Fedify: ActivityPub server framework

https://hollo.social/@fedify/019080c7-c784-755d-a6f2-d1f91f2c5709

@fedify@hollo.social

Fedify is an #ActivityPub server framework in #TypeScript & #JavaScript. It aims to eliminate the complexity and redundant boilerplate code when building a federated server app, so that you can focus on your business logic and user experience.

The key features it provides currently are:

Type-safe objects for Activity Vocabulary (including some vendor-specific extensions)
#WebFinger client and server
HTTP Signatures & Linked Data Signatures & Object Integrity Proofs
Middleware for handling webhooks
#NodeInfo protocol
#Node.js, #Deno, and #Bun support
CLI toolchain for testing and debugging

If you're curious, take a look at the #Fedify website! There's comprehensive docs, a demo, a tutorial, example code, and more:

https://fedify.dev/

fedify.dev

Fedify

Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards, so-called fediverse.

Hollo

@hollo@hollo.social

To #Hollo users: please update your #Hollo to 0.1.0-dev.46, a #security patch which addresses @fedify's #vulnerability CVE-2024-39687, as soon as possible!

hollo.social

[CVE-2024-39687], a vulnerabil…

[CVE-2024-39687], a vulnerability that could potentially allow a [Server Side Request Forgery][SSRF] (SSRF) attack, was discovered in #Fedify and a security patch has been applied to fix it. The patched versions are [0.9.2], [0.10.1], and [0.11.1], respectively. If you are using an earlier version, please update as soon as possible. Thanks to @thisismissem@hachyderm.io for reporting the vulnerability! [CVE-2024-39687]: https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx [SSRF]: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery [0.9.2]: https://github.com/dahlia/fedify/releases/tag/0.9.2 [0.10.1]: https://github.com/dahlia/fedify/releases/tag/0.10.1 [0.11.1]: https://github.com/dahlia/fedify/releases/tag/0.11.1

https://hollo.social/@fedify/019080c7-c784-755d-a6f2-d1f91f2c5709

@hongminhee@fosstodon.org

To #Fedify users: please update your Fedify as soon as possible!

hollo.social

[CVE-2024-39687], a vulnerabil…

[CVE-2024-39687], a vulnerability that could potentially allow a [Server Side Request Forgery][SSRF] (SSRF) attack, was discovered in Fedify and a security patch has been applied to fix it. The patched versions are [0.9.2], [0.10.1], and [0.11.1], respectively. If you are using an earlier version, please update as soon as possible. Thanks to @thisismissem@hachyderm.io for reporting the vulnerability! [CVE-2024-39687]: https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx [SSRF]: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery [0.9.2]: https://github.com/dahlia/fedify/releases/tag/0.9.2 [0.10.1]: https://github.com/dahlia/fedify/releases/tag/0.10.1 [0.11.1]: https://github.com/dahlia/fedify/releases/tag/0.11.1

@fedify@hollo.social

CVE-2024-39687, a vulnerability that could potentially allow a Server Side Request Forgery (SSRF) attack, was discovered in #Fedify and a security patch has been applied to fix it. The patched versions are 0.9.2, 0.10.1, and 0.11.1, respectively. If you are using an earlier version, please update as soon as possible.

Thanks to @thisismissem for reporting the vulnerability!

Release Fedify 0.11.1 · dahlia/fedify

Released on July 5, 2024. Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687] The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or...

@fedify@hollo.social

Hooray, #Fedify's GitHub repository just hit 300 stars!

ALT text
Fedify's GitHub repository, which has over 300 stars.

Anuj Ahooja

@quillmatiq@threads.net · Reply to Tim Chambers

I've been using fedify for the last few months and I'm absolutely loving it. It makes it really easy to prototype new ideas.

https://writings.hongminhee.org/2024/07/ghost-funds-fedify/

@hongminhee@fosstodon.org

I jsut wrote a detailed post on my blog about @ghost's #funding for @fedify! (Both English and Korean available.)

#Fedify #fedidev

writings.hongminhee.org

Ghost funds Fedify

https://unstable.fedify.dev/manual/inbox#making-inbox-listeners-non-blocking

@hongminhee@fosstodon.org · Reply to 洪民憙 (Hong Minhee)

#Fedify now has a queue for incoming activities and they are automatically retried when they fail. The default retry strategy is good enough (exponential backoff + decorrelated jitter), and it's even fully customizable. Updated also the docs:

You can give it a try by installing 0.12.0-dev.265+cb851932, the latest unstable release:

https://jsr.io/@fedify/fedify@0.12.0-dev.265+cb851932
https://www.npmjs.com/package/@fedify/fedify/v/0.12.0-dev.265

npmjs.com

@fedify/fedify

An ActivityPub server framework. Latest version: 0.11.0, last published: 4 days ago. Start using @fedify/fedify in your project by running `npm i @fedify/fedify`. There is 1 other project in the npm registry using @fedify/fedify.

