But it will happily send messages and allow itself to be followed.

This shows that it is totally possible to broadcast fully-featured ActivityPub messages to the Fediverse with minimal coding skills and modest resources.

Why

I wanted to create a service a bit like FourSquare. For this, I needed an ActivityPub server which allows posting geotagged locations to the Fediverse.

I didn't want to install a fully-featured server with lots of complex parts. So I (foolishly) decided to write my own. I had a lot of trouble with HTTP Signatures. Because they are cursed and I cannot read documentation. But mostly the cursed thing.

How

Creating a minimum viable Mastodon instance can be done with half a dozen static files. That gets you an account that people can see. They can't follow it or receive any posts though.

I wanted to use PHP to build an interactive server. PHP is supported everywhere and is simple to deploy. Luckily, Robb Knight has written an excellent tutorial, so I ripped off his code and rewrote it for Symfony.

The structure is relatively straightforward.

• /.well-known/webfinger is a static file which gives information about where to find details of the account.
• /[username] is a static file which has the user's metadata, public key, and links to avatar images.
• /following and /followers are also static files which say how many users are being followed / are following.
• /posts/[GUID] a directory with JSON files saved to disk - each ones contains the published ActivityPub note.
• /photos/ is a directory with any uploaded media in it.
• /outbox is a list of all the posts which have been published.
• /inbox is an external API endpoint. An ActivityPub server sends it a follow request, the endpoint then POSTs a cryptographically signed Accept message to the follower's inbox. The follower's inbox address is saved to disk.
• /logs is a listing of all the messages received by the inbox.
• /new is a password protected page which lets you write a message. This is then sent to...
• /send is an internal API endpoint. It constructs an ActivityPub note, with attached location metadata, and POSTs it to each follower's inbox with a cryptographic signature.

That's it.

The front-end grabs my phone's geolocation and shows the 25 nearest places within 100 metres. One click and the page posts to the /send endpoint which then publishes a message saying I'm checked in. It is also possible to attach to the post a short message and a single photo with alt text.

There's no database. Posts are saved as JSON documents. Images are uploaded to a directory. It is single-user, so there is no account management.

What Works

• Users can find the account.
• Users can follow the account and receive updates.
• Posts contain geotag metadata.
• Posts contain a description of the place.
• Posts contain an OSM link to the place.
• Posts contain a custom message.
• Posts autolink #Hashtags (sort of).
• Posts can have an image attached to them.
• Messages to the inbox are recorded (but not yet integrated).

ToDo

• My account only has a few dozen followers, some of whom share the same sever. Even with cURL multi handle, it takes time to post to several servers.
• It posts plain text. It doesn't autolink websites
• Hashtags are linked when viewed remotely, but they don't go anywhere locally.
• There's no language selection - it is hard-coded to English.
• The outbox isn't paginated.
• The UI looks crap - but it is only me using it.
• There's only a basic front-page showing a map of all my check-ins.
• Replies are logged, but there's no easy way to see them.
• Doesn't show any metadata about the place being checked-in to. It could use the item's website (if any) or hashtags for the type of amenity it is.
• No way to handle being unfollowed.
• No way to remove servers which have died.
• Probably lots more.

Other Resources

I found these resources helpful while creating this project:

• MVP ActivityPub in Python on Glitch
• Understanding ActivityPub Part 1: Protocol Fundamentals
• Activity Notes
• Federating with GoToSocial

What's Next?

I've raised an issue on Mastodon to see if they can support showing locations in posts. Hopefully, one day, they'll allow adding locations and then I can shut this down.

The code needs tidying up - it is very much a scratch-my-own-itch development. Probably riddled with bugs and security holes.

World domination?

Where

You can laugh at my code on GitHub.

You can look at my check-ins on a map.

You can follow my location on the Fediverse at @edent_location@location.edent.tel

I jest. But only a little. When I build for myself I treat best practices and coding styles as harmful. Chaotic evil but, hey, it's only myself I'm hurting.

Anyway, my wife and I run a hobby site - OpenBenches.org - which was coded in a long alcopop fueled weekend. It's fair to say that it has exceeded our expectations in terms of people getting involved. But is underwhelming in terms of stability, speed, memory usage, efficiency, idempotency, and accessibility.

So I decided to rewrite it using a somewhat modern PHP framework. Partly to improve things and partly as a learning exercise.

I picked Symfony as it seemed to be under active development and had a reasonably simple "getting started" guide. The documentation looked good but, sadly, assumed a tonne of pre-existing knowledge. I ended up sending a few Pull Requests to improve it where I could.

Symfony suffers, like a lot of frameworks, from messy and inconsistent conventions. Some things are zero indexed, some from one. Why? Who know? Similarly, there are a bunch of random YAML (yeuch) files which need to be manually edited and a tangled mess of various config files scattered around.

But... in the end, the Symfony server is reasonably easy to use - with relatively sensible conventions and decent performance. It forced me to actually think about what I was doing and why I'd chosen certain conventions.

I won't claim it to be the best written code on the planet - and there's still some way to go in order to clean it up completely - but I'm pleased with the way things have turned out.

