From ea23f01df26f32201e96ab1554f922209a9b12c8 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 10:06:49 +0000
Subject: [PATCH 01/25] Actor validation for arriving posts

---
 outbox.py | 18 ++++++++++++++++++
 utils.py  |  8 +++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/outbox.py b/outbox.py
index 2c3fda855..11d595c6e 100644
--- a/outbox.py
+++ b/outbox.py
@@ -14,6 +14,7 @@ from posts import outboxMessageCreateWrap
 from posts import savePostToBox
 from posts import sendToFollowersThread
 from posts import sendToNamedAddresses
+from utils import getLocalNetworkAddresses
 from utils import getFullDomain
 from utils import removeIdEnding
 from utils import getDomainFromActor
@@ -114,6 +115,23 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
                           'Create does not have the "to" parameter ' +
                           str(messageJson))
             return False
+
+        # actor should be a string
+        if not isinstance(messageJson['actor'], str):
+            return False
+
+        # actor should look like a url
+        if '://' not in messageJson['actor'] or \
+           '.' not in messageJson['actor']:
+            return False
+
+        # sent by an actor on a local network address?
+        if not allowLocalNetworkAccess:
+            localNetworkPatternList = getLocalNetworkAddresses()
+            for localNetworkPattern in localNetworkPatternList:
+                if localNetworkPattern in messageJson['actor']:
+                    return False
+
         testDomain, testPort = getDomainFromActor(messageJson['actor'])
         testDomain = getFullDomain(testDomain, testPort)
         if isBlockedDomain(baseDir, testDomain):
diff --git a/utils.py b/utils.py
index f1247e898..8f2348062 100644
--- a/utils.py
+++ b/utils.py
@@ -605,6 +605,12 @@ def urlPermitted(url: str, federationList: []):
     return False
 
 
+def getLocalNetworkAddresses() -> []:
+    """Returns patterns for local network address detection
+    """
+    return ('localhost', '127.0.', '192.168', '10.0.')
+
+
 def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool:
     """Returns true if the given content contains dangerous html markup
     """
@@ -615,7 +621,7 @@ def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool:
     contentSections = content.split('<')
     invalidPartials = ()
     if not allowLocalNetworkAccess:
-        invalidPartials = ('localhost', '127.0.', '192.168', '10.0.')
+        invalidPartials = getLocalNetworkAddresses()
     invalidStrings = ('script', 'canvas', 'style', 'abbr',
                       'frame', 'iframe', 'html', 'body',
                       'hr', 'allow-popups', 'allow-scripts')

From 5285c11b70331c4cdb01fb940703b76aeafb7708 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 10:24:31 +0000
Subject: [PATCH 02/25] More validation on the actor of incoming posts

---
 daemon.py | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/daemon.py b/daemon.py
index 577afe37f..e87ce93e3 100644
--- a/daemon.py
+++ b/daemon.py
@@ -185,6 +185,7 @@ from shares import addShare
 from shares import removeShare
 from shares import expireShares
 from categories import setHashtagCategory
+from utils import getLocalNetworkAddresses
 from utils import decodedHost
 from utils import isPublicPost
 from utils import getLockedAccount
@@ -1154,6 +1155,32 @@ class PubServer(BaseHTTPRequestHandler):
         # check for blocked domains so that they can be rejected early
         messageDomain = None
         if messageJson.get('actor'):
+            # actor should be a string
+            if not isinstance(messageJson['actor'], str):
+                self._400()
+                self.server.POSTbusy = False
+                return 3
+
+            # actor should look like a url
+            if '://' not in messageJson['actor'] or \
+               '.' not in messageJson['actor']:
+                print('POST actor does not look like a url ' +
+                      messageJson['actor'])
+                self._400()
+                self.server.POSTbusy = False
+                return 3
+
+            # sent by an actor on a local network address?
+            if not self.server.allowLocalNetworkAccess:
+                localNetworkPatternList = getLocalNetworkAddresses()
+                for localNetworkPattern in localNetworkPatternList:
+                    if localNetworkPattern in messageJson['actor']:
+                        print('POST actor contains local network address ' +
+                              messageJson['actor'])
+                        self._400()
+                        self.server.POSTbusy = False
+                        return 3
+
             messageDomain, messagePort = \
                 getDomainFromActor(messageJson['actor'])
             if isBlockedDomain(self.server.baseDir, messageDomain):

From 30474d19c215ec45503a93cb48d34fe6eeb43c5b Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 10:30:53 +0000
Subject: [PATCH 03/25] Less indentation

---
 daemon.py | 70 +++++++++++++++++++++++++++----------------------------
 1 file changed, 35 insertions(+), 35 deletions(-)

diff --git a/daemon.py b/daemon.py
index e87ce93e3..320f3fa78 100644
--- a/daemon.py
+++ b/daemon.py
@@ -1154,46 +1154,46 @@ class PubServer(BaseHTTPRequestHandler):
 
         # check for blocked domains so that they can be rejected early
         messageDomain = None
-        if messageJson.get('actor'):
-            # actor should be a string
-            if not isinstance(messageJson['actor'], str):
-                self._400()
-                self.server.POSTbusy = False
-                return 3
-
-            # actor should look like a url
-            if '://' not in messageJson['actor'] or \
-               '.' not in messageJson['actor']:
-                print('POST actor does not look like a url ' +
-                      messageJson['actor'])
-                self._400()
-                self.server.POSTbusy = False
-                return 3
-
-            # sent by an actor on a local network address?
-            if not self.server.allowLocalNetworkAccess:
-                localNetworkPatternList = getLocalNetworkAddresses()
-                for localNetworkPattern in localNetworkPatternList:
-                    if localNetworkPattern in messageJson['actor']:
-                        print('POST actor contains local network address ' +
-                              messageJson['actor'])
-                        self._400()
-                        self.server.POSTbusy = False
-                        return 3
-
-            messageDomain, messagePort = \
-                getDomainFromActor(messageJson['actor'])
-            if isBlockedDomain(self.server.baseDir, messageDomain):
-                print('POST from blocked domain ' + messageDomain)
-                self._400()
-                self.server.POSTbusy = False
-                return 3
-        else:
+        if not messageJson.get('actor'):
             print('Message arriving at inbox queue has no actor')
             self._400()
             self.server.POSTbusy = False
             return 3
 
