@fedify/fedify 2.1.0-dev.503 → 2.1.0-dev.513

package/dist/otel/mod.cjs

@@ -127,11 +127,17 @@ var FedifySpanExporter = class {
 		const verified = attrs["activitypub.activity.verified"];
 		const httpSigVerified = attrs["http_signatures.verified"];
 		const httpSigKeyId = attrs["http_signatures.key_id"];
+		const httpSigFailureReason = attrs["http_signatures.failure_reason"];
+		const httpSigKeyFetchStatus = attrs["http_signatures.key_fetch_status"];
+		const httpSigKeyFetchError = attrs["http_signatures.key_fetch_error"];
 		const ldSigVerified = attrs["ld_signatures.verified"];
 		let signatureDetails;
-		if (typeof httpSigVerified === "boolean" || typeof ldSigVerified === "boolean") signatureDetails = {
+		if (typeof httpSigVerified === "boolean" || typeof ldSigVerified === "boolean" || typeof httpSigFailureReason === "string") signatureDetails = {
 			httpSignaturesVerified: httpSigVerified === true,
 			httpSignaturesKeyId: typeof httpSigKeyId === "string" && httpSigKeyId !== "" ? httpSigKeyId : void 0,
+			httpSignaturesFailureReason: typeof httpSigFailureReason === "string" && httpSigFailureReason !== "" ? httpSigFailureReason : void 0,
+			httpSignaturesKeyFetchStatus: typeof httpSigKeyFetchStatus === "number" ? httpSigKeyFetchStatus : void 0,
+			httpSignaturesKeyFetchError: typeof httpSigKeyFetchError === "string" && httpSigKeyFetchError !== "" ? httpSigKeyFetchError : void 0,
 			ldSignaturesVerified: ldSigVerified === true
 		};
 		return {

package/dist/otel/mod.d.cts

@@ -24,6 +24,18 @@ interface SignatureVerificationDetails {
   */
   readonly httpSignaturesKeyId?: string;
   /**
+  * The reason why HTTP signature verification failed, if available.
+  */
+  readonly httpSignaturesFailureReason?: string;
+  /**
+  * The HTTP status code from a failed key fetch, if available.
+  */
+  readonly httpSignaturesKeyFetchStatus?: number;
+  /**
+  * The error type from a non-HTTP key fetch failure, if available.
+  */
+  readonly httpSignaturesKeyFetchError?: string;
+  /**
   * Whether Linked Data Signatures were verified.
   */
   readonly ldSignaturesVerified: boolean;

package/dist/otel/mod.d.ts

@@ -26,6 +26,18 @@ interface SignatureVerificationDetails {
   */
   readonly httpSignaturesKeyId?: string;
   /**
+  * The reason why HTTP signature verification failed, if available.
+  */
+  readonly httpSignaturesFailureReason?: string;
+  /**
+  * The HTTP status code from a failed key fetch, if available.
+  */
+  readonly httpSignaturesKeyFetchStatus?: number;
+  /**
+  * The error type from a non-HTTP key fetch failure, if available.
+  */
+  readonly httpSignaturesKeyFetchError?: string;
+  /**
   * Whether Linked Data Signatures were verified.
   */
   readonly ldSignaturesVerified: boolean;

package/dist/otel/mod.js

@@ -126,11 +126,17 @@ var FedifySpanExporter = class {
 		const verified = attrs["activitypub.activity.verified"];
 		const httpSigVerified = attrs["http_signatures.verified"];
 		const httpSigKeyId = attrs["http_signatures.key_id"];
+		const httpSigFailureReason = attrs["http_signatures.failure_reason"];
+		const httpSigKeyFetchStatus = attrs["http_signatures.key_fetch_status"];
+		const httpSigKeyFetchError = attrs["http_signatures.key_fetch_error"];
 		const ldSigVerified = attrs["ld_signatures.verified"];
 		let signatureDetails;
-		if (typeof httpSigVerified === "boolean" || typeof ldSigVerified === "boolean") signatureDetails = {
+		if (typeof httpSigVerified === "boolean" || typeof ldSigVerified === "boolean" || typeof httpSigFailureReason === "string") signatureDetails = {
 			httpSignaturesVerified: httpSigVerified === true,
 			httpSignaturesKeyId: typeof httpSigKeyId === "string" && httpSigKeyId !== "" ? httpSigKeyId : void 0,
+			httpSignaturesFailureReason: typeof httpSigFailureReason === "string" && httpSigFailureReason !== "" ? httpSigFailureReason : void 0,
+			httpSignaturesKeyFetchStatus: typeof httpSigKeyFetchStatus === "number" ? httpSigKeyFetchStatus : void 0,
+			httpSignaturesKeyFetchError: typeof httpSigKeyFetchError === "string" && httpSigKeyFetchError !== "" ? httpSigKeyFetchError : void 0,
 			ldSignaturesVerified: ldSigVerified === true
 		};
 		return {

