@fedify/fedify 1.6.7 → 1.6.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (67) hide show
  1. package/dist/{actor-fvEQljsh.js → actor-Bcs0hYb1.js} +179 -225
  2. package/dist/{actor-CJUOVkus.js → actor-XtK-8B6i.js} +3 -3
  3. package/dist/{authdocloader-sLr3_CKo.js → authdocloader-BOsOB7nI.js} +3 -3
  4. package/dist/{authdocloader-UN6bFYqE.js → authdocloader-BfXhfGGN.js} +3 -3
  5. package/dist/{builder-Dwwf9LZs.js → builder-BtoNoWx4.js} +3 -3
  6. package/dist/{client-BOQZYjsA.js → client-DfiRfarn.js} +1 -1
  7. package/dist/compat/transformers.test.js +17 -17
  8. package/dist/{context-B9H6ypbl.js → context-CTOs7_nl.js} +2 -2
  9. package/dist/{docloader-BpcD_SLO.js → docloader-DHsnjtrB.js} +1 -1
  10. package/dist/{docloader-D27WkV2-.js → docloader-DT61GYEC.js} +1 -1
  11. package/dist/{esm-CASHO3OR.js → esm-Db4De7AS.js} +5 -7
  12. package/dist/federation/builder.test.js +4 -4
  13. package/dist/federation/handler.test.js +77 -19
  14. package/dist/federation/inbox.test.js +3 -3
  15. package/dist/federation/keycache.test.js +3 -3
  16. package/dist/federation/middleware.test.js +19 -19
  17. package/dist/federation/mod.js +10 -10
  18. package/dist/federation/send.test.js +10 -10
  19. package/dist/{http-hhXcurBA.js → http-CsOXrx1b.js} +3 -3
  20. package/dist/{http-DEMqisx6.js → http-DY7ABMxV.js} +3 -3
  21. package/dist/{inbox-Dn9cGz72.js → inbox-G8JVL5Ne.js} +2 -2
  22. package/dist/{key-heR1cMpe.js → key-Bppy9mNu.js} +5 -5
  23. package/dist/{key-HZNzd-FS.js → key-Btb5k4lR.js} +3 -3
  24. package/dist/{key-Djjl3-NI.js → key-DS_OEdsO.js} +4 -4
  25. package/dist/{key-BS8tcPCt.js → key-DbchE9Xs.js} +2 -2
  26. package/dist/{keycache-DxrNxDV9.js → keycache-CounYPCT.js} +1 -1
  27. package/dist/{keys-cVHkVfkB.js → keys-CCsGIHDm.js} +1 -1
  28. package/dist/{ld-BHlSwz3F.js → ld-C5QomCTt.js} +3 -3
  29. package/dist/{lookup-DZ5JT-dZ.js → lookup-2j31uvvW.js} +3 -3
  30. package/dist/{lookup-d9KQSGH3.js → lookup-D-6fPBCB.js} +1 -1
  31. package/dist/{lookup-D1UwpzKL.js → lookup-DRz3cQ2q.js} +1 -1
  32. package/dist/{middleware-jYmGxpPU.js → middleware-BSWZF2bY.js} +24 -24
  33. package/dist/middleware-C_O2JGGb.js +33 -0
  34. package/dist/{middleware-DbABwSSq.js → middleware-EA-BBVH-.js} +29 -29
  35. package/dist/middleware-eyNnQzz_.js +17 -0
  36. package/dist/mod.js +10 -10
  37. package/dist/nodeinfo/client.test.js +3 -3
  38. package/dist/nodeinfo/handler.test.js +18 -18
  39. package/dist/nodeinfo/mod.js +2 -2
  40. package/dist/{owner-CY_4qryA.js → owner-BID7Mczj.js} +3 -3
  41. package/dist/{proof-ZOvHKN5-.js → proof-Cxepv82U.js} +3 -3
  42. package/dist/{proof-NEDLECyh.js → proof-DUknICkM.js} +3 -3
  43. package/dist/runtime/authdocloader.test.js +9 -9
  44. package/dist/runtime/docloader.test.js +2 -2
  45. package/dist/runtime/key.test.js +5 -5
  46. package/dist/runtime/mod.js +6 -6
  47. package/dist/{send-BrO7rgzl.js → send-F3m8PbtH.js} +2 -2
  48. package/dist/sig/http.test.js +8 -8
  49. package/dist/sig/key.test.js +6 -6
  50. package/dist/sig/ld.test.js +7 -7
  51. package/dist/sig/mod.js +6 -6
  52. package/dist/sig/owner.test.js +8 -8
  53. package/dist/sig/proof.test.js +7 -7
  54. package/dist/{types-45TSQHsw.js → types-BU3u-EMH.js} +1 -1
  55. package/dist/vocab/actor.test.js +6 -8
  56. package/dist/vocab/lookup.test.js +5 -5
  57. package/dist/vocab/mod.js +4 -4
  58. package/dist/vocab/type.test.js +2 -2
  59. package/dist/vocab/vocab.test.js +3 -3
  60. package/dist/{vocab-B42jXGwc.js → vocab-1dVqjZTk.js} +3 -3
  61. package/dist/{vocab-DzvTuYjm.js → vocab-BOEOrr72.js} +178 -224
  62. package/dist/webfinger/handler.test.js +18 -18
  63. package/dist/webfinger/lookup.test.js +3 -3
  64. package/dist/webfinger/mod.js +2 -2
  65. package/package.json +1 -1
  66. package/dist/middleware-YRLKRl1N.js +0 -17
  67. package/dist/middleware-lqxhBcoT.js +0 -33
package/dist/{actor-CJUOVkus.js → actor-XtK-8B6i.js} RENAMED
@@ -3,9 +3,9 @@
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
  globalThis.addEventListener = () => {};
5
5
 