@hongminhee@fosstodon.org

In the next version of #Fedify, the #RetryPolicy type is introduced to let you fully customize the retry policy of the task queue for incoming and outgoing activities. Of course, you can also simply adjust the parameters of the built-in exponential backoff + decorrelated jitter policy.

outboxRetryPolicy

This API is available since Fedify 0.12.0.

The retry policy for sending activities to recipients' inboxes.

By default, this uses an exponential backoff strategy with a maximum of 10 attempts and a maximum delay of 12 hours.

You can fully customize the retry policy by providing a custom function that satisfies the RetryPolicy type. Or you can adjust the parameters of the createExponentialBackoffRetryPolicy() function, which is a default implementation of the retry policy. — ALT text
outboxRetryPolicy This API is available since Fedify 0.12.0. The retry policy for sending activities to recipients' inboxes. By default, this uses an exponential backoff strategy with a maximum of 10 attempts and a maximum delay of 12 hours. You can fully customize the retry policy by providing a custom function that satisfies the RetryPolicy type. Or you can adjust the parameters of the createExponentialBackoffRetryPolicy() function, which is a default implementation of the retry policy.

https://hollo.social/@fedify/0190687b-1a09-728b-8a0d-bcbd4dca54cd

@hongminhee@fosstodon.org

Basic implementation of the inbox queue is complete and documentation is being worked on.

#Fedify #fedidev

Making inbox listeners non-blocking

This API is available since Fedify 0.12.0.

Usually, processes inside an inbox listener should be non-blocking because they may involve long-running tasks. Fortunately, you can easily turn inbox listeners into non-blocking by providing a queue option to createFederation() function. If it is not present, incoming activities are processed immediately and block the response to the sender until the processing is done.

While the queue option is not mandatory, it is highly recommended to use it in production environments to prevent the server from being overwhelmed by incoming activities.

Note: Activities with invalid signatures/proofs are silently ignored and not queued. — ALT text
Making inbox listeners non-blocking This API is available since Fedify 0.12.0. Usually, processes inside an inbox listener should be non-blocking because they may involve long-running tasks. Fortunately, you can easily turn inbox listeners into non-blocking by providing a queue option to createFederation() function. If it is not present, incoming activities are processed immediately and block the response to the sender until the processing is done. While the queue option is not mandatory, it is highly recommended to use it in production environments to prevent the server from being overwhelmed by incoming activities. Note: Activities with invalid signatures/proofs are silently ignored and not queued.

https://github.com/dahlia/fedify/issues/66#issuecomment-2198967566

@fedify@hollo.social

In the next version of #Fedify, the Context.hostname, Context.host, and Context.origin properties will be added for better multitenancy/virtual hosting support.

github.com

Multiple domain support · Issue #66 · dahlia/fedify

Takahe is an ActivityPub server with support for multiple domains on the same server (“virtual hosting”). Virtual hosting of multiple domains on a single ActivityPub server removes the need to run ...

https://github.com/dahlia/fedify/issues/70

@fedify@hollo.social

#Fedify has always been queuing outgoing activities, but not incoming activities. Thanks to @ghost's sponsorship, we are now implementing queues for incoming activities!

github.com

Queue for incoming activities · Issue #70 · dahlia/fedify

For now, Fedify has the queue for outgoing activities, but there's no queue for the opposite. For better reliability, incoming activities also should be queued.

- Sharkey v2024.5.1
- Gancio v1.18.0
- Mitra v2.23.0
- neodb v0.10.2.3
- Castopod v1.12.0
- NodeBB v4.0.0-alpha (aka ActivityPub alpha release)
- Hollo: Federated single-user microblogging software powered by Fedify

@hongminhee@fosstodon.org · Reply to 洪民憙 (Hong Minhee)

It was trivial than I expected; #Fedify now supports #ChatMessage type!

洪民憙 (Hong Minhee) 🤏🏼

@hongminhee@todon.eu

Did you know? #Fedify offers the markdown-it plugins for parsing #Mastodon-style mentions and hashtags syntax.

• @fedify/markdown-it-mention: https://github.com/dahlia/markdown-it-mention
• @fedify/markdown-it-hashtag: https://github.com/dahlia/markdown-it-hashtag

Check it out!

github.com

GitHub - dahlia/markdown-it-hashtag: A markdown-it plugin that parses and renders Mastodon-style #hashtags

A markdown-it plugin that parses and renders Mastodon-style #hashtags - dahlia/markdown-it-hashtag

Week in Fediverse

@weekinfediverse@mitra.social

Week in Fediverse 2024-06-28

Servers

Clients

- IceCubesApp v1.10.43
- Tuba v0.8.1
- Pachli v2.6.0
- mlmym v0.0.46
- P2Play v0.8.1
- Phanpy changelog

Tools and Plugins

- FediFetcher v7.1.1
- Granary v7.0
- Fedify v0.11.0
- Betulon: A simple utility to add Mastodon bookmarks to Betula

