@fedify/fedify 2.0.7 → 2.0.9

package/dist/{http-CQ7TiYUI.cjs → http-DKBDoudA.cjs}

@@ -1,131 +1,17 @@
-
-          const { Temporal } = require("@js-temporal/polyfill");
-          const { URLPattern } = require("urlpattern-polyfill");
-        
-const require_chunk = require('./chunk-CGaQZ11T.cjs');
-const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
-const __fedify_vocab = require_chunk.__toESM(require("@fedify/vocab"));
-const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));
-const byte_encodings_hex = require_chunk.__toESM(require("byte-encodings/hex"));
-const __opentelemetry_semantic_conventions = require_chunk.__toESM(require("@opentelemetry/semantic-conventions"));
-const byte_encodings_base64 = require_chunk.__toESM(require("byte-encodings/base64"));
-const structured_field_values = require_chunk.__toESM(require("structured-field-values"));
-const __fedify_vocab_runtime = require_chunk.__toESM(require("@fedify/vocab-runtime"));
-
+const { Temporal } = require("@js-temporal/polyfill");
+const { URLPattern } = require("urlpattern-polyfill");
+require("./chunk-DDcVe30Y.cjs");
+let _logtape_logtape = require("@logtape/logtape");
+let _fedify_vocab = require("@fedify/vocab");
+let _opentelemetry_api = require("@opentelemetry/api");
+let byte_encodings_hex = require("byte-encodings/hex");
+let _fedify_vocab_runtime = require("@fedify/vocab-runtime");
+let _opentelemetry_semantic_conventions = require("@opentelemetry/semantic-conventions");
+let byte_encodings_base64 = require("byte-encodings/base64");
+let structured_field_values = require("structured-field-values");
 //#region deno.json
 var name = "@fedify/fedify";
-var version = "2.0.7";
-var license = "MIT";
-var exports$1 = {
-	".": "./src/mod.ts",
-	"./compat": "./src/compat/mod.ts",
-	"./federation": "./src/federation/mod.ts",
-	"./nodeinfo": "./src/nodeinfo/mod.ts",
-	"./otel": "./src/otel/mod.ts",
-	"./runtime": "./src/runtime/mod.ts",
-	"./sig": "./src/sig/mod.ts",
-	"./utils": "./src/utils/mod.ts",
-	"./vocab": "./src/vocab/mod.ts"
-};
-var imports = {
-	"@multiformats/base-x": "npm:@multiformats/base-x@^4.0.1",
-	"@std/assert": "jsr:@std/assert@^0.226.0",
-	"@std/url": "jsr:@std/url@^0.225.1",
-	"asn1js": "npm:asn1js@^3.0.7",
-	"fast-check": "npm:fast-check@^3.22.0",
-	"fetch-mock": "npm:fetch-mock@^12.5.2",
-	"json-canon": "npm:json-canon@^1.0.1",
-	"jsonld": "npm:jsonld@^9.0.0",
-	"pkijs": "npm:pkijs@^3.3.3",
-	"structured-field-values": "npm:structured-field-values@^2.0.4",
-	"uri-template-router": "npm:uri-template-router@^1.0.0",
-	"url-template": "npm:url-template@^3.1.1"
-};
-var exclude = [
-	".test-report.xml",
-	"apidoc/",
-	"dist/",
-	"node_modules/",
-	"npm/",
-	"pnpm-lock.yaml",
-	"src/cfworkers/dist/",
-	"src/cfworkers/fixtures/",
-	"src/cfworkers/imports.ts",
-	"src/cfworkers/README.md",
-	"src/cfworkers/server.ts",