6
- import { deno_default } from "./docloader-BpcD_SLO.js";
7
- import { Application, Group, Organization, Person, Service } from "./vocab-DzvTuYjm.js";
8
- import { lookupWebFinger } from "./lookup-d9KQSGH3.js";
6
+ import { deno_default } from "./docloader-DHsnjtrB.js";
7
+ import { Application, Group, Organization, Person, Service } from "./vocab-BOEOrr72.js";
8
+ import { lookupWebFinger } from "./lookup-D-6fPBCB.js";
9
9
  import { getTypeId } from "./type-D2s5lmbZ.js";
10
10
  import { SpanStatusCode, trace } from "@opentelemetry/api";
11
11
  import { domainToASCII, domainToUnicode } from "node:url";
package/dist/{authdocloader-sLr3_CKo.js → authdocloader-BOsOB7nI.js} RENAMED
@@ -3,10 +3,10 @@
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
  globalThis.addEventListener = () => {};
5
5
 
6
- import { createRequest, getRemoteDocument, logRequest } from "./docloader-BpcD_SLO.js";
6
+ import { createRequest, getRemoteDocument, logRequest } from "./docloader-DHsnjtrB.js";
7
7
  import { UrlError, validatePublicUrl } from "./url-kTAI6_KP.js";
8
- import { validateCryptoKey } from "./key-HZNzd-FS.js";
9
- import { doubleKnock } from "./http-DEMqisx6.js";
8
+ import { validateCryptoKey } from "./key-Btb5k4lR.js";
9
+ import { doubleKnock } from "./http-DY7ABMxV.js";
10
10
  import { getLogger } from "@logtape/logtape";
11
11
 
12
12
  //#region runtime/authdocloader.ts
package/dist/{authdocloader-UN6bFYqE.js → authdocloader-BfXhfGGN.js} RENAMED
@@ -2,9 +2,9 @@
2
2
  import { Temporal } from "@js-temporal/polyfill";
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
 
5
- import { UrlError, createRequest, getRemoteDocument, logRequest, validatePublicUrl } from "./docloader-D27WkV2-.js";
6
- import { validateCryptoKey } from "./key-BS8tcPCt.js";
7
- import { doubleKnock } from "./http-hhXcurBA.js";
5
+ import { UrlError, createRequest, getRemoteDocument, logRequest, validatePublicUrl } from "./docloader-DT61GYEC.js";
6
+ import { validateCryptoKey } from "./key-DbchE9Xs.js";
7
+ import { doubleKnock } from "./http-CsOXrx1b.js";
8
8
  import { getLogger } from "@logtape/logtape";
9
9
 
10
10
  //#region runtime/authdocloader.ts
package/dist/{builder-Dwwf9LZs.js → builder-BtoNoWx4.js} RENAMED
@@ -3,10 +3,10 @@
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
  globalThis.addEventListener = () => {};
5
5
 
6
- import { deno_default } from "./docloader-BpcD_SLO.js";
6
+ import { deno_default } from "./docloader-DHsnjtrB.js";
7
7
  import { Router, RouterError } from "./router-D_aVZZUc.js";
8
8
  import { getTypeId } from "./type-D2s5lmbZ.js";
9
- import { InboxListenerSet } from "./inbox-Dn9cGz72.js";
9
+ import { InboxListenerSet } from "./inbox-G8JVL5Ne.js";
10
10
  import { getLogger } from "@logtape/logtape";
11
11
  import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
12
12
 
@@ -34,7 +34,7 @@ var FederationBuilderImpl = class {
34
34
  this.objectTypeIds = {};
35
35
  }
36
36
  async build(options) {
37
- const { FederationImpl } = await import("./middleware-lqxhBcoT.js");
37
+ const { FederationImpl } = await import("./middleware-C_O2JGGb.js");
38
38
  const f = new FederationImpl(options);
39
39
  const trailingSlashInsensitiveValue = f.router.trailingSlashInsensitive;
40
40
  f.router = this.router.clone();
package/dist/{client-BOQZYjsA.js → client-DfiRfarn.js} RENAMED
@@ -3,7 +3,7 @@
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
  globalThis.addEventListener = () => {};
5
5
 
6
- import { getUserAgent } from "./docloader-BpcD_SLO.js";
6
+ import { getUserAgent } from "./docloader-DHsnjtrB.js";
7
7
  import { parseSemVer } from "./semver-DWClQt_5.js";
8
8
  import { getLogger } from "@logtape/logtape";
9
9
 
