@fedify/fedify 0.10.0-dev.200 → 0.10.0-dev.203

package/CHANGES.md

@@ -95,6 +95,11 @@ To be released.
      -  Added `VerifyProofOptions` interface.
      -  Added `fetchKey()` function.
      -  Added `FetchKeyOptions` interface.
+     -  Added `SenderKeyPair` interface.
+     -  The type of `Federation.sendActivity()` method's first parameter became
+        `SenderKeyPair[]` (was `{ keyId: URL; privateKey: CryptoKey }`).
+     -  The `Context.sendActivity()` method's first parameter now accepts
+        `SenderKeyPair[]` as well.
 
  -  Added `context` option to `Object.toJsonLd()` method.  This applies to
     any subclasses of the `Object` class too.
@@ -123,6 +128,15 @@ To be released.
 [x-forwarded-fetch]: https://github.com/dahlia/x-forwarded-fetch
 
 
+Version 0.9.1
+-------------
+
+Released on June 13, 2024.
+
+ -  Fixed a bug of Activity Vocabulary API that `clone()` method of Vocabulary
+    classes had not cloned the `id` property from the source object.
+
+
 Version 0.9.0
 -------------
 

package/esm/federation/middleware.js

@@ -98,7 +98,7 @@ export class Federation {
     async #listenQueue(message) {
         const logger = getLogger(["fedify", "federation", "outbox"]);
         const logData = {
-            keyId: message.keyId,
+            keyIds: message.keys.map((pair) => pair.keyId),
             inbox: message.inbox,
             activity: message.activity,
             trial: message.trial,
@@ -106,16 +106,28 @@ export class Federation {
         };
         let activity = null;
         try {
-            const keyId = new URL(message.keyId);
-            const privateKey = await importJwk(message.privateKey, "private");
-            const documentLoader = this.#authenticatedDocumentLoaderFactory({ keyId, privateKey });
+            const keys = [];
+            let rsaKeyPair = null;
+            for (const { keyId, privateKey } of message.keys) {
+                const pair = {
+                    keyId: new URL(keyId),
+                    privateKey: await importJwk(privateKey, "private"),
+                };
+                if (rsaKeyPair == null &&
+                    pair.privateKey.algorithm.name === "RSASSA-PKCS1-v1_5") {
+                    rsaKeyPair = pair;
+                }
+                keys.push(pair);
+            }
+            const documentLoader = rsaKeyPair == null
+                ? this.#documentLoader
+                : this.#authenticatedDocumentLoaderFactory(rsaKeyPair);
             activity = await Activity.fromJsonLd(message.activity, {
                 documentLoader,
                 contextLoader: this.#contextLoader,
             });
             await sendActivity({
-                keyId,
-                privateKey,
+                keys,
                 activity,
                 inbox: new URL(message.inbox),
                 contextLoader: this.#contextLoader,
@@ -578,14 +590,20 @@ export class Federation {
      * Sends an activity to recipients' inboxes.  You would typically use
      * {@link Context.sendActivity} instead of this method.
      *
-     * @param sender The sender's key pair.
+     * @param keys The sender's key pairs.
      * @param recipients The recipients of the activity.
      * @param activity The activity to send.
      * @param options Options for sending the activity.
      * @throws {TypeError} If the activity to send does not have an actor.
      */
-    async sendActivity({ keyId, privateKey }, recipients, activity, { preferSharedInbox, immediate, excludeBaseUris, collectionSync } = {}) {
+    async sendActivity(keys, recipients, activity, { preferSharedInbox, immediate, excludeBaseUris, collectionSync } = {}) {
         const logger = getLogger(["fedify", "federation", "outbox"]);
+        if (keys.length < 1) {
+            throw new TypeError("The sender's keys must not be empty.");
+        }
+        for (const { privateKey } of keys) {
+            validateCryptoKey(privateKey, "private");
+        }
         if (activity.actorId == null) {
             logger.error("Activity {activityId} to send does not have an actor.", { activity, activityId: activity?.id?.href });
             throw new TypeError("The activity to send must have at least one actor property.");
@@ -596,7 +614,6 @@ export class Federation {
                 id: new URL(`urn:uuid:${dntShim.crypto.randomUUID()}`),
             });
         }
-        validateCryptoKey(privateKey, "private");
         const inboxes = extractInboxes({
             recipients: Array.isArray(recipients) ? recipients : [recipients],
             preferSharedInbox,
@@ -618,8 +635,7 @@ export class Federation {
             const promises = [];
             for (const inbox in inboxes) {
                 promises.push(sendActivity({
-                    keyId,
-                    privateKey,
+                    keys,
                     activity,
                     inbox: new URL(inbox),
                     contextLoader: this.#contextLoader,
@@ -632,15 +648,18 @@ export class Federation {
             return;
         }
         logger.debug("Enqueuing activity {activityId} to send later.", { activityId: activity.id?.href, activity });
-        const privateKeyJwk = await exportJwk(privateKey);
+        const keyJwkPairs = [];
+        for (const { keyId, privateKey } of keys) {
+            const privateKeyJwk = await exportJwk(privateKey);
+            keyJwkPairs.push({ keyId: keyId.href, privateKey: privateKeyJwk });
+        }
         const activityJson = await activity.toJsonLd({
             contextLoader: this.#contextLoader,
         });
         for (const inbox in inboxes) {
             const message = {
                 type: "outbox",
-                keyId: keyId.href,
-                privateKey: privateKeyJwk,
+                keys: keyJwkPairs,
                 activity: activityJson,
                 inbox,
                 trial: 0,
@@ -1053,16 +1072,21 @@ class ContextImpl {
         return this.#authenticatedDocumentLoaderFactory(identity);
     }
     async sendActivity(sender, recipients, activity, options = {}) {
-        let senderPair;
+        let keys;
         if ("handle" in sender) {
-            const keyPair = await this.getRsaKeyPairFromHandle(sender.handle);
-            if (keyPair == null) {
-                throw new Error(`No key pair found for actor ${sender.handle}`);
+            keys = await this.getKeyPairsFromHandle(this.#url, this.data, sender.handle);
+            if (keys.length < 1) {
+                throw new Error(`No key pair found for actor ${JSON.stringify(sender.handle)}.`);
+            }
+        }
+        else if (Array.isArray(sender)) {
+            if (sender.length < 1) {
+                throw new Error("The sender's key pairs are empty.");
             }
-            senderPair = keyPair;
+            keys = sender;
         }
         else {
-            senderPair = sender;
+            keys = [sender];
         }
         const opts = { ...options };
         let expandedRecipients;
@@ -1085,7 +1109,7 @@ class ContextImpl {
         else {
             expandedRecipients = [recipients];
         }
-        return await this.#federation.sendActivity(senderPair, expandedRecipients, activity, opts);
+        return await this.#federation.sendActivity(keys, expandedRecipients, activity, opts);
     }
     getFollowers(_handle) {
         throw new Error('"followers" recipients are not supported in Context.  ' +