package/dist/{owner-BAlnLKMO.js → owner-ZjRdCtVA.js}

@@ -3,7 +3,7 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { deno_default } from "./deno-BYerLnry.js";
+import { deno_default } from "./deno-aj03PJW6.js";
 import { CryptographicKey, Object as Object$1, isActor } from "@fedify/vocab";
 import { getDocumentLoader } from "@fedify/vocab-runtime";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";

package/dist/{proof-BgUVmaJz.js → proof-CQfh4S5r.js}

@@ -2,7 +2,7 @@
           import { Temporal } from "@js-temporal/polyfill";
           import { URLPattern } from "urlpattern-polyfill";
         
-import { deno_default, fetchKey, validateCryptoKey } from "./http-CSX1-Mgi.js";
+import { deno_default, fetchKey, validateCryptoKey } from "./http-CoM8qFZV.js";
 import { getLogger } from "@logtape/logtape";
 import { Activity, CryptographicKey, DataIntegrityProof, Multikey, Object as Object$1, getTypeId, isActor } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";

package/dist/{proof-CR5RUAmy.cjs → proof-D2auLGZD.cjs}

@@ -3,7 +3,7 @@
           const { URLPattern } = require("urlpattern-polyfill");
         
 const require_chunk = require('./chunk-CGaQZ11T.cjs');
-const require_http = require('./http-DJT6NciB.cjs');
+const require_http = require('./http-_l2XRk4S.cjs');
 const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
 const __fedify_vocab = require_chunk.__toESM(require("@fedify/vocab"));
 const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));

package/dist/{proof-DMgHaXNJ.js → proof-gmdzyEsv.js}

@@ -3,8 +3,8 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { deno_default } from "./deno-BYerLnry.js";
-import { fetchKey, validateCryptoKey } from "./key-DCdTVZiK.js";
+import { deno_default } from "./deno-aj03PJW6.js";
+import { fetchKey, validateCryptoKey } from "./key-j1AjF3HL.js";
 import { getLogger } from "@logtape/logtape";
 import { Activity, DataIntegrityProof, Multikey, getTypeId } from "@fedify/vocab";
 import { SpanStatusCode, trace } from "@opentelemetry/api";

package/dist/{send-B2aZYf9A.js → send-1lNwij0f.js}

@@ -3,8 +3,8 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { deno_default } from "./deno-BYerLnry.js";
-import { doubleKnock } from "./http-S2U3qDwN.js";
+import { deno_default } from "./deno-aj03PJW6.js";
+import { doubleKnock } from "./http-pa5yLKK7.js";
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 

package/dist/sig/http.test.js

@@ -3,20 +3,20 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { mockDocumentLoader, test } from "../dist-B5f6a8Tt.js";
+import { createTestTracerProvider, mockDocumentLoader, test } from "../dist-B5f6a8Tt.js";
 import { assertEquals } from "../assert_equals-DSbWqCm3.js";
 import { assert } from "../assert-MZs1qjMx.js";
 import "../assert_instance_of-DHz7EHNU.js";
-import "../deno-BYerLnry.js";
-import { exportJwk } from "../key-DCdTVZiK.js";
-import { createRfc9421SignatureBase, doubleKnock, formatRfc9421Signature, formatRfc9421SignatureParameters, parseRfc9421Signature, parseRfc9421SignatureInput, signRequest, timingSafeEqual, verifyRequest } from "../http-S2U3qDwN.js";
+import "../deno-aj03PJW6.js";
+import { exportJwk } from "../key-j1AjF3HL.js";
+import { createRfc9421SignatureBase, doubleKnock, formatRfc9421Signature, formatRfc9421SignatureParameters, parseRfc9421Signature, parseRfc9421SignatureInput, signRequest, timingSafeEqual, verifyRequest, verifyRequestDetailed } from "../http-pa5yLKK7.js";
 import { assertExists, assertStringIncludes } from "../std__assert-DWivtrGR.js";
 import { assertFalse, assertRejects } from "../assert_rejects-Ce45JcFg.js";
 import { assertThrows } from "../assert_throws-BNXdRGWP.js";
 import "../assert_not_equals-C80BG-_5.js";
 import { rsaPrivateKey2, rsaPublicKey1, rsaPublicKey2, rsaPublicKey5 } from "../keys-ZbcByPg9.js";
 import { esm_default } from "../esm-DGl7uK1r.js";
-import { exportSpki } from "@fedify/vocab-runtime";
+import { FetchError, exportSpki } from "@fedify/vocab-runtime";
 import { encodeBase64 } from "byte-encodings/base64";
 
