Fedify: an ActivityPub server framework's avatar

Fedify: an ActivityPub server framework

@[email protected] · 7 following · 375 followers

Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards, so-called fediverse. It aims to eliminate the complexity and redundant boilerplate code when building a federated server app, so that you can focus on your business logic and user experience.

WebsiteGitHubJSRnpm

https://fedify.dev/

https://github.com/dahlia/fedify

https://jsr.io/@fedify/fedify

https://www.npmjs.com/package/@fedify/fedify

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected]

We released 0.9.2, 0.10.1, and 0.11.1, which patched the last reported , CVE-2024-39687, but the vulnerability of SSRF attacks via DNS rebinding still exists, so we released Fedify 0.9.3, 0.10.2, and 0.11.2, which fixes it.

If you are using an earlier version, please update as soon as possible.

Thanks to @benaryorg for reporting the vulnerability!

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected] · Reply to Mitex Leo's post

@ml Apparently they (Ghost) have a bug. We'll inform them!

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected]

We're releasing @fedify/h3! Now you can integrate with h3, an HTTP server framework behind Nitro, Analog, Vinxi, SolidStart, TanStack Start, and other many web frameworks.

https://github.com/dahlia/fedify-h3

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected] · Reply to Mitex Leo's post

@ml What Mastodon client app do you use?

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected] · Reply to silverpill's post

@silverpill Yeah, they apparently missed to wrap it with Image object! See their code:

https://github.com/TryGhost/ActivityPub/blob/c82715db4529f9a71de8853d159ae26d576c385f/src/dispatchers.ts#L40

It should be changed as like below (from @hollo):

https://github.com/dahlia/hollo/blob/7b51666bfdfd6efea511c03cd305432643e423b7/src/federation/index.ts#L86-L88

Alejandro Baez's avatar
Alejandro Baez

@[email protected]

Woah, is now live in the with @index.

Absolutely outstanding progress! definitely deserves a great deal of recognition for making this possible. 😎

Feeling like we now have tooling in place to fediverse all things. 😅

Ayo :webtools:'s avatar
Ayo :webtools:

@[email protected]

looks like there will be lighter-weight alternatives to mastodon, thanks to @fedify — maybe I’ll hack together a simple one? 🙃

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected]

Finally, @ghost has open sourced their implementation powered by ! For Fedify users, this means another production-grade example code.

If you'd like to follow updates on 's ActivityPub implementation, you can do so by following @index!

https://github.com/TryGhost/ActivityPub

Anuj Ahooja's avatar
Anuj Ahooja

@[email protected]

Two big pieces of news in Ghost's progress on ActivtyPub integration:

1. You can now follow their newsletter from the Fediverse at this address: @index
2. They've open sourced their ActivityPub work!

We're many steps closer to being able to follow Ghost newsletters on the rather than cluttering up your email inbox 🙏🏻

activitypub.ghost.org/lets-fix

Emelia 👸🏻's avatar
Emelia 👸🏻

@[email protected] · Reply to Fedify: an ActivityPub server framework's post

@fedify users of Fedify still need to keep potential for SSRF in mind when requesting any URLs in Activities/Objects not through these APIs, e.g., when downloading media from a remote server for caching

technicat's avatar
technicat

@[email protected]

I was planning to play around with but got sidetracked into learning ...

Hollo's avatar
Hollo

@[email protected]

To users: please update your to 0.1.0-dev.46, a patch which addresses @fedify's CVE-2024-39687, as soon as possible!

https://hollo.social/@fedify/019080c7-c784-755d-a6f2-d1f91f2c5709

洪 民憙 (Hong Minhee)'s avatar
洪 民憙 (Hong Minhee)

@[email protected]

To users: please update your Fedify as soon as possible!

hollo.social/@fedify/019080c7-

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected]

CVE-2024-39687, a vulnerability that could potentially allow a Server Side Request Forgery (SSRF) attack, was discovered in and a security patch has been applied to fix it. The patched versions are 0.9.2, 0.10.1, and 0.11.1, respectively. If you are using an earlier version, please update as soon as possible.

Thanks to @thisismissem for reporting the vulnerability!

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected]

Hooray, 's GitHub repository just hit 300 stars!

Fedify's GitHub repository, which has over 300 stars.
Fedify's GitHub repository, which has over 300 stars.
Anuj Ahooja's avatar
Anuj Ahooja

@[email protected] · Reply to Tim Chambers's post

I've been using fedify for the last few months and I'm absolutely loving it. It makes it really easy to prototype new ideas.

洪 民憙 (Hong Minhee)'s avatar
洪 民憙 (Hong Minhee)

@[email protected]

I jsut wrote a detailed post on my blog about @ghost's for @fedify! (Both English and Korean available.)

writings.hongminhee.org/2024/0

洪 民憙 (Hong Minhee)'s avatar
洪 民憙 (Hong Minhee)

@[email protected] · Reply to 洪 民憙 (Hong Minhee)'s post

now has a queue for incoming activities and they are automatically retried when they fail. The default retry strategy is good enough (exponential backoff + decorrelated jitter), and it's even fully customizable. Updated also the docs:

unstable.fedify.dev/manual/inb

You can give it a try by installing 0.12.0-dev.265+cb851932, the latest unstable release:

jsr.io/@fedify/[email protected]
npmjs.com/package/@fedify/fedi

洪 民憙 (Hong Minhee)'s avatar
洪 民憙 (Hong Minhee)

@[email protected]

In the next version of , the type is introduced to let you fully customize the retry policy of the task queue for incoming and outgoing activities. Of course, you can also simply adjust the parameters of the built-in exponential backoff + decorrelated jitter policy.

outboxRetryPolicy

This API is available since Fedify 0.12.0.