+        # actor should be a string
+        if not isinstance(messageJson['actor'], str):
+            self._400()
+            self.server.POSTbusy = False
+            return 3
+
+        # actor should look like a url
+        if '://' not in messageJson['actor'] or \
+           '.' not in messageJson['actor']:
+            print('POST actor does not look like a url ' +
+                  messageJson['actor'])
+            self._400()
+            self.server.POSTbusy = False
+            return 3
+
+        # sent by an actor on a local network address?
+        if not self.server.allowLocalNetworkAccess:
+            localNetworkPatternList = getLocalNetworkAddresses()
+            for localNetworkPattern in localNetworkPatternList:
+                if localNetworkPattern in messageJson['actor']:
+                    print('POST actor contains local network address ' +
+                          messageJson['actor'])
+                    self._400()
+                    self.server.POSTbusy = False
+                    return 3
+
+        messageDomain, messagePort = \
+            getDomainFromActor(messageJson['actor'])
+        if isBlockedDomain(self.server.baseDir, messageDomain):
+            print('POST from blocked domain ' + messageDomain)
+            self._400()
+            self.server.POSTbusy = False
+            return 3
+
         # if the inbox queue is full then return a busy code
         if len(self.server.inboxQueue) >= self.server.maxQueueLength:
             if messageDomain:

From 3303840318e45b2023f67893043eab7149aa6563 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 11:53:19 +0000
Subject: [PATCH 04/25] Column icon size

---
 epicyon-profile.css | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/epicyon-profile.css b/epicyon-profile.css
index 473fbdb37..f5af28671 100644
--- a/epicyon-profile.css
+++ b/epicyon-profile.css
@@ -106,11 +106,11 @@
     --column-left-icons-margin: 0;
     --column-right-border-width: 0;
     --column-left-border-color: black;
-    --column-left-icon-size: 20%;
+    --column-left-icon-size: 2.1vw;
     --column-left-icon-size-mobile: 10%;
     --column-left-image-width-mobile: 40vw;
     --column-right-image-width-mobile: 100vw;
-    --column-right-icon-size: 20%;
+    --column-right-icon-size: 2.1vw;
     --column-right-icon-size-mobile: 10%;
     --newswire-date-color: white;
     --newswire-voted-background-color: black;

From 0f95961eaedbd1bb7b8accfe44bde62c5a4efc89 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 12:09:21 +0000
Subject: [PATCH 05/25] Line endings to more easily read html source

---
 theme.py        |  2 +-
 webapp_utils.py | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/theme.py b/theme.py
index 9a27ec6e6..676ff42c1 100644
--- a/theme.py
+++ b/theme.py
@@ -438,7 +438,7 @@ def getTextModeBanner(baseDir: str) -> str:
         with open(textModeBannerFilename, 'r') as fp:
             bannerStr = fp.read()
             if bannerStr:
-                return bannerStr.replace('\n', '<br>')
+                return bannerStr.replace('\n', '<br>\n')
     return None
 
 
diff --git a/webapp_utils.py b/webapp_utils.py
index 014b42a19..2bc847e4f 100644
--- a/webapp_utils.py
+++ b/webapp_utils.py
@@ -892,26 +892,26 @@ def htmlKeyboardNavigation(banner: str, links: {},
                            followApprovals=False) -> str:
     """Given a set of links return the html for keyboard navigation
     """
-    htmlStr = '<div class="transparent"><ul>'
+    htmlStr = '<div class="transparent"><ul>\n'
 
     if banner:
-        htmlStr += '<pre aria-label="">' + banner + '<br><br></pre>'
+        htmlStr += '<pre aria-label="">' + banner + '\n<br><br></pre>\n'
 
     if subHeading:
         htmlStr += '<strong><label class="transparent">' + \
-            subHeading + '</label></strong><br>'
+            subHeading + '</label></strong><br>\n'
 
     # show new follower approvals
     if usersPath and translate and followApprovals:
         htmlStr += '<strong><label class="transparent">' + \
             '<a href="' + usersPath + '/followers#timeline">' + \
             translate['Approve follow requests'] + '</a>' + \
-            '</label></strong><br><br>'
+            '</label></strong><br><br>\n'
 
     # show the list of links
     for title, url in links.items():
         htmlStr += '<li><label class="transparent">' + \
             '<a href="' + str(url) + '">' + \
-            str(title) + '</a></label></li>'
-    htmlStr += '</ul></div>'
+            str(title) + '</a></label></li>\n'
+    htmlStr += '</ul></div>\n'
     return htmlStr

From e094e8d6028711e0741986632dcc647ca86975db Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 12:13:31 +0000
Subject: [PATCH 06/25] Extra newline

---
 webapp_utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapp_utils.py b/webapp_utils.py
index 2bc847e4f..64b1cae89 100644
--- a/webapp_utils.py
+++ b/webapp_utils.py
@@ -895,7 +895,7 @@ def htmlKeyboardNavigation(banner: str, links: {},
     htmlStr = '<div class="transparent"><ul>\n'
 
     if banner:
-        htmlStr += '<pre aria-label="">' + banner + '\n<br><br></pre>\n'
+        htmlStr += '<pre aria-label="">\n' + banner + '\n<br><br></pre>\n'
 
     if subHeading:
         htmlStr += '<strong><label class="transparent">' + \

From 3a39dc601206de803098acfca224dfd249974aad Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 12:26:12 +0000
Subject: [PATCH 07/25] Meta tags on website

---
 website/EN/index.html | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/website/EN/index.html b/website/EN/index.html
index 6ec59cc09..98e6e9b34 100644
--- a/website/EN/index.html
+++ b/website/EN/index.html
@@ -1,6 +1,9 @@
 <!DOCTYPE html>
 <html lang="en">
   <meta charset="utf-8">
+  <meta name="description" content="ActivityPub server written in Python, HTML and CSS, and suitable for self-hosting on single board computers">
+  <meta name="keywords" content="ActivityPub, Fediverse, Python, HTML, CSS">
+  <meta name="author" content="Bob Mottram">
   <style>
     @charset "UTF-8";
 
@@ -1141,6 +1144,9 @@
     }
 
   </style>
+  <head>
+    <title>Epicyon ActivityPub server</title>
+  </head>
   <body>
     <div class="timeline-banner"></div>
     <center>

From a85767ad58bcd5a5aa18cedfa4f84725fdb0fd3b Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 12:48:50 +0000
Subject: [PATCH 08/25] Detecting http

---
 daemon.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/daemon.py b/daemon.py
index 320f3fa78..71c426fd3 100644
--- a/daemon.py
+++ b/daemon.py
@@ -479,6 +479,10 @@ class PubServer(BaseHTTPRequestHandler):
             if 'text/html' not in self.headers['Accept']:
                 return False
         if self.headers['Accept'].startswith('*'):
+            if self.headers.get('User-Agent'):
+                if 'Elinks' in self.headers['User-Agent'] or \
+                   'Lynx' in self.headers['User-Agent']:
+                    return True
             return False
         if 'json' in self.headers['Accept']:
             return False