 //#region src/sig/http.test.ts
@@ -162,6 +162,86 @@ test("verifyRequest() [draft-cavage]", async () => {
 	};
 	assert(await verifyRequest(request2, options2) != null);
 });
+test("verifyRequestDetailed() classifies malformed signatures as invalid", async () => {
+	const draftMissingKeyId = await verifyRequestDetailed(new Request("https://example.com/", {
+		method: "POST",
+		headers: {
+			Date: "Tue, 05 Mar 2024 07:49:44 GMT",
+			Digest: "sha-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+			Signature: "headers=\"(request-target) date digest\",signature=\"AAAA\""
+		},
+		body: ""
+	}), {
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader
+	});
+	assertFalse(draftMissingKeyId.verified);
+	assertEquals(draftMissingKeyId.reason.type, "invalidSignature");
+	assertFalse("keyId" in draftMissingKeyId.reason);
+	const draftInvalidKeyId = await verifyRequestDetailed(new Request("https://example.com/", {
+		method: "POST",
+		headers: {
+			Date: "Tue, 05 Mar 2024 07:49:44 GMT",
+			Digest: "sha-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+			Signature: "keyId=\"not a url\",headers=\"(request-target) date digest\",signature=\"AAAA\""
+		},
+		body: ""
+	}), {
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader
+	});
+	assertFalse(draftInvalidKeyId.verified);
+	assertEquals(draftInvalidKeyId.reason.type, "invalidSignature");
+	assertFalse("keyId" in draftInvalidKeyId.reason);
+	const rfcMissingKeyId = await verifyRequestDetailed(new Request("https://example.com/api/resource", {
+		method: "GET",
+		headers: {
+			Host: "example.com",
+			Date: "Tue, 05 Mar 2024 07:49:44 GMT",
+			"Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\");created=1709626184",
+			Signature: "sig1=:AAAA:"
+		}
+	}), {
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader,
+		spec: "rfc9421"
+	});
+	assertFalse(rfcMissingKeyId.verified);
+	assertEquals(rfcMissingKeyId.reason.type, "invalidSignature");
+	assertFalse("keyId" in rfcMissingKeyId.reason);
+});
+test("verifyRequestDetailed() records failure details on span", async () => {
+	const [tracerProvider, exporter] = createTestTracerProvider();
+	const keyId = new URL("https://gone.example/actors/alice#main-key");
+	const request = await signRequest(new Request("https://example.com/inbox", {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/activity+json",
+			accept: "application/ld+json"
+		},
+		body: JSON.stringify({
+			"@context": "https://www.w3.org/ns/activitystreams",
+			type: "Create",
+			actor: "https://gone.example/actors/alice"
+		})
+	}), rsaPrivateKey2, keyId);
+	const result = await verifyRequestDetailed(request, {
+		tracerProvider,
+		contextLoader: mockDocumentLoader,
+		documentLoader(url) {
+			if (url === keyId.href) throw new FetchError(keyId, `HTTP 410: ${keyId.href}`, new Response(null, { status: 410 }));
+			return mockDocumentLoader(url);
+		}
+	});
+	assertFalse(result.verified);
+	const spans = exporter.getSpans("http_signatures.verify");
+	assertEquals(spans.length, 1);
+	const span = spans[0];
+	assertEquals(span.attributes["http_signatures.verified"], false);
+	assertEquals(span.attributes["http_signatures.failure_reason"], "keyFetchError");
+	assertEquals(span.attributes["http_signatures.key_id"], keyId.href);
+	assertEquals(span.attributes["http_signatures.key_fetch_status"], 410);
+});
 test("signRequest() and verifyRequest() [rfc9421] implementation", async () => {
 	const currentTimestamp = 1709626184;
 	const currentTime = Temporal.Instant.from("2024-03-05T08:09:44Z");

