@fedify/fedify 1.9.0-pr.407.1544 → 1.9.0-pr.421.1747

package/dist/{http-D8Q4xH0d.d.ts → http-wsGR6KkT.d.ts}

@@ -1,7 +1,7 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
 import { DocumentLoader } from "./docloader-CxWcuWqQ.js";
-import { CryptographicKey, Multikey } from "./vocab-BEEm2I6u.js";
+import { CryptographicKey, Multikey } from "./vocab-CDHNj5zp.js";
 import { TracerProvider } from "@opentelemetry/api";
 
 //#region src/sig/key.d.ts

package/dist/{inbox-Dg825gXU.js → inbox-CAt-VuhL.js}

@@ -3,7 +3,7 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { Activity, deno_default, getTypeId } from "./type-OboVsUha.js";
+import { Activity, deno_default, getTypeId } from "./type-D50ufokc.js";
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, context, propagation, trace } from "@opentelemetry/api";
 
@@ -41,17 +41,39 @@ var InboxListenerSet = class InboxListenerSet {
 		return this.dispatchWithClass(activity)?.listener ?? null;
 	}
 };
-async function routeActivity({ context: ctx, json, activity, recipient, inboxListeners, inboxContextFactory, inboxErrorHandler, kv, kvPrefixes, queue, span, tracerProvider }) {
+let warnedAboutDefaultIdempotency = false;
+async function routeActivity({ context: ctx, json, activity, recipient, inboxListeners, inboxContextFactory, inboxErrorHandler, kv, kvPrefixes, queue, span, tracerProvider, idempotencyStrategy }) {
 	const logger = getLogger([
 		"fedify",
 		"federation",
 		"inbox"
 	]);
-	const cacheKey = activity.id == null ? null : [
-		...kvPrefixes.activityIdempotence,
-		ctx.origin,
-		activity.id.href
-	];
+	let cacheKey = null;
+	if (activity.id != null) {
+		const inboxContext = inboxContextFactory(recipient, json, activity.id?.href, getTypeId(activity).href);
+		const strategy = idempotencyStrategy ?? "per-origin";
+		if (idempotencyStrategy === void 0 && !warnedAboutDefaultIdempotency) {
+			logger.warn("Using default idempotency strategy 'per-origin'. This default will change to 'per-inbox' in Fedify 2.0. Please explicitly set the idempotency strategy using .withIdempotency().");
+			warnedAboutDefaultIdempotency = true;
+		}
+		let keyString;
+		if (typeof strategy === "function") {
+			const result = await strategy(inboxContext, activity);
+			keyString = result;
+		} else switch (strategy) {
+			case "global":
+				keyString = activity.id.href;
+				break;
+			case "per-origin":
+				keyString = `${ctx.origin}\n${activity.id.href}`;
+				break;
+			case "per-inbox":
+				keyString = `${ctx.origin}\n${activity.id.href}\n${recipient == null ? "sharedInbox" : `inbox\n${recipient}`}`;
+				break;
+			default: keyString = `${ctx.origin}\n${activity.id.href}`;
+		}
+		if (keyString != null) cacheKey = [...kvPrefixes.activityIdempotence, keyString];
+	}
 	if (cacheKey != null) {
 		const cached = await kv.get(cacheKey);
 		if (cached === true) {

package/dist/key-BZBF55sg.cjs

@@ -0,0 +1,10 @@
+
+          const { Temporal } = require("@js-temporal/polyfill");
+          const { URLPattern } = require("urlpattern-polyfill");
+        
+require('./docloader-FAn755Ez.cjs');
+require('./actor-DaFSkBV-.cjs');
+require('./lookup-DSSOyhz2.cjs');
+const require_key = require('./key-DFZ_CvG0.cjs');
+
+exports.validateCryptoKey = require_key.validateCryptoKey;

package/dist/key-CKScBmP1.js

@@ -0,0 +1,10 @@
+
+          import { Temporal } from "@js-temporal/polyfill";
+          import { URLPattern } from "urlpattern-polyfill";
+        
+import "./docloader-BRrqMbX0.js";
+import "./actor-J-9oLs-V.js";
+import "./lookup-Zzj9McvA.js";
+import { exportJwk, fetchKey, generateCryptoKeyPair, importJwk, validateCryptoKey } from "./key-D7A24D7c.js";
+
+export { validateCryptoKey };