package/esm/federation/send.js

@@ -1,5 +1,7 @@
 import { getLogger } from "@logtape/logtape";
 import { signRequest } from "../sig/http.js";
+import { validateCryptoKey } from "../sig/key.js";
+import { signObject } from "../sig/proof.js";
 /**
  * Extracts the inbox URLs from recipients.
  * @param parameters The parameters to extract the inboxes.
@@ -30,11 +32,40 @@ export function extractInboxes({ recipients, preferSharedInbox, excludeBaseUris
  *                   See also {@link SendActivityParameters}.
  * @throws {Error} If the activity fails to send.
  */
-export async function sendActivity({ activity, privateKey, keyId, inbox, contextLoader, headers, }) {
+export async function sendActivity({ activity, keys, inbox, contextLoader, documentLoader, headers, }) {
     const logger = getLogger(["fedify", "federation", "outbox"]);
+    if (activity.id == null) {
+        throw new TypeError("The activity to send must have an id.");
+    }
     if (activity.actorId == null) {
         throw new TypeError("The activity to send must have at least one actor property.");
     }
+    else if (keys.length < 1) {
+        throw new TypeError("The keys must not be empty.");
+    }
+    const activityId = activity.id.href;
+    let proofCreated = false;
+    for (const { keyId, privateKey } of keys) {
+        validateCryptoKey(privateKey, "private");
+        if (privateKey.algorithm.name === "Ed25519") {
+            activity = await signObject(activity, privateKey, keyId, {
+                documentLoader,
+                contextLoader,
+            });
+            proofCreated = true;
+        }
+    }
+    if (!proofCreated) {
+        logger.warn("No supported key found to create a proof for the activity {activityId}.  " +
+            "The activity will be sent without a proof.  " +
+            "In order to create a proof, at least one Ed25519 key must be provided.", {
+            activityId,
+            keys: keys.map((pair) => ({
+                keyId: pair.keyId.href,
+                privateKey: pair.privateKey,
+            })),
+        });
+    }
     const jsonLd = await activity.toJsonLd({ contextLoader });
     headers = new Headers(headers);
     headers.set("Content-Type", "application/activity+json");
@@ -43,7 +74,26 @@ export async function sendActivity({ activity, privateKey, keyId, inbox, context
         headers,
         body: JSON.stringify(jsonLd),
     });
-    request = await signRequest(request, privateKey, keyId);
+    let requestSigned = false;
+    for (const { privateKey, keyId } of keys) {
+        if (privateKey.algorithm.name === "RSASSA-PKCS1-v1_5") {
+            request = await signRequest(request, privateKey, keyId);
+            requestSigned = true;
+            break;
+        }
+    }
+    if (!requestSigned) {
+        logger.warn("No supported key found to sign the request to {inbox}.  " +
+            "The request will be sent without a signature.  " +
+            "In order to sign the request, at least one RSASSA-PKCS1-v1_5 key " +
+            "must be provided.", {
+            inbox: inbox.href,
+            keys: keys.map((pair) => ({
+                keyId: pair.keyId.href,
+                privateKey: pair.privateKey,
+            })),
+        });
+    }
     const response = await fetch(request);
     if (!response.ok) {
         let error;
@@ -55,13 +105,13 @@ export async function sendActivity({ activity, privateKey, keyId, inbox, context
         }
         logger.error("Failed to send activity {activityId} to {inbox} ({status} " +
             "{statusText}):\n{error}", {
-            activityId: activity.id?.href,
+            activityId,
             inbox: inbox.href,
             status: response.status,
             statusText: response.statusText,
             error,
         });
-        throw new Error(`Failed to send activity ${activity?.id?.href} to ${inbox.href} ` +
+        throw new Error(`Failed to send activity ${activityId} to ${inbox.href} ` +
             `(${response.status} ${response.statusText}):\n${error}`);
     }
 }