package/dist/sig/key.test.js

@@ -3,18 +3,19 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { mockDocumentLoader, test } from "../dist-B5f6a8Tt.js";
+import { createTestTracerProvider, mockDocumentLoader, test } from "../dist-B5f6a8Tt.js";
 import { assertEquals } from "../assert_equals-DSbWqCm3.js";
 import "../assert-MZs1qjMx.js";
 import "../assert_instance_of-DHz7EHNU.js";
-import "../deno-BYerLnry.js";
-import { exportJwk, fetchKey, generateCryptoKeyPair, importJwk, validateCryptoKey } from "../key-DCdTVZiK.js";
+import "../deno-aj03PJW6.js";
+import { exportJwk, fetchKey, fetchKeyDetailed, generateCryptoKeyPair, importJwk, validateCryptoKey } from "../key-j1AjF3HL.js";
 import "../std__assert-DWivtrGR.js";
 import { assertRejects } from "../assert_rejects-Ce45JcFg.js";
 import { assertThrows } from "../assert_throws-BNXdRGWP.js";
 import "../assert_not_equals-C80BG-_5.js";
 import { ed25519Multikey, rsaPrivateKey2, rsaPublicKey1, rsaPublicKey2, rsaPublicKey3 } from "../keys-ZbcByPg9.js";
 import { CryptographicKey, Multikey } from "@fedify/vocab";
+import { FetchError } from "@fedify/vocab-runtime";
 
 //#region src/sig/key.test.ts
 test("validateCryptoKey()", async () => {
@@ -243,5 +244,71 @@ test("fetchKey()", async () => {
 		cached: false
 	});
 });
+test("fetchKeyDetailed()", async () => {
+	const cache = { "https://example.com/nothing": null };
+	let documentLoaderCalls = 0;
+	const [tracerProvider, exporter] = createTestTracerProvider();
+	const options = {
+		documentLoader(url) {
+			documentLoaderCalls++;
+			return mockDocumentLoader(url);
+		},
+		contextLoader: mockDocumentLoader,
+		tracerProvider,
+		keyCache: {
+			get(keyId) {
+				return Promise.resolve(cache[keyId.href]);
+			},
+			set(keyId, key) {
+				cache[keyId.href] = key;
+				return Promise.resolve();
+			}
+		}
+	};
+	assertEquals(await fetchKeyDetailed("https://example.com/nothing", CryptographicKey, options), {
+		key: null,
+		cached: true
+	});
+	assertEquals(documentLoaderCalls, 0);
+	assertEquals(await fetchKeyDetailed("https://example.com/key", CryptographicKey, options), {
+		key: rsaPublicKey1,
+		cached: false
+	});
+	assertEquals(documentLoaderCalls, 1);
+	const spans = exporter.getSpans("activitypub.fetch_key");
+	assertEquals(spans.length, 2);
+	assertEquals(spans[0].attributes["activitypub.actor.key.cached"], true);
+	assertEquals(spans[1].attributes["activitypub.actor.key.cached"], false);
+});
+test("fetchKeyDetailed() returns detailed fetch errors", async () => {
+	const goneKeyId = new URL("https://example.com/gone-key");
+	const goneResult = await fetchKeyDetailed(goneKeyId, CryptographicKey, {
+		documentLoader(url) {
+			if (url === goneKeyId.href) throw new FetchError(goneKeyId, `HTTP 410: ${goneKeyId.href}`, new Response(null, { status: 410 }));
+			return mockDocumentLoader(url);
+		},
+		contextLoader: mockDocumentLoader
+	});
+	assertEquals(goneResult.key, null);
+	assertEquals(goneResult.cached, false);
+	const goneError = goneResult.fetchError;
+	assertEquals(goneError != null && "status" in goneError, true);
+	if (goneError == null || !("status" in goneError)) throw new Error("Expected HTTP fetch error details.");
+	assertEquals(goneError.status, 410);
+	assertEquals(goneError.response.status, 410);
+	const failure = /* @__PURE__ */ new TypeError("boom");
+	const errorResult = await fetchKeyDetailed("https://example.com/error-key", CryptographicKey, {
+		documentLoader() {
+			throw failure;
+		},
+		contextLoader: mockDocumentLoader
+	});
+	assertEquals(errorResult.key, null);
+	assertEquals(errorResult.cached, false);
+	const detailedError = errorResult.fetchError;
+	assertEquals(detailedError != null && "error" in detailedError, true);
+	if (detailedError == null || !("error" in detailedError)) throw new Error("Expected non-HTTP fetch error details.");
+	assertEquals(detailedError.error, failure);
+});
 