package/dist/{key-l5QMtRss.js → key-D7A24D7c.js}

@@ -1,9 +1,9 @@
 
-      import { Temporal } from "@js-temporal/polyfill";
-      import { URLPattern } from "urlpattern-polyfill";
-    
-import { deno_default, getDocumentLoader } from "./docloader-BJTPo7_i.js";
-import { CryptographicKey, Object as Object$1, isActor } from "./actor-BY--uubW.js";
+          import { Temporal } from "@js-temporal/polyfill";
+          import { URLPattern } from "urlpattern-polyfill";
+        
+import { deno_default, getDocumentLoader } from "./docloader-BRrqMbX0.js";
+import { CryptographicKey, Object as Object$1, isActor } from "./actor-J-9oLs-V.js";
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 

package/dist/key-DFZ_CvG0.cjs

@@ -0,0 +1,290 @@
+
+          const { Temporal } = require("@js-temporal/polyfill");
+          const { URLPattern } = require("urlpattern-polyfill");
+        
+const require_chunk = require('./chunk-DqRYRqnO.cjs');
+const require_docloader = require('./docloader-FAn755Ez.cjs');
+const require_actor = require('./actor-DaFSkBV-.cjs');
+const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
+const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));
+
+//#region src/sig/key.ts
+/**
+* Checks if the given key is valid and supported.  No-op if the key is valid,
+* otherwise throws an error.
+* @param key The key to check.
+* @param type Which type of key to check.  If not specified, the key can be
+*             either public or private.
+* @throws {TypeError} If the key is invalid or unsupported.
+*/
+function validateCryptoKey(key, type) {
+	if (type != null && key.type !== type) throw new TypeError(`The key is not a ${type} key.`);
+	if (!key.extractable) throw new TypeError("The key is not extractable.");
+	if (key.algorithm.name !== "RSASSA-PKCS1-v1_5" && key.algorithm.name !== "Ed25519") throw new TypeError("Currently only RSASSA-PKCS1-v1_5 and Ed25519 keys are supported.  More algorithms will be added in the future!");
+	if (key.algorithm.name === "RSASSA-PKCS1-v1_5") {
+		const algorithm = key.algorithm;
+		if (algorithm.hash.name !== "SHA-256") throw new TypeError("For compatibility with the existing Fediverse software (e.g., Mastodon), hash algorithm for RSASSA-PKCS1-v1_5 keys must be SHA-256.");
+	}
+}
+/**
+* Generates a key pair which is appropriate for Fedify.
+* @param algorithm The algorithm to use.  Currently only RSASSA-PKCS1-v1_5 and
+*                  Ed25519 are supported.
+* @returns The generated key pair.
+* @throws {TypeError} If the algorithm is unsupported.
+*/
+function generateCryptoKeyPair(algorithm) {
+	if (algorithm == null) (0, __logtape_logtape.getLogger)([
+		"fedify",
+		"sig",
+		"key"
+	]).warn("No algorithm specified.  Using RSASSA-PKCS1-v1_5 by default, but it is recommended to specify the algorithm explicitly as the parameter will be required in the future.");
+	if (algorithm == null || algorithm === "RSASSA-PKCS1-v1_5") return crypto.subtle.generateKey({
+		name: "RSASSA-PKCS1-v1_5",
+		modulusLength: 4096,
+		publicExponent: new Uint8Array([
+			1,
+			0,
+			1
+		]),
+		hash: "SHA-256"
+	}, true, ["sign", "verify"]);
+	else if (algorithm === "Ed25519") return crypto.subtle.generateKey("Ed25519", true, ["sign", "verify"]);
+	throw new TypeError("Unsupported algorithm: " + algorithm);
+}
+/**
+* Exports a key in JWK format.
+* @param key The key to export.  Either public or private key.
+* @returns The exported key in JWK format.  The key is suitable for
+*          serialization and storage.
+* @throws {TypeError} If the key is invalid or unsupported.
+*/
+async function exportJwk(key) {
+	validateCryptoKey(key);
+	const jwk = await crypto.subtle.exportKey("jwk", key);
+	if (jwk.crv === "Ed25519") jwk.alg = "Ed25519";
+	return jwk;
+}
+/**
+* Imports a key from JWK format.
+* @param jwk The key in JWK format.
+* @param type Which type of key to import, either `"public"` or `"private"`.
+* @returns The imported key.
+* @throws {TypeError} If the key is invalid or unsupported.
+*/
+async function importJwk(jwk, type) {
+	let key;
+	if (jwk.kty === "RSA" && jwk.alg === "RS256") key = await crypto.subtle.importKey("jwk", jwk, {
+		name: "RSASSA-PKCS1-v1_5",
+		hash: "SHA-256"
+	}, true, type === "public" ? ["verify"] : ["sign"]);
+	else if (jwk.kty === "OKP" && jwk.crv === "Ed25519") {
+		if (navigator?.userAgent === "Cloudflare-Workers") {
+			jwk = { ...jwk };
+			delete jwk.alg;
+		}
+		key = await crypto.subtle.importKey("jwk", jwk, "Ed25519", true, type === "public" ? ["verify"] : ["sign"]);
+	} else throw new TypeError("Unsupported JWK format.");
+	validateCryptoKey(key, type);
+	return key;
+}
+/**
+* Fetches a {@link CryptographicKey} or {@link Multikey} from the given URL.
+* If the given URL contains an {@link Actor} object, it tries to find
+* the corresponding key in the `publicKey` or `assertionMethod` property.
+* @template T The type of the key to fetch.  Either {@link CryptographicKey}
+*              or {@link Multikey}.
+* @param keyId The URL of the key.
+* @param cls The class of the key to fetch.  Either {@link CryptographicKey}
