@fedify/fedify 1.3.21 → 1.3.22

package/CHANGES.md

@@ -3,6 +3,19 @@
 Fedify changelog
 ================
 
+Version 1.3.22
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where `verifyRequest()` function threw a `TypeError` when
+    verifying HTTP Signatures with `created` or `expires` fields in
+    the `Signature` header as defined in draft-cavage-http-signatures-12,
+    causing `500 Internal Server Error` responses in inbox handlers.
+    Now it correctly handles these fields as unquoted integers according
+    to the specification.
+
+
 Version 1.3.21
 --------------
 
@@ -394,6 +407,19 @@ Released on November 30, 2024.
 [#193]: https://github.com/fedify-dev/fedify/issues/193
 
 
+Version 1.2.25
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where `verifyRequest()` function threw a `TypeError` when
+    verifying HTTP Signatures with `created` or `expires` fields in
+    the `Signature` header as defined in draft-cavage-http-signatures-12,
+    causing `500 Internal Server Error` responses in inbox handlers.
+    Now it correctly handles these fields as unquoted integers according
+    to the specification.
+
+
 Version 1.2.24
 --------------
 
@@ -818,6 +844,19 @@ Released on October 31, 2024.
 [#118]: https://github.com/fedify-dev/fedify/issues/118
 
 
+Version 1.1.25
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where `verifyRequest()` function threw a `TypeError` when
+    verifying HTTP Signatures with `created` or `expires` fields in
+    the `Signature` header as defined in draft-cavage-http-signatures-12,
+    causing `500 Internal Server Error` responses in inbox handlers.
+    Now it correctly handles these fields as unquoted integers according
+    to the specification.
+
+
 Version 1.1.24
 --------------
 
@@ -1283,6 +1322,19 @@ Released on October 20, 2024.
 [#150]: https://github.com/fedify-dev/fedify/issues/150
 
 
+Version 1.0.28
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where `verifyRequest()` function threw a `TypeError` when
+    verifying HTTP Signatures with `created` or `expires` fields in
+    the `Signature` header as defined in draft-cavage-http-signatures-12,
+    causing `500 Internal Server Error` responses in inbox handlers.
+    Now it correctly handles these fields as unquoted integers according
+    to the specification.
+
+
 Version 1.0.27
 --------------
 

package/esm/deno.js

@@ -1,6 +1,6 @@
 export default {
     "name": "@fedify/fedify",
-    "version": "1.3.21",
+    "version": "1.3.22",
     "license": "MIT",
     "exports": {
         ".": "./mod.ts",