-	"src/cfworkers/server.js",
-	"src/cfworkers/server.js.map"
-];
-var publish = { "exclude": [
-	"**/*.test.ts",
-	"src/testing/",
-	"tsdown.config.ts",
-	"scripts/",
-	"wrangler.toml"
-] };
-var tasks = {
-	"codegen": "deno task -f @fedify/vocab compile",
-	"cache": {
-		"command": "deno cache src/mod.ts",
-		"dependencies": ["codegen"]
-	},
-	"check": {
-		"command": "deno fmt --check && deno lint && deno check src/**/*.ts",
-		"dependencies": ["codegen"]
-	},
-	"test": {
-		"command": "deno test --check --doc --allow-read --allow-write --allow-env --unstable-kv --trace-leaks --parallel",
-		"dependencies": ["codegen"]
-	},
-	"coverage": "deno task test --clean --coverage && deno coverage --html coverage",
-	"bench": {
-		"command": "deno bench --allow-read --allow-write --allow-net --allow-env --allow-run --unstable-kv",
-		"dependencies": ["codegen"]
-	},
-	"apidoc": {
-		"command": "deno doc --html --name=Fedify --output=apidoc/ src/mod.ts",
-		"dependencies": ["codegen"]
-	},
-	"publish": {
-		"command": "deno publish",
-		"dependencies": ["codegen"]
-	},
-	"pnpm:install": "pnpm install --silent",
-	"pnpm:build": {
-		"command": "pnpm exec tsdown",
-		"dependencies": ["pnpm:build-vocab"]
-	},
-	"test:node": {
-		"command": "cd dist/ && node --test",
-		"dependencies": ["pnpm:build"]
-	},
-	"test:bun": {
-		"command": "cd dist/ && bun test --timeout 60000",
-		"dependencies": ["pnpm:build"]
-	},
-	"test:cfworkers": {
-		"command": "pnpm exec wrangler deploy --dry-run --outdir src/cfworkers && node --import=tsx src/cfworkers/client.ts",
-		"dependencies": ["pnpm:build"]
-	},
-	"test-all": { "dependencies": [
-		"check",
-		"test",
-		"test:node",
-		"test:bun",
-		"test:cfworkers"
-	] }
-};
-var deno_default = {
-	name,
-	version,
-	license,
-	exports: exports$1,
-	imports,
-	exclude,
-	publish,
-	tasks
-};
-
+var version = "2.0.9";
 //#endregion
 //#region src/sig/key.ts
 /**
@@ -141,8 +27,7 @@ function validateCryptoKey(key, type) {
 	if (!key.extractable) throw new TypeError("The key is not extractable.");
 	if (key.algorithm.name !== "RSASSA-PKCS1-v1_5" && key.algorithm.name !== "Ed25519") throw new TypeError("Currently only RSASSA-PKCS1-v1_5 and Ed25519 keys are supported.  More algorithms will be added in the future!");
 	if (key.algorithm.name === "RSASSA-PKCS1-v1_5") {
-		const algorithm = key.algorithm;
-		if (algorithm.hash.name !== "SHA-256") throw new TypeError("For compatibility with the existing Fediverse software (e.g., Mastodon), hash algorithm for RSASSA-PKCS1-v1_5 keys must be SHA-256.");
+		if (key.algorithm.hash.name !== "SHA-256") throw new TypeError("For compatibility with the existing Fediverse software (e.g., Mastodon), hash algorithm for RSASSA-PKCS1-v1_5 keys must be SHA-256.");
 	}
 }
 /**
@@ -153,7 +38,7 @@ function validateCryptoKey(key, type) {
 * @throws {TypeError} If the algorithm is unsupported.