package/dist/compat/transformers.test.js CHANGED
@@ -7,32 +7,32 @@ import { assertEquals } from "../assert_equals-CTYbeopb.js";
7
7
  import { assert } from "../assert-DmFG7ppO.js";
8
8
  import { assertInstanceOf } from "../assert_instance_of-CF09JHYM.js";
9
9
  import { MemoryKvStore } from "../kv-DohFOP2C.js";
10
- import { FederationImpl, actorDehydrator, autoIdAssigner } from "../middleware-DbABwSSq.js";
11
- import "../docloader-BpcD_SLO.js";
10
+ import { FederationImpl, actorDehydrator, autoIdAssigner } from "../middleware-EA-BBVH-.js";
11
+ import "../docloader-DHsnjtrB.js";
12
12
  import "../url-kTAI6_KP.js";
13
13
  import "../semver-DWClQt_5.js";
14
- import "../client-BOQZYjsA.js";
14
+ import "../client-DfiRfarn.js";
15
15
  import "../router-D_aVZZUc.js";
16
16
  import "../types-C7C_l-jz.js";
17
17
  import "../multibase-DeCHcK8L.js";
18
- import { Follow, Person } from "../vocab-DzvTuYjm.js";
18
+ import { Follow, Person } from "../vocab-BOEOrr72.js";
19
19
  import "../langstr-DbWheeIS.js";
20
- import "../lookup-d9KQSGH3.js";
20
+ import "../lookup-D-6fPBCB.js";
21
21
  import "../type-D2s5lmbZ.js";
22
- import "../actor-CJUOVkus.js";
23
- import "../key-HZNzd-FS.js";
24
- import "../http-DEMqisx6.js";
25
- import "../authdocloader-sLr3_CKo.js";
26
- import "../ld-BHlSwz3F.js";
27
- import "../owner-CY_4qryA.js";
28
- import "../proof-NEDLECyh.js";
29
- import "../lookup-DZ5JT-dZ.js";
30
- import "../inbox-Dn9cGz72.js";
31
- import "../builder-Dwwf9LZs.js";
22
+ import "../actor-XtK-8B6i.js";
23
+ import "../key-Btb5k4lR.js";
24
+ import "../http-DY7ABMxV.js";
25
+ import "../authdocloader-BOsOB7nI.js";
26
+ import "../ld-C5QomCTt.js";
27
+ import "../owner-BID7Mczj.js";
28
+ import "../proof-DUknICkM.js";
29
+ import "../lookup-2j31uvvW.js";
30
+ import "../inbox-G8JVL5Ne.js";
31
+ import "../builder-BtoNoWx4.js";
32
32
  import "../collection-Dfb0TPno.js";
33
- import "../keycache-DxrNxDV9.js";
33
+ import "../keycache-CounYPCT.js";
34
34
  import "../retry-BiIhZWgD.js";
35
- import "../send-BrO7rgzl.js";
35
+ import "../send-F3m8PbtH.js";
36
36
  import { test } from "../testing-BZ0dJ4qn.js";
37
37
 
38
38
  //#region compat/transformers.test.ts
package/dist/{context-B9H6ypbl.js → context-CTOs7_nl.js} RENAMED
@@ -4,8 +4,8 @@
4
4
  globalThis.addEventListener = () => {};
5
5
 
6
6
  import { RouterError } from "./router-D_aVZZUc.js";
7
- import { lookupWebFinger } from "./lookup-d9KQSGH3.js";
8
- import { lookupObject, traverseCollection } from "./lookup-DZ5JT-dZ.js";
7
+ import { lookupWebFinger } from "./lookup-D-6fPBCB.js";
8
+ import { lookupObject, traverseCollection } from "./lookup-2j31uvvW.js";
9
9
  import { mockDocumentLoader } from "./docloader-09nVWLAZ.js";
10
10
  import { trace } from "@opentelemetry/api";
11
11
 
package/dist/{docloader-BpcD_SLO.js → docloader-DHsnjtrB.js} RENAMED
@@ -10,7 +10,7 @@ import process from "node:process";
10
10
 
11
11
  //#region deno.json
12
12
  var name = "@fedify/fedify";
13
- var version = "1.6.7";
13
+ var version = "1.6.8";
14
14
  var license = "MIT";
15
15
  var exports = {
16
16
  ".": "./mod.ts",
package/dist/{docloader-D27WkV2-.js → docloader-DT61GYEC.js} RENAMED
@@ -10,7 +10,7 @@ import { isIP } from "node:net";
10
10
 
11
11
  //#region deno.json
12
12
  var name = "@fedify/fedify";
13
- var version = "1.6.7";
13
+ var version = "1.6.8";
14
14
  var license = "MIT";
15
15
  var exports = {
16
16
  ".": "./mod.ts",
package/dist/{esm-CASHO3OR.js → esm-Db4De7AS.js} RENAMED
@@ -6,7 +6,7 @@
6
6
  import { __commonJS, __toESM } from "./chunk-HsBuZ-b2.js";
7
7
 
8
8
  //#region node_modules/.pnpm/glob-to-regexp@0.4.1/node_modules/glob-to-regexp/index.js
9
- var require_glob_to_regexp = __commonJS({ "node_modules/.pnpm/glob-to-regexp@0.4.1/node_modules/glob-to-regexp/index.js"(exports, module) {
9
+ var require_glob_to_regexp = /* @__PURE__ */ __commonJS({ "node_modules/.pnpm/glob-to-regexp@0.4.1/node_modules/glob-to-regexp/index.js": ((exports, module) => {
10
10
  module.exports = function(glob$1, opts) {
11
11
  if (typeof glob$1 !== "string") throw new TypeError("Expected a string");
12
12
  var str = String(glob$1);
@@ -80,7 +80,7 @@ var require_glob_to_regexp = __commonJS({ "node_modules/.pnpm/glob-to-regexp@0.4
80
80
  if (!flags || !~flags.indexOf("g")) reStr = "^" + reStr + "$";
81
81
  return new RegExp(reStr, flags);
82
82
  };
83
- } });
83
+ }) });
84
84
 
85
85
  //#endregion
86
86
  //#region node_modules/.pnpm/regexparam@3.0.0/node_modules/regexparam/dist/index.mjs
@@ -232,7 +232,7 @@ const isSubsetOf = function(subset, superset, visited = []) {
232
232
  switch (subsetItemType) {
233
233
  case "array":
234
234
  case "object":
235
- case "function": {
235
+ case "function":
236
236
  if (visited.includes(subsetItem)) continue;
237
237
  visited.push(subsetItem);
238
238
  isItemInSuperset = superset.some((supersetItem) => {
@@ -243,7 +243,6 @@ const isSubsetOf = function(subset, superset, visited = []) {
243
243
  }
244
244
  });
245
245
  break;
246
- }
247
246
  default: isItemInSuperset = superset.includes(subsetItem);
248
247
  }
249
248
  if (!isItemInSuperset) return false;
@@ -259,7 +258,7 @@ const isSubsetOf = function(subset, superset, visited = []) {
259
258
  switch (subsetValueType) {
260
259
  case "array":
261
260
  case "object":
262
- case "function": {
261
+ case "function":
263
262
  if (visited.includes(subsetValue)) continue;
264
263
  visited.push(subsetValue);
265
264
  try {
@@ -269,7 +268,6 @@ const isSubsetOf = function(subset, superset, visited = []) {
269
268
  return false;
270
269
  }
271
270
  break;
272
- }
273
271
  default: if (subsetValue !== supersetValue) return false;
274
272
  }
275
273
  }
@@ -445,7 +443,7 @@ function normalizeHeaders(headers) {
445
443
 
