ActivityPub: Add basic, read-only support for Outboxes, Notes, and Create/Announce Activities (#2197)

* Clean up collapsible components

* Expose user Outboxes and AS2 representations of statuses

* Save work thus far.

* Fix bad merge.

* Save my work

* Clean up pagination.

* First test working.

* Add tests.

* Add Forbidden error template.

* Revert yarn.lock changes.

* Fix code style deviations and use localized instead of hardcoded English text.

app/controllers/accounts_controller.rb

@@ -15,7 +15,9 @@ class AccountsController < ApplicationController
         render xml: AtomSerializer.render(AtomSerializer.new.feed(@account, @entries.to_a))
       end
 
-      format.activitystreams2
+      format.activitystreams2 do
+        headers['Access-Control-Allow-Origin'] = '*'
+      end
     end
   end
 

app/controllers/api/activitypub/activities_controller.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+class Api::Activitypub::ActivitiesController < ApiController
+  # before_action :set_follow, only: [:show_follow]
+  before_action :set_status, only: [:show_status]
+
+  respond_to :activitystreams2
+
+  # Show a status in AS2 format, as either an Announce (reblog) or a Create (post) activity.
+  def show_status
+    headers['Access-Control-Allow-Origin'] = '*'
+
+    return forbidden unless @status.permitted?
+
+    if @status.reblog?
+      render :show_status_announce
+    else
+      render :show_status_create
+    end
+  end
+
+  private
+
+  def set_status
+    @status = Status.find(params[:id])
+  end
+end

app/controllers/api/activitypub/notes_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class Api::Activitypub::NotesController < ApiController
+  before_action :set_status
+
+  respond_to :activitystreams2
+
+  def show
+    headers['Access-Control-Allow-Origin'] = '*'
+
+    forbidden unless @status.permitted?
+  end
+
+  private
+
+  def set_status
+    @status = Status.find(params[:id])
+  end
+end

app/controllers/api/activitypub/outbox_controller.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+class Api::Activitypub::OutboxController < ApiController
+  before_action :set_account
+
+  respond_to :activitystreams2
+
+  def show
+    headers['Access-Control-Allow-Origin'] = '*'
+
+    @statuses = Status.as_outbox_timeline(@account).paginate_by_max_id(limit_param(DEFAULT_STATUSES_LIMIT), params[:max_id], params[:since_id])
+    @statuses = cache_collection(@statuses)
+
+    set_maps(@statuses)
+
+    # Since the statuses are in reverse chronological order, last is the lowest ID.
+    @next_path = api_activitypub_outbox_url(max_id: @statuses.last.id) if @statuses.size == limit_param(DEFAULT_STATUSES_LIMIT)
+
+    unless @statuses.empty?
+      if @statuses.first.id == 1
+        @prev_path = api_activitypub_outbox_url
+      elsif params[:max_id]
+        @prev_path = api_activitypub_outbox_url(since_id: @statuses.first.id)
+      end
+    end
+
+    @paginated = @next_path || @prev_path
+
+    set_pagination_headers(@next_path, @prev_path)
+  end
+
+  private
+
+  def cache_collection(raw)
+    super(raw, Status)
+  end
+
+  def set_account
+    @account = Account.find(params[:id])
+  end
+end

app/controllers/application_controller.rb

@@ -62,6 +62,13 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def forbidden
+    respond_to do |format|
+      format.any  { head 403 }
+      format.html { render 'errors/403', layout: 'error', status: 403 }
+    end
+  end
+
   def unprocessable_entity
     respond_to do |format|
       format.any  { head 422 }

app/helpers/activitystreams2_builder_helper.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Activitystreams2BuilderHelper
+  # Gets a usable name for an account, using display name or username.
+  def account_name(account)
+    account.display_name.empty? ? account.username : account.display_name
+  end
+end

app/models/status.rb

@@ -140,6 +140,10 @@ class Status < ApplicationRecord
       account.nil? ? filter_timeline_default(query) : filter_timeline_default(filter_timeline(query, account))
     end
 