 */
 function generateCryptoKeyPair(algorithm) {
-	if (algorithm == null) (0, __logtape_logtape.getLogger)([
+	if (algorithm == null) (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
 		"key"
@@ -221,11 +106,10 @@ async function importJwk(jwk, type) {
 * @since 1.3.0
 */
 function fetchKey(keyId, cls, options = {}) {
-	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
+	const tracer = (options.tracerProvider ?? _opentelemetry_api.trace.getTracerProvider()).getTracer(name, version);
 	keyId = typeof keyId === "string" ? new URL(keyId) : keyId;
 	return tracer.startActiveSpan("activitypub.fetch_key", {
-		kind: __opentelemetry_api.SpanKind.CLIENT,
+		kind: _opentelemetry_api.SpanKind.CLIENT,
 		attributes: {
 			"http.method": "GET",
 			"url.full": keyId.href,
@@ -242,7 +126,7 @@ function fetchKey(keyId, cls, options = {}) {
 			return result;
 		} catch (e) {
 			span.setStatus({
-				code: __opentelemetry_api.SpanStatusCode.ERROR,
+				code: _opentelemetry_api.SpanStatusCode.ERROR,
 				message: String(e)
 			});
 			throw e;
@@ -252,7 +136,7 @@ function fetchKey(keyId, cls, options = {}) {
 	});
 }
 async function fetchKeyInternal(keyId, cls, { documentLoader, contextLoader, keyCache, tracerProvider } = {}) {
-	const logger = (0, __logtape_logtape.getLogger)([
+	const logger = (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
 		"key"
@@ -278,8 +162,7 @@ async function fetchKeyInternal(keyId, cls, { documentLoader, contextLoader, key
 	logger.debug("Fetching key {keyId} to verify signature...", { keyId });
 	let document;
 	try {
-		const remoteDocument = await (documentLoader ?? (0, __fedify_vocab_runtime.getDocumentLoader)())(keyId);
-		document = remoteDocument.document;
+		document = (await (documentLoader ?? (0, _fedify_vocab_runtime.getDocumentLoader)())(keyId)).document;
 	} catch (_) {
 		logger.debug("Failed to fetch key {keyId}.", { keyId });
 		await keyCache?.set(cacheKey, null);
@@ -290,7 +173,7 @@ async function fetchKeyInternal(keyId, cls, { documentLoader, contextLoader, key
 	}
 	let object;
 	try {
-		object = await __fedify_vocab.Object.fromJsonLd(document, {
+		object = await _fedify_vocab.Object.fromJsonLd(document, {
 			documentLoader,
 			contextLoader,
 			tracerProvider
@@ -303,8 +186,8 @@ async function fetchKeyInternal(keyId, cls, { documentLoader, contextLoader, key
 				contextLoader,
 				tracerProvider
 			});
-		} catch (e$1) {
-			if (e$1 instanceof TypeError) {
+		} catch (e) {
+			if (e instanceof TypeError) {
 				logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
 				await keyCache?.set(cacheKey, null);
 				return {
@@ -312,13 +195,13 @@ async function fetchKeyInternal(keyId, cls, { documentLoader, contextLoader, key
 					cached: false
 				};
 			}
-			throw e$1;
+			throw e;
 		}
 	}
 	let key = null;
 	if (object instanceof cls) key = object;
-	else if ((0, __fedify_vocab.isActor)(object)) {
-		const keys = cls === __fedify_vocab.CryptographicKey ? object.getPublicKeys({
+	else if ((0, _fedify_vocab.isActor)(object)) {
+		const keys = cls === _fedify_vocab.CryptographicKey ? object.getPublicKeys({
 			documentLoader,
 			contextLoader,
 			tracerProvider
@@ -375,9 +258,9 @@ async function fetchKeyInternal(keyId, cls, { documentLoader, contextLoader, key
 		cached: false
 	};
 }
-
 //#endregion
 //#region src/sig/http.ts
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Signs a request using the given private key.
 * @param request The request to sign.
