import { actorDocument, announceActivity, createActivity, deleteActivity, followActivity, likeActivity, undoActivity, updatePersonActivity } from "./activitypub"; import { hashPassword, verifyPassword } from "./crypto"; import { addBookmark, addPin, countFollowers, countFollowing, countStatuses, deleteOAuthToken, findBookmark, findFavourite, findOutgoingFollow, findPin, findReblog, getActorByLocalId, getActorFromCache, getAdminUser, getAppByClientId, getStatus, getUserById, getUserByIdOrUsername, getUserByUsername, insertOAuthToken, listCachedStatusAttachments, listProfileFields, recordNotification, removeBookmark, removePin, replaceProfileFields, setUserAvatarKey, setUserHeaderKey, takeOAuthCode } from "./db"; import { deliverToInboxes, gatherFollowerInboxes, resolveDeliveryInboxes, resolveRemoteActor } from "./federation"; import { bodyArray, bodyString, cors, HttpError, html, json, readBody } from "./http"; import type { ParsedBody } from "./http"; import type { ActorCache, CachedStatus, Follow, Media, Mention, Notification, Session, Status, User } from "./types"; import { actorUrl, activityUrl, baseUrl, clampLimit, escapeHtml, hostFromBaseUrl, htmlContent, id, isLocalActor, mediaUrl, normalizeArray, objectUrl, safeFileName, tokenString } from "./util"; const TOKEN_TTL_SECONDS = 60 * 60 * 24 * 90; const MAX_STATUS_CHARS = 5000; const MAX_MEDIA_ATTACHMENTS = 4; const MAX_MEDIA_BYTES = 10 * 1024 * 1024; const SUPPORTED_MIME = ["image/jpeg", "image/png", "image/gif", "image/webp"]; function parseRedirectUris(value: string): string[] { return value.split(/\s+/).map((item) => item.trim()).filter(Boolean); } function selectRedirectUri(app: { redirect_uri: string }, requested: string | null | undefined): string | null { const allowed = parseRedirectUris(app.redirect_uri); const fallback = allowed[0] ?? "urn:ietf:wg:oauth:2.0:oob"; const candidate = (requested ?? "").trim() || fallback; return allowed.includes(candidate) ? candidate : null; } export async function instance(env: Env): Promise { const userCount = await env.DB.prepare("SELECT COUNT(*) AS count FROM users").first<{ count: number }>(); const statusCount = await env.DB.prepare("SELECT COUNT(*) AS count FROM statuses").first<{ count: number }>(); const admin = await getAdminUser(env); return json({ uri: hostFromBaseUrl(env), title: env.INSTANCE_NAME, short_description: "A single-user ActivityPub server on Cloudflare Workers.", description: "A single-user ActivityPub server on Cloudflare Workers.", email: "", version: "4.2.0-compatible (toot-worker)", urls: { streaming_api: `wss://${hostFromBaseUrl(env)}` }, stats: { user_count: userCount?.count ?? 0, status_count: statusCount?.count ?? 0, domain_count: 0 }, languages: ["en"], registrations: false, approval_required: false, invites_enabled: false, configuration: { statuses: { max_characters: MAX_STATUS_CHARS, max_media_attachments: MAX_MEDIA_ATTACHMENTS, characters_reserved_per_url: 23 }, media_attachments: { supported_mime_types: SUPPORTED_MIME, image_size_limit: MAX_MEDIA_BYTES, image_matrix_limit: 16777216 }, polls: { max_options: 4, max_characters_per_option: 50, min_expiration: 300, max_expiration: 2629746 } }, contact_account: await accountJson(env, admin), rules: [] }); } export async function instanceV2(env: Env): Promise { const admin = await getAdminUser(env); return json({ domain: hostFromBaseUrl(env), title: env.INSTANCE_NAME, version: "4.2.0-compatible (toot-worker)", source_url: "https://example.com", description: "A single-user ActivityPub server on Cloudflare Workers.", usage: { users: { active_month: 1 } }, thumbnail: { url: `${baseUrl(env)}/header.png` }, languages: ["en"], configuration: { urls: { streaming: `wss://${hostFromBaseUrl(env)}` }, accounts: { max_featured_tags: 0 }, statuses: { max_characters: MAX_STATUS_CHARS, max_media_attachments: MAX_MEDIA_ATTACHMENTS, characters_reserved_per_url: 23 }, media_attachments: { supported_mime_types: SUPPORTED_MIME, image_size_limit: MAX_MEDIA_BYTES, image_matrix_limit: 16777216 } }, registrations: { enabled: false, approval_required: false, message: null }, contact: { email: "", account: await accountJson(env, admin) }, rules: [] }); } export async function createApp(request: Request, env: Env): Promise { const body = await readBody(request); const now = new Date().toISOString(); const redirectUri = bodyString(body, "redirect_uris", bodyString(body, "redirect_uri", "urn:ietf:wg:oauth:2.0:oob")); const app = { id: id(), client_id: tokenString(32), client_secret: tokenString(48), name: bodyString(body, "client_name", bodyString(body, "name", "Mastodon App")), redirect_uri: redirectUri, scopes: bodyString(body, "scopes", "read write follow"), website: bodyString(body, "website", "") || null, created_at: now }; await env.DB.prepare( "INSERT INTO oauth_apps (id, client_id, client_secret, name, redirect_uri, scopes, website, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)" ) .bind(app.id, app.client_id, app.client_secret, app.name, app.redirect_uri, app.scopes, app.website, app.created_at) .run(); return json({ id: app.id, name: app.name, website: app.website, redirect_uri: app.redirect_uri, client_id: app.client_id, client_secret: app.client_secret, vapid_key: "" }); } export async function verifyAppCredentials(request: Request, env: Env): Promise { const auth = request.headers.get("authorization") ?? ""; const token = auth.match(/^Bearer\s+(.+)$/i)?.[1]; if (!token) throw new HttpError(401, "The access token is invalid"); const session = await env.KV.get(`token:${token}`, "json"); if (!session) throw new HttpError(401, "The access token is invalid"); const app = await env.DB.prepare("SELECT * FROM oauth_apps WHERE id = ?").bind(session.appId).first<{ name: string; website: string | null }>(); return json({ name: app?.name ?? "Mastodon App", website: app?.website ?? null, vapid_key: "" }); } export async function authorizePage(request: Request, env: Env): Promise { const url = new URL(request.url); const clientId = url.searchParams.get("client_id"); const app = clientId ? await getAppByClientId(env, clientId) : null; if (!app) return html("Unknown OAuth application", 400); const redirectUri = selectRedirectUri(app, url.searchParams.get("redirect_uri")); if (!redirectUri) return html("Invalid redirect URI", 400); return html(` Authorize

${escapeHtml(env.INSTANCE_NAME)}

Authorize ${escapeHtml(app.name)} to access your account.

