go-fed / apcore Goto Github PK

DB models support creating tables, but doesn't have a way currently to execute additional statements for creation of indices, etc.

Right now, the server uses a plain http.Client. Investigate its options and implement the appropriate configurations/defaults.

I think a reference is in the httpsig library, just copy/paste it over for comment completeness sake.

This entails:

• Framework allowing app.Application to add and modify arbitrary payloads
• Framework allowing app.Application to modify existing payloads (ex: pub.OnFollow behavior)
• Using OnFollow for the S2S behavior

Upon server startup, re-launch the failed outbound deliveries. Will probably require a modification of the table to support counting # of attempts made and time of last attempt, to skip retrying really old attempts.

The oauth2 library is at this time v4.1.2 and apcore is using v3.

Should be as simple as go mod init

This way, you can guarantee that a specific version of, for example, go-fed is used.

Potential features for v1:

• backoff retries
• persistent record between downtime

This version of go-fed/activity doesn't have the required github.com/go-fed/activity/streams/vocab package.

To update to the latest master, run go get github.com/go-fed/activity@master in the apcore directory.

• new enough version of go-fed/activity requested

This string is backwards. Trivial fix.

• fix order of user and db_name in "do you have a password" prompt

(side note: it would also be nice to be able to remember the password/lack of password in the config, even if it had to be added manually)

This always crashes because c is nil and the database config can't be guessed by the ini package.

Proposed fix:

diff --git a/config.go b/config.go
index 3d9cc38..14e11d7 100644
--- a/config.go
+++ b/config.go
@@ -145,6 +145,10 @@ func loadConfigFile(filename string, a Application, debug bool) (c *config, err
        if err != nil {
                return
        }
+       c, err = defaultConfig(cfg.Section("database").Key("db_database_kind").String())
+       if err != nil {
+               return
+       }
        err = cfg.MapTo(c)
        if err != nil {
                return

• don't crash at startup when reading the config file

it seems the current executable code path doesn't get any further than this, so I'll stop the review here for now

As mentioned in #36, an internal proxy is needed to manage the first party login page of applications using apcore. This means the underlying auth used is uniform for third and first parties, we can just provide a slightly different user experience for the first-party.

This page is a 404:
https://github.com/go-fed/activity/tree/v0.4.0/streams/vocab

you can go get github.com/go-fed/activity@master to update to the untagged latest version.

Be sure to add a configuration option to enable/disable it.

Such as the recursion flags (currently in Application interface, which need to be removed).

I know golang has a thing where you can go:

type S2SApp interface {
  ...
}
type C2SApp interface {
  ...
}

type Application interface {
  S2SApp
  C2SApp
}

Instead go-fed requires we implement a C2SEnabled/S2SEnabled function. I was thinking of making an AP server that had a GUI interface with no C2S at all, but because Application piles C2S and S2S functions all into one interface, it doesn't matter whether I return false from C2SEnabled. I still have to implement stubs for all the client to server functions, login, oauth, etc, and it still listens to URLs like /login for no reason.

if(C2SEnabled(app)) could always be written more like if(app.(C2SApp) !== nil) unless I seriously misunderstand the Go language, which is entirely possible.

Write PostgreSQL dialect SQL statements for apcore prepared statements.

There's quite a few.

Have keyboard interrupt call "stop".

Either:

• require a unique preferredUsername in the users model, for webfinger guarantees, or
• figure out a way to use human-friendly webfinger without requiring preferredUsername uniqueness.

Our users are not tied to preferredUsername so theoretically it should be changeable, but the webfinger integration is the only point where that may not be true.

Use prompting and services to initialize an administrative user in the database.