+    def as_outbox_timeline(account)
+      where(account: account, visibility: :public)
+    end
+
     def favourites_map(status_ids, account_id)
       Favourite.select('status_id').where(status_id: status_ids).where(account_id: account_id).map { |f| [f.status_id, true] }.to_h
     end

app/views/accounts/show.activitystreams2.rabl

@@ -6,3 +6,4 @@ attributes display_name: :name, username: :preferredUsername, note: :summary
 
 node(:icon)   { |account| full_asset_url(account.avatar.url(:original)) }
 node(:image)  { |account| full_asset_url(account.header.url(:original)) }
+node(:outbox) { |account| api_activitypub_outbox_url(account.id) }

app/views/activitypub/types/announce.activitystreams2.rabl

@@ -0,0 +1,3 @@
+extends 'activitypub/intransient.activitystreams2.rabl'
+
+node(:type) { 'Announce' }

app/views/activitypub/types/collection.activitystreams2.rabl

@@ -0,0 +1,5 @@
+extends 'activitypub/intransient.activitystreams2.rabl'
+
+node(:type)       { 'Collection' }
+node(:items)      { [] }
+node(:totalItems) { 0 }

app/views/activitypub/types/create.activitystreams2.rabl

@@ -0,0 +1,3 @@
+extends 'activitypub/intransient.activitystreams2.rabl'
+
+node(:type) { 'Create' }

app/views/activitypub/types/note.activitystreams2.rabl

@@ -0,0 +1,3 @@
+extends 'activitypub/intransient.activitystreams2.rabl'
+
+node(:type) { 'Note' }

app/views/activitypub/types/ordered_collection.activitystreams2.rabl

@@ -0,0 +1,3 @@
+extends 'activitypub/types/collection.activitystreams2.rabl'
+
+node(:type) { 'OrderedCollection' }

app/views/activitypub/types/ordered_collection_page.activitystreams2.rabl

@@ -0,0 +1,4 @@
+extends 'activitypub/types/ordered_collection.activitystreams2.rabl'
+
+node(:type)     { 'OrderedCollectionPage' }
+node(:current)  { request.original_url }

app/views/api/activitypub/activities/_show_status.activitystreams2.rabl

@@ -0,0 +1,4 @@
+object @status
+
+node(:actor)     { |status| TagManager.instance.url_for(status.account) }
+node(:published) { |status| status.created_at.to_time.xmlschema }

app/views/api/activitypub/activities/show_status_announce.activitystreams2.rabl

@@ -0,0 +1,8 @@
+extends 'activitypub/types/announce.activitystreams2.rabl'
+extends 'api/activitypub/activities/_show_status.activitystreams2.rabl'
+
+object @status
+
+node(:name)   { |status| t('activitypub.activity.announce.name', account_name: account_name(status.account)) }
+node(:url)    { |status| TagManager.instance.url_for(status) }
+node(:object) { |status| api_activitypub_status_url(status.reblog_of_id) }

app/views/api/activitypub/activities/show_status_create.activitystreams2.rabl

@@ -0,0 +1,8 @@
+extends 'activitypub/types/create.activitystreams2.rabl'
+extends 'api/activitypub/activities/_show_status.activitystreams2.rabl'
+
+object @status
+
+node(:name)   { |status| t('activitypub.activity.create.name', account_name: account_name(status.account)) }
+node(:url)    { |status| TagManager.instance.url_for(status) }
+node(:object) { |status| api_activitypub_note_url(status) }