From 7e4eaab3cb76dffbd1e82e3eb694e8169f5dae45 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 12:51:49 +0000
Subject: [PATCH 09/25] Capital

---
 daemon.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon.py b/daemon.py
index 71c426fd3..7bce1faec 100644
--- a/daemon.py
+++ b/daemon.py
@@ -480,7 +480,7 @@ class PubServer(BaseHTTPRequestHandler):
                 return False
         if self.headers['Accept'].startswith('*'):
             if self.headers.get('User-Agent'):
-                if 'Elinks' in self.headers['User-Agent'] or \
+                if 'ELinks' in self.headers['User-Agent'] or \
                    'Lynx' in self.headers['User-Agent']:
                     return True
             return False

From ae5bf31db3ade47e8aea4ce46ee8117ace049010 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 12:57:33 +0000
Subject: [PATCH 10/25] No newline

---
 theme.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/theme.py b/theme.py
index 676ff42c1..9a27ec6e6 100644
--- a/theme.py
+++ b/theme.py
@@ -438,7 +438,7 @@ def getTextModeBanner(baseDir: str) -> str:
         with open(textModeBannerFilename, 'r') as fp:
             bannerStr = fp.read()
             if bannerStr:
-                return bannerStr.replace('\n', '<br>\n')
+                return bannerStr.replace('\n', '<br>')
     return None
 
 

From 345df667c2ac319271e6a5ef54d209adfaf28382 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 13:10:08 +0000
Subject: [PATCH 11/25] Check that manifest is not a http request

---
 daemon.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/daemon.py b/daemon.py
index 7bce1faec..d0093cdcd 100644
--- a/daemon.py
+++ b/daemon.py
@@ -10130,9 +10130,11 @@ class PubServer(BaseHTTPRequestHandler):
 
         # manifest for progressive web apps
         if '/manifest.json' in self.path:
-            self._progressiveWebAppManifest(callingDomain,
-                                            GETstartTime, GETtimings)
-            return
+            if self._hasAccept(callingDomain):
+                if not self._requestHTTP():
+                    self._progressiveWebAppManifest(callingDomain,
+                                                    GETstartTime, GETtimings)
+                    return
 
         # default newswire favicon, for links to sites which
         # have no favicon

From 893c421e6fcd403a24293fb498d854d4e7fcc5d7 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 13:49:36 +0000
Subject: [PATCH 12/25] Use mobile links on keyboard menu

---
 webapp_timeline.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webapp_timeline.py b/webapp_timeline.py
index 0c0407520..d8c7df407 100644
--- a/webapp_timeline.py
+++ b/webapp_timeline.py
@@ -427,8 +427,8 @@ def htmlTimeline(cssCache: {}, defaultTimeline: str,
         menuShares: usersPath + '/tlshares#timeline',
         menuBlogs: usersPath + '/tlblogs#timeline',
         # menuEvents: usersPath + '/tlevents#timeline',
-        menuNewswire: '#newswire',
-        menuLinks: '#links'
+        menuNewswire: usersPath + '/newswiremobile',
+        menuLinks: usersPath + '/linksmobile'
     }
     if moderator:
         navLinks[menuModeration] = usersPath + '/moderation#modtimeline'

From 5927a52c80e81a647b5a2c66bf7ddbbc7b517f7c Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 13:56:09 +0000
Subject: [PATCH 13/25] http manifest is the main path

---
 daemon.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/daemon.py b/daemon.py
index d0093cdcd..b8f763f33 100644
--- a/daemon.py
+++ b/daemon.py
@@ -10135,6 +10135,8 @@ class PubServer(BaseHTTPRequestHandler):
                     self._progressiveWebAppManifest(callingDomain,
                                                     GETstartTime, GETtimings)
                     return
+                else:
+                    self.path = '/'
 
         # default newswire favicon, for links to sites which
         # have no favicon

From bf12ad059b096e113b3599582f8a2cbb59550e2d Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 14:31:52 +0000
Subject: [PATCH 14/25] Avoid any confusion between timeline class and id

---
 webapp_timeline.py | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/webapp_timeline.py b/webapp_timeline.py
index d8c7df407..b5a9a41b0 100644
--- a/webapp_timeline.py
+++ b/webapp_timeline.py
@@ -416,17 +416,17 @@ def htmlTimeline(cssCache: {}, defaultTimeline: str,
         translate['Mod']
     navLinks = {
         menuProfile: '/users/' + nickname,
-        menuInbox: usersPath + '/inbox#timeline',
+        menuInbox: usersPath + '/inbox#timelineposts',
         menuSearch: usersPath + '/search',
         menuNewPost: usersPath + '/newpost',
         menuCalendar: usersPath + '/calendar',
-        menuDM: usersPath + '/dm#timeline',
-        menuReplies: usersPath + '/tlreplies#timeline',
-        menuOutbox: usersPath + '/inbox#timeline',
-        menuBookmarks: usersPath + '/tlbookmarks#timeline',
-        menuShares: usersPath + '/tlshares#timeline',
-        menuBlogs: usersPath + '/tlblogs#timeline',
-        # menuEvents: usersPath + '/tlevents#timeline',
+        menuDM: usersPath + '/dm#timelineposts',
+        menuReplies: usersPath + '/tlreplies#timelineposts',
+        menuOutbox: usersPath + '/inbox#timelineposts',
+        menuBookmarks: usersPath + '/tlbookmarks#timelineposts',
+        menuShares: usersPath + '/tlshares#timelineposts',
+        menuBlogs: usersPath + '/tlblogs#timelineposts',
+        # menuEvents: usersPath + '/tlevents#timelineposts',
         menuNewswire: usersPath + '/newswiremobile',
         menuLinks: usersPath + '/linksmobile'
     }
@@ -502,7 +502,7 @@ def htmlTimeline(cssCache: {}, defaultTimeline: str,
                                   calendarImage, followApprovals,
                                   iconsAsButtons)
 
-    tlStr += '  <div id="timeline" class="timeline-posts">\n'
+    tlStr += '  <div id="timelineposts" class="timeline-posts">\n'
 
     # second row of buttons for moderator actions
     if moderator and boxName == 'moderation':

From e06fd064b1a32a1cca7d9b4b291738a69d00301e Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 15:16:57 +0000
Subject: [PATCH 15/25] id on posts column