@@ -389,24 +272,22 @@ async function fetchKeyInternal(keyId, cls, { documentLoader, contextLoader, key
 */
 async function signRequest(request, privateKey, keyId, options = {}) {
 	validateCryptoKey(privateKey, "private");
-	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	return await tracer.startActiveSpan("http_signatures.sign", async (span) => {
+	return await (options.tracerProvider ?? _opentelemetry_api.trace.getTracerProvider()).getTracer(name, version).startActiveSpan("http_signatures.sign", async (span) => {
 		try {
 			const spec = options.spec ?? "draft-cavage-http-signatures-12";
 			let signed;
 			if (spec === "rfc9421") signed = await signRequestRfc9421(request, privateKey, keyId, span, options.currentTime, options.body);
 			else signed = await signRequestDraft(request, privateKey, keyId, span, options.currentTime, options.body);
 			if (span.isRecording()) {
-				span.setAttribute(__opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_METHOD, signed.method);
-				span.setAttribute(__opentelemetry_semantic_conventions.ATTR_URL_FULL, signed.url);
-				for (const [name$1, value] of signed.headers) span.setAttribute((0, __opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_HEADER)(name$1), value);
+				span.setAttribute(_opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_METHOD, signed.method);
+				span.setAttribute(_opentelemetry_semantic_conventions.ATTR_URL_FULL, signed.url);
+				for (const [name, value] of signed.headers) span.setAttribute((0, _opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_HEADER)(name), value);
 				span.setAttribute("http_signatures.key_id", keyId.href);
 			}
 			return signed;
 		} catch (error) {
 			span.setStatus({
-				code: __opentelemetry_api.SpanStatusCode.ERROR,
+				code: _opentelemetry_api.SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
@@ -428,8 +309,8 @@ async function signRequestDraft(request, privateKey, keyId, span, currentTime, b
 	}
 	if (!headers.has("Date")) headers.set("Date", currentTime == null ? (/* @__PURE__ */ new Date()).toUTCString() : new Date(currentTime.toString()).toUTCString());
 	const serialized = [["(request-target)", `${request.method.toLowerCase()} ${url.pathname}`], ...headers];
-	const headerNames = serialized.map(([name$1]) => name$1);
-	const message = serialized.map(([name$1, value]) => `${name$1}: ${value.trim()}`).join("\n");
+	const headerNames = serialized.map(([name]) => name);
+	const message = serialized.map(([name, value]) => `${name}: ${value.trim()}`).join("\n");
 	const signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", privateKey, new TextEncoder().encode(message));
 	const sigHeader = `keyId="${keyId.href}",algorithm="rsa-sha256",headers="${headerNames.join(" ")}",signature="${(0, byte_encodings_base64.encodeBase64)(signature)}"`;
 	headers.set("Signature", sigHeader);
@@ -486,9 +367,7 @@ function createRfc9421SignatureBase(request, components, parameters) {
 * @returns The formatted signature string.
 */
 function formatRfc9421Signature(signature, components, parameters) {
-	const signatureInputValue = `sig1=("${components.join("\" \"")}");${parameters}`;
-	const signatureValue = `sig1=:${(0, byte_encodings_base64.encodeBase64)(signature)}:`;
-	return [signatureInputValue, signatureValue];
+	return [`sig1=("${components.join("\" \"")}");${parameters}`, `sig1=:${(0, byte_encodings_base64.encodeBase64)(signature)}:`];
 }
 /**
 * Parse RFC 9421 Signature-Input header.
@@ -500,7 +379,7 @@ function parseRfc9421SignatureInput(signatureInput) {
 	try {
 		dict = (0, structured_field_values.decodeDict)(signatureInput);
 	} catch (error) {
-		(0, __logtape_logtape.getLogger)([
+		(0, _logtape_logtape.getLogger)([
 			"fedify",
 			"sig",
 			"http"
@@ -535,7 +414,7 @@ function parseRfc9421Signature(signature) {
 	try {
 		dict = (0, structured_field_values.decodeDict)(signature);
 	} catch (error) {
-		(0, __logtape_logtape.getLogger)([
+		(0, _logtape_logtape.getLogger)([
 			"fedify",
 			"sig",
 			"http"
@@ -618,13 +497,11 @@ const supportedHashAlgorithms = {
 *          could not be verified.