`); } export async function authorize(request: Request, env: Env): Promise { const body = await readBody(request); const app = await getAppByClientId(env, bodyString(body, "client_id")); if (!app) return json({ error: "invalid_client" }, 400); const redirectUri = selectRedirectUri(app, bodyString(body, "redirect_uri")); if (!redirectUri) return json({ error: "invalid_request" }, 400); const user = await getUserByUsername(env, bodyString(body, "username")); if (!user || !(await verifyPassword(bodyString(body, "password"), user.password_hash))) { return html("Invalid username or password", 401); } const code = tokenString(32); const scope = bodyString(body, "scope", app.scopes); await env.DB.prepare("INSERT INTO oauth_codes (code, app_id, user_id, redirect_uri, scopes, expires_at) VALUES (?, ?, ?, ?, ?, ?)") .bind(code, app.id, user.id, redirectUri, scope, Math.floor(Date.now() / 1000) + 600) .run(); if (redirectUri === "urn:ietf:wg:oauth:2.0:oob") return html(`

Authorization code:

${code}`); const url = new URL(redirectUri); url.searchParams.set("code", code); const state = bodyString(body, "state"); if (state) url.searchParams.set("state", state); return Response.redirect(url.toString(), 302); } export async function token(request: Request, env: Env): Promise { const body = await readBody(request); const app = await getAppByClientId(env, bodyString(body, "client_id")); if (!app || app.client_secret !== bodyString(body, "client_secret")) return json({ error: "invalid_client" }, 401); const grantType = bodyString(body, "grant_type", "authorization_code"); let userId = ""; let scopes = app.scopes; if (grantType === "password") { const user = await getUserByUsername(env, bodyString(body, "username")); if (!user || !(await verifyPassword(bodyString(body, "password"), user.password_hash))) return json({ error: "invalid_grant" }, 400); userId = user.id; scopes = bodyString(body, "scope", app.scopes); } else if (grantType === "client_credentials") { scopes = bodyString(body, "scope", "read"); } else { const row = await takeOAuthCode(env, bodyString(body, "code")); if (!row || row.app_id !== app.id) return json({ error: "invalid_grant" }, 400); const redirectUri = bodyString(body, "redirect_uri", row.redirect_uri); if (redirectUri !== row.redirect_uri || !parseRedirectUris(app.redirect_uri).includes(row.redirect_uri)) { return json({ error: "invalid_grant" }, 400); } userId = row.user_id; scopes = row.scopes; } const accessToken = tokenString(48); await env.KV.put(`token:${accessToken}`, JSON.stringify({ userId, appId: app.id, scopes } satisfies Session), { expirationTtl: TOKEN_TTL_SECONDS }); if (userId) await insertOAuthToken(env, accessToken, userId, app.id, scopes); return json({ access_token: accessToken, token_type: "Bearer", scope: scopes, created_at: Math.floor(Date.now() / 1000) }); } export async function revoke(request: Request, env: Env): Promise { const body = await readBody(request); const tokenValue = bodyString(body, "token"); if (tokenValue) { await env.KV.delete(`token:${tokenValue}`); await deleteOAuthToken(env, tokenValue); } return json({}); } export async function verifyCredentials(request: Request, env: Env): Promise { const user = await requireUser(request, env); const account = await accountJson(env, user) as Record; const fields = await listProfileFields(env, user.id); account.source = { privacy: "public", sensitive: false, language: "en", note: user.note, fields: fields.map((field) => ({ name: field.name, value: field.value })) }; return json(account); } export async function updateCredentials(request: Request, env: Env): Promise { const user = await requireUser(request, env); const contentType = (request.headers.get("content-type") ?? "").toLowerCase(); let form: FormData | null = null; let body: ParsedBody = {}; if (contentType.includes("multipart/form-data") || contentType.startsWith("application/x-www-form-urlencoded")) { form = await request.formData(); body = parsedBodyFromForm(form); } else { body = await readBody(request); } const displayName = bodyString(body, "display_name", user.display_name); const note = bodyString(body, "note", user.note); await env.DB.prepare("UPDATE users SET display_name = ?, note = ? WHERE id = ?").bind(displayName, note, user.id).run(); const password = bodyString(body, "password"); if (password) { const hash = await hashPassword(password); await env.DB.prepare("UPDATE users SET password_hash = ? WHERE id = ?").bind(hash, user.id).run(); } const fields = extractFieldsAttributes(body); if (fields !== null) { await replaceProfileFields(env, user.id, fields); } if (form) { const avatar = form.get("avatar"); if (avatar instanceof File && avatar.size > 0) { if (avatar.size > MAX_MEDIA_BYTES) return json({ error: "avatar too large" }, 413); const key = await storeProfileAsset(env, user.id, "avatar", avatar); await setUserAvatarKey(env, user.id, key); } const header = form.get("header"); if (header instanceof File && header.size > 0) { if (header.size > MAX_MEDIA_BYTES) return json({ error: "header too large" }, 413); const key = await storeProfileAsset(env, user.id, "header", header); await setUserHeaderKey(env, user.id, key); } } const refreshed = await getUserById(env, user.id); if (!refreshed) throw new HttpError(500, "user_missing"); const followerInboxes = await gatherFollowerInboxes(env, user.id); if (followerInboxes.length > 0) { await deliverToInboxes(env, refreshed, followerInboxes, updatePersonActivity(env, refreshed, await actorDocument(env, refreshed))); } return json(await accountJson(env, refreshed)); } async function storeProfileAsset(env: Env, userId: string, kind: "avatar" | "header", file: File): Promise { const ext = mimeExtension(file.type) ?? safeFileName(file.name).split(".").pop() ?? "bin"; const key = `${userId}/${kind}-${id()}.${ext}`; await env.MEDIA.put(key, file.stream(), { httpMetadata: { contentType: file.type || "application/octet-stream" } }); return key; } function mimeExtension(mime: string): string | null { switch (mime) { case "image/jpeg": case "image/jpg": return "jpg"; case "image/png": return "png"; case "image/gif": return "gif"; case "image/webp": return "webp"; case "image/avif": return "avif"; default: return null; } } function parsedBodyFromForm(form: FormData): ParsedBody { const data: ParsedBody = {}; for (const [key, value] of form) { const cleanKey = key.endsWith("[]") ? key.slice(0, -2) : key; const normalized = value instanceof File ? value : String(value); const existing = data[cleanKey]; if (existing === undefined) { data[cleanKey] = key.endsWith("[]") ? [normalized as string] : normalized; } else if (Array.isArray(existing)) { existing.push(normalized as string); } else { data[cleanKey] = [existing as string, normalized as string]; } } return data; } function extractFieldsAttributes(body: ParsedBody): { name: string; value: string }[] | null { const flat = body["fields_attributes"]; if (Array.isArray(flat)) { return flat.map((entry) => { if (typeof entry === "string") { try { const parsed = JSON.parse(entry) as { name?: string; value?: string }; return { name: String(parsed.name ?? ""), value: String(parsed.value ?? "") }; } catch { return { name: entry, value: "" }; } } const obj = entry as unknown as { name?: string; value?: string }; return { name: String(obj.name ?? ""), value: String(obj.value ?? "") }; }); } const indexed: { name: string; value: string }[] = []; let touched = false; for (const key of Object.keys(body)) { const match = key.match(/^fields_attributes\[(\d+)\]\[(name|value)\]$/); if (!match) continue; touched = true; const idx = Number(match[1]); indexed[idx] = indexed[idx] ?? { name: "", value: "" }; const v = body[key]; indexed[idx][match[2] as "name" | "value"] = typeof v === "string" ? v : Array.isArray(v) ? String(v[0] ?? "") : ""; } if (!touched) return null; return indexed.filter(Boolean); } export async function getAccount(env: Env, accountId: string): Promise { const local = await getUserByIdOrUsername(env, accountId); if (local) return json(await accountJson(env, local)); const byLocalId = await getActorByLocalId(env, accountId); if (byLocalId) return json(remoteAccountJson(byLocalId)); if (accountId.startsWith("http://") || accountId.startsWith("https://")) { const cache = await resolveRemoteActor(env, accountId); if (cache) return json(remoteAccountJson(cache)); } return json({ error: "Record not found" }, 404); } export async function lookupAccount(request: Request, env: Env): Promise { const acct = (new URL(request.url).searchParams.get("acct") ?? "").trim(); if (!acct) return json({ error: "acct parameter is required" }, 422); const resolved = await resolveAcct(env, acct); if (!resolved) return json({ error: "Record not found" }, 404); if (resolved.actorId.startsWith(baseUrl(env))) { const match = resolved.actorId.match(/\/users\/([^/?