• Townie
    AI
  • Blog
  • Docs
  • Pricing
  • We’re hiring!
Log inSign up
stevekrouse

stevekrouse

postherous

Remix of paulkinlan/postherous
Public
Like
postherous
Home
Code
22
backend
3
frontend
2
shared
2
.vtignore
ACTIVITYPUB-STATUS.md
ACTIVITYPUB-TROUBLESHOOTING.md
ACTIVITYPUB.md
README.md
SECURITY.md
SETUP.md
H
debug-config.ts
H
debug-signatures.ts
deno.json
E
email.ts
H
generate-keys.ts
H
test-activitypub-delivery.ts
H
test-activitypub-inbox.ts
H
test-activitypub.ts
H
test-follow.ts
H
test-http-signatures.ts
H
test-publish.ts
H
test-verification.ts
Branches
1
Pull requests
Remixes
History
Environment variables
8
Val Town is a collaborative website to build and scale JavaScript apps.
Deploy APIs, crons, & store data – all from the browser, and deployed in milliseconds.
Sign up now
Code
/
README.md
Code
/
README.md
Search
7/14/2025
Viewing readonly version of main branch: v11
View latest version
README.md

Email Blog Platform

A modern blog platform inspired by Posterous that allows publishing posts via email.

🚀 Status: READY TO USE

Your email blog platform is fully functional! Send an email to start publishing.

✨ Features

  • 📧 Email-to-Publish: Send an email to publish posts instantly
  • 🔒 Email Security: Allowlist and verification system to prevent unauthorized posts
  • 🎨 Multi-format Support: HTML and plain text posts
  • 🖼️ Image Storage: Upload images via web interface or email attachments with automatic processing
  • 📡 RSS Feed: Full RSS 2.0 support for syndication
  • 🌐 WebSub: Real-time feed updates via WebSub protocol (configured)
  • 🐘 ActivityPub: Full federated social networking with followers, likes, and shares ✅
    • Content negotiation for HTML/JSON responses
    • Actor profile accessible from browsers and ActivityPub clients
  • 🦋 AT Protocol: Bluesky integration for cross-platform syndication (configured)
  • 🔗 SEO Friendly: Clean URLs with slugified titles
  • 📱 Responsive Design: Mobile-first responsive interface with TailwindCSS
  • ⚡ Fast: Built on Val Town with SQLite storage and static HTML generation
  • 🚀 No JavaScript: Pure HTML/CSS frontend for maximum performance

🏗️ Architecture

Backend (/backend/)

  • index.ts - Main Hono server with HTML generation and API routes ✅
  • database/ - SQLite schema and query functions ✅
  • services/ - External service integrations ✅

Email Handler (/email.ts)

  • Email trigger handler with security verification ✅
  • Allowlist checking and draft post creation ✅
  • Automated verification email sending ✅

Static HTML Generation

  • Server-side HTML rendering with TailwindCSS ✅
  • No client-side JavaScript dependencies ✅
  • Fast loading and SEO optimized ✅

🎯 Quick Start

  1. Configure Security: Set ALLOWED_EMAIL_ADDRESSES environment variable (see Security section)
  2. Send Email: Send email from an allowed address to your Val Town email address
  3. Verify Email: Click the verification link sent to your email
  4. View Blog: Visit your backend HTTP val URL after verification
  5. RSS Feed: Access /rss for syndication
  6. Individual Posts: Visit /post/[slug]

🔧 Configuration

See SETUP.md for detailed setup instructions and ACTIVITYPUB.md for ActivityPub federation details.

Environment Variables (Required for Security)

  • ALLOWED_EMAIL_ADDRESSES - Comma-separated list of allowed email addresses (required for email publishing)
  • BASE_URL - Your blog's base URL (e.g., https://myblog.com or just myblog.com) - Required for custom domains and ActivityPub federation
  • UPLOAD_PASSWORD - Password required for image uploads (required to enable image upload functionality)

Environment Variables (Optional)

  • WEBSUB_HUB_URL - WebSub hub URL
  • ACTIVITYPUB_DOMAIN - Domain for ActivityPub federation (deprecated - use BASE_URL instead)
  • ATPROTO_HANDLE - AT Protocol handle
  • ATPROTO_PASSWORD - AT Protocol app password
  • ADMIN_PASSWORD - Admin password for advanced features (falls back to UPLOAD_PASSWORD if not set)

Environment Variables (Required for ActivityPub HTTP Signatures)

For proper ActivityPub federation with HTTP signatures (recommended for production):

  • ACTIVITYPUB_PUBLIC_KEY - RSA public key in PEM format
  • ACTIVITYPUB_PRIVATE_KEY - RSA private key in PEM format

To generate these keys:

  1. Visit /generate-keys.ts (your key generator val)
  2. Copy the generated keys to your environment variables
  3. Restart your val

Without these keys, the system will generate temporary keys that change on restart, which may cause federation issues.

🧪 Development Mode & Testing

The platform includes several testing and debugging endpoints that are only accessible in development mode for security.

