@evanp/activitypub-bot 0.38.4 → 0.39.1

package/lib/activitypubclient.js

@@ -4,9 +4,9 @@ import path from 'node:path'
 import { fileURLToPath } from 'node:url'
 
 import fetch from 'node-fetch'
-import createHttpError from 'http-errors'
 
 import as2 from './activitystreams.js'
+import { SignaturePolicyStorage } from './signaturepolicystorage.js'
 
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
@@ -22,6 +22,32 @@ const COLLECTION_TYPES = [
   `${NS}OrderedCollection`
 ]
 
+function normalizeHeaders (headers) {
+  if (!headers) {
+    return headers
+  }
+  if (typeof headers.forEach === 'function') {
+    const result = {}
+    headers.forEach((value, key) => {
+      result[key] = value
+    })
+    return result
+  }
+  return headers
+}
+
+export class ActivityPubClientError extends Error {
+  constructor (status, message, { url, method, headers, body } = {}) {
+    super(message)
+    this.name = 'ActivityPubClientError'
+    this.status = status
+    this.url = url
+    this.method = method
+    this.headers = normalizeHeaders(headers)
+    this.body = body
+  }
+}
+
 export class ActivityPubClient {
   static #githubUrl = 'https://github.com/evanp/activitypub-bot'
   static #userAgent = `activitypub.bot/${version} (${ActivityPubClient.#githubUrl})`
@@ -37,8 +63,10 @@ export class ActivityPubClient {
   #logger = null
   #limiter
   #cache
+  #messageSigner
+  #policyStorage
 
-  constructor (keyStorage, urlFormatter, signer, digester, logger, limiter, cache) {
+  constructor (keyStorage, urlFormatter, signer, digester, logger, limiter, cache, messageSigner, policyStorage) {
     assert.strictEqual(typeof keyStorage, 'object')
     assert.strictEqual(typeof urlFormatter, 'object')
     assert.strictEqual(typeof signer, 'object')
@@ -46,6 +74,8 @@ export class ActivityPubClient {
     assert.strictEqual(typeof logger, 'object')
     assert.strictEqual(typeof limiter, 'object')
     assert.strictEqual(typeof cache, 'object')
+    assert.strictEqual(typeof messageSigner, 'object')
+    assert.strictEqual(typeof policyStorage, 'object')
     this.#keyStorage = keyStorage
     this.#urlFormatter = urlFormatter
     this.#signer = signer
@@ -53,6 +83,8 @@ export class ActivityPubClient {
     this.#logger = logger.child({ class: this.constructor.name })
     this.#limiter = limiter
     this.#cache = cache
+    this.#messageSigner = messageSigner
+    this.#policyStorage = policyStorage
   }
 
   async get (url, username = this.#urlFormatter.hostname) {
@@ -129,21 +161,47 @@ export class ActivityPubClient {
     this.#logger.debug({ headers }, 'Sending headers')
     const method = 'GET'
     this.#logger.debug({ url: baseUrl }, 'Signing GET request')
+    let storedPolicy, lastPolicy
     if (sign) {
-      headers.signature =
+      storedPolicy = await this.#policyStorage.get(parsed.origin)
+      if (!storedPolicy || storedPolicy === SignaturePolicyStorage.RFC9421) {
+        lastPolicy = SignaturePolicyStorage.RFC9421
+        const sigHeaders = await this.#messageSign({ username, url: baseUrl, method, headers })
+        Object.assign(headers, sigHeaders || {})
+      } else if (storedPolicy === SignaturePolicyStorage.DRAFT_CAVAGE_12) {
+        lastPolicy = SignaturePolicyStorage.DRAFT_CAVAGE_12
+        headers.signature =
         await this.#sign({ username, url: baseUrl, method, headers })
+      } else {
+        throw new Error(`Unexpected signature policy ${storedPolicy}`)
+      }
     }
     const hostname = parsed.hostname
     this.#logger.debug({ url: baseUrl, hostname }, 'Waiting for rate limiter')
     await this.#limiter.limit(hostname)
     this.#logger.debug({ url: baseUrl }, 'Fetching with GET')
-    const res = await fetch(baseUrl,
+    let res = await fetch(baseUrl,
       {
         method,
         headers
       }
     )
     this.#logger.debug({ hostname, status: res.status }, 'response received')
+    if ([401, 403].includes(res.status) &&
+        sign &&
+        !storedPolicy) {
+      lastPolicy = SignaturePolicyStorage.DRAFT_CAVAGE_12
+      delete headers['signature-input']
+      headers.signature =
+        await this.#sign({ username, url: baseUrl, method, headers })
+      res = await fetch(baseUrl,
+        {
+          method,
+          headers
+        }
+      )
+    }
+
     await this.#limiter.update(hostname, res.headers)
     this.#logger.debug({ url }, 'Finished GET')
     if (useCache && res.status === 304) {
@@ -155,10 +213,10 @@ export class ActivityPubClient {
         { status: res.status, body, url: baseUrl },
         'Could not fetch url'
       )
-      throw createHttpError(
+      throw new ActivityPubClientError(
         res.status,
         `Could not fetch ${baseUrl}`,
-        { headers: res.headers }
+        { url: baseUrl, method, headers: res.headers, body }
       )
     }
 