 //#endregion

package/dist/sig/ld.test.js

@@ -6,9 +6,9 @@
 import { mockDocumentLoader, test } from "../dist-B5f6a8Tt.js";
 import { assertEquals } from "../assert_equals-DSbWqCm3.js";
 import { assert } from "../assert-MZs1qjMx.js";
-import "../deno-BYerLnry.js";
-import { generateCryptoKeyPair } from "../key-DCdTVZiK.js";
-import { attachSignature, createSignature, detachSignature, signJsonLd, verifyJsonLd, verifySignature } from "../ld-CrX7pQda.js";
+import "../deno-aj03PJW6.js";
+import { generateCryptoKeyPair } from "../key-j1AjF3HL.js";
+import { attachSignature, createSignature, detachSignature, signJsonLd, verifyJsonLd, verifySignature } from "../ld-CD48Tb3_.js";
 import { assertFalse, assertRejects } from "../assert_rejects-Ce45JcFg.js";
 import { assertThrows } from "../assert_throws-BNXdRGWP.js";
 import { ed25519Multikey, ed25519PrivateKey, rsaPrivateKey2, rsaPrivateKey3, rsaPublicKey2, rsaPublicKey3 } from "../keys-ZbcByPg9.js";

package/dist/sig/mod.cjs

@@ -2,8 +2,8 @@
           const { Temporal } = require("@js-temporal/polyfill");
           const { URLPattern } = require("urlpattern-polyfill");
         
-const require_http = require('../http-DJT6NciB.cjs');
-const require_proof = require('../proof-CR5RUAmy.cjs');
+const require_http = require('../http-_l2XRk4S.cjs');
+const require_proof = require('../proof-D2auLGZD.cjs');
 require('../sig-vX39WyWI.cjs');
 
 exports.attachSignature = require_proof.attachSignature;
@@ -13,6 +13,7 @@ exports.detachSignature = require_proof.detachSignature;
 exports.doesActorOwnKey = require_proof.doesActorOwnKey;
 exports.exportJwk = require_http.exportJwk;
 exports.fetchKey = require_http.fetchKey;
+exports.fetchKeyDetailed = require_http.fetchKeyDetailed;
 exports.generateCryptoKeyPair = require_http.generateCryptoKeyPair;
 exports.getKeyOwner = require_proof.getKeyOwner;
 exports.importJwk = require_http.importJwk;
@@ -23,4 +24,5 @@ exports.verifyJsonLd = require_proof.verifyJsonLd;
 exports.verifyObject = require_proof.verifyObject;
 exports.verifyProof = require_proof.verifyProof;
 exports.verifyRequest = require_http.verifyRequest;
+exports.verifyRequestDetailed = require_http.verifyRequestDetailed;
 exports.verifySignature = require_proof.verifySignature;

package/dist/sig/mod.d.cts

@@ -1,4 +1,4 @@
-import { FetchKeyOptions, FetchKeyResult, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, SignRequestOptions, VerifyRequestOptions, exportJwk, fetchKey, generateCryptoKeyPair, importJwk, signRequest, verifyRequest } from "../http-Cz3MlXAZ.cjs";
+import { FetchKeyDetailedResult, FetchKeyErrorResult, FetchKeyOptions, FetchKeyResult, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, SignRequestOptions, VerifyRequestDetailedResult, VerifyRequestFailureReason, VerifyRequestOptions, exportJwk, fetchKey, fetchKeyDetailed, generateCryptoKeyPair, importJwk, signRequest, verifyRequest, verifyRequestDetailed } from "../http-DsqqmkXi.cjs";
 import { DoesActorOwnKeyOptions, GetKeyOwnerOptions, doesActorOwnKey, getKeyOwner } from "../owner-1AbPBOOZ.cjs";
-import { CreateProofOptions, CreateSignatureOptions, SignJsonLdOptions, SignObjectOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, signJsonLd, signObject, verifyJsonLd, verifyObject, verifyProof, verifySignature } from "../mod-DPkRU3EK.cjs";
-export { CreateProofOptions, CreateSignatureOptions, DoesActorOwnKeyOptions, FetchKeyOptions, FetchKeyResult, GetKeyOwnerOptions, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, SignJsonLdOptions, SignObjectOptions, SignRequestOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifyRequestOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, exportJwk, fetchKey, generateCryptoKeyPair, getKeyOwner, importJwk, signJsonLd, signObject, signRequest, verifyJsonLd, verifyObject, verifyProof, verifyRequest, verifySignature };
+import { CreateProofOptions, CreateSignatureOptions, SignJsonLdOptions, SignObjectOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, signJsonLd, signObject, verifyJsonLd, verifyObject, verifyProof, verifySignature } from "../mod-CFBU2OT3.cjs";
+export { CreateProofOptions, CreateSignatureOptions, DoesActorOwnKeyOptions, FetchKeyDetailedResult, FetchKeyErrorResult, FetchKeyOptions, FetchKeyResult, GetKeyOwnerOptions, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, SignJsonLdOptions, SignObjectOptions, SignRequestOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifyRequestDetailedResult, VerifyRequestFailureReason, VerifyRequestOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, exportJwk, fetchKey, fetchKeyDetailed, generateCryptoKeyPair, getKeyOwner, importJwk, signJsonLd, signObject, signRequest, verifyJsonLd, verifyObject, verifyProof, verifyRequest, verifyRequestDetailed, verifySignature };

