@fedify/fedify 1.2.24 → 1.2.25

package/CHANGES.md

@@ -3,6 +3,19 @@
 Fedify changelog
 ================
 
+Version 1.2.25
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where `verifyRequest()` function threw a `TypeError` when
+    verifying HTTP Signatures with `created` or `expires` fields in
+    the `Signature` header as defined in draft-cavage-http-signatures-12,
+    causing `500 Internal Server Error` responses in inbox handlers.
+    Now it correctly handles these fields as unquoted integers according
+    to the specification.
+
+
 Version 1.2.24
 --------------
 
@@ -427,6 +440,19 @@ Released on October 31, 2024.
 [#118]: https://github.com/dahlia/fedify/issues/118
 
 
+Version 1.1.25
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where `verifyRequest()` function threw a `TypeError` when
+    verifying HTTP Signatures with `created` or `expires` fields in
+    the `Signature` header as defined in draft-cavage-http-signatures-12,
+    causing `500 Internal Server Error` responses in inbox handlers.
+    Now it correctly handles these fields as unquoted integers according
+    to the specification.
+
+
 Version 1.1.24
 --------------
 
@@ -892,6 +918,19 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
 
 
+Version 1.0.28
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where `verifyRequest()` function threw a `TypeError` when
+    verifying HTTP Signatures with `created` or `expires` fields in
+    the `Signature` header as defined in draft-cavage-http-signatures-12,
+    causing `500 Internal Server Error` responses in inbox handlers.
+    Now it correctly handles these fields as unquoted integers according
+    to the specification.
+
+
 Version 1.0.27
 --------------
 

package/esm/sig/http.js

@@ -150,7 +150,7 @@ export async function verifyRequest(request, { documentLoader, contextLoader, ti
             return null;
         }
     }
-    const sigValues = Object.fromEntries(sigHeader.split(",").map((pair) => pair.match(/^\s*([A-Za-z]+)="([^"]*)"\s*$/)).filter((m) => m != null).map((m) => m.slice(1, 3)));
+    const sigValues = Object.fromEntries(sigHeader.split(",").map((pair) => pair.match(/^\s*([A-Za-z]+)=(?:"([^"]*)"|(\d+))\s*$/)).filter((m) => m != null).map((m) => [m[1], m[2] ?? m[3]]));
     if (!("keyId" in sigValues)) {
         logger.debug("Failed to verify; no keyId field found in the Signature header.", { signature: sigHeader });
         return null;
@@ -163,6 +163,41 @@ export async function verifyRequest(request, { documentLoader, contextLoader, ti
         logger.debug("Failed to verify; no signature field found in the Signature header.", { signature: sigHeader });
         return null;
     }
+    if ("expires" in sigValues) {
+        const expiresSeconds = parseInt(sigValues.expires);
+        if (!Number.isInteger(expiresSeconds)) {
+            logger.debug("Failed to verify; invalid expires field in the Signature header: {expires}.", { expires: sigValues.expires, signature: sigHeader });
+            return null;
+        }
+        const expires = dntShim.Temporal.Instant.fromEpochMilliseconds(expiresSeconds * 1000);
+        if (dntShim.Temporal.Instant.compare(now, expires) > 0) {
+            logger.debug("Failed to verify; signature expired at {expires} (now: {now}).", {
+                expires: expires.toString(),
+                now: now.toString(),
+                signature: sigHeader,
+            });
+            return null;
+        }
+    }
+    if ("created" in sigValues) {
+        const createdSeconds = parseInt(sigValues.created);
+        if (!Number.isInteger(createdSeconds)) {
+            logger.debug("Failed to verify; invalid created field in the Signature header: {created}.", { created: sigValues.created, signature: sigHeader });
+            return null;
+        }
+        if (timeWindow !== false) {
+            const created = dntShim.Temporal.Instant.fromEpochMilliseconds(createdSeconds * 1000);
+            const tw = timeWindow ?? { minutes: 1 };
+            if (dntShim.Temporal.Instant.compare(created, now.add(tw)) > 0) {
+                logger.debug("Failed to verify; created is too far in the future.", { created: created.toString(), now: now.toString() });
+                return null;
+            }
+            else if (dntShim.Temporal.Instant.compare(created, now.subtract(tw)) < 0) {
+                logger.debug("Failed to verify; created is too far in the past.", { created: created.toString(), now: now.toString() });
+                return null;
+            }
+        }
+    }
     const { keyId, headers, signature } = sigValues;
     const keyResult = await fetchKey(new URL(keyId), CryptographicKey, {
         documentLoader,
@@ -184,11 +219,15 @@ export async function verifyRequest(request, { documentLoader, contextLoader, ti
         return null;
     }
     const message = headerNames.map((name) => `${name}: ` +
-        (name == "(request-target)"
+        (name === "(request-target)"
             ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}`
-            : name == "host"
-                ? request.headers.get("host") ?? new URL(request.url).host
-                : request.headers.get(name))).join("\n");
+            : name === "(created)"
+                ? (sigValues.created ?? "")
+                : name === "(expires)"
+                    ? (sigValues.expires ?? "")
+                    : name === "host"
+                        ? request.headers.get("host") ?? new URL(request.url).host
+                        : request.headers.get(name))).join("\n");
     const sig = decodeBase64(signature);
     // TODO: support other than RSASSA-PKCS1-v1_5:
     const verified = await dntShim.crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, sig, new TextEncoder().encode(message));

