}
// POST a signed message to the inboxes of all followers
function sendMessageToFollowers( $message ) {
global $directories;
// Read existing followers
$followers = glob( $directories["followers"] . "/*.json" );
// Get all the inboxes
$inboxes = [];
foreach ( $followers as $follower ) {
// Get the data about the follower
$follower_info = json_decode( file_get_contents( $follower ), true );
// Some servers have "Shared inboxes"
// If you have lots of followers on a single server, you only need to send the message once.
if( isset( $follower_info["endpoints"]["sharedInbox"] ) ) {
$sharedInbox = $follower_info["endpoints"]["sharedInbox"];
if ( !in_array( $sharedInbox, $inboxes ) ) {
$inboxes[] = $sharedInbox;
}
} else {
// If not, use the individual inbox
$inbox = $follower_info["inbox"];
if ( !in_array( $inbox, $inboxes ) ) {
$inboxes[] = $inbox;
}
}
}
// Prepare to use the multiple cURL handle
// This makes it more efficient to send many simultaneous messages
$mh = curl_multi_init();
// Loop through all the inboxes of the followers
// Each server needs its own cURL handle
// Each POST to an inbox needs to be signed separately
foreach ( $inboxes as $inbox ) {
$inbox_host = parse_url( $inbox, PHP_URL_HOST );
$inbox_path = parse_url( $inbox, PHP_URL_PATH );
// Generate the signed headers
$headers = generate_signed_headers( $message, $inbox_host, $inbox_path, "POST" );
// POST the message and header to the requester's inbox
$ch = curl_init( $inbox );
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_CUSTOMREQUEST, "POST" );
curl_setopt( $ch, CURLOPT_POSTFIELDS, json_encode( $message ) );
curl_setopt( $ch, CURLOPT_HTTPHEADER, $headers );
curl_setopt( $ch, CURLOPT_USERAGENT, USERAGENT );
// Add the handle to the multi-handle
curl_multi_add_handle( $mh, $ch );
}
// Execute the multi-handle
do {
$status = curl_multi_exec( $mh, $active );
if ( $active ) {
curl_multi_select( $mh );
}
} while ( $active && $status == CURLM_OK );
// Close the multi-handle
curl_multi_close( $mh );
return true;
}
// Content can be plain text. But to add clickable links and hashtags, it needs to be turned into HTML.
// Tags are also included separately in the note
function process_content( $content ) {
global $server;
// Convert any URls into hyperlinks
$link_pattern = '/\bhttps?:\/\/\S+/iu'; // Sloppy regex
$replacement = function ( $match ) {
$url = htmlspecialchars( $match[0], ENT_QUOTES, "UTF-8" );
return "<a href=\"$url\">$url</a>";
};
$content = preg_replace_callback( $link_pattern, $replacement, $content );
// Get any hashtags
$hashtags = [];
$hashtag_pattern = '/(?:^|\s)\#(\w+)/'; // Beginning of string, or whitespace, followed by #
preg_match_all( $hashtag_pattern, $content, $hashtag_matches );
foreach ( $hashtag_matches[1] as $match ) {
$hashtags[] = $match;
}
// Construct the tag value for the note object
$tags = [];
foreach ( $hashtags as $hashtag ) {
$tags[] = array(
"type" => "Hashtag",
"name" => "#{$hashtag}",
);
}
// Add HTML links for hashtags into the text
// Todo: Make these links do something.