 */
 async function verifyRequest(request, options = {}) {
-	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	return await tracer.startActiveSpan("http_signatures.verify", async (span) => {
+	return await (options.tracerProvider ?? _opentelemetry_api.trace.getTracerProvider()).getTracer(name, version).startActiveSpan("http_signatures.verify", async (span) => {
 		if (span.isRecording()) {
-			span.setAttribute(__opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_METHOD, request.method);
-			span.setAttribute(__opentelemetry_semantic_conventions.ATTR_URL_FULL, request.url);
-			for (const [name$1, value] of request.headers) span.setAttribute((0, __opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_HEADER)(name$1), value);
+			span.setAttribute(_opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_METHOD, request.method);
+			span.setAttribute(_opentelemetry_semantic_conventions.ATTR_URL_FULL, request.url);
+			for (const [name, value] of request.headers) span.setAttribute((0, _opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_HEADER)(name), value);
 		}
 		try {
 			let spec = options.spec;
@@ -632,11 +509,11 @@ async function verifyRequest(request, options = {}) {
 			let key;
 			if (spec === "rfc9421") key = await verifyRequestRfc9421(request, span, options);
 			else key = await verifyRequestDraft(request, span, options);
-			if (key == null) span.setStatus({ code: __opentelemetry_api.SpanStatusCode.ERROR });
+			if (key == null) span.setStatus({ code: _opentelemetry_api.SpanStatusCode.ERROR });
 			return key;
 		} catch (error) {
 			span.setStatus({
-				code: __opentelemetry_api.SpanStatusCode.ERROR,
+				code: _opentelemetry_api.SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
@@ -646,7 +523,7 @@ async function verifyRequest(request, options = {}) {
 	});
 }
 async function verifyRequestDraft(request, span, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, tracerProvider } = {}) {
-	const logger = (0, __logtape_logtape.getLogger)([
+	const logger = (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
 		"http"
@@ -791,7 +668,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 	const { keyId, headers, signature } = sigValues;
 	span?.setAttribute("http_signatures.key_id", keyId);
 	if ("algorithm" in sigValues) span?.setAttribute("http_signatures.algorithm", sigValues.algorithm);
-	const { key, cached } = await fetchKey(new URL(keyId), __fedify_vocab.CryptographicKey, {
+	const { key, cached } = await fetchKey(new URL(keyId), _fedify_vocab.CryptographicKey, {
 		documentLoader,
 		contextLoader,
 		keyCache,
@@ -807,11 +684,10 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 		logger.debug("Failed to verify; required headers missing in the Signature header: {headers}.", { headers });
 		return null;
 	}
-	const message = headerNames.map((name$1) => `${name$1}: ` + (name$1 === "(request-target)" ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}` : name$1 === "(created)" ? sigValues.created ?? "" : name$1 === "(expires)" ? sigValues.expires ?? "" : name$1 === "host" ? request.headers.get("host") ?? new URL(request.url).host : request.headers.get(name$1))).join("\n");
+	const message = headerNames.map((name) => `${name}: ` + (name === "(request-target)" ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}` : name === "(created)" ? sigValues.created ?? "" : name === "(expires)" ? sigValues.expires ?? "" : name === "host" ? request.headers.get("host") ?? new URL(request.url).host : request.headers.get(name))).join("\n");
 	const sig = (0, byte_encodings_base64.decodeBase64)(signature);
 	span?.setAttribute("http_signatures.signature", (0, byte_encodings_hex.encodeHex)(sig));
-	const verified = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, sig, new TextEncoder().encode(message));
-	if (!verified) {
+	if (!await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, sig, new TextEncoder().encode(message))) {
 		if (cached) {