package/esm/sig/http.js

@@ -221,7 +221,7 @@ async function verifyRequestInternal(request, span, { documentLoader, contextLoa
             return null;
         }
     }
-    const sigValues = Object.fromEntries(sigHeader.split(",").map((pair) => pair.match(/^\s*([A-Za-z]+)="([^"]*)"\s*$/)).filter((m) => m != null).map((m) => m.slice(1, 3)));
+    const sigValues = Object.fromEntries(sigHeader.split(",").map((pair) => pair.match(/^\s*([A-Za-z]+)=(?:"([^"]*)"|(\d+))\s*$/)).filter((m) => m != null).map((m) => [m[1], m[2] ?? m[3]]));
     if (!("keyId" in sigValues)) {
         logger.debug("Failed to verify; no keyId field found in the Signature header.", { signature: sigHeader });
         return null;
@@ -234,6 +234,41 @@ async function verifyRequestInternal(request, span, { documentLoader, contextLoa
         logger.debug("Failed to verify; no signature field found in the Signature header.", { signature: sigHeader });
         return null;
     }
+    if ("expires" in sigValues) {
+        const expiresSeconds = parseInt(sigValues.expires);
+        if (!Number.isInteger(expiresSeconds)) {
+            logger.debug("Failed to verify; invalid expires field in the Signature header: {expires}.", { expires: sigValues.expires, signature: sigHeader });
+            return null;
+        }
+        const expires = dntShim.Temporal.Instant.fromEpochMilliseconds(expiresSeconds * 1000);
+        if (dntShim.Temporal.Instant.compare(now, expires) > 0) {
+            logger.debug("Failed to verify; signature expired at {expires} (now: {now}).", {
+                expires: expires.toString(),
+                now: now.toString(),
+                signature: sigHeader,
+            });
+            return null;
+        }
+    }
+    if ("created" in sigValues) {
+        const createdSeconds = parseInt(sigValues.created);
+        if (!Number.isInteger(createdSeconds)) {
+            logger.debug("Failed to verify; invalid created field in the Signature header: {created}.", { created: sigValues.created, signature: sigHeader });
+            return null;
+        }
+        if (timeWindow !== false) {
+            const created = dntShim.Temporal.Instant.fromEpochMilliseconds(createdSeconds * 1000);
+            const tw = timeWindow ?? { minutes: 1 };
+            if (dntShim.Temporal.Instant.compare(created, now.add(tw)) > 0) {
+                logger.debug("Failed to verify; created is too far in the future.", { created: created.toString(), now: now.toString() });
+                return null;
+            }
+            else if (dntShim.Temporal.Instant.compare(created, now.subtract(tw)) < 0) {
+                logger.debug("Failed to verify; created is too far in the past.", { created: created.toString(), now: now.toString() });
+                return null;
+            }
+        }
+    }
     const { keyId, headers, signature } = sigValues;
     span?.setAttribute("http_signatures.key_id", keyId);
     if ("algorithm" in sigValues) {
@@ -259,11 +294,15 @@ async function verifyRequestInternal(request, span, { documentLoader, contextLoa
         return null;
     }
     const message = headerNames.map((name) => `${name}: ` +
-        (name == "(request-target)"
+        (name === "(request-target)"
             ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}`
-            : name == "host"
-                ? request.headers.get("host") ?? new URL(request.url).host
-                : request.headers.get(name))).join("\n");
+            : name === "(created)"
+                ? (sigValues.created ?? "")
+                : name === "(expires)"
+                    ? (sigValues.expires ?? "")
+                    : name === "host"
+                        ? request.headers.get("host") ?? new URL(request.url).host
+                        : request.headers.get(name))).join("\n");
     const sig = decodeBase64(signature);
     span?.setAttribute("http_signatures.signature", encodeHex(sig));
     // TODO: support other than RSASSA-PKCS1-v1_5:

package/esm/testing/fixtures/oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd

@@ -0,0 +1,24 @@
+{
+  "@context": [
+    "https://www.w3.org/ns/activitystreams",
+    "https://w3id.org/security/v1"
+  ],
+  "id": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd",
+  "type": "Person",
+  "preferredUsername": "hongminhee",
+  "name": "洪兔",
+  "inbox": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd/inbox",
+  "outbox": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd/outbox",
+  "publicKey": {
+    "id": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd#main-key",
+    "owner": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd",
+    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAowJfOzpA/nAYyL0bVDTm\niCAOlhFCIBnqwk1jvGrbkDhMzxlsgyoDqUSlmcJdKaPwu24YdFajDtJIgto27Ju7\nIC3hB7OFchnZ4JZrdYFo7CJABOzK58o12sdmmkCdY5hXWf1604E+mzyIdBAJ1FFJ\nL8vP07VEUsZ7yo9x0iVNg7HpCOK+y6BqI2GHS2dq9qkqQEIhC2TKHXn/RQVXwYB6\nG+YQmVUtcsbCVKdcWyTKhItLRGnepu3BqBSbieLxV27B1O9NFSoPu8xiBUnYwMoe\nsUQCE5tGcqxc75HzcVCbq7PqVqHZ1NW9RYssaSUqi4FYcjXxQrR08DrAl8rR4eXT\n4QIDAQAB\n-----END PUBLIC KEY-----\n"
+  },
+  "endpoints": {
+    "type": "as:Endpoints",
+    "sharedInbox": "https://oeee.cafe/inbox"
+  },
+  "followers": "https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd/followers",
+  "manuallyApprovesFollowers": false,
+  "url": "https://oeee.cafe/@hongminhee"
+}