package/esm/sig/proof.js

@@ -0,0 +1,182 @@
+import * as dntShim from "../_dnt.shims.js";
+// @ts-ignore: json-canon is not typed
+import serialize from "json-canon";
+import { DataIntegrityProof, Object } from "../vocab/vocab.js";
+import { fetchKey, validateCryptoKey } from "./key.js";
+import { Activity, Multikey } from "../vocab/mod.js";
+import { getLogger } from "@logtape/logtape";
+const logger = getLogger(["fedify", "sig", "proof"]);
+/**
+ * Creates a proof for the given object.
+ * @param object The object to create a proof for.
+ * @param privateKey The private key to sign the proof with.
+ * @param keyId The key ID to use in the proof. It will be used by the verifier.
+ * @param options Additional options.  See also {@link CreateProofOptions}.
+ * @returns The created proof.
+ * @throws {TypeError} If the private key is invalid or unsupported.
+ * @since 0.10.0
+ */
+export async function createProof(object, privateKey, keyId, { contextLoader, context, created } = {}) {
+    validateCryptoKey(privateKey, "private");
+    if (privateKey.algorithm.name !== "Ed25519") {
+        throw new TypeError("Unsupported algorithm: " + privateKey.algorithm.name);
+    }
+    const objectWithoutProofs = object.clone({ proofs: [] });
+    const compactMsg = await objectWithoutProofs.toJsonLd({
+        contextLoader,
+        context,
+    });
+    const msgCanon = serialize(compactMsg);
+    const encoder = new TextEncoder();
+    const msgBytes = encoder.encode(msgCanon);
+    const msgDigest = await dntShim.crypto.subtle.digest("SHA-256", msgBytes);
+    created ??= dntShim.Temporal.Now.instant();
+    const proofConfig = {
+        // The below commented out line is needed according to section 3.3.1 of
+        // the Data Integrity EdDSA Cryptosuites v1.0 spec, the FEP-8b32 spec does
+        // not reflect this step; however, the FEP-8b32 spec will be updated to
+        // be consistent with the Data Integrity EdDSA Cryptosuites v1.0 spec
+        // some time soon.  Before that happens, the below line is commented out.
+        // See also: https://socialhub.activitypub.rocks/t/fep-8b32-object-integrity-proofs/2725/91?u=hongminhee
+        // "@context": (compactMsg as any)["@context"],
+        type: "DataIntegrityProof",
+        cryptosuite: "eddsa-jcs-2022",
+        verificationMethod: keyId.href,
+        proofPurpose: "assertionMethod",
+        created: created.toString(),
+    };
+    const proofCanon = serialize(proofConfig);
+    const proofBytes = encoder.encode(proofCanon);
+    const proofDigest = await dntShim.crypto.subtle.digest("SHA-256", proofBytes);
+    const digest = new Uint8Array(proofDigest.byteLength + msgDigest.byteLength);
+    digest.set(new Uint8Array(proofDigest), 0);
+    digest.set(new Uint8Array(msgDigest), proofDigest.byteLength);
+    const sig = await dntShim.crypto.subtle.sign("Ed25519", privateKey, digest);
+    return new DataIntegrityProof({
+        cryptosuite: "eddsa-jcs-2022",
+        verificationMethod: keyId,
+        proofPurpose: "assertionMethod",
+        created: created ?? dntShim.Temporal.Now.instant(),
+        proofValue: new Uint8Array(sig),
+    });
+}
+/**
+ * Signs the given object with the private key and returns the signed object.
+ * @param object The object to create a proof for.
+ * @param privateKey The private key to sign the proof with.
+ * @param keyId The key ID to use in the proof. It will be used by the verifier.
+ * @param options Additional options.  See also {@link SignObjectOptions}.
+ * @returns The signed object.
+ * @throws {TypeError} If the private key is invalid or unsupported.
+ * @since 0.10.0
+ */
+export async function signObject(object, privateKey, keyId, options = {}) {
+    const existingProofs = [];
+    for await (const proof of object.getProofs(options)) {
+        existingProofs.push(proof);
+    }
+    const proof = await createProof(object, privateKey, keyId, options);
+    return object.clone({ proofs: [...existingProofs, proof] });
+}
+/**
+ * Verifies the given proof for the object.
+ * @param jsonLd The JSON-LD object to verify the proof for.  If it contains
+ *               any proofs, they will be ignored.
+ * @param proof The proof to verify.
+ * @param options Additional options.  See also {@link VerifyProofOptions}.
+ * @returns The public key that was used to sign the proof, or `null` if the
+ *          proof is invalid.