$content = preg_replace(
$hashtag_pattern,
" <a href='https://{$server}/tag/$1'>#$1</a>",
$content
);
// Detect user mentions
$usernames = [];
$usernames_pattern = '/@(\S+)@(\S+)/'; // This is a *very* sloppy regex
preg_match_all( $usernames_pattern, $content, $usernames_matches );
foreach ( $usernames_matches[0] as $match ) {
$usernames[] = $match;
}
// Construct the mentions value for the note object
// This goes in the generic "tag" property
// TODO: Add this to the CC field & appropriate inbox
foreach ( $usernames as $username ) {
list( , $user, $domain ) = explode( "@", $username );
$tags[] = array(
"type" => "Mention",
"href" => "https://{$domain}/@{$user}",
"name" => "{$username}"
);
// Add HTML links to usernames
$username_link = "<a href=\"https://{$domain}/@{$user}\">$username</a>";
$content = str_replace( $username, $username_link, $content );
}
// Construct HTML breaks from carriage returns and line breaks
$linebreak_patterns = array( "\r\n", "\r", "\n" ); // Variations of line breaks found in raw text
$content = str_replace( $linebreak_patterns, "<br/>", $content );
// Construct the content
$content = "<p>{$content}</p>";
return [
"HTML" => $content,
"TagArray" => $tags
];
}
// When given the URl of a post, this looks up the post, finds the user, then returns their inbox or shared inbox
function getInboxFromMessageURl( $url ) {
// Get details about the message
$messageData = getDataFromURl( $url );
// The author is the user who the message is attributed to
if ( isset ( $messageData["attributedTo"] ) && filter_var( $messageData["attributedTo"], FILTER_VALIDATE_URL) ) {
$profileData = getDataFromURl( $messageData["attributedTo"] );
} else {
return null;
}
// Get the shared inbox or personal inbox
if( isset( $profileData["endpoints"]["sharedInbox"] ) ) {
$inbox = $profileData["endpoints"]["sharedInbox"];
} else {
// If not, use the individual inbox
$inbox = $profileData["inbox"];
}
// Return the destination inbox if it is valid
if ( filter_var( $inbox, FILTER_VALIDATE_URL) ) {
return $inbox;
} else {
return null;
}
}
// GET a request to a URl and returns structured data
function getDataFromURl ( $url ) {
// Check this is a valid https address
if(
( filter_var( $url, FILTER_VALIDATE_URL) != true) ||
( parse_url( $url, PHP_URL_SCHEME ) != "https" )
) { die(); }
// Split the URL
$url_host = parse_url( $url, PHP_URL_HOST );
$url_path = parse_url( $url, PHP_URL_PATH );
// Generate signed headers for this request
$headers = generate_signed_headers( null, $url_host, $url_path, "GET" );
// Set cURL options
$ch = curl_init( $url );
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_HTTPHEADER, $headers );
curl_setopt( $ch, CURLOPT_USERAGENT, USERAGENT );
// Execute the cURL session
$urlJSON = curl_exec( $ch );
// Check for errors
if (curl_errno( $ch )) {
// Handle cURL error
die();
}
// Close cURL session
curl_close( $ch );
return json_decode( $urlJSON, true );
}
// The Outbox contains a date-ordered list (newest first) of all the user's posts
// This is optional.
function outbox() {
global $server, $username, $directories;
// Get all posts
$posts = array_reverse( glob( $directories["posts"] . "/*.json") );
// Number of posts
$totalItems = count( $posts );
// Create an ordered list
$orderedItems = [];
foreach ( $posts as $post ) {
$orderedItems[] = array(
"type" => "Create",
"actor" => "https://{$server}/{$username}",
"object" => "https://{$server}/{$post}"
);
}
// Create User's outbox
$outbox = array(
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "https://{$server}/outbox",
"type" => "OrderedCollection",
"totalItems" => $totalItems,
"summary" => "All the user's posts",
"orderedItems" => $orderedItems
);
// Render the page
header( "Content-Type: application/activity+json" );
echo json_encode( $outbox );
die();
}
// This creates a UI for the user to follow another user
function users() {
if ( isset( $_GET["account"] ) ) {
$accountURl = htmlspecialchars( $_GET["account"] );
} else {
$accountURl = "";
}
echo <<< HTML
<!DOCTYPE html>
<html lang="en-GB">
<head>
<meta charset="UTF-8">
<title>Follow</title>
<style>
*{font-family:sans-serif;font-size:1.1em;}
</style>
</head>
<body>
<form action="/action/users" method="post" enctype="multipart/form-data">
<label for="user">User:</label>
<input name="user" id="user" type="text" size="32" placeholder="@user@example.com" value="{$accountURl}"><br>
<label for="action">action</label><br>
<select name="action" id="action">
<option value="">--Please choose an option--</option>
<option value="Follow">Follow</option>
<option value="Unfollow">Unfollow</option>
<option value="Block">Block</option>
<option value="Unblock">Unblock</option>
</select><br>
<label for="password">Password</label><br>
<input name="password" id="password" type="password" size="32"><br>
<input type="submit" value="Send User Request">
</form>
</body>
</html>
HTML;
die();
}
// This receives a request to follow an external user
// It looks up the external user's details
// Then it sends a follow request
// If the request is accepted, it saves the details in `data/following/` as a JSON file
function action_users() {
global $password, $server, $username, $key_private, $directories;
// Does the posted password match the stored password?