In a federated context, the go-fed library uses mutexes associated with specific IRIs before running associated business logic. However, this still doesn't prevent sql transactional conflicts at the service layer since it is not aware of mutexes. This can lead to transactional conflicts, which are not currently addressed. There are some different ways of approaching this:

0. Make a conceptual layer above service aware of the mutexes to lock in advance. I don't like this due to the open-ended nature of client code, which can lead to a leaky abstraction via opaque deadlocks. No fun for anyone.
1. Do not actually lock any mutexes in federated contexts, and introduce transactions instead into federated contexts, so that everything is tx-based, as Contexts can map 1 request to 1 tx. So a tx conflict is simply a matter of re-trying all the logic since that mapping is instantiated.
2. Refactor go-fed/activity to be transaction-aware instead of mutex-based, but as seen above, we can in theory make our implementation of go-fed/activity tx-based instead of mutex-based. I'm not confident a refactor of go-fed/activity to be tx-based would permit the lightweight mutex-based approach (which has its own benefits like enabling lightweight apps such as the testsuite).

It's labelled as a feature enhancement right now because it should result in a stability improvement in case of high sustained QPS / burst of QPS.

The oauth2 server framework does not support passing Context types around its signatures, so need to engineer a way to properly ensure that the request context is propagating through. Since it relies on database calls, it would be nice for OAuth2 requests to properly be cancelled when incoming requests are also cancelled. Without doing this, database calls will wastefully complete for cancelled requests.

Enforce the configuration's outbound rate-limit of outbound requests.

This entails:

• Framework allowing app.Application to add and modify arbitrary payloads
• Framework allowing app.Application to modify existing payloads

Fully encapsulate the go-fed/activity/pub library. Don't leak it out.

I don't know if the oauth2 server library is using PKCE under the hood, per the Oauth 2.1 recommendations.

Already occurring, but now tracked in this issue:

• 20b07c5
• aca6d80

Not straightforward since ActivityStreams id usually contains the scheme, so will need to make clear that no cross-over is possible (ex: cannot use debug mode on a productionized server creating data on a server serving https protocol). Lookups and the like will fail. This design choice should not be mistaken as a protection, because any new data will be created with http which would pollute the db, for any debugging/non-debugging mode.

So flipping that flag deserves a big ol' warning & confirmation.

For Cookie Auth and Encryption signing, in the config prompt.

From the APConf 2020 talk by Aaron Parecki it sounds like dynamic scope support would be very useful for ActivityPub related servers. I don't believe it is finalized yet, need more investigation.

Read in the database connection secret from config, not from stdin.

Be sure to add a configuration option to enable/disable it.

Have each config definition be able to self-validate. Ensure it is being called at config load time. Move the validation (ex: in server.go) into these functions.

Add a single special actor supporting server-level behavior.

Investigate how other software supports this actor and conform to their conventions, if possible.

When the database returns nothing, we need to return an error in such a case.

We then need to propagate that up to the handlers to properly render the "not found" page.

Currently, I don't think they're that great.

Probably need a division between:

• role (an agent)
• acl (a policy)

And the resolution would be the triple of (role, acl, data).

Ensure other parts of the oauth2 server library conform to the OAuth 2.1 spec, which is more of a compilation of best practices and learnings from OAuth2.

The major differences from OAuth 2.0 are listed below.

• PKCE is required for all OAuth clients using the authorization code flow
• Redirect URIs must be compared using exact string matching
• The Implicit grant (response_type=token) is omitted from this specification
• The Resource Owner Password Credentials grant is omitted from this specification
• Bearer token usage omits the use of bearer tokens in the query string of URIs
• Refresh tokens for public clients must either be sender-constrained or one-time use

• PKCE is #36 because I think it may be possible to do so w/o forking the oauth2 library
• All other above bullets are this issue
• Separate issue for upgrading to the latest version of the oauth2 library #37

Reviewing the go-fed/activity integration, in common there is the issue where the common utility function authenticateGetRequest is hardcoded to ask for the GetInbox scope, and never the GetOutbox scope. Both auths for GetInbox and GetOutbox call into this helper, so the GetOutbox is incorrect.