Articles

- Meta is connecting Threads more deeply with the fediverse

-----

#WeekInFediverse #Fediverse #ActivityPub

Previous edition: https://mitra.social/objects/01903bb6-c8eb-3a66-3305-460bf5a946d1

mitra.social

Mitra | Federated social network

Federated social network

https://github.com/dahlia/fedify/releases/tag/0.11.0

@fedify@hollo.social

Version 0.11.0 of Fedify, an ActivityPub server framework, has been released! Here are the key changes:

Followed up changes in eddsa-jcs-2022 spec for Object Integrity Proofs.
Frequently used JSON-LD contexts are now bundled with Fedify.
Inbox, linked, featured, and featured tags collection dispatchers are introduced. (Thanks to @ghost!)
Activity Vocabulary API now has better runtime type error messages.
The items property of OrderedCollection and OrderedCollectionPage is now represented as orderedItems (was items) in JSON-LD.
Added Invite, Join, Leave, Listen, Offer classes. (Thanks to Randy Wressell & @moreal!)

Release Fedify 0.11.0 · dahlia/fedify

Released on June 29, 2024. Improved runtime type error messages for Activity Vocabulary API. [#79] Added suppressError option to dereferencing accessors of Activity Vocabulary classes. Added...

https://hollo.social/@fedify/01905e6b-deec-785a-9bda-b72883031f8f

@fedify@hollo.social · Reply to Fedify: ActivityPub server framework

If you want a message queue backend for #RabbitMQ as well, please upvote this issue!

#Fedify

github.com

RabbitMQ implementation · Issue #83 · dahlia/fedify

A RabbitMQ implementation of MessageQueue just like the one for Redis would be great as a message broker. Thanks!

Hollo

@hollo@hollo.social

#Hollo is using this @fedify/redis package for caching and queuing. Battle tested!

hollo.social

#Fedify has supported optional…

#Fedify has supported optional queuing for outgoing activities, with two built-in message queue backends: [`InProcessMessageQueue`](https://jsr.io/@fedify/fedify/doc/~/InProcessMessageQueue), which is suitable for development, and [`DenoKvMessageQueue`](https://jsr.io/@fedify/fedify/doc/x/denokv/~/DenoKvMessageQueue), which is only available in Deno. Fedify has also had two built-in cache backends, [`MemoryKvStore`](https://jsr.io/@fedify/fedify/doc/~/MemoryKvStore), which is suitable for development, and [`DenoKvStore`](https://jsr.io/@fedify/fedify/doc/x/denokv/~/DenoKvStore), which is only available in Deno. Now, however, by installing the [@fedify/redis](https://github.com/dahlia/fedify-redis) package, you can use #Redis as both a message queue backend and a cache backend! Unlike `DenoKvMessageQueue` and `DenoKvStore`, it's also available for #Node.js and #Bun. This feature was made possible with the support of @ghost@threads.net. https://github.com/dahlia/fedify-redis #fedidev

https://github.com/dahlia/fedify-redis

@fedify@hollo.social

#Fedify has supported optional queuing for outgoing activities, with two built-in message queue backends: InProcessMessageQueue, which is suitable for development, and DenoKvMessageQueue, which is only available in Deno.

Fedify has also had two built-in cache backends, MemoryKvStore, which is suitable for development, and DenoKvStore, which is only available in Deno.

Now, however, by installing the @fedify/redis package, you can use #Redis as both a message queue backend and a cache backend! Unlike DenoKvMessageQueue and DenoKvStore, it's also available for #Node.js and #Bun.

This feature was made possible with the support of @ghost.

#fedidev

github.com

GitHub - dahlia/fedify-redis: Redis drivers for Fedify

Redis drivers for Fedify. Contribute to dahlia/fedify-redis development by creating an account on GitHub.

洪民憙 (Hong Minhee) 🤏🏼

@hongminhee@todon.eu

We have a space on #Matrix for the #Fedify community, so if you have any questions, feel free to join us and ask!

https://matrix.to/#/#fedify:matrix.org

matrix.to

You're invited to talk on Matrix

@fedify@hollo.social

Fedify is an #ActivityPub server framework in #TypeScript & #JavaScript. It aims to eliminate the complexity and redundant boilerplate code when building a federated server app, so that you can focus on your business logic and user experience.

The key features it provides currently are:

Type-safe objects for Activity Vocabulary (including some vendor-specific extensions)
#WebFinger client and server
HTTP Signatures & Linked Data Signatures & Object Integrity Proofs
Middleware for handling webhooks
#NodeInfo protocol
#Node.js, #Deno, and #Bun support
CLI toolchain for testing and debugging

If you're curious, take a look at the #Fedify website! There's comprehensive docs, a demo, a tutorial, example code, and more:

https://fedify.dev/

fedify.dev

Fedify

Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards, so-called fediverse.

https://hollo.social/@fedify/01905d6a-5d70-75bc-881e-d6c155a5051c

@hongminhee@fosstodon.org

#Fedify now has the official #Hollo account! Please follow @fedify!

#fedidev

hollo.social

Hello, #fediverse! It's the of…

Hello, #fediverse! It's the official fedi account of the [Fedify](https://fedify.dev/), an #ActivityPub server framework! #Fedify #fedidev