package/dist/sig/mod.d.ts

@@ -1,6 +1,6 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { FetchKeyOptions, FetchKeyResult, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, SignRequestOptions, VerifyRequestOptions, exportJwk, fetchKey, generateCryptoKeyPair, importJwk, signRequest, verifyRequest } from "../http-DkHdFfrc.js";
+import { FetchKeyDetailedResult, FetchKeyErrorResult, FetchKeyOptions, FetchKeyResult, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, SignRequestOptions, VerifyRequestDetailedResult, VerifyRequestFailureReason, VerifyRequestOptions, exportJwk, fetchKey, fetchKeyDetailed, generateCryptoKeyPair, importJwk, signRequest, verifyRequest, verifyRequestDetailed } from "../http-BbfOqHGG.js";
 import { DoesActorOwnKeyOptions, GetKeyOwnerOptions, doesActorOwnKey, getKeyOwner } from "../owner-gd0Q9FuU.js";
-import { CreateProofOptions, CreateSignatureOptions, SignJsonLdOptions, SignObjectOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, signJsonLd, signObject, verifyJsonLd, verifyObject, verifyProof, verifySignature } from "../mod-DUWcVv49.js";
-export { CreateProofOptions, CreateSignatureOptions, DoesActorOwnKeyOptions, FetchKeyOptions, FetchKeyResult, GetKeyOwnerOptions, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, SignJsonLdOptions, SignObjectOptions, SignRequestOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifyRequestOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, exportJwk, fetchKey, generateCryptoKeyPair, getKeyOwner, importJwk, signJsonLd, signObject, signRequest, verifyJsonLd, verifyObject, verifyProof, verifyRequest, verifySignature };
+import { CreateProofOptions, CreateSignatureOptions, SignJsonLdOptions, SignObjectOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, signJsonLd, signObject, verifyJsonLd, verifyObject, verifyProof, verifySignature } from "../mod-CvxylbuV.js";
+export { CreateProofOptions, CreateSignatureOptions, DoesActorOwnKeyOptions, FetchKeyDetailedResult, FetchKeyErrorResult, FetchKeyOptions, FetchKeyResult, GetKeyOwnerOptions, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, SignJsonLdOptions, SignObjectOptions, SignRequestOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifyRequestDetailedResult, VerifyRequestFailureReason, VerifyRequestOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, exportJwk, fetchKey, fetchKeyDetailed, generateCryptoKeyPair, getKeyOwner, importJwk, signJsonLd, signObject, signRequest, verifyJsonLd, verifyObject, verifyProof, verifyRequest, verifyRequestDetailed, verifySignature };

package/dist/sig/mod.js

@@ -2,8 +2,8 @@
           import { Temporal } from "@js-temporal/polyfill";
           import { URLPattern } from "urlpattern-polyfill";
         
-import { exportJwk, fetchKey, generateCryptoKeyPair, importJwk, signRequest, verifyRequest } from "../http-CSX1-Mgi.js";
-import { attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, getKeyOwner, signJsonLd, signObject, verifyJsonLd, verifyObject, verifyProof, verifySignature } from "../proof-BgUVmaJz.js";
+import { exportJwk, fetchKey, fetchKeyDetailed, generateCryptoKeyPair, importJwk, signRequest, verifyRequest, verifyRequestDetailed } from "../http-CoM8qFZV.js";
+import { attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, getKeyOwner, signJsonLd, signObject, verifyJsonLd, verifyObject, verifyProof, verifySignature } from "../proof-CQfh4S5r.js";
 import "../sig-BNhspNOf.js";
 
-export { attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, exportJwk, fetchKey, generateCryptoKeyPair, getKeyOwner, importJwk, signJsonLd, signObject, signRequest, verifyJsonLd, verifyObject, verifyProof, verifyRequest, verifySignature };
+export { attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, exportJwk, fetchKey, fetchKeyDetailed, generateCryptoKeyPair, getKeyOwner, importJwk, signJsonLd, signObject, signRequest, verifyJsonLd, verifyObject, verifyProof, verifyRequest, verifyRequestDetailed, verifySignature };