@@ -176,6 +234,10 @@ export class ActivityPubClient {
       throw err
     }
 
+    if (sign && !storedPolicy && lastPolicy) {
+      await this.#policyStorage.set(parsed.origin, lastPolicy)
+    }
+
     await this.#cache.set(baseUrl, username, json, res.headers)
 
     return json
@@ -206,6 +268,7 @@ export class ActivityPubClient {
     assert.ok(username)
     assert.equal(typeof username, 'string')
     assert.ok(username !== '*')
+    const parsed = (new URL(url))
     const json = await obj.export()
     this.#fixupJson(json)
     const body = JSON.stringify(json)
@@ -218,28 +281,56 @@ export class ActivityPubClient {
     const method = 'POST'
     assert.ok(headers)
     this.#logger.debug({ url }, 'Signing POST')
-    headers.signature = await this.#sign({ username, url, method, headers })
-    const hostname = (new URL(url)).hostname
+    let lastPolicy
+    const storedPolicy = await this.#policyStorage.get(parsed.origin)
+    if (!storedPolicy || storedPolicy === SignaturePolicyStorage.RFC9421) {
+      lastPolicy = SignaturePolicyStorage.RFC9421
+      const sigHeaders = await this.#messageSign({ username, url, method, headers })
+      Object.assign(headers, sigHeaders || {})
+    } else if (storedPolicy === SignaturePolicyStorage.DRAFT_CAVAGE_12) {
+      lastPolicy = SignaturePolicyStorage.DRAFT_CAVAGE_12
+      headers.signature =
+        await this.#sign({ username, url, method, headers })
+    } else {
+      throw new Error(`Unexpected signature policy ${storedPolicy}`)
+    }
+    const hostname = parsed.hostname
     this.#logger.debug({ url, hostname }, 'Waiting for rate limiter')
     await this.#limiter.limit(hostname)
     this.#logger.debug({ url }, 'Fetching POST')
-    const res = await fetch(url,
+    let res = await fetch(url,
       {
         method,
         headers,
         body
       }
     )
+    if ([401, 403].includes(res.status) && !storedPolicy) {
+      lastPolicy = SignaturePolicyStorage.DRAFT_CAVAGE_12
+      delete headers['signature-input']
+      headers.signature =
+        await this.#sign({ username, url, method, headers })
+      res = await fetch(url,
+        {
+          method,
+          headers,
+          body
+        }
+      )
+    }
     this.#logger.debug({ hostname }, 'updating limiter')
     await this.#limiter.update(hostname, res.headers)
     this.#logger.debug({ url }, 'Done fetching POST')
     if (res.status < 200 || res.status > 299) {
-      throw createHttpError(
+      throw new ActivityPubClientError(
         res.status,
-        await res.text(),
-        { headers: res.headers }
+        `Could not post to ${url}`,
+        { url, method, headers: res.headers }
       )
     }
+    if (!storedPolicy && lastPolicy) {
+      await this.#policyStorage.set(parsed.origin, lastPolicy)
+    }
   }
 
   async #sign ({ username, url, method, headers }) {
@@ -252,6 +343,16 @@ export class ActivityPubClient {
     return this.#signer.sign({ privateKey, keyId, url, method, headers })
   }
 