#]+)$/); const user = match ? await getUserByUsername(env, match[1]) : null; if (!user) return json({ error: "Record not found" }, 404); return json(await accountJson(env, user)); } const cache = await resolveRemoteActor(env, resolved.actorId); if (!cache) return json({ error: "Record not found" }, 404); return json(remoteAccountJson(cache)); } export async function accountStatuses(request: Request, env: Env, accountId: string): Promise { const url = new URL(request.url); const limit = clampLimit(url.searchParams.get("limit"), 20, 40); const user = await getUserByIdOrUsername(env, accountId); if (user) { const excludeReplies = url.searchParams.get("exclude_replies") === "true"; const where: string[] = ["user_id = ?"]; const binds: unknown[] = [user.id]; if (excludeReplies) where.push("in_reply_to_id IS NULL"); pagedAppend(where, binds, url); const sql = `SELECT * FROM statuses WHERE ${where.join(" AND ")} ORDER BY created_at DESC LIMIT ?`; binds.push(limit); const rows = await env.DB.prepare(sql).bind(...binds).all(); const items = await serializeStatuses(env, rows.results, request, new Map([[user.id, user]])); return withPagination(json(items), request, rows.results.map((row) => row.id)); } const remote = await getActorByLocalId(env, accountId) ?? (accountId.startsWith("http://") || accountId.startsWith("https://") ? await resolveRemoteActor(env, accountId) : null); if (remote) { const rows = await env.DB.prepare( "SELECT * FROM cached_statuses WHERE actor = ? ORDER BY published DESC LIMIT ?" ).bind(remote.id, limit).all(); const items = await Promise.all(rows.results.map((row) => cachedStatusToMastodon(env, row))); return json(items); } return json({ error: "Record not found" }, 404); } export async function accountFollowers(request: Request, env: Env, accountId: string): Promise { const user = await getUserByIdOrUsername(env, accountId); if (!user) return remoteAccountListFallback(env, accountId); const url = new URL(request.url); const limit = clampLimit(url.searchParams.get("limit"), 20, 80); const where: string[] = ["local_user_id = ?", "accepted = 1"]; const binds: unknown[] = [user.id]; pagedAppendForTable(where, binds, url, "follows"); const rows = await env.DB.prepare( `SELECT * FROM follows WHERE ${where.join(" AND ")} ORDER BY created_at DESC LIMIT ?` ).bind(...binds, limit).all(); const accounts = await actorIdsToAccounts(env, rows.results.map((row) => row.follower_actor)); return withPagination(json(accounts), request, rows.results.map((row) => row.id)); } export async function accountFollowing(request: Request, env: Env, accountId: string): Promise { const user = await getUserByIdOrUsername(env, accountId); if (!user) return remoteAccountListFallback(env, accountId); const url = new URL(request.url); const limit = clampLimit(url.searchParams.get("limit"), 20, 80); const where: string[] = ["local_user_id = ?", "accepted = 1"]; const binds: unknown[] = [user.id]; pagedAppendForTable(where, binds, url, "outgoing_follows"); const rows = await env.DB.prepare( `SELECT * FROM outgoing_follows WHERE ${where.join(" AND ")} ORDER BY created_at DESC LIMIT ?` ).bind(...binds, limit).all<{ id: string; target_actor: string }>(); const accounts = await actorIdsToAccounts(env, rows.results.map((row) => row.target_actor)); return withPagination(json(accounts), request, rows.results.map((row) => row.id)); } async function remoteAccountListFallback(env: Env, accountId: string): Promise { const remote = await getActorByLocalId(env, accountId) ?? (accountId.startsWith("http://") || accountId.startsWith("https://") ? await resolveRemoteActor(env, accountId) : null); if (remote) return json([]); return json({ error: "Record not found" }, 404); } async function actorIdsToAccounts(env: Env, actorIds: string[]): Promise[]> { const accounts = await Promise.all(actorIds.map((actorId) => accountFromActorId(env, actorId))); return accounts.filter((account): account is Record => Boolean(account)); } async function accountFromActorId(env: Env, actorId: string): Promise | null> { if (actorId.startsWith(baseUrl(env))) { const match = actorId.match(/\/users\/([^/?#]+)$/); const user = match ? await getUserByUsername(env, match[1]) : null; return user ? accountJson(env, user) : null; } const cache = await resolveRemoteActor(env, actorId) ?? await getActorFromCache(env, actorId); return cache ? remoteAccountJson(cache) : null; } export async function createStatus(request: Request, env: Env): Promise { const user = await requireUser(request, env); const body = await readBody(request); const statusText = bodyString(body, "status").trim(); if (!statusText) return json({ error: "status can't be blank" }, 422); if (statusText.length > MAX_STATUS_CHARS) return json({ error: "status too long" }, 422); const summary = bodyString(body, "spoiler_text"); const sensitive = bodyString(body, "sensitive") === "true"; const visibility = bodyString(body, "visibility", "public"); const inReplyTo = bodyString(body, "in_reply_to_id"); const language = bodyString(body, "language", "en"); const mediaIds = bodyArray(body, "media_ids"); if (mediaIds.length > MAX_MEDIA_ATTACHMENTS) return json({ error: "too_many_attachments" }, 422); const now = new Date().toISOString(); const statusId = id(); const objectId = objectUrl(env, statusId); const activityId = activityUrl(env, statusId); const mentionsAcct = extractMentions(statusText); const hashtags = extractHashtags(statusText); const resolvedMentions: { acct: string; actorId: string; url: string }[] = []; for (const acct of mentionsAcct) { const resolved = await resolveAcct(env, acct); if (resolved) resolvedMentions.push(resolved); } const renderedContent = htmlContent(statusText, resolvedMentions.map(({ acct, url }) => ({ acct, url })), hashtags); await env.DB.prepare( "INSERT INTO statuses (id, user_id, content, summary, sensitive, language, visibility, in_reply_to_id, activity_id, object_id, created_at, url) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)" ) .bind( statusId, user.id, renderedContent, summary, sensitive ? 1 : 0, language, visibility, inReplyTo || null, activityId, objectId, now, objectId ) .run(); for (const mediaId of mediaIds) { await env.DB.prepare("UPDATE media SET status_id = ? WHERE id = ? AND user_id = ?").bind(statusId, mediaId, user.id).run(); } for (const mention of resolvedMentions) { await env.DB.prepare("INSERT OR IGNORE INTO mentions (status_id, actor, acct, url) VALUES (?, ?, ?, ?)") .bind(statusId, mention.actorId, mention.acct, mention.url).run(); } for (const tag of hashtags) { await env.DB.prepare("INSERT OR IGNORE INTO hashtags (status_id, tag) VALUES (?, ?)").bind(statusId, tag).run(); } let replyParent: Status | null = null; if (inReplyTo) { replyParent = await getStatus(env, inReplyTo); if (replyParent) { const parentUser = await getUserById(env, replyParent.user_id); if (parentUser && parentUser.id !== user.id) { await recordNotification(env, parentUser.id, "mention", actorUrl(env, user), statusId); } } } for (const mention of resolvedMentions) { if (mention.actorId.startsWith(baseUrl(env))) { const mentionedUser = await getUserByUsername(env, mention.acct.split("@")[0]); if (mentionedUser && mentionedUser.id !== user.id) { await recordNotification(env, mentionedUser.id, "mention", actorUrl(env, user), statusId); } } } const status = await getStatus(env, statusId); if (!status) throw new HttpError(500, "status_not_found"); if (visibility === "public" || visibility === "unlisted") { const inboxes = new Set(await gatherFollowerInboxes(env, user.id)); for (const mention of resolvedMentions) { if (!mention.actorId.startsWith(baseUrl(env))) { const cache = await resolveRemoteActor(env, mention.actorId); if (cache) inboxes.add(cache.shared_inbox ?? cache.inbox); } } const to = visibility === "public" ? ["https://www.w3.org/ns/activitystreams#Public"] : [`${actorUrl(env, user)}/followers`]; const cc = visibility === "public" ? [`${actorUrl(env, user)}/followers`, ...resolvedMentions.map((m) => m.actorId)] : ["https://www.w3.org/ns/activitystreams#Public", ...resolvedMentions.map((m) => m.actorId)]; const activity = createActivity(env, user, status, { to, cc }); await deliverToInboxes(env, user, inboxes, activity); } else if (visibility === "direct") { const inboxes = new Set(); for (const mention of resolvedMentions) { if (!mention.actorId.startsWith(baseUrl(env))) { const cache = await resolveRemoteActor(env, mention.actorId); if (cache) inboxes.add(cache.shared_inbox ?? cache.inbox); } } const activity = createActivity(env, user, status, { to: resolvedMentions.map((m) => m.actorId), cc: [] }); await deliverToInboxes(env, user, inboxes, activity); } return json(await statusJson(env, status, user, request)); } export async function getStatusEndpoint(request: Request, env: Env, statusId: string): Promise { const status = await getStatus(env, statusId); if (!status) return json({ error: "Record not found" }, 404); const user = await getUserById(env, status.user_id); if (!user) return json({ error: "Record not found" }, 404); return json(await statusJson(env, status, user, request)); } export async function deleteStatusEndpoint(request: Request, env: Env, statusId: string): Promise { const user = await requireUser(request, env); const status = await getStatus(env, statusId); if (!status || status.user_id !