446
444
  //#endregion
447
445
  //#region node_modules/.pnpm/fetch-mock@12.5.3/node_modules/fetch-mock/dist/esm/Matchers.js
448
- var import_glob_to_regexp = __toESM(require_glob_to_regexp(), 1);
446
+ var import_glob_to_regexp = /* @__PURE__ */ __toESM(require_glob_to_regexp(), 1);
449
447
  const isUrlMatcher = (matcher) => matcher instanceof RegExp || typeof matcher === "string" || typeof matcher === "object" && "href" in matcher;
450
448
  const isFunctionMatcher = (matcher) => typeof matcher === "function";
451
449
  const stringMatchers = {
package/dist/federation/builder.test.js CHANGED
@@ -7,16 +7,16 @@ import { assertEquals } from "../assert_equals-CTYbeopb.js";
7
7
  import "../assert-DmFG7ppO.js";
8
8
  import "../assert_instance_of-CF09JHYM.js";
9
9
  import { MemoryKvStore } from "../kv-DohFOP2C.js";
10
- import "../docloader-BpcD_SLO.js";
10
+ import "../docloader-DHsnjtrB.js";
11
11
  import "../url-kTAI6_KP.js";
12
12
  import { parseSemVer } from "../semver-DWClQt_5.js";
13
13
  import "../router-D_aVZZUc.js";
14
14
  import "../multibase-DeCHcK8L.js";
15
- import { Activity, Note, Person } from "../vocab-DzvTuYjm.js";
15
+ import { Activity, Note, Person } from "../vocab-BOEOrr72.js";
16
16
  import "../langstr-DbWheeIS.js";
17
17
  import "../type-D2s5lmbZ.js";
18
- import "../inbox-Dn9cGz72.js";
19
- import { createFederationBuilder } from "../builder-Dwwf9LZs.js";
18
+ import "../inbox-G8JVL5Ne.js";
19
+ import { createFederationBuilder } from "../builder-BtoNoWx4.js";
20
20
  import { test } from "../testing-BZ0dJ4qn.js";
21
21
  import { assertExists } from "../std__assert-vp0TKMS1.js";
22
22
  import "../assert_rejects-C-sxEMM5.js";
package/dist/federation/handler.test.js CHANGED
@@ -7,32 +7,32 @@ import { assertEquals } from "../assert_equals-CTYbeopb.js";
7
7
  import { assert } from "../assert-DmFG7ppO.js";
8
8
  import "../assert_instance_of-CF09JHYM.js";
9
9
  import { MemoryKvStore } from "../kv-DohFOP2C.js";
10
- import { acceptsJsonLd, createFederation, handleActor, handleCollection, handleInbox, handleObject, respondWithObject, respondWithObjectIfAcceptable } from "../middleware-DbABwSSq.js";
11
- import "../docloader-BpcD_SLO.js";
10
+ import { acceptsJsonLd, createFederation, handleActor, handleCollection, handleInbox, handleObject, respondWithObject, respondWithObjectIfAcceptable } from "../middleware-EA-BBVH-.js";
11
+ import "../docloader-DHsnjtrB.js";
12
12
  import "../url-kTAI6_KP.js";
13
13
  import "../semver-DWClQt_5.js";
14
- import "../client-BOQZYjsA.js";
14
+ import "../client-DfiRfarn.js";
15
15
  import "../router-D_aVZZUc.js";
16
16
  import "../types-C7C_l-jz.js";
17
17
  import "../multibase-DeCHcK8L.js";
18
- import { Create, Note, Person } from "../vocab-DzvTuYjm.js";
18
+ import { Create, Note, Person } from "../vocab-BOEOrr72.js";
19
19
  import "../langstr-DbWheeIS.js";
20
- import "../lookup-d9KQSGH3.js";
20
+ import "../lookup-D-6fPBCB.js";
21
21
  import "../type-D2s5lmbZ.js";
22
- import "../actor-CJUOVkus.js";
23
- import "../key-HZNzd-FS.js";
24
- import { signRequest } from "../http-DEMqisx6.js";
25
- import "../authdocloader-sLr3_CKo.js";
26
- import "../ld-BHlSwz3F.js";
27
- import "../owner-CY_4qryA.js";
28
- import "../proof-NEDLECyh.js";
29
- import "../lookup-DZ5JT-dZ.js";
30
- import "../inbox-Dn9cGz72.js";
31
- import "../builder-Dwwf9LZs.js";
22
+ import "../actor-XtK-8B6i.js";
23
+ import "../key-Btb5k4lR.js";
24
+ import { signRequest } from "../http-DY7ABMxV.js";
25
+ import "../authdocloader-BOsOB7nI.js";
26
+ import "../ld-C5QomCTt.js";
27
+ import "../owner-BID7Mczj.js";
28
+ import "../proof-DUknICkM.js";
29
+ import "../lookup-2j31uvvW.js";
30
+ import { InboxListenerSet } from "../inbox-G8JVL5Ne.js";
31
+ import "../builder-BtoNoWx4.js";
32
32
  import "../collection-Dfb0TPno.js";
33
- import "../keycache-DxrNxDV9.js";
33
+ import "../keycache-CounYPCT.js";
34
34
  import "../retry-BiIhZWgD.js";
35
- import "../send-BrO7rgzl.js";
35
+ import "../send-F3m8PbtH.js";
36
36
  import { test } from "../testing-BZ0dJ4qn.js";
37
37
  import "../std__assert-vp0TKMS1.js";
38
38
  import { assertFalse } from "../assert_rejects-C-sxEMM5.js";
@@ -40,8 +40,8 @@ import "../assert_is_error-nrwA1GeT.js";
40
40
  import "../assert_not_equals-Dc7y-V5Q.js";
41
41
  import "../assert_throws-Cn9C6Jur.js";
42
42
  import { mockDocumentLoader } from "../docloader-09nVWLAZ.js";
43
- import { createInboxContext, createRequestContext } from "../context-B9H6ypbl.js";
44
- import { rsaPrivateKey3, rsaPublicKey2, rsaPublicKey3 } from "../keys-cVHkVfkB.js";
43
+ import { createInboxContext, createRequestContext } from "../context-CTOs7_nl.js";
44
+ import { rsaPrivateKey3, rsaPublicKey2, rsaPublicKey3 } from "../keys-CCsGIHDm.js";
45
45
 
