@evanp/activitypub-bot 0.43.0 → 0.43.2

package/CHANGELOG.md

@@ -9,6 +9,35 @@ and this project adheres to
 
 ## [Unreleased]
 
+## [0.43.2] - 2026-04-22
+
+### Fixed
+
+- `ActivityPubClient.post()` now re-sends the original activity JSON when
+  falling back from RFC 9421 to draft-cavage-12. A variable-shadowing bug
+  caused the retry to POST the error response body from the failed RFC 9421
+  attempt (e.g. `{"error":"missing signature header"}`) instead of the
+  original activity, which remote servers then rejected with `400 "no actor
+  in message"`.
+
+## [0.43.1] - 2026-04-22
+
+### Fixed
+
+- `ActivityPubClient` now falls back from RFC 9421 to draft-cavage-12
+  signatures on `400`, `401`, or `403` responses (previously only 401 and
+  403), so remote servers that reject RFC 9421 with a 400 — e.g.
+  Pleroma-Relay's `"missing signature header"` — now trigger the
+  double-knock instead of failing the request.
+- Signature-policy caching is no longer overeager: successful RFC 9421
+  requests no longer store a per-origin policy, and only confirmed
+  draft-cavage-12 fallbacks are cached. This prevents origins whose
+  public endpoints don't actually verify signatures (e.g. public
+  actor fetches) from pinning the wrong scheme.
+- Fallback on auth-shaped errors now also fires when the stored policy
+  is the legacy `rfc9421` value, so existing caches from earlier
+  releases self-correct on their next failure.
+
 ## [0.43.0] - 2026-04-22
 
 ### Added

package/lib/activitypubclient.js

@@ -205,12 +205,12 @@ export class ActivityPubClient {
       }
     )
     this.#logger.debug({ hostname, status: res.status }, 'response received')
-    if ([401, 403].includes(res.status) &&
+    if ([400, 401, 403].includes(res.status) &&
         sign &&
-        !storedPolicy) {
-      const body = await res.text()
+        lastPolicy === SignaturePolicyStorage.RFC9421) {
+      const errBody = await res.text()
       this.#logger.debug(
-        { url, status: res.status, body, headers: res.headers },
+        { url, status: res.status, body: errBody, headers: res.headers },
         'Authentication error; retrying with draft-cavage-12 signature')
       lastPolicy = SignaturePolicyStorage.DRAFT_CAVAGE_12
       delete headers['signature-input']
@@ -230,15 +230,15 @@ export class ActivityPubClient {
       this.#logger.debug({ baseUrl }, '304 Not Modified, returning cached object')
       return cached.object
     } else if (res.status < 200 || res.status > 299) {
-      const body = await res.text()
+      const errBody = await res.text()
       this.#logger.warn(
-        { status: res.status, body, url: baseUrl },
+        { status: res.status, body: errBody, url: baseUrl },
         'Could not fetch url'
       )
       throw new ActivityPubClientError(
         res.status,
         `Could not fetch ${baseUrl}`,
-        { url: baseUrl, method, headers: res.headers, body }
+        { url: baseUrl, method, headers: res.headers, body: errBody }
       )
     }
 
@@ -256,7 +256,10 @@ export class ActivityPubClient {
       throw err
     }
 
-    if (sign && !storedPolicy && lastPolicy) {
+    // Only cache draft-cavage-12 (i.e. the degraded fallback). Caching
+    // rfc9421 would pin origins whose public endpoints don't actually
+    // verify signatures, and block future re-probing when they upgrade.
+    if (lastPolicy === SignaturePolicyStorage.DRAFT_CAVAGE_12) {
       await this.#policyStorage.set(parsed.origin, lastPolicy)
     }
 
@@ -342,10 +345,11 @@ export class ActivityPubClient {
         body
       }
     )
-    if ([401, 403].includes(res.status) && !storedPolicy) {
-      const body = await res.text()
+    if ([400, 401, 403].includes(res.status) &&
+        lastPolicy === SignaturePolicyStorage.RFC9421) {
+      const errBody = await res.text()
       this.#logger.debug(
-        { url, status: res.status, body, headers: res.headers },
+        { url, status: res.status, body: errBody, headers: res.headers },
         'Authentication error; retrying with draft-cavage-12 signature'
       )
       lastPolicy = SignaturePolicyStorage.DRAFT_CAVAGE_12
@@ -367,18 +371,21 @@ export class ActivityPubClient {
     await this.#throttler.update(hostname, res.headers)
     this.#logger.debug({ url }, 'Done fetching POST')
     if (res.status < 200 || res.status > 299) {
-      const body = await res.text()
+      const errBody = await res.text()
       this.#logger.debug(
-        { url, status: res.status, body, headers: res.headers },
+        { url, status: res.status, body: errBody, headers: res.headers },
         'Error posting to url'
       )
       throw new ActivityPubClientError(
         res.status,
         `Could not post to ${url}`,
-        { url, method, headers: res.headers, body }
+        { url, method, headers: res.headers, body: errBody }
       )
     }
-    if (!storedPolicy && lastPolicy) {
+    // Only cache draft-cavage-12 (i.e. the degraded fallback). Caching
+    // rfc9421 would pin origins whose public endpoints don't actually
+    // verify signatures, and block future re-probing when they upgrade.
+    if (lastPolicy === SignaturePolicyStorage.DRAFT_CAVAGE_12) {
       await this.#policyStorage.set(parsed.origin, lastPolicy)
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evanp/activitypub-bot",
-  "version": "0.43.0",
+  "version": "0.43.2",
   "description": "server-side ActivityPub bot framework",
   "type": "module",
   "main": "lib/index.js",