package/dist/sig/owner.test.js

@@ -7,9 +7,9 @@ import { createTestTracerProvider, mockDocumentLoader, test } from "../dist-B5f6
 import { assertEquals } from "../assert_equals-DSbWqCm3.js";
 import { assert } from "../assert-MZs1qjMx.js";
 import "../assert_instance_of-DHz7EHNU.js";
-import "../deno-BYerLnry.js";
-import "../key-DCdTVZiK.js";
-import { doesActorOwnKey, getKeyOwner } from "../owner-BAlnLKMO.js";
+import "../deno-aj03PJW6.js";
+import "../key-j1AjF3HL.js";
+import { doesActorOwnKey, getKeyOwner } from "../owner-ZjRdCtVA.js";
 import "../std__assert-DWivtrGR.js";
 import { assertFalse } from "../assert_rejects-Ce45JcFg.js";
 import "../assert_throws-BNXdRGWP.js";

package/dist/sig/proof.test.js

@@ -7,9 +7,9 @@ import { mockDocumentLoader, test } from "../dist-B5f6a8Tt.js";
 import { assertEquals } from "../assert_equals-DSbWqCm3.js";
 import "../assert-MZs1qjMx.js";
 import { assertInstanceOf } from "../assert_instance_of-DHz7EHNU.js";
-import "../deno-BYerLnry.js";
-import "../key-DCdTVZiK.js";
-import { createProof, signObject, verifyObject, verifyProof } from "../proof-DMgHaXNJ.js";
+import "../deno-aj03PJW6.js";
+import "../key-j1AjF3HL.js";
+import { createProof, signObject, verifyObject, verifyProof } from "../proof-gmdzyEsv.js";
 import "../std__assert-DWivtrGR.js";
 import { assertRejects } from "../assert_rejects-Ce45JcFg.js";
 import "../assert_throws-BNXdRGWP.js";

package/dist/testing/mod.d.ts

@@ -184,6 +184,24 @@ interface GetNodeInfoOptions {
  *          Otherwise, `undefined` is returned.
  * @since 1.2.0
  */
+
+//#endregion
+//#region src/sig/key.d.ts
+
+/**
+ * Detailed fetch failure information from {@link fetchKeyDetailed}.
+ * @since 2.1.0
+ */
+type FetchKeyErrorResult = {
+  readonly status: number;
+  readonly response: Response;
+} | {
+  readonly error: Error;
+};
+/**
+ * The result of {@link fetchKeyDetailed}.
+ * @since 2.1.0
+ */
 //#endregion
 //#region src/sig/owner.d.ts
 /**
@@ -216,6 +234,28 @@ interface GetKeyOwnerOptions {
  *          owner.
  * @since 0.7.0
  */
+
+//#endregion
+//#region src/sig/http.d.ts
+
+/**
+ * The reason why {@link verifyRequestDetailed} could not verify a request.
+ * @since 2.1.0
+ */
+type VerifyRequestFailureReason = {
+  readonly type: "keyFetchError";
+  readonly keyId: URL;
+  readonly result: FetchKeyErrorResult;
+} | {
+  readonly type: "invalidSignature";
+  readonly keyId?: URL;
+} | {
+  readonly type: "noSignature";
+};
+/**
+ * The detailed result of {@link verifyRequestDetailed}.
+ * @since 2.1.0
+ */
 //#endregion
 //#region src/federation/collection.d.ts
 /**
@@ -406,6 +446,29 @@ type CollectionCursor<TContext extends Context<TContextData>, TContextData, TFil
  * @param activity The activity that was received.
  */
 type InboxListener<TContextData, TActivity extends Activity> = (context: InboxContext<TContextData>, activity: TActivity) => void | Promise<void>;
+/**
+ * The reason why an incoming activity could not be verified.
+ *
+ * Unlike inbox listeners registered through {@link InboxListenerSetters.on},
+ * unverified activity handlers are called only when the activity payload could
+ * be parsed but its HTTP signatures could not be verified.
+ *
+ * @since 2.1.0
+ */
+type UnverifiedActivityReason = VerifyRequestFailureReason;
+/**
+ * A callback that handles activities whose signatures could not be verified.
+ *
+ * Returning a {@link Response} overrides Fedify's default `401 Unauthorized`
+ * response.  Returning `void` keeps the default behavior.
+ *
+ * @template TContextData The context data to pass to the {@link Context}.
+ * @param context The request context.
+ * @param activity The incoming activity that could be parsed.
+ * @param reason The reason why signature verification failed.
+ * @since 2.1.0
+ */
+type UnverifiedActivityHandler<TContextData> = (context: RequestContext<TContextData>, activity: Activity, reason: UnverifiedActivityReason) => void | Response | Promise<void | Response>;
 /**
  * A callback that handles errors in an inbox.
  *
@@ -1198,6 +1261,35 @@ interface InboxListenerSetters<TContextData> {
    * @returns The setters object so that settings can be chained.
    */
   onError(handler: InboxErrorHandler<TContextData>): InboxListenerSetters<TContextData>;
+  /**
+   * Registers a callback for incoming activities whose HTTP signatures could
+   * not be verified.
+   *
+   * The regular inbox listeners registered through {@link on} continue to
+   * receive only verified activities.  This hook is an opt-in escape hatch for
+   * applications that need to inspect unverified deliveries and optionally
+   * override the default `401 Unauthorized` response.
+   *
+   * @example
+   * ``` typescript
+   * federation
+   *   .setInboxListeners("/users/{identifier}/inbox", "/inbox")
+   *   .onUnverifiedActivity((ctx, activity, reason) => {
+   *     if (
+   *       reason.type === "keyFetchError" &&
+   *       "status" in reason.result &&
+   *       reason.result.status === 410
+   *     ) {
+   *       return new Response(null, { status: 202 });
+   *     }
+   *   });
+   * ```
+   *
+   * @param handler A callback to handle an unverified activity.
+   * @returns The setters object so that settings can be chained.
+   * @since 2.1.0
+   */
+  onUnverifiedActivity(handler: UnverifiedActivityHandler<TContextData>): InboxListenerSetters<TContextData>;
   /**
    * Configures a callback to dispatch the key pair for the authenticated
    * document loader of the {@link Context} passed to the shared inbox listener.