== user.id) return json({ error: "Record not found" }, 404); const serialized = await statusJson(env, status, user, request); const inboxes = new Set(await gatherFollowerInboxes(env, user.id)); const mentions = await listMentionsForStatus(env, status.id); for (const mention of mentions) { if (!mention.actor.startsWith(baseUrl(env))) { const cache = await resolveRemoteActor(env, mention.actor); if (cache) inboxes.add(cache.shared_inbox ?? cache.inbox); } } const media = await env.DB.prepare("SELECT r2_key FROM media WHERE status_id = ?").bind(status.id).all<{ r2_key: string }>(); const deleteResults = await Promise.allSettled(media.results.map((item) => env.MEDIA.delete(item.r2_key))); for (const result of deleteResults) { if (result.status === "rejected") console.warn("media-delete-failed", status.id, String(result.reason)); } await env.DB.prepare( "INSERT INTO deleted_statuses (id, user_id, object_id, url, deleted_at) VALUES (?, ?, ?, ?, ?)" ).bind(status.id, user.id, status.object_id, status.url, new Date().toISOString()).run(); await env.DB.prepare("DELETE FROM statuses WHERE id = ?").bind(status.id).run(); await env.DB.prepare("DELETE FROM media WHERE status_id = ?").bind(status.id).run(); await env.DB.prepare("DELETE FROM mentions WHERE status_id = ?").bind(status.id).run(); await env.DB.prepare("DELETE FROM hashtags WHERE status_id = ?").bind(status.id).run(); await env.DB.prepare("DELETE FROM favourites WHERE status_id = ?").bind(status.id).run(); await env.DB.prepare("DELETE FROM reblogs WHERE status_id = ?").bind(status.id).run(); await env.DB.prepare("DELETE FROM notifications WHERE status_id = ?").bind(status.id).run(); await deliverToInboxes(env, user, inboxes, deleteActivity(env, user, status)); return json(serialized); } export async function statusContext(env: Env, statusId: string, request: Request): Promise { const status = await getStatus(env, statusId); if (!status) return json({ error: "Record not found" }, 404); const ancestors: Status[] = []; let cursor = status.in_reply_to_id; while (cursor) { const parent = await getStatus(env, cursor); if (!parent) break; ancestors.unshift(parent); cursor = parent.in_reply_to_id; } const descRows = await env.DB.prepare("SELECT * FROM statuses WHERE in_reply_to_id = ? ORDER BY created_at ASC LIMIT 40").bind(statusId).all(); const serialized = await serializeStatuses(env, [...ancestors, ...descRows.results], request); const byId = new Map(serialized.map((item) => [String(item.id), item])); return json({ ancestors: ancestors.map((item) => byId.get(item.id)).filter(Boolean), descendants: descRows.results.map((item) => byId.get(item.id)).filter(Boolean) }); } export async function favouriteStatus(request: Request, env: Env, statusId: string): Promise { const user = await requireUser(request, env); const status = await getStatus(env, statusId); if (!status) return json({ error: "Record not found" }, 404); const actor = actorUrl(env, user); const existing = await findFavourite(env, status.id, actor); if (!existing) { const activityId = activityUrl(env, id()); await env.DB.prepare( "INSERT INTO favourites (id, status_id, actor, activity_id, created_at) VALUES (?, ?, ?, ?, ?)" ).bind(id(), status.id, actor, activityId, new Date().toISOString()).run(); const owner = await getUserById(env, status.user_id); if (owner && owner.id !== user.id) { await recordNotification(env, owner.id, "favourite", actor, status.id); } if (!isLocalActor(env, status.object_id)) { const inboxes = await resolveDeliveryInboxes(env, [status.object_id]); await deliverToInboxes(env, user, inboxes, likeActivity(env, user, status.object_id, activityId)); } } const owner = await getUserById(env, status.user_id); if (!owner) throw new HttpError(500, "owner_missing"); return json(await statusJson(env, status, owner, request)); } export async function unfavouriteStatus(request: Request, env: Env, statusId: string): Promise { const user = await requireUser(request, env); const status = await getStatus(env, statusId); if (!status) return json({ error: "Record not found" }, 404); const actor = actorUrl(env, user); const existing = await findFavourite(env, status.id, actor); if (existing) { await env.DB.prepare("DELETE FROM favourites WHERE id = ?").bind(existing.id).run(); if (!isLocalActor(env, status.object_id)) { const inboxes = await resolveDeliveryInboxes(env, [status.object_id]); await deliverToInboxes(env, user, inboxes, undoActivity(env, user, likeActivity(env, user, status.object_id, existing.activity_id))); } } const owner = await getUserById(env, status.user_id); if (!owner) throw new HttpError(500, "owner_missing"); return json(await statusJson(env, status, owner, request)); } export async function reblogStatus(request: Request, env: Env, statusId: string): Promise { const user = await requireUser(request, env); const status = await getStatus(env, statusId); if (!status) return json({ error: "Record not found" }, 404); const actor = actorUrl(env, user); const existing = await findReblog(env, status.id, actor); if (!existing) { const activityId = activityUrl(env, id()); await env.DB.prepare( "INSERT INTO reblogs (id, status_id, actor, activity_id, created_at) VALUES (?, ?, ?, ?, ?)" ).bind(id(), status.id, actor, activityId, new Date().toISOString()).run(); const owner = await getUserById(env, status.user_id); if (owner && owner.id !== user.id) { await recordNotification(env, owner.id, "reblog", actor, status.id); } const inboxes = new Set(await gatherFollowerInboxes(env, user.id)); if (!isLocalActor(env, status.object_id)) { for (const inbox of await resolveDeliveryInboxes(env, [status.object_id])) inboxes.add(inbox); } await deliverToInboxes(env, user, inboxes, announceActivity(env, user, status.object_id, activityId)); } const owner = await getUserById(env, status.user_id); if (!owner) throw new HttpError(500, "owner_missing"); return json(await statusJson(env, status, owner, request)); } export async function unreblogStatus(request: Request, env: Env, statusId: string): Promise { const user = await requireUser(request, env); const status = await getStatus(env, statusId); if (!status) return json({ error: "Record not found" }, 404); const actor = actorUrl(env, user); const existing = await findReblog(env, status.id, actor); if (existing) { await env.DB.prepare("DELETE FROM reblogs WHERE id = ?").bind(existing.id).run(); const inboxes = new Set(await gatherFollowerInboxes(env, user.id)); if (!isLocalActor(env, status.object_id)) { for (const inbox of await resolveDeliveryInboxes(env, [status.object_id])) inboxes.add(inbox); } await deliverToInboxes(env, user, inboxes, undoActivity(env, user, announceActivity(env, user, status.object_id, existing.activity_id))); } const owner = await getUserById(env, status.user_id); if (!owner) throw new HttpError(500, "owner_missing"); return json(await statusJson(env, status, owner, request)); } export async function bookmarkStatus(request: Request, env: Env, statusId: string): Promise { const user = await requireUser(request, env); const status = await getStatus(env, statusId); if (!status) return json({ error: "Record not found" }, 404); await addBookmark(env, user.id, status.id); const owner = await getUserById(env, status.user_id); if (!owner) throw new HttpError(500, "owner_missing"); return json(await statusJson(env, status, owner, request)); } export async function unbookmarkStatus(request: Request, env: Env, statusId: string): Promise { const user = await requireUser(request, env); const status = await getStatus(env, statusId); if (!status) return json({ error: "Record not found" }, 404); await removeBookmark(env, user.id, status.id); const owner = await getUserById(env, status.user_id); if (!owner) throw new HttpError(500, "owner_missing"); return json(await statusJson(env, status, owner, request)); } export async function pinStatus(request: Request, env: Env, statusId: string): Promise { const user = await requireUser(request, env); const status = await getStatus(env, statusId); if (!status || status.user_id !