---
 webapp_timeline.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webapp_timeline.py b/webapp_timeline.py
index b5a9a41b0..b18e8754d 100644
--- a/webapp_timeline.py
+++ b/webapp_timeline.py
@@ -484,7 +484,7 @@ def htmlTimeline(cssCache: {}, defaultTimeline: str,
         'id="links" tabindex="-1">' + \
         leftColumnStr + '  </td>\n'
     # center column containing posts
-    tlStr += '  <td valign="top" class="col-center">\n'
+    tlStr += '  <td id="timelineposts" valign="top" class="col-center">\n'
 
     if not fullWidthTimelineButtonHeader:
         tlStr += \
@@ -502,7 +502,7 @@ def htmlTimeline(cssCache: {}, defaultTimeline: str,
                                   calendarImage, followApprovals,
                                   iconsAsButtons)
 
-    tlStr += '  <div id="timelineposts" class="timeline-posts">\n'
+    tlStr += '  <div class="timeline-posts">\n'
 
     # second row of buttons for moderator actions
     if moderator and boxName == 'moderation':

From 557ca1e787029e764060a44bf84ab42ae302a55a Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 15:21:07 +0000
Subject: [PATCH 16/25] Back to previous id location

---
 webapp_timeline.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webapp_timeline.py b/webapp_timeline.py
index b18e8754d..b5a9a41b0 100644
--- a/webapp_timeline.py
+++ b/webapp_timeline.py
@@ -484,7 +484,7 @@ def htmlTimeline(cssCache: {}, defaultTimeline: str,
         'id="links" tabindex="-1">' + \
         leftColumnStr + '  </td>\n'
     # center column containing posts
-    tlStr += '  <td id="timelineposts" valign="top" class="col-center">\n'
+    tlStr += '  <td valign="top" class="col-center">\n'
 
     if not fullWidthTimelineButtonHeader:
         tlStr += \
@@ -502,7 +502,7 @@ def htmlTimeline(cssCache: {}, defaultTimeline: str,
                                   calendarImage, followApprovals,
                                   iconsAsButtons)
 
-    tlStr += '  <div class="timeline-posts">\n'
+    tlStr += '  <div id="timelineposts" class="timeline-posts">\n'
 
     # second row of buttons for moderator actions
     if moderator and boxName == 'moderation':

From 721ff8ddf55ecf7d77543e17a1d340c70edeb01c Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 21:14:05 +0000
Subject: [PATCH 17/25] Instance level allow list

---
 blocking.py | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/blocking.py b/blocking.py
index f0759f963..982d4e14c 100644
--- a/blocking.py
+++ b/blocking.py
@@ -175,15 +175,27 @@ def isBlockedDomain(baseDir: str, domain: str) -> bool:
     if noOfSections > 2:
         shortDomain = domain[noOfSections-2] + '.' + domain[noOfSections-1]
 
-    globalBlockingFilename = baseDir + '/accounts/blocking.txt'
-    if os.path.isfile(globalBlockingFilename):
-        with open(globalBlockingFilename, 'r') as fpBlocked:
-            blockedStr = fpBlocked.read()
-            if '*@' + domain in blockedStr:
-                return True
-            if shortDomain:
-                if '*@' + shortDomain in blockedStr:
+    allowFilename = baseDir + '/accounts/allowedinstances.txt'
+    if not os.path.isfile(allowFilename):
+        # instance block list
+        globalBlockingFilename = baseDir + '/accounts/blocking.txt'
+        if os.path.isfile(globalBlockingFilename):
+            with open(globalBlockingFilename, 'r') as fpBlocked:
+                blockedStr = fpBlocked.read()
+                if '*@' + domain in blockedStr:
                     return True
+                if shortDomain:
+                    if '*@' + shortDomain in blockedStr:
+                        return True
+    else:
+        # instance allow list
+        if not shortDomain:
+            if domain not in open(allowFilename).read():
+                return True
+        else:
+            if shortDomain not in open(allowFilename).read():
+                return True
+
     return False
 
 

From 68d3f3ee91b7180a32ff234a5dfa617b4bcea4a4 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 22:06:53 +0000
Subject: [PATCH 18/25] Broch mode

---
 blocking.py          | 51 ++++++++++++++++++++++++++++++++++++++++++++
 daemon.py            | 18 +++++++++++++++-
 epicyon.py           | 13 ++++++++++-
 tests.py             | 12 ++++++++---
 translations/ar.json |  3 ++-
 translations/ca.json |  3 ++-
 translations/cy.json |  3 ++-
 translations/de.json |  3 ++-
 translations/en.json |  3 ++-
 translations/es.json |  3 ++-
 translations/fr.json |  3 ++-
 translations/ga.json |  3 ++-
 translations/hi.json |  3 ++-
 translations/it.json |  3 ++-
 translations/ja.json |  3 ++-
 translations/oc.json |  3 ++-
 translations/pt.json |  3 ++-
 translations/ru.json |  3 ++-
 translations/zh.json |  3 ++-
 webapp_profile.py    | 10 +++++++++
 20 files changed, 129 insertions(+), 20 deletions(-)

diff --git a/blocking.py b/blocking.py
index 982d4e14c..cfa885a79 100644
--- a/blocking.py
+++ b/blocking.py
@@ -7,6 +7,7 @@ __email__ = "bob@freedombone.net"
 __status__ = "Production"
 
