@evanp/activitypub-bot 0.43.1 → 0.43.2

package/CHANGELOG.md

@@ -9,6 +9,17 @@ and this project adheres to
 
 ## [Unreleased]
 
+## [0.43.2] - 2026-04-22
+
+### Fixed
+
+- `ActivityPubClient.post()` now re-sends the original activity JSON when
+  falling back from RFC 9421 to draft-cavage-12. A variable-shadowing bug
+  caused the retry to POST the error response body from the failed RFC 9421
+  attempt (e.g. `{"error":"missing signature header"}`) instead of the
+  original activity, which remote servers then rejected with `400 "no actor
+  in message"`.
+
 ## [0.43.1] - 2026-04-22
 
 ### Fixed

package/lib/activitypubclient.js

@@ -208,9 +208,9 @@ export class ActivityPubClient {
     if ([400, 401, 403].includes(res.status) &&
         sign &&
         lastPolicy === SignaturePolicyStorage.RFC9421) {
-      const body = await res.text()
+      const errBody = await res.text()
       this.#logger.debug(
-        { url, status: res.status, body, headers: res.headers },
+        { url, status: res.status, body: errBody, headers: res.headers },
         'Authentication error; retrying with draft-cavage-12 signature')
       lastPolicy = SignaturePolicyStorage.DRAFT_CAVAGE_12
       delete headers['signature-input']
@@ -230,15 +230,15 @@ export class ActivityPubClient {
       this.#logger.debug({ baseUrl }, '304 Not Modified, returning cached object')
       return cached.object
     } else if (res.status < 200 || res.status > 299) {
-      const body = await res.text()
+      const errBody = await res.text()
       this.#logger.warn(
-        { status: res.status, body, url: baseUrl },
+        { status: res.status, body: errBody, url: baseUrl },
         'Could not fetch url'
       )
       throw new ActivityPubClientError(
         res.status,
         `Could not fetch ${baseUrl}`,
-        { url: baseUrl, method, headers: res.headers, body }
+        { url: baseUrl, method, headers: res.headers, body: errBody }
       )
     }
 
@@ -347,9 +347,9 @@ export class ActivityPubClient {
     )
     if ([400, 401, 403].includes(res.status) &&
         lastPolicy === SignaturePolicyStorage.RFC9421) {
-      const body = await res.text()
+      const errBody = await res.text()
       this.#logger.debug(
-        { url, status: res.status, body, headers: res.headers },
+        { url, status: res.status, body: errBody, headers: res.headers },
         'Authentication error; retrying with draft-cavage-12 signature'
       )
       lastPolicy = SignaturePolicyStorage.DRAFT_CAVAGE_12
@@ -371,15 +371,15 @@ export class ActivityPubClient {
     await this.#throttler.update(hostname, res.headers)
     this.#logger.debug({ url }, 'Done fetching POST')
     if (res.status < 200 || res.status > 299) {
-      const body = await res.text()
+      const errBody = await res.text()
       this.#logger.debug(
-        { url, status: res.status, body, headers: res.headers },
+        { url, status: res.status, body: errBody, headers: res.headers },
         'Error posting to url'
       )
       throw new ActivityPubClientError(
         res.status,
         `Could not post to ${url}`,
-        { url, method, headers: res.headers, body }
+        { url, method, headers: res.headers, body: errBody }
       )
     }
     // Only cache draft-cavage-12 (i.e. the degraded fallback). Caching

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evanp/activitypub-bot",
-  "version": "0.43.1",
+  "version": "0.43.2",
   "description": "server-side ActivityPub bot framework",
   "type": "module",
   "main": "lib/index.js",