If you'd like to get involved - check out the code

Using this firewall configuration, a user who visits /private is successfully taken through the login flow and I can then use $this->getUser() to see their details.

security:
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    providers:
        users_in_memory: { memory: null }
        auth0_provider:
            id: Auth0\Symfony\Security\UserProvider
    firewalls:
        private:
            pattern: ^/private$
            context: user
            stateless: false
            provider: auth0_provider
            custom_authenticators:
                - auth0.authenticator
        main:
            lazy: true
            provider: users_in_memory

I want some unauthenticated pages to show user information. For example, if the user is logged in then /home should say "Hello $username". If not, it should say "Log in here".

The answer was annoyingly simple - but not documented by Symfony or Auth0.

Change the main firewall to not be lazy:

        main:
            lazy: false
            provider: users_in_memory

That then places all the Auth0 information into the $_SESSION global variable. You can retrieve the user's details with:

if ( isset( $_SESSION["_sf2_attributes"]["auth0_session"]["user"] ) ) {
    $user = $_SESSION["_sf2_attributes"]["auth0_session"]["user"];
    $username   = $user["nickname"];
    $avatar     = $user["picture"];
}

I'm sure there's a more official way to do this, but this quick and dirty hack seems to work pretty well.

Imagine you're using Symfony and Doctrine to access a database. You are using prepared statements to prevent any SQL injection problems.

There are two main ways of doing this - and they disagree about how positional variables should be specified.

Data Retrieval And Manipulation

Here's a fairly trivial SQL statement with a couple of variables:

$sql = "SELECT `userID` FROM `users` WHERE `firstname` LIKE ? AND `surname` LIKE ?";
$stmt = $conn->prepare($sql);
$stmt->bindValue(1, $user_input_1st_name);
$stmt->bindValue(2, $user_input_2nd_name);
$results = $stmt->executeQuery();

Pretty easy, right? Write your SQL as normal, but place ? where you want user supplied variables to be. This uses bindValue() to set the variables in the query.

The approach using question marks is called positional, because the values are bound in order from left to right to any question mark found in the previously prepared SQL query. That is why you specify the position of the variable to bind into the bindValue() method Doctrine: Data Retrieval And Manipulation

Query Builder

Doctrine also offer an SQL Query Builder - it looks like this:

$queryBuilder = $conn->createQueryBuilder();
$queryBuilder
    ->select("userID")
    ->from("users")
    ->where("firstname LIKE ? AND surname LIKE ?")
    ->setParameter(0, $user_input_1st_name)
    ->setParameter(1, $user_input_2nd_name);
$results = $queryBuilder->executeQuery();

Notice the difference? Yes! setParameter() is zero based!

The numerical parameters in the QueryBuilder API start with the needle 0. SQL Query Builder

Why the difference?

Because the universe hates you, I guess?

Solving the issue

I've sent a pull request to make the documentation clearer. In the meantime, both methods accept named parameters.

$sql = "SELECT `userID` FROM `users` WHERE `firstname` LIKE :first";
$stmt->bindValue("first", $user_input_1st_name);

...

$queryBuilder
    ->select("userID")
    ->from("users")
    ->where("firstname LIKE :first")
    ->setParameter("first", $user_input_1st_name)

I hope that helps remove some confusion for future users. Even if it's only me!

Suppose you want users to be able to access a page using /users/123 and /people/123 - with both routes displaying the same data?

Normally you'd write something like #[Route('/user/{id}', name: 'show_user')] - as it happens, that first parameter can be an array! Which means you can write:

<?php
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Routing\Annotation\Route;

class ThingController extends AbstractController
{

    #[Route(["/user/{id}", "/people/{id}", "/guests/{id}"], name: 'show_user')]
    public function show_user(int $id) {
        // Your logic here
    }
}

If you need to know which route your user took, call $request->getRequestUri(); to get the string representation, i.e. /user.

Symfony has a concept of Cache Contracts. You can call an expensive / slow / intensive operation and immediately cache the result for a specific time period. Next time you call the operation, the results are served from the cache until the expiry time has been hit.

Nifty! But I couldn't get it to work.

Take this sample code. It should return the current date and time and cache the result for 5 minutes (300 seconds). If you call it repeatedly, it should keep showing the old date until the 5 minutes are up.

<?php
use Symfony\Contracts\Cache\ItemInterface;
use Symfony\Component\Cache\Adapter\FilesystemAdapter;

class Whatever
{
    public function get_date() {
        $cache = new FilesystemAdapter();
        $value = $cache->get('cached_date', function (ItemInterface $item) {
            $item->expiresAfter(300);
            $date = date("Y-m-d H:i:s");
            return $date;
      });
      return $value;
    }
}

But it wasn't working. Why? I don't know. But I fixed it by using a namespaced cache:

$cache = new FilesystemAdapter("my_awesome_cache");

I hope that's helpful to someone - even if that someone is me in a few years' time!

I want to use Doctrine dbal to search a database for a partial match. For example searching for "smith" should find "blacksmith" and "smithy".

I have a prepared statement like this:

$queryBuilder = $conn->createQueryBuilder();
$queryBuilder
    ->select("whatever")
    ->from("table")
    ->where("name LIKE '%?%'")
    ->setParameter(0, $query);

But I get the error:

The number of variables must match the number of parameters in the prepared statement.

The solution is annoyingly simple. The escaping has to be in the parameter itself. Like this:

...
    ->where("name LIKE ?")
    ->setParameter(0, "%{$query}%");

I hope that's helpful to someone - even if that someone is me in a few years' time!