 import os
+from utils import setConfigParam
 from utils import hasUsersPath
 from utils import getFullDomain
 from utils import removeIdEnding
@@ -356,3 +357,53 @@ def outboxUndoBlock(baseDir: str, httpPrefix: str,
                 nicknameBlocked, domainBlockedFull)
     if debug:
         print('DEBUG: post undo blocked via c2s - ' + postFilename)
+
+
+def setBrochMode(baseDir: str, domainFull: str, enabled: bool) -> None:
+    """Broch mode can be used to lock down the instance during
+    a period of time when it is temporarily under attack.
+    For example, where an adversary is constantly spinning up new
+    instances.
+    It surveys the following lists of all accounts and uses that
+    to construct an instance level allow list. Anything arriving
+    which is then not from one of the allowed domains will be dropped
+    """
+    allowFilename = baseDir + '/accounts/allowedinstances.txt'
+
+    if not enabled:
+        # remove instance allow list
+        if os.path.isfile(allowFilename):
+            os.remove(allowFilename)
+    else:
+        # generate instance allow list
+        allowedDomains = [domainFull]
+        for subdir, dirs, files in os.walk(baseDir + '/accounts'):
+            for acct in dirs:
+                if '@' not in acct:
+                    continue
+                if 'inbox@' in acct or 'news@' in acct:
+                    continue
+                accountDir = os.path.join(baseDir + '/accounts', acct)
+                followingFilename = accountDir + '/following.txt'
+                if not os.path.isfile(followingFilename):
+                    continue
+                with open(followingFilename, "r") as f:
+                    followList = f.readlines()
+                    for handle in followList:
+                        if '@' not in handle:
+                            continue
+                        handle = handle.replace('\n', '')
+                        handleDomain = handle.split('@')[1]
+                        if handleDomain not in allowedDomains:
+                            allowedDomains.append(handleDomain)
+            break
+
+        # write the allow file
+        allowFile = open(allowFilename, "w+")
+        if allowFile:
+            allowFile.write(domainFull + '\n')
+            for d in allowedDomains:
+                allowFile.write(d + '\n')
+            allowFile.close()
+
+    setConfigParam(baseDir, "brochMode", enabled)
diff --git a/daemon.py b/daemon.py
index b8f763f33..9d3014250 100644
--- a/daemon.py
+++ b/daemon.py
@@ -109,6 +109,7 @@ from threads import threadWithTrace
 from threads import removeDormantThreads
 from media import replaceYouTube
 from media import attachMedia
+from blocking import setBrochMode
 from blocking import addBlock
 from blocking import removeBlock
 from blocking import addGlobalBlock
@@ -4543,6 +4544,17 @@ class PubServer(BaseHTTPRequestHandler):
                             setConfigParam(baseDir, "verifyAllSignatures",
                                            verifyAllSignatures)
 
+                            brochMode = False
+                            if fields.get('brochMode'):
+                                if fields['brochMode'] == 'on':
+                                    brochMode = True
+                            if brochMode != self.server.brochMode:
+                                setBrochMode(self.server.baseDir,
+                                             self.server.domainFull,
+                                             brochMode)
+                                self.server.brochMode = brochMode
+                                setConfigParam(baseDir, "brochMode", brochMode)
+
                         # change moderators list
                         if fields.get('moderators'):
                             if path.startswith('/users/' +
@@ -13924,7 +13936,8 @@ def loadTokens(baseDir: str, tokensDict: {}, tokensLookup: {}) -> None:
         break
 
 
-def runDaemon(verifyAllSignatures: bool,
+def runDaemon(brochMode: bool,
+              verifyAllSignatures: bool,
               sendThreadsTimeoutMins: int,
               dormantMonths: int,
               maxNewswirePosts: int,
@@ -14007,6 +14020,9 @@ def runDaemon(verifyAllSignatures: bool,
     # maximum number of posts to appear in the newswire on the right column
     httpd.maxNewswirePosts = maxNewswirePosts
 
+    # whether to enable broch mode, which locks down the instance
+    httpd.brochMode = brochMode
+
     # whether to require that all incoming posts have valid jsonld signatures
     httpd.verifyAllSignatures = verifyAllSignatures
 
diff --git a/epicyon.py b/epicyon.py
index 1a741302c..cf0289c65 100644
--- a/epicyon.py
+++ b/epicyon.py
@@ -279,6 +279,11 @@ parser.add_argument("--verifyAllSignatures",
                     const=True, default=False,
                     help="Whether to require that all incoming " +
                     "posts have valid jsonld signatures")
+parser.add_argument("--brochMode",
+                    dest='brochMode',
+                    type=str2bool, nargs='?',
+                    const=True, default=False,
+                    help="Enable broch mode")
 parser.add_argument("--noapproval", type=str2bool, nargs='?',
                     const=True, default=False,
                     help="Allow followers without approval")
@@ -2292,6 +2297,11 @@ verifyAllSignatures = \
 if verifyAllSignatures is not None:
     args.verifyAllSignatures = bool(verifyAllSignatures)
 
+brochMode = \
+    getConfigParam(baseDir, 'brochMode')
+if brochMode is not None:
+    args.brochMode = bool(brochMode)
+
 YTDomain = getConfigParam(baseDir, 'youtubedomain')
 if YTDomain:
     if '://' in YTDomain:
@@ -2305,7 +2315,8 @@ if setTheme(baseDir, themeName, domain, args.allowLocalNetworkAccess):
     print('Theme set to ' + themeName)
 
