Removed full support for the ActivityPub Outbox

ref https://linear.app/ghost/issue/PROD-1733

This was still reliant on the key_value table, which we want to remove support
for. As a first step we are reducing the support for the outbox, which isn't
used by our application, and isn't essential for federation. We still support
the endpoint, but it always returns an empty collection.

Our e2e cucumber tests had a lot of reliance on the outbox, so the tests and
step defs have been updated to preserve features and to keep the suite passing.

Author: allouis

features/create-article-from-post.feature

@@ -1,21 +1,21 @@
 Feature: Deliver Create(Article) activities when a post.published webhook is received
 
   Scenario: We recieve a webhook for the post.published event
-    Given a "post.published" webhook
+    Given we are followed by "Alice"
+    And a "post.published" webhook
     When it is sent to the webhook endpoint
     Then the request is accepted
-    Then a "Create(Article)" activity is in the Outbox
-    And the found "Create(Article)" has property "object.attributedTo"
+    Then A "Create(Article)" Activity is sent to all followers
 
   Scenario: We recieve a webhook for the post.published event and the post has no content
-    Given a "post.published" webhook:
+    Given we are followed by "Alice"
+    And a "post.published" webhook:
       | property             | value |
       | post.current.html    | null  |
       | post.current.excerpt | null  |
     When it is sent to the webhook endpoint
     Then the request is accepted
-    Then a "Create(Article)" activity is in the Outbox
-    And the found "Create(Article)" has property "object.attributedTo"
+    Then A "Create(Article)" Activity is sent to all followers
 
   Scenario: We recieve a webhook for the post.published event with an old signature
     Given a "post.published" webhook

features/create-note.feature

@@ -8,32 +8,27 @@ Feature: Creating a note
     When we attempt to create a note with invalid content
     Then the request is rejected with a 400
 
-  Scenario: Created note is added to the Outbox
-    When we create a note "Note" with the content
-      """
-      Hello, world!
-      """
-    Then "Note" is in our Outbox
-
   Scenario: Created note is formatted
+    Given we are followed by "Alice"
     When we create a note "Note" with the content
       """
       Hello
       World
       """
-    Then "Note" is in our Outbox
+    Then Activity with object "Note" is sent to all followers
     And "Note" has the content "<p>Hello<br />World</p>"
 
   Scenario: Created note has user provided HTML escaped
     If HTML is provided as user input, it should be escaped. The content
     should still be wrapped in an unescaped <p> though.
 
+    Given we are followed by "Alice"
     When we create a note "Note" with the content
       """
       <p>Hello, world!</p>
       <script>alert("Hello, world!");</script>
       """
-    Then "Note" is in our Outbox
+    Then Activity with object "Note" is sent to all followers
     And "Note" has the content "<p>&lt;p&gt;Hello, world!&lt;/p&gt;<br />&lt;script&gt;alert(\"Hello, world!\");&lt;/script&gt;</p>"
 
   Scenario: Created note is sent to followers
@@ -48,11 +43,12 @@ Feature: Creating a note
     Then Activity with object "Note" is sent to all followers
 
   Scenario: Creating a note with an image URL
+    Given we are followed by "Alice"
     When we create a note "Note" with imageUrl "http://localhost:4443/image.jpg" and content
       """
       Hello, world!
       """
-    Then "Note" is in our Outbox
+    Then Activity with object "Note" is sent to all followers
     And "Note" has the content "<p>Hello, world!</p>"
     And note "Note" has the image URL "http://localhost:4443/image.jpg"
 

features/create-reply.feature

@@ -25,7 +25,7 @@ Feature: Creating a reply
       """
       This is a great article!
       """
-    Then "Reply" is in our Outbox
+    Then Activity with object "Reply" is sent to all followers
     And "Reply" has the content "<p>This is a great article!</p>"
 
   Scenario: Created reply contains newlines
@@ -34,15 +34,15 @@ Feature: Creating a reply
       Hello
       World
       """
-    Then "Reply" is in our Outbox
+    Then Activity with object "Reply" is sent to all followers
     And "Reply" has the content "<p>Hello<br />World</p>"
 
   Scenario: Created reply has user provided HTML escaped
     When we reply "Reply" to "Article" with the content
       """
       This is a great article!<script>alert("Hello, world!");</script>
       """
-    Then "Reply" is in our Outbox
+    Then Activity with object "Reply" is sent to all followers
     And "Reply" has the content "<p>This is a great article!&lt;script&gt;alert(\"Hello, world!\");&lt;/script&gt;</p>"
 