+ * @since 0.10.0
+ */
+export async function verifyProof(jsonLd, proof, options = {}) {
+    if (typeof jsonLd !== "object" ||
+        proof.cryptosuite !== "eddsa-jcs-2022" ||
+        proof.verificationMethodId == null ||
+        proof.proofPurpose !== "assertionMethod" ||
+        proof.proofValue == null ||
+        proof.created == null)
+        return null;
+    const publicKeyPromise = fetchKey(proof.verificationMethodId, Multikey, options);
+    const proofConfig = {
+        // The below commented out line is needed according to section 3.3.1 of
+        // the Data Integrity EdDSA Cryptosuites v1.0 spec, the FEP-8b32 spec does
+        // not reflect this step; however, the FEP-8b32 spec will be updated to
+        // be consistent with the Data Integrity EdDSA Cryptosuites v1.0 spec
+        // some time soon.  Before that happens, the below line is commented out.
+        // See also: https://socialhub.activitypub.rocks/t/fep-8b32-object-integrity-proofs/2725/91?u=hongminhee
+        // "@context": (jsonLd as any)["@context"],
+        type: "DataIntegrityProof",
+        cryptosuite: proof.cryptosuite,
+        verificationMethod: proof.verificationMethodId.href,
+        proofPurpose: proof.proofPurpose,
+        created: proof.created.toString(),
+    };
+    const proofCanon = serialize(proofConfig);
+    const encoder = new TextEncoder();
+    const proofBytes = encoder.encode(proofCanon);
+    const proofDigest = await dntShim.crypto.subtle.digest("SHA-256", proofBytes);
+    const msg = { ...jsonLd };
+    if ("proof" in msg)
+        delete msg.proof;
+    const msgCanon = serialize(msg);
+    const msgBytes = encoder.encode(msgCanon);
+    const msgDigest = await dntShim.crypto.subtle.digest("SHA-256", msgBytes);
+    const digest = new Uint8Array(proofDigest.byteLength + msgDigest.byteLength);
+    digest.set(new Uint8Array(proofDigest), 0);
+    digest.set(new Uint8Array(msgDigest), proofDigest.byteLength);
+    let publicKey;
+    try {
+        publicKey = await publicKeyPromise;
+    }
+    catch (error) {
+        logger.debug("Failed to get the key (verificationMethod) for the proof:\n{proof}", { proof, error });
+        return null;
+    }
+    if (publicKey == null || publicKey.publicKey.algorithm.name !== "Ed25519") {
+        logger.debug("The key (verificationMethod) for the proof is not a valid Ed25519 " +
+            "key:\n{keyId}", { proof, keyId: proof.verificationMethodId.href });
+        return null;
+    }
+    const verified = await dntShim.crypto.subtle.verify("Ed25519", publicKey.publicKey, proof.proofValue, digest);
+    if (!verified) {
+        logger.debug("The proof's signature is invalid.", { proof });
+        return null;
+    }
+    return publicKey;
+}
+/**
+ * Verifies the given object.  It will verify all the proofs in the object,
+ * and succeed only if all the proofs are valid and all attributions and
+ * actors are authenticated by the proofs.
+ * @param jsonLd The JSON-LD object to verify.  It's assumed that the object
+ *               is a compacted JSON-LD representation of an {@link Object}
+ *               with `@context`.
+ * @param options Additional options.  See also {@link VerifyObjectOptions}.
+ * @returns The object if it's verified, or `null` if it's not.
+ * @throws {TypeError} If the object is invalid or unsupported.
+ * @since 0.10.0
+ */
+export async function verifyObject(jsonLd, options = {}) {
+    const logger = getLogger(["fedify", "sig", "proof"]);
+    const object = await Object.fromJsonLd(jsonLd, options);
+    const attributions = new Set(object.attributionIds.map((uri) => uri.href));
+    if (object instanceof Activity) {
+        for (const uri of object.actorIds)
+            attributions.add(uri.href);
+    }
+    for await (const proof of object.getProofs(options)) {
+        const key = await verifyProof(jsonLd, proof, options);
+        if (key === null)
+            return null;
+        if (key.controllerId == null) {
+            logger.debug("Key {keyId} does not have a controller.", { keyId: key.id?.href });
+            continue;
+        }
+        attributions.delete(key.controllerId.href);
+    }
+    if (attributions.size > 0) {
+        logger.debug("Some attributions are not authenticated by the proofs: {attributions}.", { attributions: [...attributions] });
+        return null;
+    }
+    return object;
+}