+  async #messageSign ({ username, url, method, headers }) {
+    assert.ok(url)
+    assert.ok(method)
+    assert.ok(headers)
+    assert.ok(username)
+    const privateKey = await this.#keyStorage.getPrivateKey(username)
+    const keyId = this.#urlFormatter.format({ username, type: 'publickey' })
+    return this.#messageSigner.sign({ privateKey, keyId, url, method, headers })
+  }
+
   #isCollection (obj) {
     return (Array.isArray(obj.type))
       ? obj.type.some(item => COLLECTION_TYPES.includes(item))

package/lib/app.js

@@ -1,6 +1,7 @@
 import http from 'node:http'
 import { resolve, dirname } from 'node:path'
 import { fileURLToPath } from 'node:url'
+import { randomUUID } from 'node:crypto'
 
 import { Sequelize } from 'sequelize'
 import express from 'express'
@@ -8,7 +9,7 @@ import Logger from 'pino'
 import HTTPLogger from 'pino-http'
 
 import { ActivityDistributor } from './activitydistributor.js'
-import { ActivityPubClient } from './activitypubclient.js'
+import { ActivityPubClient, ActivityPubClientError } from './activitypubclient.js'
 import { ActorStorage } from './actorstorage.js'
 import { BotDataStorage } from './botdatastorage.js'
 import { KeyStorage } from './keystorage.js'
@@ -45,7 +46,7 @@ import { FanoutWorker } from './fanoutworker.js'
 import { IntakeWorker } from './intakeworker.js'
 import { RemoteObjectCache } from './remoteobjectcache.js'
 import { HTTPMessageSignature } from './httpmessagesignature.js'
-import { randomUUID } from 'node:crypto'
+import { SignaturePolicyStorage } from './signaturepolicystorage.js'
 
 const currentDir = dirname(fileURLToPath(import.meta.url))
 const DEFAULT_INDEX_FILENAME = resolve(currentDir, '..', 'web', 'index.html')
@@ -77,7 +78,8 @@ export async function makeApp ({ databaseUrl, origin, bots, logLevel = 'silent',
   const objectStorage = new ObjectStorage(connection)
   const limiter = new RateLimiter(connection, logger)
   const remoteObjectCache = new RemoteObjectCache(connection, logger)
-  const client = new ActivityPubClient(keyStorage, formatter, signer, digester, logger, limiter, remoteObjectCache)
+  const policyStore = new SignaturePolicyStorage(connection, logger)
+  const client = new ActivityPubClient(keyStorage, formatter, signer, digester, logger, limiter, remoteObjectCache, messageSigner, policyStore)
   const remoteKeyStorage = new RemoteKeyStorage(client, connection, logger)
   const signature = new HTTPSignatureAuthenticator(remoteKeyStorage, signer, messageSigner, digester, logger)
   const jobQueue = new JobQueue(connection, logger)
@@ -253,24 +255,46 @@ export async function makeApp ({ databaseUrl, origin, bots, logLevel = 'silent',
 
   app.use((err, req, res, next) => {
     const { logger } = req.app.locals
-    let status = 500
-    if (err.status) {
-      status = err.status
-    }
-    const title = (http.STATUS_CODES[status])
-      ? http.STATUS_CODES[status]
-      : 'Unknown Status'
-
-    if (status >= 500 && status < 600) {
-      logger.error(err)
-    } else if (status >= 400 && status < 500) {
-      logger.warn(err)
+    if (err instanceof ActivityPubClientError) {
+      logger.error({
+        err,
+        status: err.status,
+        url: err.url,
+        method: err.method
+      }, 'ActivityPub client request failed')
+      res.status(500).type('application/problem+json').json({
+        type: 'about:blank',
+        title: 'Internal Server Error',
+        status: 500,
+        detail: 'Internal Server Error'
+      })
     } else {
-      logger.debug(err)
+      let status = 500
+      if (err.status) {
+        status = err.status
+      }
+      const title = (http.STATUS_CODES[status])
+        ? http.STATUS_CODES[status]
+        : 'Unknown Status'
+
+      if (status >= 500 && status < 600) {
+        logger.error(err)
+      } else if (status >= 400 && status < 500) {
+        logger.warn(err)
+      } else {
+        logger.debug(err)
+      }
+      const type = err.type || 'about:blank'
+      const problemTitle = err.title || title
+      const extra = Object.fromEntries(
+        Object.entries(err).filter(
+          ([k]) => !['status', 'type', 'title', 'detail', 'stack'].includes(k)
+        )
+      )
+      res.status(status)
+      res.type('application/problem+json')
+      res.json({ type, title: problemTitle, status, detail: err.message, ...extra })
     }
-    res.status(status)
-    res.type('application/problem+json')
-    res.json({ type: 'about:blank', title, status, detail: err.message })
   })
 