46
46
  //#region federation/handler.test.ts
47
47
  test("acceptsJsonLd()", () => {
@@ -1203,6 +1203,64 @@ test("respondWithObject()", async () => {
1203
1203
  content: "Hello, world!"
1204
1204
  });
1205
1205
  });
1206
+ test("handleInbox() - authentication bypass vulnerability", async () => {
1207
+ const federation = createFederation({ kv: new MemoryKvStore() });
1208
+ let processedActivity;
1209
+ const inboxListeners = new InboxListenerSet();
1210
+ inboxListeners.add(Create, (_ctx, activity) => {
1211
+ processedActivity = activity;
1212
+ });
1213
+ const maliciousActivity = new Create({
1214
+ id: new URL("https://attacker.example.com/activities/malicious"),
1215
+ actor: new URL("https://victim.example.com/users/alice"),
1216
+ object: new Note({
1217
+ id: new URL("https://attacker.example.com/notes/forged"),
1218
+ attribution: new URL("https://victim.example.com/users/alice"),
1219
+ content: "This is a forged message from the victim!"
1220
+ })
1221
+ });
1222
+ const maliciousRequest = await signRequest(new Request("https://example.com/", {
1223
+ method: "POST",
1224
+ body: JSON.stringify(await maliciousActivity.toJsonLd())
1225
+ }), rsaPrivateKey3, rsaPublicKey3.id);
1226
+ const maliciousContext = createRequestContext({
1227
+ request: maliciousRequest,
1228
+ url: new URL(maliciousRequest.url),
1229
+ data: void 0,
1230
+ documentLoader: mockDocumentLoader,
1231
+ federation
1232
+ });
1233
+ const actorDispatcher = (_ctx, identifier) => {
1234
+ if (identifier !== "someone") return null;
1235
+ return new Person({ name: "Someone" });
1236
+ };
1237
+ const response = await handleInbox(maliciousRequest, {
1238
+ recipient: "someone",
1239
+ context: maliciousContext,
1240
+ inboxContextFactory(_activity) {
1241
+ return createInboxContext({
1242
+ url: new URL(maliciousRequest.url),
1243
+ data: void 0,
1244
+ documentLoader: mockDocumentLoader,
1245
+ federation,
1246
+ recipient: "someone"
1247
+ });
1248
+ },
1249
+ kv: new MemoryKvStore(),
1250
+ kvPrefixes: {
1251
+ activityIdempotence: ["_fedify", "activityIdempotence"],
1252
+ publicKey: ["_fedify", "publicKey"]
1253
+ },
1254
+ actorDispatcher,
1255
+ inboxListeners,
1256
+ onNotFound: () => new Response("Not found", { status: 404 }),
1257
+ signatureTimeWindow: { minutes: 5 },
1258
+ skipSignatureVerification: false
1259
+ });
1260
+ assertEquals(response.status, 401);
1261
+ assertEquals(await response.text(), "The signer and the actor do not match.");
1262
+ assertEquals(processedActivity, void 0, `SECURITY VULNERABILITY: Malicious activity with mismatched signature was processed! Activity ID: ${processedActivity?.id?.href}, Claimed actor: ${processedActivity?.actorId?.href}`);
1263
+ });
1206
1264
  test("respondWithObjectIfAcceptable", async () => {
1207
1265
  let request = new Request("https://example.com/", { headers: { Accept: "application/activity+json" } });
1208
1266
  let response = await respondWithObjectIfAcceptable(new Note({
package/dist/federation/inbox.test.js CHANGED
@@ -4,13 +4,13 @@
4
4
  globalThis.addEventListener = () => {};
5
5
 