+*            or {@link Multikey}.
+* @param options Options for fetching the key.  See {@link FetchKeyOptions}.
+* @returns The fetched key or `null` if the key is not found.
+* @since 1.3.0
+*/
+function fetchKey(keyId, cls, options = {}) {
+	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
+	const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+	keyId = typeof keyId === "string" ? new URL(keyId) : keyId;
+	return tracer.startActiveSpan("activitypub.fetch_key", {
+		kind: __opentelemetry_api.SpanKind.CLIENT,
+		attributes: {
+			"http.method": "GET",
+			"url.full": keyId.href,
+			"url.scheme": keyId.protocol.replace(/:$/, ""),
+			"url.domain": keyId.hostname,
+			"url.path": keyId.pathname,
+			"url.query": keyId.search.replace(/^\?/, ""),
+			"url.fragment": keyId.hash.replace(/^#/, "")
+		}
+	}, async (span) => {
+		try {
+			const result = await fetchKeyInternal(keyId, cls, options);
+			span.setAttribute("activitypub.actor.key.cached", result.cached);
+			return result;
+		} catch (e) {
+			span.setStatus({
+				code: __opentelemetry_api.SpanStatusCode.ERROR,
+				message: String(e)
+			});
+			throw e;
+		} finally {
+			span.end();
+		}
+	});
+}
+async function fetchKeyInternal(keyId, cls, { documentLoader, contextLoader, keyCache, tracerProvider } = {}) {
+	const logger = (0, __logtape_logtape.getLogger)([
+		"fedify",
+		"sig",
+		"key"
+	]);
+	const cacheKey = typeof keyId === "string" ? new URL(keyId) : keyId;
+	keyId = typeof keyId === "string" ? keyId : keyId.href;
+	if (keyCache != null) {
+		const cachedKey = await keyCache.get(cacheKey);
+		if (cachedKey instanceof cls && cachedKey.publicKey != null) {
+			logger.debug("Key {keyId} found in cache.", { keyId });
+			return {
+				key: cachedKey,
+				cached: true
+			};
+		} else if (cachedKey === null) {
+			logger.debug("Entry {keyId} found in cache, but it is unavailable.", { keyId });
+			return {
+				key: null,
+				cached: true
+			};
+		}
+	}
+	logger.debug("Fetching key {keyId} to verify signature...", { keyId });
+	let document;
+	try {
+		const remoteDocument = await (documentLoader ?? require_docloader.getDocumentLoader())(keyId);
+		document = remoteDocument.document;
+	} catch (_) {
+		logger.debug("Failed to fetch key {keyId}.", { keyId });
+		await keyCache?.set(cacheKey, null);
+		return {
+			key: null,
+			cached: false
+		};
+	}
+	let object;
+	try {
+		object = await require_actor.Object.fromJsonLd(document, {
+			documentLoader,
+			contextLoader,
+			tracerProvider
+		});
+	} catch (e) {
+		if (!(e instanceof TypeError)) throw e;
+		try {
+			object = await cls.fromJsonLd(document, {
+				documentLoader,
+				contextLoader,
+				tracerProvider
+			});
+		} catch (e$1) {
+			if (e$1 instanceof TypeError) {
+				logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
+				await keyCache?.set(cacheKey, null);
+				return {
+					key: null,
+					cached: false
+				};
+			}
+			throw e$1;
+		}
+	}
+	let key = null;
+	if (object instanceof cls) key = object;
+	else if (require_actor.isActor(object)) {
+		const keys = cls === require_actor.CryptographicKey ? object.getPublicKeys({
+			documentLoader,
+			contextLoader,
+			tracerProvider
+		}) : object.getAssertionMethods({
+			documentLoader,
+			contextLoader,
+			tracerProvider
+		});
+		let length = 0;
+		let lastKey = null;
+		for await (const k of keys) {
+			length++;
+			lastKey = k;
+			if (k.id?.href === keyId) {
+				key = k;
+				break;
+			}
+		}
+		const keyIdUrl = new URL(keyId);
+		if (key == null && keyIdUrl.hash === "" && length === 1) key = lastKey;
+		if (key == null) {
+			logger.debug("Failed to verify; object {keyId} returned an {actorType}, but has no key matching {keyId}.", {
+				keyId,
+				actorType: object.constructor.name
+			});
+			await keyCache?.set(cacheKey, null);
+			return {
+				key: null,
+				cached: false
+			};
+		}
+	} else {
+		logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
+		await keyCache?.set(cacheKey, null);
+		return {
+			key: null,
+			cached: false
+		};
+	}
+	if (key.publicKey == null) {
+		logger.debug("Failed to verify; key {keyId} has no publicKeyPem field.", { keyId });
+		await keyCache?.set(cacheKey, null);
+		return {
+			key: null,
+			cached: false
+		};
+	}
+	if (keyCache != null) {
+		await keyCache.set(cacheKey, key);
+		logger.debug("Key {keyId} cached.", { keyId });
+	}
+	return {
+		key,
+		cached: false
+	};
+}
+
+//#endregion
+Object.defineProperty(exports, 'exportJwk', {
+  enumerable: true,
+  get: function () {
+    return exportJwk;
+  }
+});
+Object.defineProperty(exports, 'fetchKey', {
+  enumerable: true,
+  get: function () {
+    return fetchKey;
+  }
+});
+Object.defineProperty(exports, 'generateCryptoKeyPair', {
+  enumerable: true,
+  get: function () {
+    return generateCryptoKeyPair;
+  }
+});
+Object.defineProperty(exports, 'importJwk', {
+  enumerable: true,
+  get: function () {
+    return importJwk;
+  }
+});
+Object.defineProperty(exports, 'validateCryptoKey', {
+  enumerable: true,
+  get: function () {
+    return validateCryptoKey;
+  }
+});