   app.onIdle = async () => {

package/lib/errors.js

@@ -0,0 +1,158 @@
+import http from 'node:http'
+
+const FEP_C180 = 'https://w3id.org/fep/c180'
+
+export class ProblemDetailsError extends Error {
+  constructor (status, detail, extra = {}) {
+    super(detail)
+    this.status = status
+    const { type, title, ...rest } = extra
+    this.type = type || 'about:blank'
+    this.title = title || http.STATUS_CODES[status] || 'Unknown Status'
+    this.detail = detail
+    Object.assign(this, rest)
+  }
+}
+
+export class UnsupportedTypeError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    // Rename `type` to `objectType` to avoid conflict with the problem type URI field
+    const { type: objectType, ...rest } = extra
+    super(400, detail, {
+      type: `${FEP_C180}#unsupported-type`,
+      title: 'Unsupported type',
+      ...rest,
+      ...(objectType != null ? { objectType } : {})
+    })
+  }
+}
+
+export class ObjectDoesNotExistError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(400, detail, {
+      type: `${FEP_C180}#object-does-not-exist`,
+      title: 'Object does not exist',
+      ...extra
+    })
+  }
+}
+
+export class DuplicateDeliveryError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(400, detail, {
+      type: `${FEP_C180}#duplicate-delivery`,
+      title: 'Duplicate delivery',
+      ...extra
+    })
+  }
+}
+
+export class RedundantActivityError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(400, detail, {
+      type: `${FEP_C180}#redundant-activity`,
+      title: 'Redundant activity',
+      ...extra
+    })
+  }
+}
+
+export class ApprovalRequiredError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(202, detail, {
+      type: `${FEP_C180}#approval-required`,
+      title: 'Approval required',
+      ...extra
+    })
+  }
+}
+
+export class NotAnActorError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(400, detail, {
+      type: `${FEP_C180}#not-an-actor`,
+      title: 'Not an actor',
+      ...extra
+    })
+  }
+}
+
+export class PrincipalActorMismatchError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(400, detail, {
+      type: `${FEP_C180}#principal-actor-mismatch`,
+      title: 'Principal-actor mismatch',
+      ...extra
+    })
+  }
+}
+
+export class ActorNotAuthorizedError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(403, detail, {
+      type: `${FEP_C180}#actor-not-authorized`,
+      title: 'Actor not authorized',
+      ...extra
+    })
+  }
+}
+
+export class PrincipalNotAuthorizedError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(403, detail, {
+      type: `${FEP_C180}#principal-not-authorized`,
+      title: 'Principal not authorized',
+      ...extra
+    })
+  }
+}
+
+export class ClientNotAuthorizedError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(403, detail, {
+      type: `${FEP_C180}#client-not-authorized`,
+      title: 'Client not authorized',
+      ...extra
+    })
+  }
+}
+
+export class UnsupportedMediaTypeError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(400, detail, {
+      type: `${FEP_C180}#unsupported-media-type`,
+      title: 'Unsupported media type',
+      ...extra
+    })
+  }
+}
+
+export class MediaTooLargeError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(413, detail, {
+      type: `${FEP_C180}#media-too-large`,
+      title: 'Media too large',
+      ...extra
+    })
+  }
+}
+
+export class NoApplicableAddresseesError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(400, detail, {
+      type: `${FEP_C180}#no-applicable-addressees`,
+      title: 'No applicable addressees',
+      ...extra
+    })
+  }
+}
+
+export class RateLimitExceededError extends ProblemDetailsError {
+  constructor (detail, extra = {}) {
+    super(429, detail, {
+      type: `${FEP_C180}#rate-limit-exceeded`,
+      title: 'Rate limit exceeded',
+      ...extra
+    })
+  }
+}

package/lib/httpmessagesignature.js

@@ -15,7 +15,7 @@ export class HTTPMessageSignature {
   constructor (logger) {
     assert.ok(logger)
     assert.strictEqual(typeof logger, 'object')
-    this.#logger = logger
+    this.#logger = logger.child({ class: this.constructor.name })
   }
 
   keyId (signatureInput) {

package/lib/httpsignature.js

@@ -1,7 +1,7 @@
 import crypto from 'node:crypto'
 import assert from 'node:assert'
 