if( $password != $_POST["password"] ) { echo "Wrong Password!"; die(); }
// Get the posted content
$user = $_POST["user"];
$action = $_POST["action"];
// Is this a valid action?
if ( match( $action ) {
"Follow", "Unfollow", "Block", "Unblock" => false,
default => true,
} ) {
// Discard it, no further processing.
echo "{$action} not supported";
die();
}
// Split the user (@user@example.com) into username and server
list( , $follow_name, $follow_server ) = explode( "@", $user );
// Get the Webfinger
// This request does not always need to be signed, but safest to do so anyway.
$webfingerURl = "https://{$follow_server}/.well-known/webfinger?resource=acct:{$follow_name}@{$follow_server}";
$webfinger = getDataFromURl( $webfingerURl );
// Get the link to the user
foreach( $webfinger["links"] as $link ) {
if ( "self" == $link["rel"] ) {
$profileURl = $link["href"];
}
}
if ( !isset( $profileURl ) ) { echo "No profile" . print_r( $webfinger, true ); die(); }
// Get the user's details
$profileData = getDataFromURl( $profileURl );
// Get the user's inbox
$profileInbox = $profileData["inbox"];
// Create a user request
$guid = uuid();
// Different user actions have subtly different messages to send.
if ( "Follow" == $action ) {
$message = [
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "https://{$server}/{$guid}",
"type" => "Follow",
"actor" => "https://{$server}/{$username}",
"object" => $profileURl
];
} else if ( "Unfollow" == $action ) {
$message = [
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "https://{$server}/{$guid}",
"type" => "Undo",
"actor" => "https://{$server}/{$username}",
"object" => array(
//"id" => null, // Should be the original ID if possible, but not necessary https://www.w3.org/wiki/ActivityPub/Primer/Referring_to_activities
"type" => "Follow",
"actor" => "https://{$server}/{$username}",
"object" => $profileURl
)
];
} else if ( "Block" == $action ) {
$message = [
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "https://{$server}/{$guid}",
"type" => "Block",
"actor" => "https://{$server}/{$username}",
"object" => $profileURl,
"to" => $profileURl
];
} else if ( "Unblock" == $action ) {
$message = [
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "https://{$server}/{$guid}",
"type" => "Undo",
"actor" => "https://{$server}/{$username}",
"object" => array(
//"id" => null, // Should be the original ID if possible, but not necessary https://www.w3.org/wiki/ActivityPub/Primer/Referring_to_activities
"type" => "Block",
"actor" => "https://{$server}/{$username}",
"object" => $profileURl
)
];
}
// Sign & send the request
sentMessageToSingle( $profileInbox, $message );
if ( "Follow" == $action ) {
// Save the user's details
$following_filename = urlencode( $profileURl );
file_put_contents( $directories["following"] . "/{$following_filename}.json", json_encode( $profileData ) );
// Render the JSON so the user can see the POST has worked
header( "Location: https://{$server}/data/following/" . urlencode( $following_filename ) . ".json" );
} else if ( "Block" == $action || "Unfollow" == $action ) {
// Delete the user if they exist in the following directory.
$following_filename = urlencode( $profileURl );
unlink( $directories["following"] . "/{$following_filename}.json" );
// Let the user know it worked
echo "{$user} {$action}ed!";
} else if ( "Unblock" == $action ) {
// Let the user know it worked
echo "{$user} {$action}ed!";
}
die();
}
// Verify the signature sent with the message.