== user.id) return json({ error: "Record not found" }, 404); await addPin(env, user.id, status.id); return json(await statusJson(env, status, user, request)); } export async function unpinStatus(request: Request, env: Env, statusId: string): Promise { const user = await requireUser(request, env); const status = await getStatus(env, statusId); if (!status || status.user_id !== user.id) return json({ error: "Record not found" }, 404); await removePin(env, user.id, status.id); return json(await statusJson(env, status, user, request)); } export async function bookmarksList(request: Request, env: Env): Promise { const user = await requireUser(request, env); const url = new URL(request.url); const limit = clampLimit(url.searchParams.get("limit"), 20, 40); const rows = await env.DB.prepare( `SELECT s.* FROM statuses s INNER JOIN bookmarks b ON b.status_id = s.id WHERE b.user_id = ? ORDER BY b.created_at DESC LIMIT ?` ).bind(user.id, limit).all(); const items = await serializeStatuses(env, rows.results, request); return withPagination(json(items), request, rows.results.map((s) => s.id)); } export async function favouritesList(request: Request, env: Env): Promise { const user = await requireUser(request, env); const url = new URL(request.url); const limit = clampLimit(url.searchParams.get("limit"), 20, 40); const actor = actorUrl(env, user); const rows = await env.DB.prepare( `SELECT s.* FROM statuses s INNER JOIN favourites f ON f.status_id = s.id WHERE f.actor = ? ORDER BY f.created_at DESC LIMIT ?` ).bind(actor, limit).all(); const items = await serializeStatuses(env, rows.results, request); return withPagination(json(items), request, rows.results.map((s) => s.id)); } export async function publicTimeline(request: Request, env: Env): Promise { const url = new URL(request.url); const limit = clampLimit(url.searchParams.get("limit"), 20, 40); const where: string[] = ["visibility = 'public'"]; const binds: unknown[] = []; pagedAppend(where, binds, url); const sql = `SELECT * FROM statuses WHERE ${where.join(" AND ")} ORDER BY created_at DESC LIMIT ?`; binds.push(limit); const rows = await env.DB.prepare(sql).bind(...binds).all(); const items = await serializeStatuses(env, rows.results, request); return withPagination(json(items), request, rows.results.map((s) => s.id)); } export async function homeTimeline(request: Request, env: Env): Promise { const user = await requireUser(request, env); const url = new URL(request.url); const limit = clampLimit(url.searchParams.get("limit"), 20, 40); const localRows = await env.DB.prepare( "SELECT * FROM statuses WHERE user_id = ? ORDER BY created_at DESC LIMIT ?" ).bind(user.id, limit).all(); const cachedRows = await env.DB.prepare( `SELECT cs.* FROM cached_statuses cs INNER JOIN outgoing_follows of ON of.target_actor = cs.actor WHERE of.local_user_id = ? AND of.accepted = 1 ORDER BY cs.published DESC LIMIT ?` ).bind(user.id, limit).all(); const localItems = await serializeStatuses(env, localRows.results, request); const cachedItems = await Promise.all(cachedRows.results.map((row) => cachedStatusToMastodon(env, row))); const merged = [...localItems, ...cachedItems].sort((a, b) => { const at = String(a.created_at ?? ""); const bt = String(b.created_at ?? ""); return bt.localeCompare(at); }).slice(0, limit); return json(merged); } export async function hashtagTimeline(request: Request, env: Env, tag: string): Promise { const url = new URL(request.url); const limit = clampLimit(url.searchParams.get("limit"), 20, 40); const where: string[] = ["s.visibility = 'public'", "h.tag = ?"]; const binds: unknown[] = [tag.toLowerCase()]; const maxId = url.searchParams.get("max_id"); if (maxId) { where.push("s.created_at < (SELECT created_at FROM statuses WHERE id = ?)"); binds.push(maxId); } const sinceId = url.searchParams.get("since_id"); if (sinceId) { where.push("s.created_at > (SELECT created_at FROM statuses WHERE id = ?)"); binds.push(sinceId); } const minId = url.searchParams.get("min_id"); if (minId) { where.push("s.created_at > (SELECT created_at FROM statuses WHERE id = ?)"); binds.push(minId); } const sql = `SELECT s.* FROM statuses s INNER JOIN hashtags h ON h.status_id = s.id WHERE ${where.join(" AND ")} ORDER BY s.created_at DESC LIMIT ?`; binds.push(limit); const rows = await env.DB.prepare(sql).bind(...binds).all(); const items = await serializeStatuses(env, rows.results, request); return withPagination(json(items), request, rows.results.map((s) => s.id)); } export async function hashtagInfo(env: Env, tag: string): Promise { const normalized = tag.toLowerCase(); const row = await env.DB.prepare("SELECT COUNT(DISTINCT status_id) AS count FROM hashtags WHERE tag = ?").bind(normalized).first<{ count: number }>(); return json({ name: normalized, url: `${baseUrl(env)}/tags/${encodeURIComponent(normalized)}`, history: [], following: false, statuses_count: row?.count ?? 0 }); } export async function uploadMedia(request: Request, env: Env): Promise { const user = await requireUser(request, env); const form = await request.formData(); const file = form.get("file"); if (!(file instanceof File)) return json({ error: "file is required" }, 422); if (file.size > MAX_MEDIA_BYTES) return json({ error: "file too large" }, 413); const mediaId = id(); const key = `${user.id}/${mediaId}/${safeFileName(file.name || "upload")}`; await env.MEDIA.put(key, file.stream(), { httpMetadata: { contentType: file.type || "application/octet-stream" } }); await env.DB.prepare( "INSERT INTO media (id, user_id, status_id, r2_key, mime_type, description, size, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)" ) .bind(mediaId, user.id, null, key, file.type || "application/octet-stream", form.get("description")?.toString() ?? null, file.size, new Date().toISOString()) .run(); const media = await env.DB.prepare("SELECT * FROM media WHERE id = ?").bind(mediaId).first(); return json(mediaJson(env, media!), 200); } export async function updateMedia(request: Request, env: Env, mediaId: string): Promise { const user = await requireUser(request, env); const body = await readBody(request); const description = bodyString(body, "description", ""); await env.DB.prepare("UPDATE media SET description = ? WHERE id = ? AND user_id = ?").bind(description, mediaId, user.id).run(); const media = await env.DB.prepare("SELECT * FROM media WHERE id = ?").bind(mediaId).first(); if (!media) return json({ error: "Record not found" }, 404); return json(mediaJson(env, media)); } export async function serveMedia(env: Env, key: string): Promise { const object = await env.MEDIA.get(decodeURIComponent(key)); if (!object) return new Response("Not found", { status: 404 }); return cors(new Response(object.body, { headers: { "content-type": object.httpMetadata?.contentType ?? "application/octet-stream", "cache-control": "public, max-age=86400" } })); } export async function notificationsList(request: Request, env: Env): Promise { const user = await requireUser(request, env); const url = new URL(request.url); const limit = clampLimit(url.searchParams.get("limit"), 15, 80); const types = normalizeArray(url.searchParams.getAll("types[]")); const excludeTypes = normalizeArray(url.searchParams.getAll("exclude_types[]")); const where: string[] = ["user_id = ?"]; const binds: unknown[] = [user.id]; if (types.length > 0) { where.push(`type IN (${types.map(() => "?").join(",")})`); binds.push(...types); } if (excludeTypes.length > 0) { where.push(`type NOT IN (${excludeTypes.map(() => "?").join(",")})`); binds.push(...excludeTypes); } const maxId = url.searchParams.get("max_id"); if (maxId) { where.push("created_at < (SELECT created_at FROM notifications WHERE id = ?)"); binds.push(maxId); } const sinceId = url.searchParams.get("since_id"); if (sinceId) { where.push("created_at > (SELECT created_at FROM notifications WHERE id = ?)"); binds.push(sinceId); } const sql = `SELECT * FROM notifications WHERE ${where.join(" AND ")} ORDER BY created_at DESC LIMIT ?