-import createHttpError from 'http-errors'
+import { ProblemDetailsError } from './errors.js'
 
 export class HTTPSignature {
   static #maxDateDiff = 5 * 60 * 1000 // 5 minutes
@@ -13,48 +13,48 @@ export class HTTPSignature {
   keyId (signature) {
     const params = this.#parseSignatureHeader(signature)
     if (!params.keyId) {
-      throw createHttpError(401, 'No keyId provided')
+      throw new ProblemDetailsError(401, 'No keyId provided')
     }
     return params.keyId
   }
 
   async validate (publicKeyPem, signature, method, path, headers) {
     if (!signature) {
-      throw createHttpError(401, 'No signature provided')
+      throw new ProblemDetailsError(401, 'No signature provided')
     }
     if (!method) {
-      throw createHttpError(400, 'No HTTP method provided')
+      throw new ProblemDetailsError(400, 'No HTTP method provided')
     }
     if (!path) {
-      throw createHttpError(400, 'No URL path provided')
+      throw new ProblemDetailsError(400, 'No URL path provided')
     }
     if (!headers) {
-      throw createHttpError(400, 'No request headers provided')
+      throw new ProblemDetailsError(400, 'No request headers provided')
     }
 
     const params = this.#parseSignatureHeader(signature)
 
     const keyId = params.keyId
     if (!keyId) {
-      throw createHttpError(401, 'No keyId provided')
+      throw new ProblemDetailsError(401, 'No keyId provided')
     }
     this.#logger.debug({ keyId }, 'validating signature')
     const algorithm = params.algorithm
     if (!algorithm) {
-      throw createHttpError(401, 'No algorithm provided')
+      throw new ProblemDetailsError(401, 'No algorithm provided')
     }
     this.#logger.debug({ algorithm }, 'validating signature')
     if (!(algorithm === 'rsa-sha256' || (algorithm === 'hs2019' && this.#isRSAKey(publicKeyPem)))) {
-      throw createHttpError(401, 'Only rsa-sha256 or hs2019 with RSA supported')
+      throw new ProblemDetailsError(401, 'Only rsa-sha256 or hs2019 with RSA supported')
     }
     if (!params.headers) {
-      throw createHttpError(401, 'No headers provided')
+      throw new ProblemDetailsError(401, 'No headers provided')
     }
     const signedHeaders = params.headers.split(' ')
     this.#logger.debug({ signedHeaders }, 'validating signature')
     const signatureString = params.signature
     if (!signatureString) {
-      throw createHttpError(401, 'No signature field provided in signature header')
+      throw new ProblemDetailsError(401, 'No signature field provided in signature header')
     }
     this.#logger.debug({ signatureString }, 'validating signature')
     const signingString = this.#signingString({

package/lib/httpsignatureauthenticator.js

@@ -1,6 +1,6 @@
 import assert from 'node:assert'
 
-import createHttpError from 'http-errors'
+import { ProblemDetailsError } from './errors.js'
 
 import BotMaker from './botmaker.js'
 