package/dist/{key-RzI0hV7H.js → key-DbX-_KvI.js}

@@ -3,8 +3,8 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { CryptographicKey, Object as Object$1, deno_default, getDocumentLoader } from "./type-OboVsUha.js";
-import { isActor } from "./actor-CeBu8hLy.js";
+import { CryptographicKey, Object as Object$1, deno_default, getDocumentLoader } from "./type-D50ufokc.js";
+import { isActor } from "./actor-CNV1ck1S.js";
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 

package/dist/{key-BWgRsIwz.js → key-uBD0-2wc.js}

@@ -3,8 +3,8 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import "./type-OboVsUha.js";
-import "./actor-CeBu8hLy.js";
-import { exportJwk, fetchKey, generateCryptoKeyPair, importJwk, validateCryptoKey } from "./key-RzI0hV7H.js";
+import "./type-D50ufokc.js";
+import "./actor-CNV1ck1S.js";
+import { exportJwk, fetchKey, generateCryptoKeyPair, importJwk, validateCryptoKey } from "./key-DbX-_KvI.js";
 
 export { validateCryptoKey };

package/dist/{keycache-BGlP5YTm.js → keycache-DVVM5m9f.js}

@@ -3,7 +3,7 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { CryptographicKey, Multikey } from "./type-OboVsUha.js";
+import { CryptographicKey, Multikey } from "./type-D50ufokc.js";
 
 //#region src/federation/keycache.ts
 var KvKeyCache = class {

package/dist/{keys-BRbwmdDJ.js → keys-Hl2h0ZG0.js}

@@ -3,7 +3,7 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { CryptographicKey, Multikey, importSpki } from "./type-OboVsUha.js";
+import { CryptographicKey, Multikey, importSpki } from "./type-D50ufokc.js";
 