 			logger.debug("Failed to verify with the cached key {keyId}; signature {signature} is invalid.  Retrying with the freshly fetched key...", {
 				keyId,
@@ -825,7 +701,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				currentTime,
 				keyCache: {
 					get: () => Promise.resolve(void 0),
-					set: async (keyId$1, key$1) => await keyCache?.set(keyId$1, key$1)
+					set: async (keyId, key) => await keyCache?.set(keyId, key)
 				}
 			});
 		}
@@ -900,7 +776,7 @@ async function verifyRfc9421ContentDigest(digestHeader, body) {
 	return false;
 }
 async function verifyRequestRfc9421(request, span, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, tracerProvider } = {}) {
-	const logger = (0, __logtape_logtape.getLogger)([
+	const logger = (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
 		"http"
@@ -975,16 +851,14 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				logger.debug("Failed to verify; Content-Digest header required but not found.", { components: sigInput.components });
 				continue;
 			}
-			const body = await request.arrayBuffer();
-			const digestValid = await verifyRfc9421ContentDigest(contentDigestHeader, body);
-			if (!digestValid) {
+			if (!await verifyRfc9421ContentDigest(contentDigestHeader, await request.arrayBuffer())) {
 				logger.debug("Failed to verify; Content-Digest verification failed.", { contentDigest: contentDigestHeader });
 				continue;
 			}
 		}
 		span?.setAttribute("http_signatures.key_id", sigInput.keyId);
 		span?.setAttribute("http_signatures.created", sigInput.created.toString());
-		const { key, cached } = await fetchKey(new URL(sigInput.keyId), __fedify_vocab.CryptographicKey, {
+		const { key, cached } = await fetchKey(new URL(sigInput.keyId), _fedify_vocab.CryptographicKey, {
 			documentLoader,
 			contextLoader,
 			keyCache,
@@ -1023,8 +897,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 		const signatureBaseBytes = new TextEncoder().encode(signatureBase);
 		span?.setAttribute("http_signatures.signature", (0, byte_encodings_hex.encodeHex)(sigBytes));
 		try {
-			const verified = await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes);
-			if (verified) {
+			if (await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes)) {
 				validKey = key;
 				break;
 			} else if (cached) {
@@ -1036,7 +909,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 					currentTime,
 					keyCache: {
 						get: () => Promise.resolve(void 0),
-						set: async (keyId, key$1) => await keyCache?.set(keyId, key$1)
+						set: async (keyId, key) => await keyCache?.set(keyId, key)
 					},
 					spec: "rfc9421"
 				});
@@ -1089,7 +962,11 @@ function createRedirectRequest(request, location, body) {
 * @since 1.6.0
 */
 async function doubleKnock(request, identity, options = {}) {
+	return await doubleKnockInternal(request, identity, options);
+}
+async function doubleKnockInternal(request, identity, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 	const { specDeterminer, log, tracerProvider, signal } = options;
+	visited.add(request.url);
 	const origin = new URL(request.url).origin;
 	const firstTrySpec = specDeterminer == null ? "rfc9421" : await specDeterminer.determineSpec(origin);
 	const body = options.body !== void 0 ? options.body : request.method !== "GET" && request.method !== "HEAD" ? await request.clone().arrayBuffer() : null;
@@ -1104,14 +981,16 @@ async function doubleKnock(request, identity, options = {}) {
 		signal
 	});
 	if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-		const location = response.headers.get("Location");
-		return doubleKnock(createRedirectRequest(request, location, body), identity, {
+		if (redirected >= DEFAULT_MAX_REDIRECTION) throw new _fedify_vocab_runtime.FetchError(request.url, `Too many redirections (${redirected + 1})`);
+		const redirectRequest = createRedirectRequest(request, response.headers.get("Location"), body);
+		if (visited.has(redirectRequest.url)) throw new _fedify_vocab_runtime.FetchError(request.url, `Redirect loop detected: ${redirectRequest.url}`);