// This is optional
// It is very confusing
function verifyHTTPSignature() {
global $input, $body, $server, $directories;
// Get the headers send with the request
$headers = getallheaders();
// Ensure the header keys match the format expected by the signature
$headers = array_change_key_case( $headers, CASE_LOWER );
// Validate the timestamp is within ±30 seconds
if ( !isset( $headers["date"] ) ) { return null; } // No date set
$dateHeader = $headers["date"];
$headerDatetime = DateTime::createFromFormat('D, d M Y H:i:s T', $dateHeader);
$currentDatetime = new DateTime();
// Calculate the time difference in seconds
$timeDifference = abs( $currentDatetime->getTimestamp() - $headerDatetime->getTimestamp() );
if ( $timeDifference > 30 ) {
// Write a log detailing the error
$timestamp = ( new DateTime() )->format( DATE_RFC3339_EXTENDED );
// Filename for the log
$filename = "{$timestamp}.Signature.Time_Failure.txt";
// Save headers and request data to the timestamped file in the logs directory
file_put_contents( $directories["logs"] . "/{$filename}",
"Original Date:\n" . print_r( $dateHeader, true ) . "\n" .
"Local Date:\n" . print_r( $currentDatetime->format('D, d M Y H:i:s T'), true ) . "\n"
);
return false;
}
// Validate the Digest
// It is the hash of the raw input string, in binary, encoded as base64.
$digestString = $headers["digest"];
// Usually in the form `SHA-256=Ofv56Jm9rlowLR9zTkfeMGLUG1JYQZj0up3aRPZgT0c=`
// The Base64 encoding may have multiple `=` at the end. So split this at the first `=`
$digestData = explode( "=", $digestString, 2 );
$digestAlgorithm = $digestData[0];
$digestHash = $digestData[1];
// There might be many different hashing algorithms
// TODO: Find a way to transform these automatically
// See https://github.com/superseriousbusiness/gotosocial/issues/1186#issuecomment-1976166659 and https://github.com/snarfed/bridgy-fed/issues/430 for hs2019
if ( "SHA-256" == $digestAlgorithm || "hs2019" == $digestAlgorithm ) {
$digestAlgorithm = "sha256";
} else if ( "SHA-512" == $digestAlgorithm ) {
$digestAlgorithm = "sha512";
}
// Manually calculate the digest based on the data sent
$digestCalculated = base64_encode( hash( $digestAlgorithm, $input, true ) );
// Does our calculation match what was sent?
if ( !( $digestCalculated == $digestHash ) ) {
// Write a log detailing the error
$timestamp = ( new DateTime() )->format( DATE_RFC3339_EXTENDED );
// Filename for the log
$filename = "{$timestamp}.Signature.Digest_Failure.txt";
// Save headers and request data to the timestamped file in the logs directory
file_put_contents( $directories["logs"] . "/{$filename}",
"Original Input:\n" . print_r( $input, true ) . "\n" .
"Original Digest:\n" . print_r( $digestString, true ) . "\n" .
"Calculated Digest:\n" . print_r( $digestCalculated, true ) . "\n"
);
return false;
}
// Examine the signature
$signatureHeader = $headers["signature"];
// Extract key information from the Signature header
$signatureParts = [];
// Converts 'a=b,c=d e f' into ["a"=>"b", "c"=>"d e f"]
// word="text"
preg_match_all('/(\w+)="([^"]+)"/', $signatureHeader, $matches);
foreach ( $matches[1] as $index => $key ) {
$signatureParts[$key] = $matches[2][$index];
}
// Manually reconstruct the header string
$signatureHeaders = explode(" ", $signatureParts["headers"] );
$signatureString = "";
foreach ( $signatureHeaders as $signatureHeader ) {
if ( "(request-target)" == $signatureHeader ) {
$method = strtolower( $_SERVER["REQUEST_METHOD"] );
$target = $_SERVER["REQUEST_URI"];
$signatureString .= "(request-target): {$method} {$target}\n";
} else if ( "host" == $signatureHeader ) {
$host = strtolower( $_SERVER["HTTP_HOST"] );
$signatureString .= "host: {$host}\n";
} else {
$signatureString .= "{$signatureHeader}: " . $headers[$signatureHeader] . "\n";
}
}
// Remove trailing newline
$signatureString = trim( $signatureString );
// Get the Public Key
// The link to the key might be sent with the body, but is always sent in the Signature header.