6
6
  import { assertEquals } from "../assert_equals-CTYbeopb.js";
7
- import "../docloader-BpcD_SLO.js";
7
+ import "../docloader-DHsnjtrB.js";
8
8
  import "../url-kTAI6_KP.js";
9
9
  import "../multibase-DeCHcK8L.js";
10
- import { Activity, Create, Invite, Offer, Update } from "../vocab-DzvTuYjm.js";
10
+ import { Activity, Create, Invite, Offer, Update } from "../vocab-BOEOrr72.js";
11
11
  import "../langstr-DbWheeIS.js";
12
12
  import "../type-D2s5lmbZ.js";
13
- import { InboxListenerSet } from "../inbox-Dn9cGz72.js";
13
+ import { InboxListenerSet } from "../inbox-G8JVL5Ne.js";
14
14
  import { test } from "../testing-BZ0dJ4qn.js";
15
15
  import "../assert_is_error-nrwA1GeT.js";
16
16
  import { assertThrows } from "../assert_throws-Cn9C6Jur.js";
package/dist/federation/keycache.test.js CHANGED
@@ -7,12 +7,12 @@ import { assertEquals } from "../assert_equals-CTYbeopb.js";
7
7
  import { assert } from "../assert-DmFG7ppO.js";
8
8
  import { assertInstanceOf } from "../assert_instance_of-CF09JHYM.js";
9
9
  import { MemoryKvStore } from "../kv-DohFOP2C.js";
10
- import "../docloader-BpcD_SLO.js";
10
+ import "../docloader-DHsnjtrB.js";
11
11
  import "../url-kTAI6_KP.js";
12
12
  import "../multibase-DeCHcK8L.js";
13
- import { CryptographicKey, Multikey } from "../vocab-DzvTuYjm.js";
13
+ import { CryptographicKey, Multikey } from "../vocab-BOEOrr72.js";
14
14
  import "../langstr-DbWheeIS.js";
15
- import { KvKeyCache } from "../keycache-DxrNxDV9.js";
15
+ import { KvKeyCache } from "../keycache-CounYPCT.js";
16
16
  import { test } from "../testing-BZ0dJ4qn.js";
17
17
 
18
18
  //#region federation/keycache.test.ts
package/dist/federation/middleware.test.js CHANGED
@@ -7,32 +7,32 @@ import { assertEquals } from "../assert_equals-CTYbeopb.js";
7
7
  import { assert } from "../assert-DmFG7ppO.js";
8
8
  import { assertInstanceOf } from "../assert_instance_of-CF09JHYM.js";
9
9
  import { MemoryKvStore } from "../kv-DohFOP2C.js";
10
- import { ContextImpl, FederationImpl, InboxContextImpl, createFederation } from "../middleware-DbABwSSq.js";
11
- import { FetchError, fetchDocumentLoader } from "../docloader-BpcD_SLO.js";
10
+ import { ContextImpl, FederationImpl, InboxContextImpl, createFederation } from "../middleware-EA-BBVH-.js";
11
+ import { FetchError, fetchDocumentLoader } from "../docloader-DHsnjtrB.js";
12
12
  import "../url-kTAI6_KP.js";
13
13
  import "../semver-DWClQt_5.js";
14
- import "../client-BOQZYjsA.js";
14
+ import "../client-DfiRfarn.js";
15
15
  import { RouterError } from "../router-D_aVZZUc.js";
16
16
  import "../types-C7C_l-jz.js";
17
17
  import "../multibase-DeCHcK8L.js";
18
- import { Activity, Announce, Create, Invite, Multikey, Note, Object as Object$1, Offer, Person } from "../vocab-DzvTuYjm.js";
18
+ import { Activity, Announce, Create, Invite, Multikey, Note, Object as Object$1, Offer, Person } from "../vocab-BOEOrr72.js";
19
19
  import "../langstr-DbWheeIS.js";
20
- import "../lookup-d9KQSGH3.js";
20
+ import "../lookup-D-6fPBCB.js";
21
21
  import { getTypeId } from "../type-D2s5lmbZ.js";
22
- import "../actor-CJUOVkus.js";
23
- import "../key-HZNzd-FS.js";
24
- import { signRequest, verifyRequest } from "../http-DEMqisx6.js";
25
- import { getAuthenticatedDocumentLoader } from "../authdocloader-sLr3_CKo.js";
26
- import { detachSignature, signJsonLd, verifyJsonLd } from "../ld-BHlSwz3F.js";
27
- import { doesActorOwnKey } from "../owner-CY_4qryA.js";
28
- import { signObject, verifyObject } from "../proof-NEDLECyh.js";
29
- import { lookupObject } from "../lookup-DZ5JT-dZ.js";
30
- import "../inbox-Dn9cGz72.js";
31
- import "../builder-Dwwf9LZs.js";
22
+ import "../actor-XtK-8B6i.js";
23
+ import "../key-Btb5k4lR.js";
24
+ import { signRequest, verifyRequest } from "../http-DY7ABMxV.js";
25
+ import { getAuthenticatedDocumentLoader } from "../authdocloader-BOsOB7nI.js";
26
+ import { detachSignature, signJsonLd, verifyJsonLd } from "../ld-C5QomCTt.js";
27
+ import { doesActorOwnKey } from "../owner-BID7Mczj.js";
28
+ import { signObject, verifyObject } from "../proof-DUknICkM.js";
29
+ import { lookupObject } from "../lookup-2j31uvvW.js";
30
+ import "../inbox-G8JVL5Ne.js";
31
+ import "../builder-BtoNoWx4.js";
32
32
  import "../collection-Dfb0TPno.js";
33
- import "../keycache-DxrNxDV9.js";
33
+ import "../keycache-CounYPCT.js";
34
34
  import "../retry-BiIhZWgD.js";
35
- import "../send-BrO7rgzl.js";
35
+ import "../send-F3m8PbtH.js";
36
36
  import { test } from "../testing-BZ0dJ4qn.js";
37
37
  import { assertStrictEquals } from "../std__assert-vp0TKMS1.js";
38
38
  import { assertFalse, assertRejects } from "../assert_rejects-C-sxEMM5.js";
@@ -40,8 +40,8 @@ import "../assert_is_error-nrwA1GeT.js";
40
40
  import { assertNotEquals } from "../assert_not_equals-Dc7y-V5Q.js";
41
41
  import { assertThrows } from "../assert_throws-Cn9C6Jur.js";
42
42
  import { mockDocumentLoader } from "../docloader-09nVWLAZ.js";
43
- import { ed25519Multikey, ed25519PrivateKey, ed25519PublicKey, rsaPrivateKey2, rsaPrivateKey3, rsaPublicKey2, rsaPublicKey3 } from "../keys-cVHkVfkB.js";
44
- import { esm_default } from "../esm-CASHO3OR.js";
43
+ import { ed25519Multikey, ed25519PrivateKey, ed25519PublicKey, rsaPrivateKey2, rsaPrivateKey3, rsaPublicKey2, rsaPublicKey3 } from "../keys-CCsGIHDm.js";
44
+ import { esm_default } from "../esm-Db4De7AS.js";
45
45
 