`; binds.push(limit); const rows = await env.DB.prepare(sql).bind(...binds).all(); const out = await serializeNotifications(env, rows.results, request); return withPagination(json(out), request, rows.results.map((n) => n.id)); } export async function notificationClear(request: Request, env: Env): Promise { const user = await requireUser(request, env); await env.DB.prepare("DELETE FROM notifications WHERE user_id = ?").bind(user.id).run(); return json({}); } export async function notificationDismiss(request: Request, env: Env, notificationId: string): Promise { const user = await requireUser(request, env); await env.DB.prepare("DELETE FROM notifications WHERE id = ? AND user_id = ?").bind(notificationId, user.id).run(); return json({}); } export async function getRelationships(request: Request, env: Env): Promise { const user = await requireUser(request, env); const url = new URL(request.url); const ids = url.searchParams.getAll("id[]").concat(url.searchParams.getAll("id")); const out = []; for (const target of ids) { out.push(await relationshipFor(env, user, target)); } return json(out); } export async function followAccount(request: Request, env: Env, accountId: string): Promise { const user = await requireUser(request, env); const target = await resolveAccountTarget(env, accountId); if (!target) return json({ error: "Record not found" }, 404); if (target.kind === "local") { await env.DB.prepare( "INSERT OR REPLACE INTO outgoing_follows (id, local_user_id, target_actor, target_inbox, activity_id, accepted, created_at) VALUES (?, ?, ?, ?, ?, 1, ?)" ).bind(id(), user.id, target.actorId, `${target.actorId}/inbox`, "", new Date().toISOString()).run(); await env.DB.prepare( "INSERT OR REPLACE INTO follows (id, follower_actor, local_user_id, inbox, accepted, created_at) VALUES (?, ?, ?, ?, 1, ?)" ).bind(id(), actorUrl(env, user), target.userId, `${actorUrl(env, user)}/inbox`, new Date().toISOString()).run(); } else { const activityId = activityUrl(env, id()); const cache = await resolveRemoteActor(env, target.actorId); if (!cache) return json({ error: "remote_actor_unreachable" }, 502); await env.DB.prepare( "INSERT OR REPLACE INTO outgoing_follows (id, local_user_id, target_actor, target_inbox, activity_id, accepted, created_at) VALUES (?, ?, ?, ?, ?, 0, ?)" ).bind(id(), user.id, cache.id, cache.inbox, activityId, new Date().toISOString()).run(); await deliverToInboxes(env, user, [cache.inbox], followActivity(env, user, cache.id, activityId)); } return json(await relationshipFor(env, user, accountId)); } export async function unfollowAccount(request: Request, env: Env, accountId: string): Promise { const user = await requireUser(request, env); const target = await resolveAccountTarget(env, accountId); if (!target) return json({ error: "Record not found" }, 404); const existing = await findOutgoingFollow(env, user.id, target.actorId); await env.DB.prepare("DELETE FROM outgoing_follows WHERE local_user_id = ? AND target_actor = ?").bind(user.id, target.actorId).run(); if (target.kind === "local") { await env.DB.prepare("DELETE FROM follows WHERE follower_actor = ? AND local_user_id = ?").bind(actorUrl(env, user), target.userId).run(); } else if (existing) { const cache = await resolveRemoteActor(env, target.actorId); if (cache) { await deliverToInboxes(env, user, [cache.inbox], undoActivity(env, user, followActivity(env, user, target.actorId, existing.activity_id))); } } return json(await relationshipFor(env, user, accountId)); } export async function followRequestsList(request: Request, env: Env): Promise { await requireUser(request, env); return json([]); } export async function authorizeFollowRequest(request: Request, env: Env, _accountId: string): Promise { await requireUser(request, env); return json({ id: _accountId, following: true, requested: false }); } export async function rejectFollowRequest(request: Request, env: Env, _accountId: string): Promise { await requireUser(request, env); return json({ id: _accountId, following: false, requested: false }); } export async function search(request: Request, env: Env): Promise { const url = new URL(request.url); const q = (url.searchParams.get("q") ?? "").trim(); const type = url.searchParams.get("type"); const accounts: unknown[] = []; const statuses: unknown[] = []; const hashtags: unknown[] = []; if (!q) return json({ accounts, statuses, hashtags }); if (!type || type === "accounts") { if (q.startsWith("@") || q.includes("@")) { const acct = q.replace(/^@/, ""); const resolved = await resolveAcct(env, acct); if (resolved) { if (resolved.actorId.startsWith(baseUrl(env))) { const local = await getUserByUsername(env, resolved.acct.split("@")[0]); if (local) accounts.push(await accountJson(env, local)); } else { const cache = await resolveRemoteActor(env, resolved.actorId); if (cache) accounts.push(remoteAccountJson(cache)); } } } else { const rows = await env.DB.prepare("SELECT * FROM users WHERE username LIKE ? LIMIT 20").bind(`%${q}%`).all(); for (const row of rows.results) accounts.push(await accountJson(env, row)); } } if (!type || type === "statuses") { const rows = await env.DB.prepare("SELECT * FROM statuses WHERE content LIKE ? ORDER BY created_at DESC LIMIT 20").bind(`%${escapeHtml(q)}%`).all(); statuses.push(...await serializeStatuses(env, rows.results, request)); } if (!type || type === "hashtags") { const tag = q.replace(/^#/, ""); const rows = await env.DB.prepare("SELECT tag, COUNT(*) AS count FROM hashtags WHERE tag LIKE ? GROUP BY tag LIMIT 20").bind(`%${tag}%`).all<{ tag: string; count: number }>(); for (const row of rows.results) hashtags.push({ name: row.tag, url: `${baseUrl(env)}/tags/${encodeURIComponent(row.tag)}`, history: [] }); } return json({ accounts, statuses, hashtags }); } export async function customEmojis(env: Env): Promise { void env; return json([]); } export async function filtersV1(_request: Request, env: Env): Promise { void env; return json([]); } export async function trendsTags(env: Env): Promise { void env; return json([]); } export async function pushSubscription(): Promise { return json({ error: "push subscriptions not supported" }, 422); } export async function markersList(request: Request, env: Env): Promise { void request; void env; return json({}); } type StatusSerializationContext = { usersById: Map; accountByUserId: Map>; mediaByStatusId: Map; mentionsByStatusId: Map; hashtagsByStatusId: Map; favouriteCountByStatusId: Map; favouritedStatusIds: Set; reblogCountByStatusId: Map; rebloggedStatusIds: Set; replyCountByStatusId: Map; bookmarkedStatusIds: Set; pinnedStatusIds: Set; }; async function cachedStatusToMastodon(env: Env, row: CachedStatus): Promise> { const cache = await resolveRemoteActor(env, row.actor); const account = cache ? remoteAccountJson(cache) : { id: row.actor, acct: row.actor, username: row.actor }; const attachments = await listCachedStatusAttachments(env, row.id); return { id: row.object_id, uri: row.object_id, url: row.url, account, in_reply_to_id: null, in_reply_to_account_id: null, content: row.content, text: row.content, created_at: row.published, edited_at: null, visibility: "public", language: row.language, sensitive: Boolean(row.sensitive), spoiler_text: row.summary, media_attachments: attachments.map((att) => ({ id: `${row.id}:${att.position}`, type: att.mime_type.startsWith("image/") ? "image" : att.mime_type.startsWith("video/") ? "video" : att.mime_type.startsWith("audio/") ? "audio" : "unknown", url: att.url, preview_url: att.preview_url ?? att.url, remote_url: att.url, text_url: null, meta: {}, description: att.description, blurhash: null })), mentions: [], tags: [], emojis: [], reblogs_count: 0, favourites_count: 0, replies_count: 0, reblog: null, application: null, favourited: false, reblogged: false, muted: false, bookmarked: false, pinned: false, card: null, poll: null }; } async function statusJson( env: Env, status: Status, user: User, request: Request, context?: StatusSerializationContext ): Promise> { const resolvedContext = context ?? await buildStatusSerializationContext(env, [status], request, new Map([[user.id, user]])); return statusRecord(env, status, user, resolvedContext); } function statusRecord(env: Env, status: Status, user: User, context: StatusSerializationContext): Record { const media = context.mediaByStatusId.get(status.id) ?? []; const mentions = context.mentionsByStatusId.get(status.id) ?? []; const tags = context.hashtagsByStatusId.get(status.id) ?? []; return { id: status.id, uri: status.object_id, url: status.url, account: context.accountByUserId.get(user.id) ?? { id: user.id, username: user.username, acct: user.username, display_name: user.display_name }, in_reply_to_id: status.in_reply_to_id, in_reply_to_account_id: null, content: status.content, text: status.content, created_at: status.created_at, edited_at: null, visibility: status.visibility, language: status.language, sensitive: Boolean(status.sensitive), spoiler_text: status.summary, media_attachments: media.map((item) => mediaJson(env, item)), mentions: mentions.map((mention) => ({ id: mention.actor, username: mention.acct.split("@")[0], acct: mention.acct, url: mention.url })), tags: tags.map((tag) => ({ name: tag, url: `${baseUrl(env)}/tags/${encodeURIComponent(tag)}` })), emojis: [], reblogs_count: context.reblogCountByStatusId.get(status.id) ?? 0, favourites_count: context.favouriteCountByStatusId.get(status.id) ?? 0, replies_count: context.replyCountByStatusId.get(status.id) ?? 