 if __name__ == "__main__":
-    runDaemon(args.verifyAllSignatures,
+    runDaemon(args.brochMode,
+              args.verifyAllSignatures,
               args.sendThreadsTimeoutMins,
               args.dormantMonths,
               args.maxNewswirePosts,
diff --git a/tests.py b/tests.py
index 7186012a1..5a4bd233e 100644
--- a/tests.py
+++ b/tests.py
@@ -325,8 +325,10 @@ def createServerAlice(path: str, domain: str, port: int,
     sendThreadsTimeoutMins = 30
     maxFollowers = 10
     verifyAllSignatures = True
+    brochMode = False
     print('Server running: Alice')
-    runDaemon(verifyAllSignatures,
+    runDaemon(brochMode,
+              verifyAllSignatures,
               sendThreadsTimeoutMins,
               dormantMonths, maxNewswirePosts,
               allowLocalNetworkAccess,
@@ -420,8 +422,10 @@ def createServerBob(path: str, domain: str, port: int,
     sendThreadsTimeoutMins = 30
     maxFollowers = 10
     verifyAllSignatures = True
+    brochMode = False
     print('Server running: Bob')
-    runDaemon(verifyAllSignatures,
+    runDaemon(brochMode,
+              verifyAllSignatures,
               sendThreadsTimeoutMins,
               dormantMonths, maxNewswirePosts,
               allowLocalNetworkAccess,
@@ -469,8 +473,10 @@ def createServerEve(path: str, domain: str, port: int, federationList: [],
     sendThreadsTimeoutMins = 30
     maxFollowers = 10
     verifyAllSignatures = True
+    brochMode = False
     print('Server running: Eve')
-    runDaemon(verifyAllSignatures,
+    runDaemon(brochMode,
+              verifyAllSignatures,
               sendThreadsTimeoutMins,
               dormantMonths, maxNewswirePosts,
               allowLocalNetworkAccess,
diff --git a/translations/ar.json b/translations/ar.json
index 605d5b98b..fd4f8fbbe 100644
--- a/translations/ar.json
+++ b/translations/ar.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "انتقل إلى Newswire",
     "Skip to Links": "تخطي إلى روابط الويب",
     "Publish a blog article": "نشر مقال بلوق",
-    "Featured writer": "كاتب متميز"
+    "Featured writer": "كاتب متميز",
+    "Broch mode": "وضع الكتيب"
 }
diff --git a/translations/ca.json b/translations/ca.json
index 3c8846bbf..2965f88d8 100644
--- a/translations/ca.json
+++ b/translations/ca.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Vés a Newswire",
     "Skip to Links": "Vés als enllaços web",
     "Publish a blog article": "Publicar un article del bloc",
-    "Featured writer": "Escriptor destacat"
+    "Featured writer": "Escriptor destacat",
+    "Broch mode": "Mode Broch"
 }
diff --git a/translations/cy.json b/translations/cy.json
index 6e45de39d..f1e31b718 100644
--- a/translations/cy.json
+++ b/translations/cy.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Neidio i Newswire",
     "Skip to Links": "Neidio i Dolenni Gwe",
     "Publish a blog article": "Cyhoeddi erthygl blog",
-    "Featured writer": "Awdur dan sylw"
+    "Featured writer": "Awdur dan sylw",
+    "Broch mode": "Modd Broch"
 }
diff --git a/translations/de.json b/translations/de.json
index c15cb492f..4053a453c 100644
--- a/translations/de.json
+++ b/translations/de.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Springe zu Newswire",
     "Skip to Links": "Springe zu Weblinks",
     "Publish a blog article": "Veröffentlichen Sie einen Blog-Artikel",
-    "Featured writer": "Ausgewählter Schriftsteller"
+    "Featured writer": "Ausgewählter Schriftsteller",
+    "Broch mode": "Broch-Modus"
 }
diff --git a/translations/en.json b/translations/en.json
index 3fbbfdd34..d376154ee 100644
--- a/translations/en.json
+++ b/translations/en.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Skip to Newswire",
     "Skip to Links": "Skip to Links",
     "Publish a blog article": "Publish a blog article",
-    "Featured writer": "Featured writer"
+    "Featured writer": "Featured writer",
+    "Broch mode": "Broch mode"
 }
diff --git a/translations/es.json b/translations/es.json
index 3566d06b0..135ff9c13 100644
--- a/translations/es.json
+++ b/translations/es.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Saltar a Newswire",
     "Skip to Links": "Saltar a enlaces web",
     "Publish a blog article": "Publica un artículo de blog",
-    "Featured writer": "Escritora destacada"
+    "Featured writer": "Escritora destacada",
+    "Broch mode": "Modo broche"
 }
diff --git a/translations/fr.json b/translations/fr.json
index 78c7ff547..308ba5e9b 100644
--- a/translations/fr.json
+++ b/translations/fr.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Passer à Newswire",
     "Skip to Links": "Passer aux liens Web",
     "Publish a blog article": "Publier un article de blog",
-    "Featured writer": "Écrivain en vedette"
+    "Featured writer": "Écrivain en vedette",
+    "Broch mode": "Mode Broch"
 }
diff --git a/translations/ga.json b/translations/ga.json
index 75f87780c..92f67c50f 100644
--- a/translations/ga.json
+++ b/translations/ga.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Scipeáil chuig Newswire",
     "Skip to Links": "Scipeáil chuig Naisc Ghréasáin",
     "Publish a blog article": "Foilsigh alt blagála",
-    "Featured writer": "Scríbhneoir mór le rá"
+    "Featured writer": "Scríbhneoir mór le rá",
+    "Broch mode": "Modh broch"
 }
diff --git a/translations/hi.json b/translations/hi.json
index acf417f88..82c401422 100644
--- a/translations/hi.json
+++ b/translations/hi.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Newswire पर जाएं",
     "Skip to Links": "वेब लिंक पर जाएं",
     "Publish a blog article": "एक ब्लॉग लेख प्रकाशित करें",
-    "Featured writer": "फीचर्ड लेखक"
+    "Featured writer": "फीचर्ड लेखक",
+    "Broch mode": "ब्रोच मोड"
 }
diff --git a/translations/it.json b/translations/it.json
index f2bc1e1ed..c189c2335 100644
--- a/translations/it.json
+++ b/translations/it.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Passa a Newswire",
     "Skip to Links": "Passa a collegamenti Web",
     "Publish a blog article": "Pubblica un articolo sul blog",
-    "Featured writer": "Scrittore in primo piano"
+    "Featured writer": "Scrittore in primo piano",
+    "Broch mode": "Modalità Broch"
 }
diff --git a/translations/ja.json b/translations/ja.json
index 9f1275544..49bfffbef 100644
--- a/translations/ja.json
+++ b/translations/ja.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Newswireにスキップ",
     "Skip to Links": "Webリンクにスキップ",
     "Publish a blog article": "ブログ記事を公開する",
-    "Featured writer": "注目の作家"
+    "Featured writer": "注目の作家",
+    "Broch mode": "ブロッホモード"
 }
diff --git a/translations/oc.json b/translations/oc.json
index c9e3717a0..fa4620d9a 100644
--- a/translations/oc.json
+++ b/translations/oc.json
@@ -364,5 +364,6 @@
     "Skip to Newswire": "Skip to Newswire",
     "Skip to Links": "Skip to Links",
     "Publish a blog article": "Publish a blog article",
-    "Featured writer": "Featured writer"
+    "Featured writer": "Featured writer",
+    "Broch mode": "Broch mode"
 }
diff --git a/translations/pt.json b/translations/pt.json
index b2a29ca2d..52694082b 100644
--- a/translations/pt.json
+++ b/translations/pt.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Pular para Newswire",
     "Skip to Links": "Pular para links da web",
     "Publish a blog article": "Publique um artigo de blog",
-    "Featured writer": "Escritor em destaque"
+    "Featured writer": "Escritor em destaque",
+    "Broch mode": "Modo broch"
 }
diff --git a/translations/ru.json b/translations/ru.json
index 618c5cbf0..41c2d5a91 100644
--- a/translations/ru.json
+++ b/translations/ru.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "Перейти к ленте новостей",
     "Skip to Links": "Перейти к веб-ссылкам",
     "Publish a blog article": "Опубликовать статью в блоге",
-    "Featured writer": "Избранный писатель"
+    "Featured writer": "Избранный писатель",
+    "Broch mode": "Брош режим"
 }
diff --git a/translations/zh.json b/translations/zh.json
index e7fab5755..f63deb616 100644
--- a/translations/zh.json
+++ b/translations/zh.json
@@ -368,5 +368,6 @@
     "Skip to Newswire": "跳到新闻专线",
     "Skip to Links": "跳到网页链接",
     "Publish a blog article": "发布博客文章",
-    "Featured writer": "特色作家"
+    "Featured writer": "特色作家",
+    "Broch mode": "断点模式"
 }
diff --git a/webapp_profile.py b/webapp_profile.py
index 8c7704390..0d2fe362d 100644
--- a/webapp_profile.py
+++ b/webapp_profile.py
@@ -1278,6 +1278,16 @@ def htmlEditProfile(cssCache: {}, translate: {}, baseDir: str, path: str,
                     '      <input type="checkbox" class="profilecheckbox" ' + \
                     'name="verifyallsignatures"> ' + \
                     translate['Verify all signatures'] + '<br>\n'
+            if getConfigParam(baseDir, "brochMode"):
+                instanceStr += \
+                    '      <input type="checkbox" class="profilecheckbox" ' + \
+                    'name="brochMode" checked> ' + \
+                    translate['Broch mode'] + '<br>\n'
+            else:
+                instanceStr += \
+                    '      <input type="checkbox" class="profilecheckbox" ' + \
+                    'name="brochMode"> ' + \
+                    translate['Broch mode'] + '<br>\n'
             instanceStr += '</div>'
 