package/esm/vocab/vocab.js

@@ -288,7 +288,7 @@ export class Object {
      */
     clone(values = {}, options = {}) {
         // @ts-ignore: this.constructor is not recognized as a constructor, but it is.
-        const clone = new this.constructor({ id: values.id }, options);
+        const clone = new this.constructor({ id: values.id ?? this.id }, options);
         clone.#_49BipA5dq9eoH8LX8xdsVumveTca = this.#_49BipA5dq9eoH8LX8xdsVumveTca;
         if ("attachments" in values && values.attachments != null) {
             clone.#_49BipA5dq9eoH8LX8xdsVumveTca = values.attachments;
@@ -3625,7 +3625,7 @@ export class PropertyValue {
      */
     clone(values = {}, options = {}) {
         // @ts-ignore: this.constructor is not recognized as a constructor, but it is.
-        const clone = new this.constructor({ id: values.id }, options);
+        const clone = new this.constructor({ id: values.id ?? this.id }, options);
         clone.#_4ZHbBuK7PrsvGgrjM8wgc6KMWjav = this.#_4ZHbBuK7PrsvGgrjM8wgc6KMWjav;
         if ("name" in values && values.name != null) {
             clone.#_4ZHbBuK7PrsvGgrjM8wgc6KMWjav = [values.name];
@@ -3867,7 +3867,7 @@ export class DataIntegrityProof {
      */
     clone(values = {}, options = {}) {
         // @ts-ignore: this.constructor is not recognized as a constructor, but it is.
-        const clone = new this.constructor({ id: values.id }, options);
+        const clone = new this.constructor({ id: values.id ?? this.id }, options);
         clone.#_3RurJsa7tnptyqMFR5hDGcP9pMs5 = this.#_3RurJsa7tnptyqMFR5hDGcP9pMs5;
         if ("cryptosuite" in values && values.cryptosuite != null) {
             clone.#_3RurJsa7tnptyqMFR5hDGcP9pMs5 = [values.cryptosuite];
@@ -4235,7 +4235,7 @@ export class CryptographicKey {
      */
     clone(values = {}, options = {}) {
         // @ts-ignore: this.constructor is not recognized as a constructor, but it is.
-        const clone = new this.constructor({ id: values.id }, options);
+        const clone = new this.constructor({ id: values.id ?? this.id }, options);
         clone.#_5UJq9NDh3ZHgswFwwdVxQvJxdx2 = this.#_5UJq9NDh3ZHgswFwwdVxQvJxdx2;
         if ("owner" in values && values.owner != null) {
             clone.#_5UJq9NDh3ZHgswFwwdVxQvJxdx2 = [values.owner];
@@ -4543,7 +4543,7 @@ export class Multikey {
      */
     clone(values = {}, options = {}) {
         // @ts-ignore: this.constructor is not recognized as a constructor, but it is.
-        const clone = new this.constructor({ id: values.id }, options);
+        const clone = new this.constructor({ id: values.id ?? this.id }, options);
         clone.#_2yr3eUBTP6cNcyaxKzAXWjFsnGzN = this.#_2yr3eUBTP6cNcyaxKzAXWjFsnGzN;
         if ("controller" in values && values.controller != null) {
             clone.#_2yr3eUBTP6cNcyaxKzAXWjFsnGzN = [values.controller];
@@ -9103,7 +9103,7 @@ export class Endpoints {
      */
     clone(values = {}, options = {}) {
         // @ts-ignore: this.constructor is not recognized as a constructor, but it is.
-        const clone = new this.constructor({ id: values.id }, options);
+        const clone = new this.constructor({ id: values.id ?? this.id }, options);
         clone.#_2JCYDbSxEHCCLdBYed33cCETfGyR = this.#_2JCYDbSxEHCCLdBYed33cCETfGyR;
         if ("proxyUrl" in values && values.proxyUrl != null) {
             clone.#_2JCYDbSxEHCCLdBYed33cCETfGyR = [values.proxyUrl];
@@ -11120,7 +11120,7 @@ export class Link {
      */
     clone(values = {}, options = {}) {
         // @ts-ignore: this.constructor is not recognized as a constructor, but it is.
-        const clone = new this.constructor({ id: values.id }, options);
+        const clone = new this.constructor({ id: values.id ?? this.id }, options);
         clone.#_pVjLsybKQdmkjuU7MHjiVmNnuj7 = this.#_pVjLsybKQdmkjuU7MHjiVmNnuj7;
         if ("href" in values && values.href != null) {
             clone.#_pVjLsybKQdmkjuU7MHjiVmNnuj7 = [values.href];