0, reblog: null, application: { name: "Toot Worker", website: null }, favourited: context.favouritedStatusIds.has(status.id), reblogged: context.rebloggedStatusIds.has(status.id), muted: false, bookmarked: context.bookmarkedStatusIds.has(status.id), pinned: context.pinnedStatusIds.has(status.id), card: null, poll: null }; } async function serializeStatuses( env: Env, statuses: Status[], request: Request, usersById?: Map ): Promise[]> { if (statuses.length === 0) return []; const context = await buildStatusSerializationContext(env, statuses, request, usersById); return statuses.flatMap((status) => { const user = context.usersById.get(status.user_id); return user ? [statusRecord(env, status, user, context)] : []; }); } async function buildStatusSerializationContext( env: Env, statuses: Status[], request: Request, initialUsersById: Map = new Map() ): Promise { const statusIds = uniqueStrings(statuses.map((status) => status.id)); const usersById = new Map(initialUsersById); const missingUserIds = uniqueStrings(statuses.map((status) => status.user_id).filter((userId) => !usersById.has(userId))); if (missingUserIds.length > 0) { for (const user of await loadUsersByIds(env, missingUserIds)) usersById.set(user.id, user); } const viewer = await viewerActor(request, env); const viewerId = await viewerUserId(request, env); const [mediaByStatusId, mentionsByStatusId, hashtagsByStatusId, favouriteSummary, reblogSummary, replyCountByStatusId, bookmarkedStatusIds, pinnedStatusIds] = await Promise.all([ loadMediaByStatusIds(env, statusIds), loadMentionsByStatusIds(env, statusIds), loadHashtagsByStatusIds(env, statusIds), loadStatusInteractionSummary(env, "favourites", statusIds, viewer), loadStatusInteractionSummary(env, "reblogs", statusIds, viewer), loadReplyCountByStatusIds(env, statusIds), viewerId ? loadBookmarkedStatusIds(env, viewerId, statusIds) : Promise.resolve(new Set()), viewerId ? loadPinnedStatusIds(env, viewerId, statusIds) : Promise.resolve(new Set()) ]); const accountByUserId = new Map>(); for (const user of usersById.values()) { accountByUserId.set(user.id, await accountJson(env, user)); } return { usersById, accountByUserId, mediaByStatusId, mentionsByStatusId, hashtagsByStatusId, favouriteCountByStatusId: favouriteSummary.countByStatusId, favouritedStatusIds: favouriteSummary.viewerMatchedStatusIds, reblogCountByStatusId: reblogSummary.countByStatusId, rebloggedStatusIds: reblogSummary.viewerMatchedStatusIds, replyCountByStatusId, bookmarkedStatusIds, pinnedStatusIds }; } async function accountJson(env: Env, user: User): Promise> { const [followersCount, followingCount, statusesCount, fields] = await Promise.all([ countFollowers(env, user.id), countFollowing(env, user.id), countStatuses(env, user.id), listProfileFields(env, user.id) ]); const acct = `${user.username}`; const avatar = user.avatar_r2_key ? mediaUrl(env, user.avatar_r2_key) : `${baseUrl(env)}/avatar.png`; const header = user.header_r2_key ? mediaUrl(env, user.header_r2_key) : `${baseUrl(env)}/header.png`; return { id: user.id, username: user.username, acct, display_name: user.display_name, locked: false, bot: false, discoverable: true, group: false, created_at: user.created_at, note: user.note, url: actorUrl(env, user), avatar, avatar_static: avatar, header, header_static: header, followers_count: followersCount, following_count: followingCount, statuses_count: statusesCount, last_status_at: null, emojis: [], fields: fields.map((field) => ({ name: field.name, value: field.value, verified_at: null })) }; } function remoteAccountJson(cache: ActorCache): Record { const host = (() => { try { return new URL(cache.id).host; } catch { return "remote"; } })(); const username = cache.preferred_username ?? cache.id.split("/").pop() ?? "user"; return { id: cache.local_id ?? cache.id, username, acct: `${username}@${host}`, display_name: cache.name ?? username, locked: false, bot: false, discoverable: true, group: false, created_at: cache.fetched_at, note: cache.summary ?? "", url: cache.id, avatar: cache.icon_url ?? "", avatar_static: cache.icon_url ?? "", header: "", header_static: "", followers_count: 0, following_count: 0, statuses_count: 0, last_status_at: null, emojis: [], fields: [] }; } function mediaJson(env: Env, media: Media): Record { const url = mediaUrl(env, media.r2_key); return { id: media.id, type: media.mime_type.startsWith("image/") ? "image" : media.mime_type.startsWith("video/") ? "video" : "unknown", url, preview_url: url, remote_url: null, text_url: null, meta: {}, description: media.description, blurhash: null }; } async function relationshipFor(env: Env, user: User, target: string): Promise> { const resolved = await resolveAccountTarget(env, target); const actorId = resolved?.actorId ?? target; const outgoing = await findOutgoingFollow(env, user.id, actorId); const incoming = await env.DB.prepare("SELECT * FROM follows WHERE follower_actor = ? AND local_user_id = ?").bind(actorId, user.id).first(); return { id: target, following: Boolean(outgoing && outgoing.accepted), showing_reblogs: true, notifying: false, languages: null, followed_by: Boolean(incoming), blocking: false, blocked_by: false, muting: false, muting_notifications: false, requested: Boolean(outgoing && !outgoing.accepted), domain_blocking: false, endorsed: false, note: "" }; } type AccountTarget = { kind: "local"; userId: string; actorId: string } | { kind: "remote"; actorId: string }; async function resolveAccountTarget(env: Env, key: string): Promise { const local = await getUserByIdOrUsername(env, key); if (local) return { kind: "local", userId: local.id, actorId: actorUrl(env, local) }; const byLocalId = await getActorByLocalId(env, key); if (byLocalId) return { kind: "remote", actorId: byLocalId.id }; if (key.startsWith("http://") || key.startsWith("https://")) { if (key.startsWith(baseUrl(env))) { const match = key.match(/\/users\/([^/?#]+)$/); const u = match ? await getUserByUsername(env, match[1]) : null; if (u) return { kind: "local", userId: u.id, actorId: actorUrl(env, u) }; } await resolveRemoteActor(env, key); return { kind: "remote", actorId: key }; } if (key.includes("@")) { const resolved = await resolveAcct(env, key); if (!resolved) return null; if (resolved.actorId.startsWith(baseUrl(env))) { const match = resolved.actorId.match(/\/users\/([^/?#]+)$/); const localUser = match ? await getUserByUsername(env, match[1]) : null; if (localUser) return { kind: "local", userId: localUser.id, actorId: resolved.actorId }; } await resolveRemoteActor(env, resolved.actorId); return { kind: "remote", actorId: resolved.actorId }; } return null; } async function resolveAcct(env: Env, acct: string): Promise<{ acct: string; actorId: string; url: string } | null> { const trimmed = acct.replace(/^@/, ""); const [name, host] = trimmed.split("@"); if (!name) return null; const targetHost = host ?? hostFromBaseUrl(env); if (targetHost.toLowerCase() === hostFromBaseUrl(env).toLowerCase()) { const user = await getUserByUsername(env, name); if (!user) return null; return { acct: name, actorId: actorUrl(env, user), url: actorUrl(env, user) }; } try { const wf = await fetch(`https://${targetHost}/.well-known/webfinger?resource=acct:${name}@${targetHost}`, { headers: { accept: "application/jrd+json, application/json" } }); if (!wf.ok) return null; const doc = await wf.json() as { links?: { rel: string; type?: string; href: string }[] }; const self = doc.links?.find((link) => link.rel === "self" && (link.type ?? "").includes("activity+json")); if (!self?.href) return null; return { acct: `${name}@${targetHost}`, actorId: self.href, url: self.href }; } catch { return null; } } async function listMentionsForStatus(env: Env, statusId: string): Promise { const rows = await env.DB.prepare("SELECT * FROM mentions WHERE status_id = ?").bind(statusId).all(); return rows.results; } async function listHashtagsForStatus(env: Env, statusId: string): Promise { const rows = await env.DB.prepare("SELECT tag FROM hashtags WHERE status_id = ?").bind(statusId).all<{ tag: string }>(); return rows.results.map((row) => row.tag); } function extractMentions(text: string): string[] { const re = /@([A-Za-z0-9._-]+(?:@[A-Za-z0-9.-]+\.[A-Za-z]{2,})?)/g; const out = new Set(); let match: RegExpExecArray | null; while ((match = re.exec(text)) !== null) out.add(match[1]); return [...out]; } function extractHashtags(text: string): string[] { const re = /(?:^|\s)#([\p{L}\p{N}_]{1,64})/gu; const out = new Set(); let match: RegExpExecArray | null; while ((match = re.exec(text)) !