Enabling Development Mode

Set one of these environment variables to enable testing endpoints:

  • NODE_ENV=development
  • DEV_MODE=true
  • ENABLE_TEST_ENDPOINTS=true

Available Test Endpoints

When development mode is enabled, you can access:

  • /test-activitypub.ts - Test ActivityPub and WebFinger endpoints
  • /test-publish.ts - Create a test blog post
  • /test-follow.ts - Test Follow activity processing
  • /test-verification.ts - Test email verification flow
  • /test-http-signatures.ts - Test HTTP signatures implementation
  • /test-activitypub-inbox.ts - Test ActivityPub inbox functionality
  • /test-activitypub-delivery.ts - Test ActivityPub delivery with HTTP signatures
  • /debug-config.ts - Debug email security configuration
  • /debug-signatures.ts - Debug HTTP signatures in detail
  • /generate-keys.ts - Generate RSA keys for ActivityPub

Production Security

In production (when development mode is disabled), all test endpoints return a 404 response, ensuring your production environment remains secure while allowing full testing capabilities during development.

Custom Domain Setup

To use a custom domain with ActivityPub federation:

  1. Set up your custom domain in Val Town (see Val Town documentation)
  2. Set the BASE_URL environment variable to your custom domain:
    • BASE_URL=https://yourdomain.com (with protocol)
    • OR BASE_URL=yourdomain.com (protocol will be assumed as https)
  3. Test ActivityPub discovery by visiting https://yourdomain.com/.well-known/webfinger?resource=acct:blog@yourdomain.com

Without BASE_URL set, the system will use the default Val Town URL for ActivityPub federation.

📊 API Endpoints

  • GET / - Main blog interface (with ActivityPub Link header)
  • GET /post/:slug - Individual post page (supports content negotiation for ActivityPub)
  • GET /upload - Image upload interface ✅
  • GET /images/:filename - Serve uploaded images ✅
  • GET /rss - RSS 2.0 feed
  • GET /api/posts - JSON API for posts
  • GET /api/posts/:slug - JSON API for single post
  • POST /api/images/upload - Upload image endpoint ✅
  • GET /api/posts/:slug/images - Get images for a specific post ✅
  • GET /api/images/user/:email - Get images uploaded by a user ✅
  • GET /api/images - Get all images (admin endpoint) ✅
  • DELETE /api/images/:filename - Delete an image ✅
  • GET /websub - WebSub subscription endpoint
  • GET /.well-known/webfinger - WebFinger discovery for ActivityPub ✅
  • GET /actor - ActivityPub actor document with rich metadata ✅
  • GET /outbox - ActivityPub outbox (paginated published activities) ✅
  • GET /outbox?page=N - Paginated outbox pages ✅
  • GET /followers - ActivityPub followers collection (with pagination support) ✅
  • GET /followers-list - Human-readable followers page ✅
  • GET /api/followers - JSON API for followers list ✅
  • GET /following - ActivityPub following collection ✅
  • POST /inbox - ActivityPub inbox (processes Follow, Like, Announce, Undo) ✅
  • GET /api/posts/:slug/activities - Get activity counts (likes, shares, replies) ✅
  • GET /verify-email - Email verification endpoint ✅
  • GET /health - Health check

🔒 Security Features

Email Allowlist

Only emails from pre-configured addresses can publish posts. Configure via environment variable:

ALLOWED_EMAIL_ADDRESSES=user1@example.com,user2@example.com,admin@myblog.com

Email Verification

To prevent spoofing, all emails go through a verification process:

  1. Email Received: Email is stored as a draft (not published)
  2. Verification Sent: Automated verification email sent to sender
  3. User Clicks Link: Sender clicks verification link in email
  4. Post Published: After verification, post is published and syndicated

Security Benefits

  • Anti-spoofing: Prevents unauthorized users from publishing posts
  • Email confirmation: Ensures the sender actually sent the email
  • Time-limited: Verification links expire after 24 hours
  • Automatic cleanup: Expired drafts are automatically removed

🖼️ Image Storage & Management

The platform includes comprehensive image storage capabilities for both static assets and email attachments.

Image Upload Methods

  1. Web Interface: Visit /upload (requires UPLOAD_PASSWORD) to upload images via drag-and-drop interface
  2. Email Attachments: Images attached to blog post emails are automatically processed and stored

Supported Image Formats

  • JPEG/JPG
  • PNG
  • GIF
  • WebP
  • SVG

File Size Limit: 5MB per image

Image Storage Features

  • Password Protection: Upload interface protected by UPLOAD_PASSWORD environment variable
  • Automatic Processing: Email attachments are automatically extracted and stored
  • Content Reference Replacement: Image references in email content are automatically updated to use stored URLs
  • Metadata Storage: Original filename, MIME type, file size, alt text, and post associations
  • Secure Access: Password-protected upload system prevents unauthorized access
  • Blob Storage: Images stored using Val Town's blob storage with unique filenames
  • URL Generation: Clean /images/filename URLs for serving images