$publicKeyURL = $signatureParts["keyId"];
// This is usually in the form `https://example.com/user/username#main-key`
// This is to differentiate if the user has multiple keys
// TODO: Check the actual key
$userData = getDataFromURl( $publicKeyURL );
$publicKey = $userData["publicKey"]["publicKeyPem"];
// Get the remaining parts
$signature = base64_decode( $signatureParts["signature"] );
$algorithm = $signatureParts["algorithm"];
// There might be many different signing algorithms
// TODO: Find a way to transform these automatically
// See https://github.com/superseriousbusiness/gotosocial/issues/1186#issuecomment-1976166659 and https://github.com/snarfed/bridgy-fed/issues/430 for hs2019
if ( "hs2019" == $algorithm ) {
$algorithm = "sha256";
}
// Finally! Calculate whether the signature is valid
// Returns 1 if verified, 0 if not, false or -1 if an error occurred
$verified = openssl_verify(
$signatureString,
$signature,
$publicKey,
$algorithm
);
// Convert to boolean
if ( $verified === 1 ) {
$verified = true;
} elseif ( $verified === 0 ) {
$verified = false;
} else {
$verified = null;
}
// Write a log detailing the signature verification process
$timestamp = ( new DateTime() )->format( DATE_RFC3339_EXTENDED );
// Filename for the log
$filename = "{$timestamp}.Signature.". json_encode( $verified ) . ".txt";
// Save headers and request data to the timestamped file in the logs directory
file_put_contents( $directories["logs"] . "/{$filename}",
"Original Body:\n" . print_r( $body, true ) . "\n\n" .
"Original Headers:\n" . print_r( $headers, true ) . "\n\n" .
"Signature Headers:\n" . print_r( $signatureHeaders, true ) . "\n\n" .
"Calculated signatureString:\n" . print_r( $signatureString, true ) . "\n\n" .
"Calculated algorithm:\n" . print_r( $algorithm, true ) . "\n\n" .
"publicKeyURL:\n" . print_r( $publicKeyURL, true ) . "\n\n" .
"publicKey:\n" . print_r( $publicKey, true ) . "\n"
);
return $verified;
}
// The NodeInfo Protocol is used to identify servers.
// It is looked up with `example.com/.well-known/nodeinfo`
// See https://nodeinfo.diaspora.software/
function wk_nodeinfo() {
global $server;
$nodeinfo = array(
"links" => array(
array(
"rel" => "self",
"type" => "http://nodeinfo.diaspora.software/ns/schema/2.1",
"href" => "https://{$server}/nodeinfo/2.1"
)
)
);
header( "Content-Type: application/json" );
echo json_encode( $nodeinfo );
die();
}
// The NodeInfo Protocol is used to identify servers.
// It is looked up with `example.com/.well-known/nodeinfo` which points to this resource
// See http://nodeinfo.diaspora.software/docson/index.html#/ns/schema/2.0#$$expand
function nodeinfo() {
global $server, $directories;
// Get all posts
$posts = glob( $directories["posts"] . "/*.json") ;
// Number of posts
$totalItems = count( $posts );
$nodeinfo = array(
"version" => "2.1", // Version of the schema, not the software
"software" => array(
"name" => "Single File ActivityPub Server in PHP",
"version" => "0.000000001",
"repository" => "https://gitlab.com/edent/activitypub-single-php-file/"
),
"protocols" => array( "activitypub"),
"services" => array(
"inbound" => array(),
"outbound" => array()
),
"openRegistrations" => false,
"usage" => array(
"users" => array(
"total" => 1
),
"localPosts" => $totalItems
),
"metadata"=> array(
"nodeName" => "activitypub-single-php-file",
"nodeDescription" => "This is a single PHP file which acts as an extremely basic ActivityPub server.",
"spdx" => "AGPL-3.0-or-later"
)
);
header( "Content-Type: application/json" );
echo json_encode( $nodeinfo );
die();
}
// "One to stun, two to kill, three to make sure"
die();
die();
die();
Reference in New Issue View Git Blame Kopiuj bezpośredni odnośnik