package/dist/utils/docloader.test.js

@@ -7,10 +7,10 @@ import { mockDocumentLoader, test } from "../dist-B5f6a8Tt.js";
 import { assertEquals } from "../assert_equals-DSbWqCm3.js";
 import "../assert-MZs1qjMx.js";
 import "../assert_instance_of-DHz7EHNU.js";
-import "../deno-BYerLnry.js";
-import "../key-DCdTVZiK.js";
-import { verifyRequest } from "../http-S2U3qDwN.js";
-import { getAuthenticatedDocumentLoader } from "../docloader-MSkogD2T.js";
+import "../deno-aj03PJW6.js";
+import "../key-j1AjF3HL.js";
+import { verifyRequest } from "../http-pa5yLKK7.js";
+import { getAuthenticatedDocumentLoader } from "../docloader-tMQxWuTM.js";
 import "../std__assert-DWivtrGR.js";
 import { assertRejects } from "../assert_rejects-Ce45JcFg.js";
 import "../assert_throws-BNXdRGWP.js";

package/dist/utils/mod.cjs

@@ -2,8 +2,8 @@
           const { Temporal } = require("@js-temporal/polyfill");
           const { URLPattern } = require("urlpattern-polyfill");
         
-require('../http-DJT6NciB.cjs');
-const require_kv_cache = require('../kv-cache-Vtxhbo1W.cjs');
+require('../http-_l2XRk4S.cjs');
+const require_kv_cache = require('../kv-cache-D0IkOVYm.cjs');
 require('../utils-BQ9KqEK9.cjs');
 
 exports.getAuthenticatedDocumentLoader = require_kv_cache.getAuthenticatedDocumentLoader;

package/dist/utils/mod.d.cts

@@ -1,4 +1,4 @@
-import "../http-Cz3MlXAZ.cjs";
+import "../http-DsqqmkXi.cjs";
 import "../kv-BL4nlICN.cjs";
-import { getAuthenticatedDocumentLoader, kvCache } from "../mod-DXsQakeS.cjs";
+import { getAuthenticatedDocumentLoader, kvCache } from "../mod-DKG0ovjR.cjs";
 export { getAuthenticatedDocumentLoader, kvCache };

package/dist/utils/mod.d.ts

@@ -1,6 +1,6 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import "../http-DkHdFfrc.js";
+import "../http-BbfOqHGG.js";
 import "../kv-DXEUEP6z.js";
-import { getAuthenticatedDocumentLoader, kvCache } from "../mod-CwZXZJ9d.js";
+import { getAuthenticatedDocumentLoader, kvCache } from "../mod-BugwI0JN.js";
 export { getAuthenticatedDocumentLoader, kvCache };

package/dist/utils/mod.js

@@ -2,8 +2,8 @@
           import { Temporal } from "@js-temporal/polyfill";
           import { URLPattern } from "urlpattern-polyfill";
         
-import "../http-CSX1-Mgi.js";
-import { getAuthenticatedDocumentLoader, kvCache } from "../kv-cache-CQPL_aGY.js";
+import "../http-CoM8qFZV.js";
+import { getAuthenticatedDocumentLoader, kvCache } from "../kv-cache-CMk-kfWp.js";
 import "../utils-Dn5OPdSW.js";
 
 export { getAuthenticatedDocumentLoader, kvCache };