Image API Usage

// Upload an image (requires password) const formData = new FormData(); formData.append('image', file); formData.append('password', 'your-upload-password'); formData.append('email', 'your-email@example.com'); formData.append('altText', 'Description of image'); formData.append('postSlug', 'my-blog-post'); // optional const response = await fetch('/api/images/upload', { method: 'POST', body: formData }); // Get images for a post (no password required) const images = await fetch('/api/posts/my-post-slug/images').then(r => r.json()); // Get images by user (requires password) const userImages = await fetch('/api/images/user/user@example.com?password=your-upload-password').then(r => r.json()); // Get all images (requires password) const allImages = await fetch('/api/images?password=your-upload-password&limit=50').then(r => r.json());

Email Attachment Processing

When you send an email with image attachments:

  1. Automatic Detection: System identifies image attachments by MIME type
  2. Storage: Images are stored with unique filenames in blob storage
  3. Database Records: Metadata is saved linking images to the post
  4. Content Updates: Email content is updated to reference stored image URLs
  5. Reference Replacement: Common patterns like cid:image.jpg are replaced with proper URLs

Example email with attachment:

To: your-blog@val.town
From: author@example.com
Subject: My Post with Images
Attachments: photo.jpg, diagram.png

<p>Check out this photo:</p>
<img src="cid:photo.jpg" alt="My photo" />
<p>And this diagram: [diagram.png]</p>

After processing, the content becomes:

<p>Check out this photo:</p> <img src="/images/1234567890-abc123-photo.jpg" alt="My photo" /> <p>And this diagram: ![diagram.png](/images/1234567890-def456-diagram.png)</p>

🧪 Testing

Use /test-publish.ts to create sample posts for testing.

📝 Usage Example

Send an email like this:

To: your-email-val@val.town
From: allowed-user@example.com  (must be in ALLOWED_EMAIL_ADDRESSES)
Subject: My Amazing Blog Post
Body: <h2>Hello World!</h2><p>This post was published via email!</p>

The process will be:

  1. Email received and stored as draft
  2. Verification email sent to allowed-user@example.com
  3. User clicks verification link
  4. Post published with:
    • Title: "My Amazing Blog Post"
    • Slug: "my-amazing-blog-post"
    • Content: Rendered HTML
    • Author: Extracted from email address

🎨 Customization

  • Edit HTML generation functions in /backend/index.ts
  • Modify CSS styles in the getCustomCSS() function
  • Update branding in HTML templates
  • Configure federation services via environment variables

🔄 Syndication

Posts are automatically syndicated to:

  • RSS feed (always enabled)
  • WebSub subscribers (if configured)
  • ActivityPub followers (with full interaction support) ✅
  • AT Protocol/Bluesky (if configured)

ActivityPub Federation

Your blog is now fully federated with ActivityPub! Users can:

  • Follow your blog from Mastodon, Pleroma, and other ActivityPub platforms
  • Like your blog posts (shows ❤️ count on posts)
  • Share/Boost your posts (shows 🔄 count on posts)
  • Reply to your posts (shows 💬 count on posts)
  • Preview posts directly in Mastodon timeline with proper formatting

Discovery formats:

  • WebFinger: @blog@your-domain.com
  • Direct actor URL: https://your-domain.com/actor

Configuration for custom domains:

  • Set BASE_URL=https://your-custom-domain.com in your environment variables
  • This ensures all ActivityPub URLs use your custom domain instead of the default Val Town URL

Enhanced ActivityPub Features:

  • ✅ Paginated Outbox: Posts are served with proper pagination for better performance
  • ✅ Rich Post Previews: Posts display with titles, summaries, and full content in Mastodon
  • ✅ Content Negotiation: Individual posts serve both HTML and ActivityPub JSON based on Accept headers
  • ✅ Profile Metadata: Actor profile includes avatar, header image, and custom fields
  • ✅ Link Discovery: Proper HTTP Link headers for ActivityPub discovery
  • ✅ Post Permalinks: Each post has its own ActivityPub Note endpoint

Real-time interaction tracking:

  • All likes, shares, and replies are stored and displayed on individual post pages
  • Follower count is maintained and accurate
  • Full ActivityPub inbox processing for Follow/Unfollow activities

Example: If your blog is at myblog.com (with BASE_URL=https://myblog.com), users can follow @blog@myblog.com from their Mastodon client and see your posts with rich previews in their timeline!


Ready to blog via email? Send your first post now! 📧✨

FeaturesVersion controlCode intelligenceCLI
Use cases
TeamsAI agentsSlackGTM
DocsShowcaseTemplatesNewestTrendingAPI examplesNPM packages
PricingNewsletterBlogAboutCareers
We’re hiring!
Brandhi@val.townStatus
X (Twitter)
Discord community
GitHub discussions
YouTube channel
Bluesky
Open Source Pledge
Terms of usePrivacy policyAbuse contact
© 2025 Val Town, Inc.