46
46
  //#region testing/fixtures/example.com/person.json
47
47
  var __context$1 = ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1"];
package/dist/federation/mod.js CHANGED
@@ -3,16 +3,16 @@
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
 
5
5
  import "../transformers-ghwJuzGY.js";
6
- import "../docloader-D27WkV2-.js";
7
- import "../actor-fvEQljsh.js";
8
- import { Router, RouterError, buildCollectionSynchronizationHeader, createExponentialBackoffPolicy, createFederation, createFederationBuilder, digest, respondWithObject, respondWithObjectIfAcceptable } from "../middleware-jYmGxpPU.js";
9
- import "../lookup-D1UwpzKL.js";
10
- import "../key-BS8tcPCt.js";
11
- import "../http-hhXcurBA.js";
12
- import "../proof-ZOvHKN5-.js";
6
+ import "../docloader-DT61GYEC.js";
7
+ import "../actor-Bcs0hYb1.js";
8
+ import { Router, RouterError, buildCollectionSynchronizationHeader, createExponentialBackoffPolicy, createFederation, createFederationBuilder, digest, respondWithObject, respondWithObjectIfAcceptable } from "../middleware-BSWZF2bY.js";
9
+ import "../lookup-DRz3cQ2q.js";
10
+ import "../key-DbchE9Xs.js";
11
+ import "../http-CsOXrx1b.js";
12
+ import "../proof-Cxepv82U.js";
13
13
  import { InProcessMessageQueue, MemoryKvStore, ParallelMessageQueue } from "../federation-3B6BDKCK.js";
14
- import "../types-45TSQHsw.js";
15
- import "../authdocloader-UN6bFYqE.js";
16
- import "../vocab-B42jXGwc.js";
14
+ import "../types-BU3u-EMH.js";
15
+ import "../authdocloader-BfXhfGGN.js";
16
+ import "../vocab-1dVqjZTk.js";
17
17
 
18
18
  export { InProcessMessageQueue, MemoryKvStore, ParallelMessageQueue, Router, RouterError, buildCollectionSynchronizationHeader, createExponentialBackoffPolicy, createFederation, createFederationBuilder, digest, respondWithObject, respondWithObjectIfAcceptable };
package/dist/federation/send.test.js CHANGED
@@ -6,18 +6,18 @@
6
6
  import { assertEquals } from "../assert_equals-CTYbeopb.js";
7
7
  import { assert } from "../assert-DmFG7ppO.js";
8
8
  import "../assert_instance_of-CF09JHYM.js";
9
- import "../docloader-BpcD_SLO.js";
9
+ import "../docloader-DHsnjtrB.js";
10
10
  import "../url-kTAI6_KP.js";
11
11
  import "../multibase-DeCHcK8L.js";
12
- import { Activity, Application, Endpoints, Group, Person, Service } from "../vocab-DzvTuYjm.js";
12
+ import { Activity, Application, Endpoints, Group, Person, Service } from "../vocab-BOEOrr72.js";
13
13
  import "../langstr-DbWheeIS.js";
14
- import "../lookup-d9KQSGH3.js";
14
+ import "../lookup-D-6fPBCB.js";
15
15
  import "../type-D2s5lmbZ.js";
16
- import "../actor-CJUOVkus.js";
17
- import "../key-HZNzd-FS.js";
18
- import { verifyRequest } from "../http-DEMqisx6.js";
19
- import { doesActorOwnKey } from "../owner-CY_4qryA.js";
20
- import { extractInboxes, sendActivity } from "../send-BrO7rgzl.js";
16
+ import "../actor-XtK-8B6i.js";
17
+ import "../key-Btb5k4lR.js";
18
+ import { verifyRequest } from "../http-DY7ABMxV.js";
19
+ import { doesActorOwnKey } from "../owner-BID7Mczj.js";
20
+ import { extractInboxes, sendActivity } from "../send-F3m8PbtH.js";
21
21
  import { test } from "../testing-BZ0dJ4qn.js";
22
22
  import "../std__assert-vp0TKMS1.js";
23
23
  import { assertFalse, assertRejects } from "../assert_rejects-C-sxEMM5.js";
@@ -25,8 +25,8 @@ import "../assert_is_error-nrwA1GeT.js";
25
25
  import { assertNotEquals } from "../assert_not_equals-Dc7y-V5Q.js";
26
26
  import "../assert_throws-Cn9C6Jur.js";
27
27
  import { mockDocumentLoader } from "../docloader-09nVWLAZ.js";
28
- import { ed25519Multikey, ed25519PrivateKey, rsaPrivateKey2, rsaPublicKey2 } from "../keys-cVHkVfkB.js";
29
- import { esm_default } from "../esm-CASHO3OR.js";
28
+ import { ed25519Multikey, ed25519PrivateKey, rsaPrivateKey2, rsaPublicKey2 } from "../keys-CCsGIHDm.js";
29
+ import { esm_default } from "../esm-Db4De7AS.js";
30
30
 