package/esm/webfinger/handler.js

@@ -7,10 +7,8 @@ import { Link as LinkObject } from "../vocab/mod.js";
  * @returns The response to the request.
  */
 export async function handleWebFinger(request, { context, actorDispatcher, onNotFound, }) {
-    if (actorDispatcher == null) {
-        const response = onNotFound(request);
-        return response instanceof Promise ? await response : response;
-    }
+    if (actorDispatcher == null)
+        return await onNotFound(request);
     const resource = context.url.searchParams.get("resource");
     if (resource == null) {
         return new Response("Missing resource parameter.", { status: 400 });
@@ -30,20 +28,16 @@ export async function handleWebFinger(request, { context, actorDispatcher, onNot
     if (uriParsed?.type != "actor") {
         const match = /^acct:([^@]+)@([^@]+)$/.exec(resource);
         if (match == null || match[2] != context.url.host) {
-            const response = onNotFound(request);
-            return response instanceof Promise ? await response : response;
+            return await onNotFound(request);
         }
         handle = match[1];
     }
     else {
         handle = uriParsed.handle;
     }
-    const key = await context.getActorKey(handle);
-    const actor = await actorDispatcher(context, handle, key);
-    if (actor == null) {
-        const response = onNotFound(request);
-        return response instanceof Promise ? await response : response;
-    }
+    const actor = await context.getActor(handle);
+    if (actor == null)
+        return await onNotFound(request);
     const links = [
         {
             rel: "self",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "0.10.0-dev.200+e581ce37",
+  "version": "0.10.0-dev.203+43162fc2",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",
@@ -85,6 +85,7 @@
     "@logtape/logtape": "^0.4.0",
     "@phensley/language-tag": "^1.8.0",
     "asn1js": "^3.0.5",
+    "json-canon": "^1.0.1",
     "jsonld": "^8.3.2",
     "multibase": "^4.0.6",
     "multicodec": "^3.2.1",
@@ -100,8 +101,7 @@
     "@types/node": "^20.9.0",
     "picocolors": "^1.0.0",
     "@cfworker/json-schema": "^1.12.8",
-    "fast-check": "^3.18.0",
-    "json-canon": "^1.0.1"
+    "fast-check": "^3.18.0"
   },
   "_generatedBy": "dnt@dev"
 }

package/types/federation/context.d.ts

@@ -4,6 +4,7 @@ import * as dntShim from "../_dnt.shims.js";
 import type { DocumentLoader } from "../runtime/docloader.js";
 import type { Actor, Recipient } from "../vocab/actor.js";
 import type { Activity, CryptographicKey, Multikey, Object } from "../vocab/mod.js";
+import type { SenderKeyPair } from "./send.js";
 /**
  * A context.
  */
@@ -138,15 +139,12 @@ export interface Context<TContextData> {
     }): DocumentLoader;
     /**
      * Sends an activity to recipients' inboxes.
-     * @param sender The sender's handle or the sender's key pair.
+     * @param sender The sender's handle or the sender's key pair(s).
      * @param recipients The recipients of the activity.
      * @param activity The activity to send.
      * @param options Options for sending the activity.
      */
-    sendActivity(sender: {
-        keyId: URL;
-        privateKey: dntShim.CryptoKey;
-    } | {
+    sendActivity(sender: SenderKeyPair | SenderKeyPair[] | {
         handle: string;
     }, recipients: Recipient | Recipient[], activity: Activity, options?: SendActivityOptions): Promise<void>;
 }
@@ -212,15 +210,12 @@ export interface RequestContext<TContextData> extends Context<TContextData> {
     getSignedKeyOwner(): Promise<Actor | null>;
     /**
      * Sends an activity to recipients' inboxes.
-     * @param sender The sender's handle or the sender's key pair.
+     * @param sender The sender's handle or the sender's key pair(s).
      * @param recipients The recipients of the activity.
      * @param activity The activity to send.
      * @param options Options for sending the activity.
      */
-    sendActivity(sender: {
-        keyId: URL;
-        privateKey: dntShim.CryptoKey;
-    } | {
+    sendActivity(sender: SenderKeyPair | SenderKeyPair[] | {
         handle: string;
     }, recipients: Recipient | Recipient[], activity: Activity, options?: SendActivityOptions): Promise<void>;
     /**