== null) out.add(match[1].toLowerCase()); return [...out]; } function uniqueStrings(values: Array): string[] { return [...new Set(values.filter((value): value is string => Boolean(value)))]; } function placeholders(count: number): string { return Array.from({ length: count }, () => "?").join(","); } async function loadUsersByIds(env: Env, userIds: string[]): Promise { if (userIds.length === 0) return []; const rows = await env.DB.prepare(`SELECT * FROM users WHERE id IN (${placeholders(userIds.length)})`).bind(...userIds).all(); return rows.results; } async function loadStatusesByIds(env: Env, statusIds: string[]): Promise { if (statusIds.length === 0) return []; const rows = await env.DB.prepare(`SELECT * FROM statuses WHERE id IN (${placeholders(statusIds.length)})`).bind(...statusIds).all(); return rows.results; } async function loadMediaByStatusIds(env: Env, statusIds: string[]): Promise> { const grouped = new Map(); if (statusIds.length === 0) return grouped; const rows = await env.DB.prepare( `SELECT * FROM media WHERE status_id IN (${placeholders(statusIds.length)}) ORDER BY created_at ASC` ).bind(...statusIds).all(); for (const row of rows.results) { if (!row.status_id) continue; const bucket = grouped.get(row.status_id); if (bucket) bucket.push(row); else grouped.set(row.status_id, [row]); } return grouped; } async function loadMentionsByStatusIds(env: Env, statusIds: string[]): Promise> { const grouped = new Map(); if (statusIds.length === 0) return grouped; const rows = await env.DB.prepare( `SELECT * FROM mentions WHERE status_id IN (${placeholders(statusIds.length)})` ).bind(...statusIds).all(); for (const row of rows.results) { const bucket = grouped.get(row.status_id); if (bucket) bucket.push(row); else grouped.set(row.status_id, [row]); } return grouped; } async function loadHashtagsByStatusIds(env: Env, statusIds: string[]): Promise> { const grouped = new Map(); if (statusIds.length === 0) return grouped; const rows = await env.DB.prepare( `SELECT status_id, tag FROM hashtags WHERE status_id IN (${placeholders(statusIds.length)})` ).bind(...statusIds).all<{ status_id: string; tag: string }>(); for (const row of rows.results) { const bucket = grouped.get(row.status_id); if (bucket) bucket.push(row.tag); else grouped.set(row.status_id, [row.tag]); } return grouped; } async function loadStatusInteractionSummary( env: Env, table: "favourites" | "reblogs", statusIds: string[], viewer: string | null ): Promise<{ countByStatusId: Map; viewerMatchedStatusIds: Set }> { const countByStatusId = new Map(); const viewerMatchedStatusIds = new Set(); if (statusIds.length === 0) return { countByStatusId, viewerMatchedStatusIds }; const viewerSql = viewer ? ", MAX(CASE WHEN actor = ? THEN 1 ELSE 0 END) AS viewer_match" : ""; const sql = `SELECT status_id, COUNT(*) AS count${viewerSql} FROM ${table} WHERE status_id IN (${placeholders(statusIds.length)}) GROUP BY status_id`; const binds = viewer ? [viewer, ...statusIds] : statusIds; const rows = await env.DB.prepare(sql).bind(...binds).all<{ status_id: string; count: number; viewer_match?: number }>(); for (const row of rows.results) { countByStatusId.set(row.status_id, row.count); if (row.viewer_match) viewerMatchedStatusIds.add(row.status_id); } return { countByStatusId, viewerMatchedStatusIds }; } async function loadReplyCountByStatusIds(env: Env, statusIds: string[]): Promise> { const counts = new Map(); if (statusIds.length === 0) return counts; const rows = await env.DB.prepare( `SELECT in_reply_to_id AS status_id, COUNT(*) AS count FROM statuses WHERE in_reply_to_id IN (${placeholders(statusIds.length)}) GROUP BY in_reply_to_id` ).bind(...statusIds).all<{ status_id: string; count: number }>(); for (const row of rows.results) counts.set(row.status_id, row.count); return counts; } async function serializeNotifications(env: Env, notifications: Notification[], request: Request): Promise[]> { if (notifications.length === 0) return []; const statuses = await loadStatusesByIds(env, uniqueStrings(notifications.map((notification) => notification.status_id))); const serializedStatuses = await serializeStatuses(env, statuses, request); const serializedStatusById = new Map(serializedStatuses.map((item) => [String(item.id), item])); const remoteActorIds = uniqueStrings( notifications.map((notification) => notification.actor).filter((actorId) => !actorId.startsWith(baseUrl(env))) ); const remoteAccounts = new Map>(); const remoteResults = await Promise.all(remoteActorIds.map(async (actorId) => [actorId, await resolveRemoteActor(env, actorId)] as const)); for (const [actorId, actorCache] of remoteResults) { remoteAccounts.set(actorId, actorCache ? remoteAccountJson(actorCache) : { id: actorId, acct: actorId, username: actorId }); } const localAccounts = new Map>(); const out: Record[] = []; for (const notification of notifications) { let account = localAccounts.get(notification.actor) ?? remoteAccounts.get(notification.actor); if (!account) { const match = notification.actor.match(/\/users\/([^/?#]+)$/); const localUser = match ? await getUserByUsername(env, match[1]) : null; account = localUser ? await accountJson(env, localUser) : { id: notification.actor, acct: notification.actor }; localAccounts.set(notification.actor, account); } out.push({ id: notification.id, type: notification.type, created_at: notification.created_at, account, status: notification.status_id ? serializedStatusById.get(notification.status_id) ?? null : null }); } return out; } function pagedAppend(where: string[], binds: unknown[], url: URL): void { const maxId = url.searchParams.get("max_id"); if (maxId) { where.push("created_at < (SELECT created_at FROM statuses WHERE id = ?)"); binds.push(maxId); } const sinceId = url.searchParams.get("since_id"); if (sinceId) { where.push("created_at > (SELECT created_at FROM statuses WHERE id = ?)"); binds.push(sinceId); } const minId = url.searchParams.get("min_id"); if (minId) { where.push("created_at > (SELECT created_at FROM statuses WHERE id = ?)"); binds.push(minId); } } function pagedAppendForTable(where: string[], binds: unknown[], url: URL, table: "follows" | "outgoing_follows"): void { const maxId = url.searchParams.get("max_id"); if (maxId) { where.push(`created_at < (SELECT created_at FROM ${table} WHERE id = ?)`); binds.push(maxId); } const sinceId = url.searchParams.get("since_id"); if (sinceId) { where.push(`created_at > (SELECT created_at FROM ${table} WHERE id = ?)`); binds.push(sinceId); } const minId = url.searchParams.get("min_id"); if (minId) { where.push(`created_at > (SELECT created_at FROM ${table} WHERE id = ?)`); binds.push(minId); } } function withPagination(response: Response, request: Request, ids: string[]): Response { if (ids.length === 0) return response; const url = new URL(request.url); const nextUrl = new URL(url); nextUrl.searchParams.set("max_id", ids[ids.length - 1]); const prevUrl = new URL(url); prevUrl.searchParams.set("since_id", ids[0]); const link = `<${nextUrl}>; rel="next", <${prevUrl}>; rel="prev"`; const headers = new Headers(response.headers); headers.set("link", link); return new Response(response.body, { status: response.status, statusText: response.statusText, headers }); } async function viewerActor(request: Request, env: Env): Promise { const auth = request.headers.get("authorization") ?? ""; const token = auth.match(/^Bearer\s+(.+)$/i)?.[1]; if (!token) return null; const session = await env.KV.get(`token:${token}`, "json"); if (!session) return null; const user = await getUserById(env, session.userId); return user ? actorUrl(env, user) : null; } async function viewerUserId(request: Request, env: Env): Promise { const auth = request.headers.get("authorization") ?? ""; const token = auth.match(/^Bearer\s+(.+)$/i)?.[1]; if (!token) return null; const session = await env.KV.get(`token:${token}`, "json"); return session?.userId ?? null; } async function loadBookmarkedStatusIds(env: Env, userId: string, statusIds: string[]): Promise> { if (statusIds.length === 0) return new Set(); const placeholders = statusIds.map(() => "?").join(","); const rows = await env.DB.prepare( `SELECT status_id FROM bookmarks WHERE user_id = ? AND status_id IN (${placeholders})` ).bind(userId, ...statusIds).all<{ status_id: string }>(); return new Set(rows.results.map((row) => row.status_id)); } async function loadPinnedStatusIds(env: Env, userId: string, statusIds: string[]): Promise> { if (statusIds.length === 0) return new Set(); const placeholders = statusIds.map(() => "?").join(","); const rows = await env.DB.prepare( `SELECT status_id FROM pinned_statuses WHERE user_id = ? AND status_id IN (${placeholders})` ).bind(userId, ...statusIds).all<{ status_id: string }>(); return new Set(rows.results.map((row) => row.status_id)); } async function requireUser(request: Request, env: Env): Promise { const auth = request.headers.get("authorization") ?? ""; const token = auth.match(/^Bearer\s+(.+)$/i)?.[1]; if (!token) throw new HttpError(401, "The access token is invalid"); const session = await env.KV.get(`token:${token}`, "json"); if (!session) throw new HttpError(401, "The access token is invalid"); const user = await getUserById(env, session.userId); if (!user) throw new HttpError(401, "The access token is invalid"); return user; } export { requireUser };