The retry policy for sending activities to recipients' inboxes.

By default, this uses an exponential backoff strategy with a maximum of 10 attempts and a maximum delay of 12 hours.

You can fully customize the retry policy by providing a custom function that satisfies the RetryPolicy type. Or you can adjust the parameters of the createExponentialBackoffRetryPolicy() function, which is a default implementation of the retry policy.
outboxRetryPolicy This API is available since Fedify 0.12.0. The retry policy for sending activities to recipients' inboxes. By default, this uses an exponential backoff strategy with a maximum of 10 attempts and a maximum delay of 12 hours. You can fully customize the retry policy by providing a custom function that satisfies the RetryPolicy type. Or you can adjust the parameters of the createExponentialBackoffRetryPolicy() function, which is a default implementation of the retry policy.
洪 民憙 (Hong Minhee)'s avatar
洪 民憙 (Hong Minhee)

@[email protected]

Basic implementation of the inbox queue is complete and documentation is being worked on.

hollo.social/@fedify/0190687b-

Making inbox listeners non-blocking

This API is available since Fedify 0.12.0.

Usually, processes inside an inbox listener should be non-blocking because they may involve long-running tasks. Fortunately, you can easily turn inbox listeners into non-blocking by providing a queue option to createFederation() function. If it is not present, incoming activities are processed immediately and block the response to the sender until the processing is done.

While the queue option is not mandatory, it is highly recommended to use it in production environments to prevent the server from being overwhelmed by incoming activities.

Note: Activities with invalid signatures/proofs are silently ignored and not queued.
Making inbox listeners non-blocking This API is available since Fedify 0.12.0. Usually, processes inside an inbox listener should be non-blocking because they may involve long-running tasks. Fortunately, you can easily turn inbox listeners into non-blocking by providing a queue option to createFederation() function. If it is not present, incoming activities are processed immediately and block the response to the sender until the processing is done. While the queue option is not mandatory, it is highly recommended to use it in production environments to prevent the server from being overwhelmed by incoming activities. Note: Activities with invalid signatures/proofs are silently ignored and not queued.
Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected]

In the next version of , the Context.hostname, Context.host, and Context.origin properties will be added for better multitenancy/virtual hosting support.

https://github.com/dahlia/fedify/issues/66#issuecomment-2198967566

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected]

has always been queuing outgoing activities, but not incoming activities. Thanks to @ghost's sponsorship, we are now implementing queues for incoming activities!

https://github.com/dahlia/fedify/issues/70

洪 民憙 (Hong Minhee)'s avatar
洪 民憙 (Hong Minhee)

@[email protected] · Reply to 洪 民憙 (Hong Minhee)'s post

It was trivial than I expected; now supports type!

洪 民憙 (Hong Minhee) 🤏🏼's avatar
洪 民憙 (Hong Minhee) 🤏🏼

@[email protected]

Did you know? offers the markdown-it plugins for parsing -style mentions and hashtags syntax.

• @fedify/markdown-it-mention: github.com/dahlia/markdown-it-
• @fedify/markdown-it-hashtag: github.com/dahlia/markdown-it-

Check it out!

Week in Fediverse's avatar
Week in Fediverse

@[email protected]

Week in Fediverse 2024-06-28

Servers

- Sharkey v2024.5.1
- Gancio v1.18.0
- Mitra v2.23.0
- neodb v0.10.2.3
- Castopod v1.12.0
- NodeBB v4.0.0-alpha (aka ActivityPub alpha release)
- Hollo: Federated single-user microblogging software powered by Fedify

Clients

- IceCubesApp v1.10.43
- Tuba v0.8.1
- Pachli v2.6.0
- mlmym v0.0.46
- P2Play v0.8.1
- Phanpy changelog

Tools and Plugins

- FediFetcher v7.1.1
- Granary v7.0
- Fedify v0.11.0
- Betulon: A simple utility to add Mastodon bookmarks to Betula

Articles

- Meta is connecting Threads more deeply with the fediverse

-----

#WeekInFediverse #Fediverse #ActivityPub

Previous edition: https://mitra.social/objects/01903bb6-c8eb-3a66-3305-460bf5a946d1

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected]

Version 0.11.0 of Fedify, an ActivityPub server framework, has been released! Here are the key changes:

https://github.com/dahlia/fedify/releases/tag/0.11.0

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected] · Reply to Fedify: an ActivityPub server framework's post

If you want a message queue backend for as well, please upvote this issue!

Hollo's avatar
Hollo

@[email protected]

is using this @fedify/redis package for caching and queuing. Battle tested!

https://hollo.social/@fedify/01905e6b-deec-785a-9bda-b72883031f8f

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected]

has supported optional queuing for outgoing activities, with two built-in message queue backends: InProcessMessageQueue, which is suitable for development, and DenoKvMessageQueue, which is only available in Deno.

Fedify has also had two built-in cache backends, MemoryKvStore, which is suitable for development, and DenoKvStore, which is only available in Deno.

Now, however, by installing the @fedify/redis package, you can use as both a message queue backend and a cache backend! Unlike DenoKvMessageQueue and DenoKvStore, it's also available for .js and .

This feature was made possible with the support of @ghost.

https://github.com/dahlia/fedify-redis

洪 民憙 (Hong Minhee) 🤏🏼's avatar
洪 民憙 (Hong Minhee) 🤏🏼

@[email protected]

We have a space on for the community, so if you have any questions, feel free to join us and ask!

matrix.to/#/#fedify:matrix.org

Older →