package/types/federation/context.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../../src/federation/context.ts"],"names":[],"mappings":";;AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,KAAK,EACV,QAAQ,EACR,gBAAgB,EAChB,QAAQ,EACR,MAAM,EACP,MAAM,iBAAiB,CAAC;AAEzB;;GAEG;AACH,MAAM,WAAW,OAAO,CAAC,YAAY;IACnC;;OAEG;IACH,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAE5B;;OAEG;IACH,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IAExC;;OAEG;IACH,QAAQ,CAAC,aAAa,EAAE,cAAc,CAAC;IAEvC;;;;;OAKG;IACH,cAAc,IAAI,GAAG,CAAC;IAEtB;;;;;OAKG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IAEjC;;;;;;;;OAQG;IACH,YAAY,CAAC,OAAO,SAAS,MAAM,EAEjC,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC7B,GAAG,CAAC;IAEP;;;;;OAKG;IACH,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IAElC;;;;OAIG;IACH,WAAW,IAAI,GAAG,CAAC;IAEnB;;;;;OAKG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IAEjC;;;;;OAKG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IAErC;;;;;OAKG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IAErC;;;;OAIG;IACH,QAAQ,CAAC,GAAG,EAAE,GAAG,GAAG,cAAc,GAAG,IAAI,CAAC;IAE1C;;;;;OAKG;IACH,qBAAqB,CAAC,QAAQ,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAAC;IAEpD;;;;;OAKG;IACH,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;IAE1D;;;;;;OAMG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;IAE9D;;;;;;;;;;OAUG;IACH,iBAAiB,CAAC,QAAQ,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IAEzE;;;;;;;;;OASG;IACH,iBAAiB,CACf,QAAQ,EAAE;QAAE,KAAK,EAAE,GAAG,CAAC;QAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;KAAE,GACtD,cAAc,CAAC;IAElB;;;;;;OAMG;IACH,YAAY,CACV,MAAM,EAAE;QAAE,KAAK,EAAE,GAAG,CAAC;QAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;KAAE,GAAG;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,EAC1E,UAAU,EAAE,SAAS,GAAG,SAAS,EAAE,EACnC,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc,CAAC,YAAY,CAAE,SAAQ,OAAO,CAAC,YAAY,CAAC;IACzE;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAE1B;;OAEG;IACH,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC;IAElB;;;;;;OAMG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAEhD;;;;;;;;;OASG;IACH,SAAS,CAAC,OAAO,SAAS,MAAM,EAE9B,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC7B,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAE3B;;;;;;;;;;;OAWG;IACH,YAAY,IAAI,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;IAEjD;;;;;;;;;;;;OAYG;IACH,iBAAiB,IAAI,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAE3C;;;;;;OAMG;IACH,YAAY,CACV,MAAM,EAAE;QAAE,KAAK,EAAE,GAAG,CAAC;QAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;KAAE,GAAG;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,EAC1E,UAAU,EAAE,SAAS,GAAG,SAAS,EAAE,EACnC,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;;;;;;OAQG;IACH,YAAY,CACV,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,EAC1B,UAAU,EAAE,WAAW,EACvB,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,cAAc;AACxB;;GAEG;AACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE;AACnC;;GAEG;GACD;IACA,IAAI,EAAE,QAAQ,CAAC;IAEf,KAAK,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,MAAM,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,CAAC;IAC1D,MAAM,EAAE,GAAG,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC;AACD;;;GAGG;GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE;AACpC;;GAEG;GACD;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE;AACpC;;GAEG;GACD;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE;AACvC;;GAEG;GACD;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE1C;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC;;OAEG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAE5B;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB;;;;;;;OAOG;IACH,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC;CACzB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAa,SAAQ,OAAO,CAAC,aAAa;IACzD;;OAEG;IACH,KAAK,EAAE,GAAG,CAAC;IAEX;;OAEG;IACH,gBAAgB,EAAE,gBAAgB,CAAC;IAEnC;;OAEG;IACH,QAAQ,EAAE,QAAQ,CAAC;CACpB"}
+{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../../src/federation/context.ts"],"names":[],"mappings":";;AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,KAAK,EACV,QAAQ,EACR,gBAAgB,EAChB,QAAQ,EACR,MAAM,EACP,MAAM,iBAAiB,CAAC;AACzB,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,OAAO,CAAC,YAAY;IACnC;;OAEG;IACH,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAE5B;;OAEG;IACH,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IAExC;;OAEG;IACH,QAAQ,CAAC,aAAa,EAAE,cAAc,CAAC;IAEvC;;;;;OAKG;IACH,cAAc,IAAI,GAAG,CAAC;IAEtB;;;;;OAKG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IAEjC;;;;;;;;OAQG;IACH,YAAY,CAAC,OAAO,SAAS,MAAM,EAEjC,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC7B,GAAG,CAAC;IAEP;;;;;OAKG;IACH,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IAElC;;;;OAIG;IACH,WAAW,IAAI,GAAG,CAAC;IAEnB;;;;;OAKG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IAEjC;;;;;OAKG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IAErC;;;;;OAKG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IAErC;;;;OAIG;IACH,QAAQ,CAAC,GAAG,EAAE,GAAG,GAAG,cAAc,GAAG,IAAI,CAAC;IAE1C;;;;;OAKG;IACH,qBAAqB,CAAC,QAAQ,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAAC;IAEpD;;;;;OAKG;IACH,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;IAE1D;;;;;;OAMG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;IAE9D;;;;;;;;;;OAUG;IACH,iBAAiB,CAAC,QAAQ,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IAEzE;;;;;;;;;OASG;IACH,iBAAiB,CACf,QAAQ,EAAE;QAAE,KAAK,EAAE,GAAG,CAAC;QAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;KAAE,GACtD,cAAc,CAAC;IAElB;;;;;;OAMG;IACH,YAAY,CACV,MAAM,EAAE,aAAa,GAAG,aAAa,EAAE,GAAG;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,EAC5D,UAAU,EAAE,SAAS,GAAG,SAAS,EAAE,EACnC,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc,CAAC,YAAY,CAAE,SAAQ,OAAO,CAAC,YAAY,CAAC;IACzE;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAE1B;;OAEG;IACH,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC;IAElB;;;;;;OAMG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAEhD;;;;;;;;;OASG;IACH,SAAS,CAAC,OAAO,SAAS,MAAM,EAE9B,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC7B,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAE3B;;;;;;;;;;;OAWG;IACH,YAAY,IAAI,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;IAEjD;;;;;;;;;;;;OAYG;IACH,iBAAiB,IAAI,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAE3C;;;;;;OAMG;IACH,YAAY,CACV,MAAM,EAAE,aAAa,GAAG,aAAa,EAAE,GAAG;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,EAC5D,UAAU,EAAE,SAAS,GAAG,SAAS,EAAE,EACnC,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;;;;;;OAQG;IACH,YAAY,CACV,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,EAC1B,UAAU,EAAE,WAAW,EACvB,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,cAAc;AACxB;;GAEG;AACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE;AACnC;;GAEG;GACD;IACA,IAAI,EAAE,QAAQ,CAAC;IAEf,KAAK,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,MAAM,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,CAAC;IAC1D,MAAM,EAAE,GAAG,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC;AACD;;;GAGG;GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE;AACpC;;GAEG;GACD;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE;AACpC;;GAEG;GACD;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE;AACvC;;GAEG;GACD;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE1C;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC;;OAEG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAE5B;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB;;;;;;;OAOG;IACH,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC;CACzB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAa,SAAQ,OAAO,CAAC,aAAa;IACzD;;OAEG;IACH,KAAK,EAAE,GAAG,CAAC;IAEX;;OAEG;IACH,gBAAgB,EAAE,gBAAgB,CAAC;IAEnC;;OAEG;IACH,QAAQ,EAAE,QAAQ,CAAC;CACpB"}