@@ -77,21 +77,21 @@ export class HTTPSignatureAuthenticator {
     this.#logger.debug({ reqId: req.id, signature }, 'Got signed request')
     const date = req.get('Date')
     if (!date) {
-      throw createHttpError(400, 'No date provided')
+      throw new ProblemDetailsError(400, 'No date provided')
     }
     if (Math.abs(Date.parse(date) - Date.now()) >
         HTTPSignatureAuthenticator.#maxDateDiff) {
-      throw createHttpError(400, 'Time skew too large')
+      throw new ProblemDetailsError(400, 'Time skew too large')
     }
     if (req.rawBodyText && req.rawBodyText.length > 0) {
       const digest = req.get('Digest')
       if (!digest) {
-        throw createHttpError(400, 'No digest provided')
+        throw new ProblemDetailsError(400, 'No digest provided')
       }
       const calculated = await this.#digester.digest(req.rawBodyText)
       if (!this.#digester.equals(digest, calculated)) {
         this.#logger.debug({ reqId: req.id, calculated, digest }, 'Digest mismatch')
-        throw createHttpError(400, 'Digest mismatch')
+        throw new ProblemDetailsError(400, 'Digest mismatch')
       }
     }
     const { method, headers } = req
@@ -100,7 +100,7 @@ export class HTTPSignatureAuthenticator {
     this.#logger.debug({ reqId: req.id, keyId }, 'Signed with keyId')
     const ok = await this.#remoteKeyStorage.getPublicKey(keyId)
     if (!ok) {
-      throw createHttpError(400, 'public key not found')
+      throw new ProblemDetailsError(400, 'public key not found')
     }
     let owner = ok.owner
     let publicKeyPem = ok.publicKeyPem
@@ -125,7 +125,7 @@ export class HTTPSignatureAuthenticator {
       req.auth.subject = owner
       return next()
     } else {
-      throw createHttpError(401, 'Unauthorized')
+      throw new ProblemDetailsError(401, 'Unauthorized')
     }
   }
 
@@ -137,25 +137,25 @@ export class HTTPSignatureAuthenticator {
     const date = req.get('Date')
     if (date && Math.abs(Date.parse(date) - Date.now()) >
         HTTPSignatureAuthenticator.#maxDateDiff) {
-      throw createHttpError(400, 'Time skew too large')
+      throw new ProblemDetailsError(400, 'Time skew too large')
     }
     if (req.rawBodyText && req.rawBodyText.length > 0) {
       const digest = req.get('Content-Digest')
       if (!digest) {
-        throw createHttpError(400, 'No digest provided')
+        throw new ProblemDetailsError(400, 'No digest provided')
       }
       const calculated = await this.#digester.contentDigest(req.rawBodyText)
       if (!this.#digester.equals(digest, calculated)) {
         this.#logger.debug({ reqId: req.id, calculated, digest }, 'Digest mismatch')
-        throw createHttpError(400, 'Digest mismatch')
+        throw new ProblemDetailsError(400, 'Digest mismatch')
       }
     }
     const created = this.#messageSigner.created(signatureInput)
     if (!created) {
-      throw createHttpError(400, 'No created timestamp provided')
+      throw new ProblemDetailsError(400, 'No created timestamp provided')
     }
     if (Math.abs(Date.now() - created * 1000) > HTTPSignatureAuthenticator.#maxDateDiff) {
-      throw createHttpError(400, 'Time skew too large')
+      throw new ProblemDetailsError(400, 'Time skew too large')
     }
     const { method, headers } = req
     const { origin } = req.app.locals
@@ -163,12 +163,12 @@ export class HTTPSignatureAuthenticator {
 
     const keyId = this.#messageSigner.keyId(signatureInput)
     if (!keyId) {
-      throw createHttpError(400, 'no public key provided')
+      throw new ProblemDetailsError(400, 'no public key provided')
     }
     this.#logger.debug({ reqId: req.id, keyId }, 'Signed with keyId')
     const ok = await this.#remoteKeyStorage.getPublicKey(keyId)
     if (!ok) {
-      throw createHttpError(400, 'public key not found')
+      throw new ProblemDetailsError(400, 'public key not found')
     }
     let owner = ok.owner
     let publicKeyPem = ok.publicKeyPem
@@ -193,7 +193,7 @@ export class HTTPSignatureAuthenticator {
       req.auth.subject = owner
       return next()
     } else {
-      throw createHttpError(401, 'Unauthorized')
+      throw new ProblemDetailsError(401, 'Unauthorized')
     }
   }
 }

package/lib/migrations/008-signature-policy.js

@@ -0,0 +1,16 @@
+export const id = '008-signature-policy'
+
+export async function up (connection, queryOptions = {}) {
+  await connection.query(`
+    CREATE TABLE signature_policy (
+      origin varchar(256) NOT NULL PRIMARY KEY,
+      policy varchar(32) NOT NULL,
+      expiry TIMESTAMP NOT NULL,
+      created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+      updated_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+    );
+  `, queryOptions)
+  await connection.query(`
+    CREATE INDEX signature_policy_expiry on signature_policy (expiry);
+  `, queryOptions)
+}