app/views/api/activitypub/notes/show.activitystreams2.rabl

@@ -0,0 +1,11 @@
+extends 'activitypub/types/note.activitystreams2.rabl'
+
+object @status
+
+attributes :content
+
+node(:name)         { |status| status.content }
+node(:url)          { |status| TagManager.instance.url_for(status) }
+node(:attributedTo) { |status| TagManager.instance.url_for(status.account) }
+node(:inReplyTo)    { |status| api_activitypub_note_url(status.thread) } if @status.thread
+node(:published)    { |status| status.created_at.to_time.xmlschema }

app/views/api/activitypub/outbox/show.activitystreams2.rabl

@@ -0,0 +1,23 @@
+if @paginated
+  extends 'activitypub/types/ordered_collection_page.activitystreams2.rabl'
+else
+  extends 'activitypub/types/ordered_collection.activitystreams2.rabl'
+end
+
+object @account
+
+node(:items) do
+  @statuses.map { |status| api_activitypub_status_url(status) }
+end
+
+node(:totalItems) { @statuses.count }
+node(:next)       { @next_path } if @next_path
+node(:prev)       { @prev_path } if @prev_path
+
+node(:name)       { |account| t('activitypub.outbox.name', account_name: account_name(account)) }
+node(:summary)    { |account| t('activitypub.outbox.summary', account_name: account_name(account)) }
+node(:updated) do |account|
+  times = @statuses.map { |status| status.updated_at.to_time }
+  times << account.created_at.to_time
+  times.max.xmlschema
+end

app/views/errors/403.html.haml

@@ -0,0 +1,5 @@
+- content_for :page_title do
+  = t('errors.403')
+
+- content_for :content do
+  = t('errors.403')

config/locales/en.yml

@@ -40,6 +40,15 @@ en:
     posts: Posts
     remote_follow: Remote follow
     unfollow: Unfollow
+  activitypub:
+    outbox:
+      name: "%{account_name}'s Outbox"
+      summary: "A collection of activities from user %{account_name}."
+    activity:
+      create:
+        name: "%{account_name} created a note."
+      announce:
+        name: "%{account_name} announced an activity."
   admin:
     accounts:
       are_you_sure: Are you sure?
@@ -206,6 +215,7 @@ en:
       x_months: "%{count}mo"
       x_seconds: "%{count}s"
   errors:
+    '403': You don't have permission to view this page.
     '404': The page you were looking for doesn't exist.
     '410': The page you were looking for doesn't exist anymore.
     '422':

config/routes.rb

@@ -106,6 +106,15 @@ Rails.application.routes.draw do
     # OEmbed
     get '/oembed', to: 'oembed#show', as: :oembed
 
+    # ActivityPub
+    namespace :activitypub do
+      get '/users/:id/outbox', to: 'outbox#show', as: :outbox
+
+      get '/statuses/:id', to: 'activities#show_status', as: :status
+
+      resources :notes, only: [:show]
+    end
+
     # JSON / REST API
     namespace :v1 do
       resources :statuses, only: [:create, :show, :destroy] do