             moderators = ''

From 6b55ceab12a701a296c64bec4d7da39c531e77f6 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 22:26:25 +0000
Subject: [PATCH 19/25] Broch mode elapses

---
 blocking.py | 30 ++++++++++++++++++++++++++++++
 inbox.py    |  3 +++
 2 files changed, 33 insertions(+)

diff --git a/blocking.py b/blocking.py
index cfa885a79..d2ddfd89e 100644
--- a/blocking.py
+++ b/blocking.py
@@ -7,6 +7,8 @@ __email__ = "bob@freedombone.net"
 __status__ = "Production"
 
 import os
+from datetime import datetime
+from utils import fileLastModified
 from utils import setConfigParam
 from utils import hasUsersPath
 from utils import getFullDomain
@@ -374,6 +376,7 @@ def setBrochMode(baseDir: str, domainFull: str, enabled: bool) -> None:
         # remove instance allow list
         if os.path.isfile(allowFilename):
             os.remove(allowFilename)
+            print('Broch mode turned off')
     else:
         # generate instance allow list
         allowedDomains = [domainFull]
@@ -405,5 +408,32 @@ def setBrochMode(baseDir: str, domainFull: str, enabled: bool) -> None:
             for d in allowedDomains:
                 allowFile.write(d + '\n')
             allowFile.close()
+            print('Broch mode enabled')
 
     setConfigParam(baseDir, "brochMode", enabled)
+
+
+def brochModeLapses(baseDir: str, lapseDays=7) -> None:
+    """After broch mode is enabled it automatically
+    elapses after a period of time
+    """
+    allowFilename = baseDir + '/accounts/allowedinstances.txt'
+    if not os.path.isfile(allowFilename):
+        return
+    lastModified = fileLastModified(allowFilename)
+    modifiedDate = None
+    try:
+        modifiedDate = \
+            datetime.strptime(lastModified, "%Y-%m-%dT%H:%M:%SZ")
+    except BaseException:
+        return
+    if not modifiedDate:
+        return
+    currTime = datetime.datetime.utcnow()
+    daysSinceBroch = (currTime - modifiedDate).days
+    if daysSinceBroch >= lapseDays:
+        try:
+            os.remove(allowFilename)
+            print('Broch mode has elapsed')
+        except BaseException:
+            pass
diff --git a/inbox.py b/inbox.py
index 8f216e1c6..86507b87d 100644
--- a/inbox.py
+++ b/inbox.py
@@ -51,6 +51,7 @@ from bookmarks import updateBookmarksCollection
 from bookmarks import undoBookmarksCollectionEntry
 from blocking import isBlocked
 from blocking import isBlockedDomain
+from blocking import brochModeLapses
 from filters import isFiltered
 from utils import updateAnnounceCollection
 from utils import undoAnnounceCollectionEntry
@@ -2518,6 +2519,8 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
         # heartbeat to monitor whether the inbox queue is running
         heartBeatCtr += 5
         if heartBeatCtr >= 10:
+            # turn off broch mode after it has timed out
+            brochModeLapses(baseDir)
             print('>>> Heartbeat Q:' + str(len(queue)) + ' ' +
                   '{:%F %T}'.format(datetime.datetime.now()))
             heartBeatCtr = 0

From f4fdedba87111cd22a3780b9597497643842cba6 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 22:42:16 +0000
Subject: [PATCH 20/25] Include both following and follower domains within
 broch

---
 blocking.py | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/blocking.py b/blocking.py
index d2ddfd89e..7e81776de 100644
--- a/blocking.py
+++ b/blocking.py
@@ -380,6 +380,7 @@ def setBrochMode(baseDir: str, domainFull: str, enabled: bool) -> None:
     else:
         # generate instance allow list
         allowedDomains = [domainFull]
+        followFiles = ('following.txt', 'followers.txt')
         for subdir, dirs, files in os.walk(baseDir + '/accounts'):
             for acct in dirs:
                 if '@' not in acct:
@@ -387,18 +388,19 @@ def setBrochMode(baseDir: str, domainFull: str, enabled: bool) -> None:
                 if 'inbox@' in acct or 'news@' in acct:
                     continue
                 accountDir = os.path.join(baseDir + '/accounts', acct)
-                followingFilename = accountDir + '/following.txt'
-                if not os.path.isfile(followingFilename):
-                    continue
-                with open(followingFilename, "r") as f:
-                    followList = f.readlines()
-                    for handle in followList:
-                        if '@' not in handle:
-                            continue
-                        handle = handle.replace('\n', '')
-                        handleDomain = handle.split('@')[1]
-                        if handleDomain not in allowedDomains:
-                            allowedDomains.append(handleDomain)
+                for followFileType in followFiles:
+                    followingFilename = accountDir + '/' + followFileType
+                    if not os.path.isfile(followingFilename):
+                        continue
+                    with open(followingFilename, "r") as f:
+                        followList = f.readlines()
+                        for handle in followList:
+                            if '@' not in handle:
+                                continue
+                            handle = handle.replace('\n', '')
+                            handleDomain = handle.split('@')[1]
+                            if handleDomain not in allowedDomains:
+                                allowedDomains.append(handleDomain)
             break
 
         # write the allow file

From df550f8e65ffed3da47e7a73acbe9ad0fd0a735b Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 22:53:58 +0000
Subject: [PATCH 21/25] After elapsing set broch mode off in config