package/esm/testing/fixtures/oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd

@@ -0,0 +1,24 @@
+{
+  "@context": [
+    "https://www.w3.org/ns/activitystreams",
+    "https://w3id.org/security/v1"
+  ],
+  "id": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd",
+  "type": "Person",
+  "preferredUsername": "hongminhee",
+  "name": "洪兔",
+  "inbox": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd/inbox",
+  "outbox": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd/outbox",
+  "publicKey": {
+    "id": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd#main-key",
+    "owner": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd",
+    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAowJfOzpA/nAYyL0bVDTm\niCAOlhFCIBnqwk1jvGrbkDhMzxlsgyoDqUSlmcJdKaPwu24YdFajDtJIgto27Ju7\nIC3hB7OFchnZ4JZrdYFo7CJABOzK58o12sdmmkCdY5hXWf1604E+mzyIdBAJ1FFJ\nL8vP07VEUsZ7yo9x0iVNg7HpCOK+y6BqI2GHS2dq9qkqQEIhC2TKHXn/RQVXwYB6\nG+YQmVUtcsbCVKdcWyTKhItLRGnepu3BqBSbieLxV27B1O9NFSoPu8xiBUnYwMoe\nsUQCE5tGcqxc75HzcVCbq7PqVqHZ1NW9RYssaSUqi4FYcjXxQrR08DrAl8rR4eXT\n4QIDAQAB\n-----END PUBLIC KEY-----\n"
+  },
+  "endpoints": {
+    "type": "as:Endpoints",
+    "sharedInbox": "https://oeee.cafe/inbox"
+  },
+  "followers": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd/followers",
+  "manuallyApprovesFollowers": false,
+  "url": "https://oeee.cafe/@hongminhee"
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "1.2.24",
+  "version": "1.2.25",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",

package/types/sig/http.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/sig/http.ts"],"names":[],"mappings":";;AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAI5C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAY,KAAK,QAAQ,EAAqB,MAAM,UAAU,CAAC;AAEtE;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,OAAO,EAChB,UAAU,EAAE,OAAO,CAAC,SAAS,EAC7B,KAAK,EAAE,GAAG,GACT,OAAO,CAAC,OAAO,CAAC,CA0ClB;AAQD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC;IAE/B;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,YAAY,GAAG,KAAK,CAAC;IAE/E;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;IAEvC;;;OAGG;IACH,QAAQ,CAAC,EAAE,QAAQ,CAAC;CACrB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,OAAO,EAChB,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,GAClE,oBAAyB,GAC1B,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAkNlC"}
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/sig/http.ts"],"names":[],"mappings":";;AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAI5C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAY,KAAK,QAAQ,EAAqB,MAAM,UAAU,CAAC;AAEtE;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,OAAO,EAChB,UAAU,EAAE,OAAO,CAAC,SAAS,EAC7B,KAAK,EAAE,GAAG,GACT,OAAO,CAAC,OAAO,CAAC,CA0ClB;AAQD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC;IAE/B;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,YAAY,GAAG,KAAK,CAAC;IAE/E;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;IAEvC;;;OAGG;IACH,QAAQ,CAAC,EAAE,QAAQ,CAAC;CACrB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,OAAO,EAChB,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,GAClE,oBAAyB,GAC1B,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CA6QlC"}