   Scenario: Created reply is sent to followers
@@ -58,7 +58,7 @@ Feature: Creating a reply
       """
       This is a great article!
       """
-    Then "Reply" is in our Outbox
+    Then Activity with object "Reply" is sent to all followers
     And "Reply" has the content "<p>This is a great article!</p>"
     And note "Reply" has the image URL "http://localhost:4443/image.jpg"
 

features/delete-post.feature

@@ -11,7 +11,6 @@ Feature: Delete a post
       Hello
       World
       """
-    And "OurNote" is in our Outbox
     And an authenticated request is made to "/.ghost/activitypub/feed"
     And the request is accepted
     And "OurNote" is in the feed
@@ -23,7 +22,6 @@ Feature: Delete a post
     When an authenticated request is made to "/.ghost/activitypub/feed"
     Then the request is accepted
     And "OurNote" is not in the feed
-    And "OurNote" is not in our Outbox
     And a "Delete(OurNote)" activity is sent to "Alice"
 
   Scenario: Attempting to delete another user's post

features/handle-replies.feature

@@ -1,19 +1,8 @@
 Feature: Create(Note<inReplyTo>)
   We want to handle incoming replies to our content and add them to the inbox.
 
-  Scenario: We recieve a Create(Note) in response to our content from someone we don't follow
-    # Setup our article
-    Given a "post.published" webhook
-    When it is sent to the webhook endpoint
-    Then the request is accepted
-    Then a "Create(Article)" activity is in the Outbox
-
-    Given the found "Create(Article)" as "ArticleCreate(OurArticle)"
-
-    Given an Actor "Person(Alice)"
-    Given a "Note" Object "Reply" by "Alice"
-    And "Reply" is a reply to "OurArticle"
-    And a "Create(Reply)" Activity "A" by "Alice"
-    When "Alice" sends "A" to the Inbox
-    Then the request is accepted
-    Then "A" is in our Inbox
+  Scenario: We recieve a reply to our content from someone we don't follow
+    Given we are not following "Alice"
+    And we publish an article
+    When "Alice" sends us a reply to our article
+    Then the reply is in our notifications

features/step_definitions/activitypub_steps.js

@@ -2,12 +2,7 @@ import assert from 'node:assert';
 
 import { Given, Then, When } from '@cucumber/cucumber';
 
-import {
-    findInOutbox,
-    waitForInboxActivity,
-    waitForOutboxActivity,
-    waitForOutboxObject,
-} from '../support/activitypub.js';
+import { waitForInboxActivity } from '../support/activitypub.js';
 import {
     createActivity,
     createActor,
@@ -266,72 +261,6 @@ Then(
     },
 );
 
-Then('{string} is not in our Outbox', async function (activityName) {
-    const activity = this.activities[activityName];
-    const found = await findInOutbox(activity);
-    assert(
-        !found,
-        `Expected not to find activity "${activityName}" in outbox, but it was found`,
-    );
-});
-
-Then('{string} is in our Outbox', async function (name) {
-    const activity = this.activities[name];
-    if (activity) return waitForOutboxActivity(activity);
-    const object = this.objects[name];
-    if (object) return waitForOutboxObject(object);
-});
-
-async function waitForOutboxActivityType(
-    activityType,
-    objectType,
-    options = {
-        retryCount: 0,
-        delay: 0,
-    },
-) {
-    const MAX_RETRIES = 5;
-
-    const initialResponse = await fetchActivityPub(
-        'http://fake-ghost-activitypub.test/.ghost/activitypub/outbox/index',
-        {
-            headers: {
-                Accept: 'application/ld+json',
-            },
-        },
-    );
-    const initialResponseJson = await initialResponse.json();
-    const firstPageReponse = await fetchActivityPub(initialResponseJson.first, {
-        headers: {
-            Accept: 'application/ld+json',
-        },
-    });
-    const outbox = await firstPageReponse.json();
-
-    const found = (outbox.orderedItems || []).find((item) => {
-        return item.type === activityType && item.object?.type === objectType;
-    });
-
-    if (found) {
-        return found;
-    }
-
-    if (options.retryCount === MAX_RETRIES) {
-        throw new Error(
-            `Max retries reached (${MAX_RETRIES}) when waiting for ${activityType}(${objectType}) in the outbox`,
-        );
-    }
-
-    if (options.delay > 0) {
-        await new Promise((resolve) => setTimeout(resolve, options.delay));
-    }
-
-    return waitForOutboxActivityType(activityType, objectType, {
-        retryCount: options.retryCount + 1,
-        delay: options.delay + 500,
-    });
-}
-
 Then(
     'Activity {string} is sent to {string}',
     async function (activityName, actorName) {
@@ -388,6 +317,52 @@ Then(
     },
 );
 
