Skip to content

BREAKING CHANGE: migrate to pydantic#10

Closed
AmaseCocoa wants to merge 24 commits intodevelopfrom
pydantic
Closed

BREAKING CHANGE: migrate to pydantic#10
AmaseCocoa wants to merge 24 commits intodevelopfrom
pydantic

Conversation

@AmaseCocoa
Copy link
Copy Markdown
Member

@AmaseCocoa AmaseCocoa commented Nov 4, 2025
edited
Loading

THIS IS BREAKING CHANGE!

resolve #9

Changes

  • nodeinfo no longer inherits from ActivityPubModel.

Restrictions

Currently, this implementation is incomplete, and the following features cannot be used properly.

  • dump model to compact json-ld

Implemented

  • load a model with apmodel.load()
  • preload json-ld schema (like, activitystreams 2.0)

Todo

  • fix apmodel can't export correct json-ld
  • write a better test
  • add serialize_by_alias=True to all models
  • Enable users to easily add their own ActivityPubModel based models to the loading mechanism

Example

Do you want try this? try this code!

from pyld import jsonld
from pyld.documentloader import requests

from apmodel.core.object import Object


def myloader(*args, **kwargs):
    requests_loader = requests.requests_document_loader(*args, **kwargs)

    def loader(url, options={}):
        options["headers"]["Accept"] = (
            "application/ld+json;profile=http://www.w3.org/ns/json-ld#context, application/ld+json, application/json;q=0.5, text/html;q=0.8, application/xhtml+xml;q=0.8"
        )
        return requests_loader(url, options)

    return loader


jsonld.set_document_loader(myloader())
expanded = jsonld.expand(
    {
        "@context": "https://www.w3.org/ns/activitystreams",
        "id": "http://example.org/foo",
        "type": "Object",
        "name": "A Simple Note",
        "content": "This is a simple note",
    }
)
a = Object.model_validate(expanded[0]).model_dump(mode="json")
print(jsonld.compact(a, a["@context"]))

@AmaseCocoa AmaseCocoa added the enhancement New feature or request label Nov 4, 2025
@AmaseCocoa AmaseCocoa self-assigned this Nov 4, 2025
@AmaseCocoa
feat: docs
e318b5f
@AmaseCocoa
fix: preload and rebuild core models to work correctly
efc646a
@AmaseCocoa
some fixes
29db112
@AmaseCocoa
feat: preload json-ld loader
9bb9e4f
@AmaseCocoa
feat: automatic registration to loader
ab3e152
@AmaseCocoa
doc: add docsting to dump() function
afb69db
@AmaseCocoa
refactor(jsonld): rename preloaded_loader to create_document_loader
8347597
@AmaseCocoa
fix: add Actor and Person to _rebuild
6c75d83
@AmaseCocoa
chore: version
82215aa
@AmaseCocoa
fix(jsonld)!: disable remote context fetching for security
d7b4b58 
  To mitigate potential Server-Side Request Forgery (SSRF)
  vulnerabilities, the JSON-LD document loader no longer fetches remote
  contexts from the network.

  It now exclusively uses a predefined set of preloaded local contexts.
  An attempt to load an unknown context URL will result in a
  JsonLdError.

  BREAKING CHANGE: Remote JSON-LD context fetching has been disabled.
  All contexts must be preloaded locally.
@AmaseCocoa
feat(jsonld): re-enable remote context fetching with SSRF protection
9df477e 
  Enables the loading of remote JSON-LD contexts while adding a security
  layer to prevent Server-Side Request Forgery (SSRF) attacks.

  The document loader now resolves the hostname of the context URL and
  blocks any request targeting a loopback or private IP address.

  This change also fixes a TypeError in the caching mechanism by
  ensuring the cache key is a hashable JSON string. Tests have been
  added to verify the new security behavior.
@AmaseCocoa
refactor(jsonld): refactor imports
9e1af68
@AmaseCocoa
Merge branch 'pydantic' of https://github.com/fedi-libs/apmodel into …
f306f28 
…pydantic
@AmaseCocoa
test(jsonld): add tests for SSRF protection in document loader
7151d75 
  Adds unit tests for the JSON-LD document loader to verify the new
  Server-Side Request Forgery (SSRF) protection mechanism.

  The tests cover the following scenarios: - Attempts to load contexts
  from loopback and private network addresses are blocked. -
  Unresolvable hostnames are handled correctly. - Loading from a public
  address is permitted.
@AmaseCocoa AmaseCocoa mentioned this pull request Nov 6, 2025
Open
9 tasks
@AmaseCocoa
feat: export
34fc281
@AmaseCocoa
fix(test): fix nodeinfo tests
967c41a
@AmaseCocoa
chore(deps): add backports-strenum for Python < 3.11
951e25d 
  The StrEnum class, used for string-based enumerations, was officially
  added to the standard library in Python 3.11.

  To ensure compatibility with older Python versions (>=3.10), this
  commit adds the backports-strenum dependency.
@AmaseCocoa
chore: bump version
b725374
@AmaseCocoa
feat(test): add test file for incorrect nodeinfo
93c66be
@AmaseCocoa
feat(jsonld): add security v1 to preload jsonld schema
53ecada
@AmaseCocoa
refactor(loader): Improve @context handling during serialization
f0996fa 
  The @context field was previously included in the model's serialized
  output, which is not ideal for nested objects.

  This change introduces a mechanism to exclude the @context field from
  the model dump by default. The loader now injects a special flag to
  identify the top-level object, allowing for more precise control over
  the final JSON-LD structure.

  Additionally, this commit ensures the Note model is correctly
  processed during the model rebuild phase.
@AmaseCocoa
Copy link
Copy Markdown
Member Author

AmaseCocoa commented Nov 26, 2025

I changing approach

@AmaseCocoa AmaseCocoa closed this Nov 26, 2025
@AmaseCocoa AmaseCocoa mentioned this pull request Dec 10, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@AmaseCocoa AmaseCocoa

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Migrate to pydantic

1 participant

@AmaseCocoa