spec/controllers/api/activitypub/activities_controller_spec.rb

@@ -0,0 +1,77 @@
+require 'rails_helper'
+
+RSpec.describe Api::Activitypub::ActivitiesController, type: :controller do
+  render_views
+
+  let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) }
+
+  describe 'GET #show' do
+    describe 'normal status' do
+      public_status = nil
+
+      before do
+        public_status = Status.create!(account: user.account, text: 'Hello world', visibility: :public)
+
+        @request.env['HTTP_ACCEPT'] = 'application/activity+json'
+        get :show_status, id: public_status.id
+      end
+
+      it 'returns http success' do
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'sets Content-Type header to AS2' do
+        expect(response.header['Content-Type']).to include 'application/activity+json'
+      end
+
+      it 'sets Access-Control-Allow-Origin header to *' do
+        expect(response.header['Access-Control-Allow-Origin']).to eq '*'
+      end
+
+      it 'returns http success' do
+        json_data = JSON.parse(response.body)
+        expect(json_data).to include('@context' => 'https://www.w3.org/ns/activitystreams')
+        expect(json_data).to include('type' => 'Create')
+        expect(json_data).to include('id' => @request.url)
+        expect(json_data).to include('type' => 'Create')
+        expect(json_data).to include('object' => api_activitypub_note_url(public_status))
+        expect(json_data).to include('url' => TagManager.instance.url_for(public_status))
+      end
+    end
+
+    describe 'reblog' do
+      original = nil
+      reblog = nil
+
+      before do
+        original = Status.create!(account: user.account, text: 'Hello world', visibility: :public)
+        reblog = Status.create!(account: user.account, reblog_of_id: original.id, visibility: :public)
+
+        @request.env['HTTP_ACCEPT'] = 'application/activity+json'
+        get :show_status, id: reblog.id
+      end
+
+      it 'returns http success' do
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'sets Content-Type header to AS2' do
+        expect(response.header['Content-Type']).to include 'application/activity+json'
+      end
+
+      it 'sets Access-Control-Allow-Origin header to *' do
+        expect(response.header['Access-Control-Allow-Origin']).to eq '*'
+      end
+
+      it 'returns http success' do
+        json_data = JSON.parse(response.body)
+        expect(json_data).to include('@context' => 'https://www.w3.org/ns/activitystreams')
+        expect(json_data).to include('type' => 'Announce')
+        expect(json_data).to include('id' => @request.url)
+        expect(json_data).to include('type' => 'Announce')
+        expect(json_data).to include('object' => api_activitypub_status_url(original))
+        expect(json_data).to include('url' => TagManager.instance.url_for(reblog))
+      end
+    end
+  end
+end

spec/controllers/api/activitypub/notes_controller_spec.rb

@@ -0,0 +1,81 @@
+require 'rails_helper'
+
+RSpec.describe Api::Activitypub::NotesController, type: :controller do
+  render_views
+
+  let(:user_alice)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) }
+  let(:user_bob)  { Fabricate(:user, account: Fabricate(:account, username: 'bob')) }
+
+  describe 'GET #show' do
+    describe 'normal status' do
+      public_status = nil
+
+      before do
+        public_status = Status.create!(account: user_alice.account, text: 'Hello world', visibility: :public)
+
+        @request.env['HTTP_ACCEPT'] = 'application/activity+json'
+        get :show, id: public_status.id
+      end
+
+      it 'returns http success' do
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'sets Content-Type header to AS2' do
+        expect(response.header['Content-Type']).to include 'application/activity+json'
+      end
+
+      it 'sets Access-Control-Allow-Origin header to *' do
+        expect(response.header['Access-Control-Allow-Origin']).to eq '*'
+      end
+
+      it 'returns http success' do
+        json_data = JSON.parse(response.body)
+        expect(json_data).to include('@context' => 'https://www.w3.org/ns/activitystreams')
+        expect(json_data).to include('type' => 'Note')
+        expect(json_data).to include('id' => @request.url)
+        expect(json_data).to include('name' => 'Hello world')
+        expect(json_data).to include('content' => 'Hello world')
+        expect(json_data).to include('published')
+        expect(json_data).to include('url' => TagManager.instance.url_for(public_status))
+      end
+    end
+
+    describe 'reply' do
+      original = nil
+      reply = nil
+
+      before do
+        original = Status.create!(account: user_alice.account, text: 'Hello world', visibility: :public)
+        reply = Status.create!(account: user_bob.account, text: 'Hello world', in_reply_to_id: original.id, visibility: :public)
+
+        @request.env['HTTP_ACCEPT'] = 'application/activity+json'
+        get :show, id: reply.id
+      end
+
+      it 'returns http success' do
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'sets Content-Type header to AS2' do
+        expect(response.header['Content-Type']).to include 'application/activity+json'
+      end
+
+      it 'sets Access-Control-Allow-Origin header to *' do
+        expect(response.header['Access-Control-Allow-Origin']).to eq '*'
+      end
+
+      it 'returns http success' do
+        json_data = JSON.parse(response.body)
+        expect(json_data).to include('@context' => 'https://www.w3.org/ns/activitystreams')
+        expect(json_data).to include('type' => 'Note')
+        expect(json_data).to include('id' => @request.url)
+        expect(json_data).to include('name' => 'Hello world')
+        expect(json_data).to include('content' => 'Hello world')
+        expect(json_data).to include('published')
+        expect(json_data).to include('url' => TagManager.instance.url_for(reply))
+        expect(json_data).to include('inReplyTo' => api_activitypub_note_url(original))
+      end
+    end
+  end
+end

