Federation Refactoring & Architecture Improvements #930

Open
Flomp wants to merge 14 commits into main from feature/federation-refactor

Conversation

Flomp (Collaborator) commented Apr 17, 2026

Overview

This PR represents a significant architectural refactoring of the backend to better support ActivityPub federation. The changes extract monolithic code from main.go into modular hooks and route handlers, while implementing federation support for trails, lists, comments, and user interactions. The PR tries to offload as much federation logic as possible from the frontend API to the go backend.

Testing Recommendations

  • Test ActivityPub federation endpoints
  • Verify list/trail creation and federation across instances
  • Test waypoint creation with author tracking
  • Test remote trail/comment interactions
  • Verify integration endpoints (Strava, Komoot, Hammerhead)

Comment thread on db/federation/actor.go: dismissed
@Flomp Flomp marked this pull request as draft April 17, 2026 15:23
@Flomp Flomp marked this pull request as ready for review April 20, 2026 09:45

Flomp commented Apr 20, 2026

GitHub CodeQL flags this because it sees a user-provided domain string being used to construct a URL for an outbound HTTP request. Historically, this allows Server-Side Request Forgery (SSRF), where an attacker could force our server to hit internal metadata services (like 169.254.169.254) or local services (localhost).

We have to allow users to contact arbitrary servers to allow federation. However, this PR mitigates this risk by using a custom util.SafeHTTPClient(). This client is "hardened" against SSRF in the following ways:

  • Network-Level Validation (Dialer Hook): Instead of just checking the string URL, we intercept the request at the connection level (in DialContext).

  • DNS Rebinding Protection: We resolve the domain and validate the IP address before the connection is made. We then dial the validated IP directly. This prevents "DNS Rebinding" attacks where an attacker switches a "safe" IP for a "malicious" one between the check and the use.

  • Private IP Blocklist: We explicitly block all private, loopback, and reserved IP ranges (e.g., 10.x.x.x, 127.x.x.x, 169.254.x.x). Even if an attacker provides localhost or an internal IP, the SafeHTTPClient will refuse to connect.

  • Outbound Rate Limiting: We’ve added a per-actor rate limiter keyed to the dbActor.Id. This ensures that even if a user tries to abuse the discovery process to spam a remote server, they are limited to 30 requests per minute.
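Example code added here, not the project's util.SafeHTTPClient and not part of the PR: a minimal Go client that implements the dialer-level check the comment describes (resolve, validate every returned address, then dial the validated IP directly). The helper names isPublicIP and resolveSafe and the timeouts are assumptions; the per-actor rate limiter is left out.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// isPublicIP rejects loopback, RFC 1918 private, link-local (169.254.0.0/16
// includes the 169.254.169.254 metadata address), multicast and unspecified IPs.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// resolveSafe resolves host (IP literals pass through without a DNS query) and
// requires every returned address to be public before handing back one of them.
func resolveSafe(ctx context.Context, host string) (net.IP, error) {
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	for _, a := range addrs {
		if !isPublicIP(a.IP) {
			return nil, fmt.Errorf("ssrf guard: %s resolves to blocked address %s", host, a.IP)
		}
	}
	return addrs[0].IP, nil
}

// SafeHTTPClient validates inside DialContext and then dials the validated IP
// itself, so no second DNS lookup can swap in an internal address after the check.
func SafeHTTPClient() *http.Client {
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ip, err := resolveSafe(ctx, host)
			if err != nil {
				return nil, err
			}
			return (&net.Dialer{Timeout: 10 * time.Second}).DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
		},
	}
	return &http.Client{Transport: transport, Timeout: 15 * time.Second}
}
```

The standard-library predicates do not cover every range worth blocking (for instance the shared address space 100.64.0.0/10 or the limited broadcast address), so a production blocklist should add explicit CIDRs; redirects are followed through the same transport, so they get the same check.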