31
31
  //#region federation/send.test.ts
32
32
  test("extractInboxes()", () => {
package/dist/{http-hhXcurBA.js → http-CsOXrx1b.js} RENAMED
@@ -2,9 +2,9 @@
2
2
  import { Temporal } from "@js-temporal/polyfill";
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
 
5
- import { deno_default } from "./docloader-D27WkV2-.js";
6
- import { CryptographicKey } from "./actor-fvEQljsh.js";
7
- import { fetchKey, validateCryptoKey } from "./key-BS8tcPCt.js";
5
+ import { deno_default } from "./docloader-DT61GYEC.js";
6
+ import { CryptographicKey } from "./actor-Bcs0hYb1.js";
7
+ import { fetchKey, validateCryptoKey } from "./key-DbchE9Xs.js";
8
8
  import { getLogger } from "@logtape/logtape";
9
9
  import { SpanStatusCode, trace } from "@opentelemetry/api";
10
10
  import { decodeBase64, encodeBase64 } from "byte-encodings/base64";
package/dist/{http-DEMqisx6.js → http-DY7ABMxV.js} RENAMED
@@ -3,9 +3,9 @@
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
  globalThis.addEventListener = () => {};
5
5
 
6
- import { deno_default } from "./docloader-BpcD_SLO.js";
7
- import { CryptographicKey } from "./vocab-DzvTuYjm.js";
8
- import { fetchKey, validateCryptoKey } from "./key-HZNzd-FS.js";
6
+ import { deno_default } from "./docloader-DHsnjtrB.js";
7
+ import { CryptographicKey } from "./vocab-BOEOrr72.js";
8
+ import { fetchKey, validateCryptoKey } from "./key-Btb5k4lR.js";
9
9
  import { getLogger } from "@logtape/logtape";
10
10
  import { SpanStatusCode, trace } from "@opentelemetry/api";
11
11
  import { ATTR_HTTP_REQUEST_HEADER, ATTR_HTTP_REQUEST_METHOD, ATTR_URL_FULL } from "@opentelemetry/semantic-conventions";
package/dist/{inbox-Dn9cGz72.js → inbox-G8JVL5Ne.js} RENAMED
@@ -3,8 +3,8 @@
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
  globalThis.addEventListener = () => {};
5
5
 
6
- import { deno_default } from "./docloader-BpcD_SLO.js";
7
- import { Activity } from "./vocab-DzvTuYjm.js";
6
+ import { deno_default } from "./docloader-DHsnjtrB.js";
7
+ import { Activity } from "./vocab-BOEOrr72.js";
8
8
  import { getTypeId } from "./type-D2s5lmbZ.js";
9
9
  import { getLogger } from "@logtape/logtape";
10
10
  import { SpanKind, SpanStatusCode, context, propagation, trace } from "@opentelemetry/api";
package/dist/{key-heR1cMpe.js → key-Bppy9mNu.js} RENAMED
@@ -3,14 +3,14 @@
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
  globalThis.addEventListener = () => {};
5
5
 
6
- import "./docloader-BpcD_SLO.js";
6
+ import "./docloader-DHsnjtrB.js";
7
7
  import "./url-kTAI6_KP.js";
8
8
  import "./multibase-DeCHcK8L.js";
9
- import "./vocab-DzvTuYjm.js";
9
+ import "./vocab-BOEOrr72.js";
10
10
  import "./langstr-DbWheeIS.js";
11
- import "./lookup-d9KQSGH3.js";
11
+ import "./lookup-D-6fPBCB.js";
12
12
  import "./type-D2s5lmbZ.js";
13
- import "./actor-CJUOVkus.js";
14
- import { exportJwk, fetchKey, generateCryptoKeyPair, importJwk, validateCryptoKey } from "./key-HZNzd-FS.js";
13
+ import "./actor-XtK-8B6i.js";
14
+ import { exportJwk, fetchKey, generateCryptoKeyPair, importJwk, validateCryptoKey } from "./key-Btb5k4lR.js";
15
15
 
16
16
  export { validateCryptoKey };
package/dist/{key-HZNzd-FS.js → key-Btb5k4lR.js} RENAMED
@@ -3,9 +3,9 @@
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
  globalThis.addEventListener = () => {};
5
5
 
6
- import { deno_default, getDocumentLoader } from "./docloader-BpcD_SLO.js";
7
- import { CryptographicKey, Object as Object$1 } from "./vocab-DzvTuYjm.js";
8
- import { isActor } from "./actor-CJUOVkus.js";
6
+ import { deno_default, getDocumentLoader } from "./docloader-DHsnjtrB.js";
7
+ import { CryptographicKey, Object as Object$1 } from "./vocab-BOEOrr72.js";
8
+ import { isActor } from "./actor-XtK-8B6i.js";
9
9
  import { getLogger } from "@logtape/logtape";
10
10
  import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
11
11
 
package/dist/{key-Djjl3-NI.js → key-DS_OEdsO.js} RENAMED
@@ -2,9 +2,9 @@
2
2
  import { Temporal } from "@js-temporal/polyfill";
3
3
  import { URLPattern } from "urlpattern-polyfill";
4
4
 
5
- import "./docloader-D27WkV2-.js";
6
- import "./actor-fvEQljsh.js";
7
- import "./lookup-D1UwpzKL.js";
8
- import { exportJwk, fetchKey, generateCryptoKeyPair, importJwk, validateCryptoKey } from "./key-BS8tcPCt.js";
5
+ import "./docloader-DT61GYEC.js";
6
+ import "./actor-Bcs0hYb1.js";
7
+ import "./lookup-DRz3cQ2q.js";
8
+ import { exportJwk, fetchKey, generateCryptoKeyPair, importJwk, validateCryptoKey } from "./key-DbchE9Xs.js";
9
9
 
10
10
  export { validateCryptoKey };