 //#region src/testing/keys.ts
 const rsaPublicKey1 = new CryptographicKey({

package/dist/kv-63Cil1MD.d.cts

@@ -0,0 +1,81 @@
+//#region src/federation/kv.d.ts
+/**
+ * A key for a key–value store.  An array of one or more strings.
+ *
+ * @since 0.5.0
+ */
+type KvKey = readonly [string] | readonly [string, ...string[]];
+/**
+ * Additional options for setting a value in a key–value store.
+ *
+ * @since 0.5.0
+ */
+interface KvStoreSetOptions {
+  /**
+   * The time-to-live (TTL) for the value.
+   */
+  ttl?: Temporal.Duration;
+}
+/**
+ * An abstract interface for a key–value store.
+ *
+ * @since 0.5.0
+ */
+interface KvStore {
+  /**
+   * Gets the value for the given key.
+   * @param key The key to get the value for.
+   * @returns The value for the key, or `undefined` if the key does not exist.
+   * @template T The type of the value to get.
+   */
+  get<T = unknown>(key: KvKey): Promise<T | undefined>;
+  /**
+   * Sets the value for the given key.
+   * @param key The key to set the value for.
+   * @param value The value to set.
+   * @param options Additional options for setting the value.
+   */
+  set(key: KvKey, value: unknown, options?: KvStoreSetOptions): Promise<void>;
+  /**
+   * Deletes the value for the given key.
+   * @param key The key to delete.
+   */
+  delete(key: KvKey): Promise<void>;
+  /**
+   * Compare-and-swap (CAS) operation for the key–value store.
+   * @param key The key to perform the CAS operation on.
+   * @param expectedValue The expected value for the key.
+   * @param newValue The new value to set if the expected value matches.
+   * @param options Additional options for setting the value.
+   * @return `true` if the CAS operation was successful, `false` otherwise.
+   * @since 1.8.0
+   */
+  cas?: (key: KvKey, expectedValue: unknown, newValue: unknown, options?: KvStoreSetOptions) => Promise<boolean>;
+}
+/**
+ * A key–value store that stores values in memory.
+ * Do not use this in production as it does not persist values.
+ *
+ * @since 0.5.0
+ */
+declare class MemoryKvStore implements KvStore {
+  #private;
+  /**
+   * {@inheritDoc KvStore.get}
+   */
+  get<T = unknown>(key: KvKey): Promise<T | undefined>;
+  /**
+   * {@inheritDoc KvStore.set}
+   */
+  set(key: KvKey, value: unknown, options?: KvStoreSetOptions): Promise<void>;
+  /**
+   * {@inheritDoc KvStore.delete}
+   */
+  delete(key: KvKey): Promise<void>;
+  /**
+   * {@inheritDoc KvStore.cas}
+   */
+  cas(key: KvKey, expectedValue: unknown, newValue: unknown, options?: KvStoreSetOptions): Promise<boolean>;
+}
+//#endregion
+export { KvKey, KvStore, KvStoreSetOptions, MemoryKvStore };

package/dist/{ld-C9E9DPBz.js → ld-e-G3iYdn.js}

@@ -3,8 +3,8 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { Activity, CryptographicKey, Object as Object$1, deno_default, getDocumentLoader, getTypeId } from "./type-OboVsUha.js";
-import { fetchKey, validateCryptoKey } from "./key-RzI0hV7H.js";
+import { Activity, CryptographicKey, Object as Object$1, deno_default, getDocumentLoader, getTypeId } from "./type-D50ufokc.js";
+import { fetchKey, validateCryptoKey } from "./key-DbX-_KvI.js";
 import { getLogger } from "@logtape/logtape";
 import { SpanStatusCode, trace } from "@opentelemetry/api";
 import { decodeBase64, encodeBase64 } from "byte-encodings/base64";
@@ -182,7 +182,7 @@ async function verifySignature(jsonLd, options = {}) {
 	const encoder = new TextEncoder();
 	const message = sigOptsHash + docHash;
 	const messageBytes = encoder.encode(message);
-	const verified = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, signature, messageBytes);
+	const verified = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, signature.slice(), messageBytes);
 	if (verified) return key;
 	if (cached) {
 		logger.debug("Failed to verify with the cached key {keyId}; signature {signatureValue} is invalid.  Retrying with the freshly fetched key...", {
@@ -197,7 +197,7 @@ async function verifySignature(jsonLd, options = {}) {
 			}
 		});
 		if (key$1 == null) return null;
-		const verified$1 = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key$1.publicKey, signature, messageBytes);
+		const verified$1 = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key$1.publicKey, signature.slice(), messageBytes);
 		return verified$1 ? key$1 : null;
 	}
 	logger.debug("Failed to verify with the fetched key {keyId}; signature {signatureValue} is invalid.  Check if the key is correct or if the signed message is correct.  The message to sign is:\n{message}", {