+		return doubleKnockInternal(redirectRequest, identity, {
 			...options,
 			body
-		});
+		}, redirected + 1, visited);
 	} else if (response.status === 400 || response.status === 401 || response.status > 401) {
 		const spec = firstTrySpec === "draft-cavage-http-signatures-12" ? "rfc9421" : "draft-cavage-http-signatures-12";
-		(0, __logtape_logtape.getLogger)([
+		(0, _logtape_logtape.getLogger)([
 			"fedify",
 			"sig",
 			"http"
@@ -1132,11 +1011,13 @@ async function doubleKnock(request, identity, options = {}) {
 			signal
 		});
 		if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-			const location = response.headers.get("Location");
-			return doubleKnock(createRedirectRequest(request, location, body), identity, {
+			if (redirected >= DEFAULT_MAX_REDIRECTION) throw new _fedify_vocab_runtime.FetchError(request.url, `Too many redirections (${redirected + 1})`);
+			const redirectRequest = createRedirectRequest(request, response.headers.get("Location"), body);
+			if (visited.has(redirectRequest.url)) throw new _fedify_vocab_runtime.FetchError(request.url, `Redirect loop detected: ${redirectRequest.url}`);
+			return doubleKnockInternal(redirectRequest, identity, {
 				...options,
 				body
-			});
+			}, redirected + 1, visited);
 		} else if (response.status !== 400 && response.status !== 401) await specDeterminer?.rememberSpec(origin, spec);
 	} else await specDeterminer?.rememberSpec(origin, firstTrySpec);
 	return response;
@@ -1168,59 +1049,64 @@ function timingSafeEqual(a, b) {
 	result |= lenA ^ lenB;
 	return result === 0;
 }
-
 //#endregion
-Object.defineProperty(exports, 'deno_default', {
-  enumerable: true,
-  get: function () {
-    return deno_default;
-  }
+Object.defineProperty(exports, "doubleKnock", {
+	enumerable: true,
+	get: function() {
+		return doubleKnock;
+	}
 });
-Object.defineProperty(exports, 'doubleKnock', {
-  enumerable: true,
-  get: function () {
-    return doubleKnock;
-  }
+Object.defineProperty(exports, "exportJwk", {
+	enumerable: true,
+	get: function() {
+		return exportJwk;
+	}
 });
-Object.defineProperty(exports, 'exportJwk', {
-  enumerable: true,
-  get: function () {
-    return exportJwk;
-  }
+Object.defineProperty(exports, "fetchKey", {
+	enumerable: true,
+	get: function() {
+		return fetchKey;
+	}
 });
-Object.defineProperty(exports, 'fetchKey', {
-  enumerable: true,
-  get: function () {
-    return fetchKey;
-  }
+Object.defineProperty(exports, "generateCryptoKeyPair", {
+	enumerable: true,
+	get: function() {
+		return generateCryptoKeyPair;
+	}
 });
-Object.defineProperty(exports, 'generateCryptoKeyPair', {
-  enumerable: true,
-  get: function () {
-    return generateCryptoKeyPair;
-  }
+Object.defineProperty(exports, "importJwk", {
+	enumerable: true,
+	get: function() {
+		return importJwk;
+	}
 });
-Object.defineProperty(exports, 'importJwk', {
-  enumerable: true,
-  get: function () {
-    return importJwk;
-  }
+Object.defineProperty(exports, "name", {
+	enumerable: true,
+	get: function() {
+		return name;
+	}
+});
+Object.defineProperty(exports, "signRequest", {
+	enumerable: true,
+	get: function() {
+		return signRequest;
+	}
 });
-Object.defineProperty(exports, 'signRequest', {
-  enumerable: true,
-  get: function () {
-    return signRequest;
-  }
+Object.defineProperty(exports, "validateCryptoKey", {
+	enumerable: true,
+	get: function() {
+		return validateCryptoKey;
+	}
 });
-Object.defineProperty(exports, 'validateCryptoKey', {
-  enumerable: true,
-  get: function () {
-    return validateCryptoKey;
-  }
+Object.defineProperty(exports, "verifyRequest", {
+	enumerable: true,
+	get: function() {
+		return verifyRequest;
+	}
+});
+Object.defineProperty(exports, "version", {
+	enumerable: true,
+	get: function() {
+		return version;
+	}
 });
-Object.defineProperty(exports, 'verifyRequest', {
-  enumerable: true,
-  get: function () {
-    return verifyRequest;
-  }
-});