package/types/federation/middleware.d.ts

@@ -8,6 +8,7 @@ import type { ActorDispatcher, ActorKeyPairDispatcher, ActorKeyPairsDispatcher,
 import type { Context, RequestContext, SendActivityOptions } from "./context.js";
 import type { KvKey, KvStore } from "./kv.js";
 import type { MessageQueue } from "./mq.js";
+import { type SenderKeyPair } from "./send.js";
 /**
  * Parameters for initializing a {@link Federation} instance.
  */
@@ -346,16 +347,13 @@ export declare class Federation<TContextData> {
      * Sends an activity to recipients' inboxes.  You would typically use
      * {@link Context.sendActivity} instead of this method.
      *
-     * @param sender The sender's key pair.
+     * @param keys The sender's key pairs.
      * @param recipients The recipients of the activity.
      * @param activity The activity to send.
      * @param options Options for sending the activity.
      * @throws {TypeError} If the activity to send does not have an actor.
      */
-    sendActivity({ keyId, privateKey }: {
-        keyId: URL;
-        privateKey: dntShim.CryptoKey;
-    }, recipients: Recipient | Recipient[], activity: Activity, { preferSharedInbox, immediate, excludeBaseUris, collectionSync }?: SendActivityInternalOptions): Promise<void>;
+    sendActivity(keys: SenderKeyPair[], recipients: Recipient | Recipient[], activity: Activity, { preferSharedInbox, immediate, excludeBaseUris, collectionSync }?: SendActivityInternalOptions): Promise<void>;
     /**
      * Handles a request related to federation.  If a request is not related to
      * federation, the `onNotFound` or `onNotAcceptable` callback is called.