+Then(
+    'A {string} Activity is sent to all followers',
+    async function (activityString) {
+        const followersResponse = await fetchActivityPub(
+            'http://fake-ghost-activitypub.test/.ghost/activitypub/followers/index',
+        );
+        const followersResponseJson = await followersResponse.json();
+
+        const [match, activity, object] = activityString.match(
+            /(\w+)\((\w+)\)/,
+        ) || [null];
+        if (!match) {
+            throw new Error(`Could not match ${activityString} to an activity`);
+        }
+
+        const followers = followersResponseJson.orderedItems;
+
+        for (const followerUrl of followers) {
+            const follower = await (await fetchActivityPub(followerUrl)).json();
+            const inbox = new URL(follower.inbox);
+
+            const found = await waitForRequest(
+                'POST',
+                inbox.pathname,
+                (call) => {
+                    const json = JSON.parse(call.request.body);
+
+                    return (
+                        json.type === activity && json.object.type === object
+                    );
+                },
+            );
+
+            if (!this.found) {
+                this.found = {};
+            }
+            this.found[activityString] = found;
+
+            assert(
+                found,
+                `Activity "${activityString}" was not sent to "${follower.name}"`,
+            );
+        }
+    },
+);
+
 Then(
     'Activity with object {string} is sent to all followers',
     async function (objectName) {
@@ -422,21 +397,6 @@ Then(
     },
 );
 
-Then('a {string} activity is in the Outbox', async function (string) {
-    const [match, activity, object] = string.match(/(\w+)\((\w+)\)/) || [null];
-    if (!match) {
-        throw new Error(`Could not match ${string} to an activity`);
-    }
-
-    const found = await waitForOutboxActivityType(activity, object);
-
-    if (!this.found) {
-        this.found = {};
-    }
-    this.found[string] = found;
-    assert.ok(found);
-});
-
 Then('the found {string} as {string}', function (foundName, name) {
     const found = this.found[foundName];
 

features/step_definitions/content_steps.js

@@ -0,0 +1,31 @@
+import { createHmac } from 'node:crypto';
+import { Given } from '@cucumber/cucumber';
+import { createWebhookPost, getWebhookSecret } from '../support/fixtures.js';
+import { fetchActivityPub } from '../support/request.js';
+
+Given('we publish an article', async function () {
+    if (this.articleId) {
+        throw new Error('This step does not support multiple articles');
+    }
+    const endpoint =
+        'http://fake-ghost-activitypub.test/.ghost/activitypub/webhooks/post/published';
+    const payload = createWebhookPost();
+    const body = JSON.stringify(payload);
+    const timestamp = Date.now();
+    const hmac = createHmac('sha256', getWebhookSecret())
+        .update(body + timestamp)
+        .digest('hex');
+
+    const response = await fetchActivityPub(endpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'X-Ghost-Signature': `sha256=${hmac}, t=${timestamp}`,
+        },
+        body: body,
+    });
+
+    const post = await response.json();
+
+    this.articleId = post.id;
+});

features/step_definitions/follow_steps.js

@@ -29,6 +29,21 @@ async function getActor(input) {
     };
 }
 
+Given('we are not following {string}', async function (input) {
+    const { actor } = await getActor.call(this, input);
+
+    const unfollowResponse = await fetchActivityPub(
+        `http://fake-ghost-activitypub.test/.ghost/activitypub/actions/unfollow/${actor.handle}`,
+        {
+            method: 'POST',
+        },
+    );
+
+    if (!unfollowResponse.ok && unfollowResponse.status !== 409) {
+        throw new Error('Something went wrong');
+    }
+});
+
 Given('we are following {string}', async function (input) {
     const { actor } = await getActor.call(this, input);