package/dist/{lookup-oZxe6kZr.js → lookup-DNGo5BR6.js}

@@ -3,7 +3,7 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { Object as Object$1, deno_default, getDocumentLoader, getTypeId, lookupWebFinger } from "./type-OboVsUha.js";
+import { Object as Object$1, deno_default, getDocumentLoader, getTypeId, lookupWebFinger } from "./type-D50ufokc.js";
 import { cloneDeep, delay } from "es-toolkit";
 import { getLogger } from "@logtape/logtape";
 import { SpanStatusCode, trace } from "@opentelemetry/api";
@@ -240,14 +240,13 @@ async function lookupObject(identifier, options = {}) {
 async function lookupObjectInternal(identifier, options = {}) {
 	const documentLoader = options.documentLoader ?? getDocumentLoader({ userAgent: options.userAgent });
 	if (typeof identifier === "string") identifier = toAcctUrl(identifier) ?? new URL(identifier);
-	let document = null;
+	let remoteDoc = null;
 	if (identifier.protocol === "http:" || identifier.protocol === "https:") try {
-		const remoteDoc = await documentLoader(identifier.href, { signal: options.signal });
-		document = remoteDoc.document;
+		remoteDoc = await documentLoader(identifier.href, { signal: options.signal });
 	} catch (error) {
 		logger.debug("Failed to fetch remote document:\n{error}", { error });
 	}
-	if (document == null) {
+	if (remoteDoc == null) {
 		const jrd = await lookupWebFinger(identifier, {
 			userAgent: options.userAgent,
 			tracerProvider: options.tracerProvider,
@@ -258,8 +257,7 @@ async function lookupObjectInternal(identifier, options = {}) {
 		for (const l of jrd.links) {
 			if (l.type !== "application/activity+json" && !l.type?.match(/application\/ld\+json;\s*profile="https:\/\/www.w3.org\/ns\/activitystreams"/) || l.rel !== "self" || l.href == null) continue;
 			try {
-				const remoteDoc = await documentLoader(l.href, { signal: options.signal });
-				document = remoteDoc.document;
+				remoteDoc = await documentLoader(l.href, { signal: options.signal });
 				break;
 			} catch (error) {
 				logger.debug("Failed to fetch remote document:\n{error}", { error });
@@ -267,23 +265,34 @@ async function lookupObjectInternal(identifier, options = {}) {
 			}
 		}
 	}
-	if (document == null) return null;
+	if (remoteDoc == null) return null;
+	let object;
 	try {
-		return await Object$1.fromJsonLd(document, {
+		object = await Object$1.fromJsonLd(remoteDoc.document, {
 			documentLoader,
 			contextLoader: options.contextLoader,
-			tracerProvider: options.tracerProvider
+			tracerProvider: options.tracerProvider,
+			baseUrl: new URL(remoteDoc.documentUrl)
 		});
 	} catch (error) {
 		if (error instanceof TypeError) {
 			logger.debug("Failed to parse JSON-LD document: {error}\n{document}", {
-				error,
-				document
+				...remoteDoc,
+				error
 			});
 			return null;
 		}
 		throw error;
 	}
+	if (options.crossOrigin !== "trust" && object.id != null && object.id.origin !== new URL(remoteDoc.documentUrl).origin) {
+		if (options.crossOrigin === "throw") throw new Error(`The object's @id (${object.id.href}) has a different origin than the document URL (${remoteDoc.documentUrl}); refusing to return the object.  If you want to bypass this check and are aware of the security implications, set the crossOrigin option to "trust".`);
+		logger.warn("The object's @id ({objectId}) has a different origin than the document URL ({documentUrl}); refusing to return the object.  If you want to bypass this check and are aware of the security implications, set the crossOrigin option to \"trust\".", {
+			...remoteDoc,
+			objectId: object.id.href
+		});
+		return null;
+	}
+	return object;
 }
 /**
 * Traverses a collection, yielding each item in the collection.