spec/controllers/api/activitypub/outbox_controller_spec.rb

@@ -0,0 +1,92 @@
+require 'rails_helper'
+
+RSpec.describe Api::Activitypub::OutboxController, type: :controller do
+  render_views
+
+  let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) }
+
+  describe 'GET #show' do
+    before do
+      @request.env['HTTP_ACCEPT'] = 'application/activity+json'
+    end
+
+    describe 'small number of statuses' do
+      public_status = nil
+
+      before do
+        public_status = Status.create!(account: user.account, text: 'Hello world', visibility: :public)
+        Status.create!(account: user.account, text: 'Hello world', visibility: :private)
+        Status.create!(account: user.account, text: 'Hello world', visibility: :unlisted)
+        Status.create!(account: user.account, text: 'Hello world', visibility: :direct)
+
+        get :show, id: user.account.id
+      end
+
+      it 'returns http success' do
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'sets Content-Type header to AS2' do
+        expect(response.header['Content-Type']).to include 'application/activity+json'
+      end
+
+      it 'sets Access-Control-Allow-Origin header to *' do
+        expect(response.header['Access-Control-Allow-Origin']).to eq '*'
+      end
+
+      it 'returns AS2 JSON body' do
+        json_data = JSON.parse(response.body)
+        expect(json_data).to include('@context' => 'https://www.w3.org/ns/activitystreams')
+        expect(json_data).to include('id' => @request.url)
+        expect(json_data).to include('type' => 'OrderedCollection')
+        expect(json_data).to include('totalItems' => 1)
+        expect(json_data).to include('items')
+        expect(json_data['items'].count).to eq(1)
+        expect(json_data['items']).to include(api_activitypub_status_url(public_status))
+      end
+    end
+
+    describe 'large number of statuses' do
+      before do
+        30.times do
+          Status.create!(account: user.account, text: 'Hello world', visibility: :public)
+        end
+
+        Status.create!(account: user.account, text: 'Hello world', visibility: :private)
+        Status.create!(account: user.account, text: 'Hello world', visibility: :unlisted)
+        Status.create!(account: user.account, text: 'Hello world', visibility: :direct)
+      end
+
+      describe 'first page' do
+        before do
+          get :show, id: user.account.id
+        end
+
+        it 'returns http success' do
+          expect(response).to have_http_status(:success)
+        end
+
+        it 'sets Content-Type header to AS2' do
+          expect(response.header['Content-Type']).to include 'application/activity+json'
+        end
+
+        it 'sets Access-Control-Allow-Origin header to *' do
+          expect(response.header['Access-Control-Allow-Origin']).to eq '*'
+        end
+
+        it 'returns AS2 JSON body' do
+          json_data = JSON.parse(response.body)
+          expect(json_data).to include('@context' => 'https://www.w3.org/ns/activitystreams')
+          expect(json_data).to include('id' => @request.url)
+          expect(json_data).to include('type' => 'OrderedCollectionPage')
+          expect(json_data).to include('totalItems' => 20)
+          expect(json_data).to include('items')
+          expect(json_data['items'].count).to eq(20)
+          expect(json_data).to include('current' => @request.url)
+          expect(json_data).to include('next')
+          expect(json_data).to_not include('prev')
+        end
+      end
+    end
+  end
+end