@evanp/activitypub-bot 0.43.0 → 0.43.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/CHANGELOG.md +18 -0
  2. package/lib/activitypubclient.js +12 -5
  3. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -9,6 +9,24 @@ and this project adheres to
9
9
 
10
10
  ## [Unreleased]
11
11
 
12
+ ## [0.43.1] - 2026-04-22
13
+
14
+ ### Fixed
15
+
16
+ - `ActivityPubClient` now falls back from RFC 9421 to draft-cavage-12
17
+ signatures on `400`, `401`, or `403` responses (previously only 401 and
18
+ 403), so remote servers that reject RFC 9421 with a 400 — e.g.
19
+ Pleroma-Relay's `"missing signature header"` — now trigger the
20
+ double-knock instead of failing the request.
21
+ - Signature-policy caching is no longer overeager: successful RFC 9421
22
+ requests no longer store a per-origin policy, and only confirmed
23
+ draft-cavage-12 fallbacks are cached. This prevents origins whose
24
+ public endpoints don't actually verify signatures (e.g. public
25
+ actor fetches) from pinning the wrong scheme.
26
+ - Fallback on auth-shaped errors now also fires when the stored policy
27
+ is the legacy `rfc9421` value, so existing caches from earlier
28
+ releases self-correct on their next failure.
29
+
12
30
  ## [0.43.0] - 2026-04-22
13
31
 
14
32
  ### Added
package/lib/activitypubclient.js CHANGED
@@ -205,9 +205,9 @@ export class ActivityPubClient {
205
205
  }
206
206
  )
207
207
  this.#logger.debug({ hostname, status: res.status }, 'response received')
208
- if ([401, 403].includes(res.status) &&
208
+ if ([400, 401, 403].includes(res.status) &&
209
209
  sign &&
210
- !storedPolicy) {
210
+ lastPolicy === SignaturePolicyStorage.RFC9421) {
211
211
  const body = await res.text()
212
212
  this.#logger.debug(
213
213
  { url, status: res.status, body, headers: res.headers },
@@ -256,7 +256,10 @@ export class ActivityPubClient {
256
256
  throw err
257
257
  }
258
258
 
259
- if (sign && !storedPolicy && lastPolicy) {
259
+ // Only cache draft-cavage-12 (i.e. the degraded fallback). Caching
260
+ // rfc9421 would pin origins whose public endpoints don't actually
261
+ // verify signatures, and block future re-probing when they upgrade.
262
+ if (lastPolicy === SignaturePolicyStorage.DRAFT_CAVAGE_12) {
260
263
  await this.#policyStorage.set(parsed.origin, lastPolicy)
261
264
  }
262
265
 
@@ -342,7 +345,8 @@ export class ActivityPubClient {
342
345
  body
343
346
  }
344
347
  )
345
- if ([401, 403].includes(res.status) && !storedPolicy) {
348
+ if ([400, 401, 403].includes(res.status) &&
349
+ lastPolicy === SignaturePolicyStorage.RFC9421) {
346
350
  const body = await res.text()
347
351
  this.#logger.debug(
348
352
  { url, status: res.status, body, headers: res.headers },
@@ -378,7 +382,10 @@ export class ActivityPubClient {
378
382
  { url, method, headers: res.headers, body }
379
383
  )
380
384
  }
381
- if (!storedPolicy && lastPolicy) {
385
+ // Only cache draft-cavage-12 (i.e. the degraded fallback). Caching
386
+ // rfc9421 would pin origins whose public endpoints don't actually
387
+ // verify signatures, and block future re-probing when they upgrade.
388
+ if (lastPolicy === SignaturePolicyStorage.DRAFT_CAVAGE_12) {
382
389
  await this.#policyStorage.set(parsed.origin, lastPolicy)
383
390
  }
384
391
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@evanp/activitypub-bot",
3
- "version": "0.43.0",
3
+ "version": "0.43.1",
4
4
  "description": "server-side ActivityPub bot framework",
5
5
  "type": "module",
6
6
  "main": "lib/index.js",