---
 blocking.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/blocking.py b/blocking.py
index 7e81776de..bf48bb1ad 100644
--- a/blocking.py
+++ b/blocking.py
@@ -436,6 +436,7 @@ def brochModeLapses(baseDir: str, lapseDays=7) -> None:
     if daysSinceBroch >= lapseDays:
         try:
             os.remove(allowFilename)
+            setConfigParam(baseDir, "brochMode", False)
             print('Broch mode has elapsed')
         except BaseException:
             pass

From 1adc343ebd6cbcefe4b386109079033e72726d17 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 15 Feb 2021 23:01:07 +0000
Subject: [PATCH 22/25] Improve test for current broch mode

---
 blocking.py | 13 ++++++++-----
 daemon.py   |  4 +++-
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/blocking.py b/blocking.py
index bf48bb1ad..9655e1c9d 100644
--- a/blocking.py
+++ b/blocking.py
@@ -415,28 +415,31 @@ def setBrochMode(baseDir: str, domainFull: str, enabled: bool) -> None:
     setConfigParam(baseDir, "brochMode", enabled)
 
 
-def brochModeLapses(baseDir: str, lapseDays=7) -> None:
+def brochModeLapses(baseDir: str, lapseDays=7) -> bool:
     """After broch mode is enabled it automatically
     elapses after a period of time
     """
     allowFilename = baseDir + '/accounts/allowedinstances.txt'
     if not os.path.isfile(allowFilename):
-        return
+        return False
     lastModified = fileLastModified(allowFilename)
     modifiedDate = None
+    brochMode = True
     try:
         modifiedDate = \
             datetime.strptime(lastModified, "%Y-%m-%dT%H:%M:%SZ")
     except BaseException:
-        return
+        return brochMode
     if not modifiedDate:
-        return
+        return brochMode
     currTime = datetime.datetime.utcnow()
     daysSinceBroch = (currTime - modifiedDate).days
     if daysSinceBroch >= lapseDays:
         try:
             os.remove(allowFilename)
-            setConfigParam(baseDir, "brochMode", False)
+            brochMode = False
+            setConfigParam(baseDir, "brochMode", brochMode)
             print('Broch mode has elapsed')
         except BaseException:
             pass
+    return brochMode
diff --git a/daemon.py b/daemon.py
index 9d3014250..7fb3b71cb 100644
--- a/daemon.py
+++ b/daemon.py
@@ -4548,7 +4548,9 @@ class PubServer(BaseHTTPRequestHandler):
                             if fields.get('brochMode'):
                                 if fields['brochMode'] == 'on':
                                     brochMode = True
-                            if brochMode != self.server.brochMode:
+                            currBrochMode = \
+                                getConfigParam(baseDir, "brochMode")
+                            if brochMode != currBrochMode:
                                 setBrochMode(self.server.baseDir,
                                              self.server.domainFull,
                                              brochMode)

From 695a49b3e8121c07062f6a0d1be900f1bff5b946 Mon Sep 17 00:00:00 2001
From: James Valleroy <jvalleroy@mailbox.org>
Date: Mon, 15 Feb 2021 22:49:57 -0500
Subject: [PATCH 23/25] Add stub setup.py

This allows one to use commands such as "python3 setup.py install".
---
 setup.py | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 setup.py

diff --git a/setup.py b/setup.py
new file mode 100644
index 000000000..6819ec0fd
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,6 @@
+#!/usr/bin/python3
+
+import setuptools
+
+if __name__ == "__main__":
+    setuptools.setup()

From 00094e53c685b68e0871e7922e9280892646eddb Mon Sep 17 00:00:00 2001
From: James Valleroy <jvalleroy@mailbox.org>
Date: Mon, 15 Feb 2021 22:58:14 -0500
Subject: [PATCH 24/25] Update cryptography dependency for CI

---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d6501a39a..d3e2d1587 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,6 +3,6 @@ image: debian:testing
 test:
   script:
     - apt-get update
-    - apt-get install -y python3-crypto python3-dateutil python3-idna python3-numpy python3-pil.imagetk python3-pycryptodome python3-requests python3-socks python3-setuptools python3-pyqrcode
+    - apt-get install -y python3-cryptography python3-dateutil python3-idna python3-numpy python3-pil.imagetk python3-requests python3-socks python3-setuptools python3-pyqrcode
     - python3 epicyon.py --tests
     - python3 epicyon.py --testsnetwork

From 0f1b7eb67b7d4d740faebf8ca599b115cfa44342 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Tue, 16 Feb 2021 09:50:50 +0000
Subject: [PATCH 25/25] Set broch mode on daemon start

---
 blocking.py | 4 ++++
 daemon.py   | 7 +++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/blocking.py b/blocking.py
index 9655e1c9d..29aa2a45b 100644
--- a/blocking.py
+++ b/blocking.py
@@ -378,6 +378,10 @@ def setBrochMode(baseDir: str, domainFull: str, enabled: bool) -> None:
             os.remove(allowFilename)
             print('Broch mode turned off')
     else:
+        if os.path.isfile(allowFilename):
+            lastModified = fileLastModified(allowFilename)
+            print('Broch mode already activated ' + lastModified)
+            return
         # generate instance allow list
         allowedDomains = [domainFull]
         followFiles = ('following.txt', 'followers.txt')
diff --git a/daemon.py b/daemon.py
index 7fb3b71cb..f2515ad8e 100644
--- a/daemon.py
+++ b/daemon.py
@@ -4554,7 +4554,6 @@ class PubServer(BaseHTTPRequestHandler):
                                 setBrochMode(self.server.baseDir,
                                              self.server.domainFull,
                                              brochMode)
-                                self.server.brochMode = brochMode
                                 setConfigParam(baseDir, "brochMode", brochMode)
 
                         # change moderators list
@@ -14022,9 +14021,6 @@ def runDaemon(brochMode: bool,
     # maximum number of posts to appear in the newswire on the right column
     httpd.maxNewswirePosts = maxNewswirePosts
 
-    # whether to enable broch mode, which locks down the instance
-    httpd.brochMode = brochMode
-
     # whether to require that all incoming posts have valid jsonld signatures
     httpd.verifyAllSignatures = verifyAllSignatures
 
@@ -14195,6 +14191,9 @@ def runDaemon(brochMode: bool,
     # cache to store css files
     httpd.cssCache = {}
 
+    # whether to enable broch mode, which locks down the instance
+    setBrochMode(baseDir, httpd.domainFull, brochMode)
+
     if not os.path.isdir(baseDir + '/accounts/inbox@' + domain):
         print('Creating shared inbox: inbox@' + domain)
         createSharedInbox(baseDir, 'inbox', domain, port, httpPrefix)