@fedify/fedify 2.1.0-dev.503 → 2.1.0-dev.523

package/dist/{http-S2U3qDwN.js → http-DK0CTomU.js}

@@ -3,8 +3,8 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { deno_default } from "./deno-BYerLnry.js";
-import { fetchKey, validateCryptoKey } from "./key-DCdTVZiK.js";
+import { deno_default } from "./deno-CQdJQjC5.js";
+import { fetchKeyDetailed, validateCryptoKey } from "./key-DRgvVevp.js";
 import { getLogger } from "@logtape/logtape";
 import { CryptographicKey } from "@fedify/vocab";
 import { SpanStatusCode, trace } from "@opentelemetry/api";
@@ -240,6 +240,55 @@ const supportedHashAlgorithms = {
 	"sha-256": "SHA-256",
 	"sha-512": "SHA-512"
 };
+function noSignatureResult() {
+	return {
+		verified: false,
+		reason: { type: "noSignature" }
+	};
+}
+function invalidSignatureResult(keyId) {
+	return keyId == null ? {
+		verified: false,
+		reason: { type: "invalidSignature" }
+	} : {
+		verified: false,
+		reason: {
+			type: "invalidSignature",
+			keyId
+		}
+	};
+}
+function keyFetchErrorResult(keyId, result) {
+	return {
+		verified: false,
+		reason: {
+			type: "keyFetchError",
+			keyId,
+			result
+		}
+	};
+}
+function parseKeyId(value) {
+	if (value == null) return null;
+	try {
+		return new URL(value);
+	} catch {
+		return null;
+	}
+}
+function getKeyFetchErrorName(error) {
+	return error.name || error.constructor.name || "Error";
+}
+function recordVerificationResult(span, result) {
+	span.setAttribute("http_signatures.verified", result.verified);
+	if (result.verified === true) return;
+	const reason = result.reason;
+	span.setAttribute("http_signatures.failure_reason", reason.type);
+	if ("keyId" in reason && reason.keyId != null) span.setAttribute("http_signatures.key_id", reason.keyId.href);
+	if (reason.type !== "keyFetchError") return;
+	if ("status" in reason.result) span.setAttribute("http_signatures.key_fetch_status", reason.result.status);
+	else span.setAttribute("http_signatures.key_fetch_error", getKeyFetchErrorName(reason.result.error));
+}
 /**
 * Verifies the signature of a request.
 *
@@ -254,6 +303,19 @@ const supportedHashAlgorithms = {
 *          could not be verified.
 */
 async function verifyRequest(request, options = {}) {
+	const result = await verifyRequestDetailed(request, options);
+	return result.verified ? result.key : null;
+}
+/**
+* Verifies the signature of a request and returns a structured failure reason
+* when verification does not succeed.
+*
+* @param request The request to verify.
+* @param options Options for verifying the request.
+* @returns The verified public key, or a structured verification failure.
+* @since 2.1.0
+*/
+async function verifyRequestDetailed(request, options = {}) {
 	const tracerProvider = options.tracerProvider ?? trace.getTracerProvider();
 	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
 	return await tracer.startActiveSpan("http_signatures.verify", async (span) => {
@@ -265,11 +327,12 @@ async function verifyRequest(request, options = {}) {
 		try {
 			let spec = options.spec;
 			if (spec == null) spec = request.headers.has("Signature-Input") ? "rfc9421" : "draft-cavage-http-signatures-12";
-			let key;
-			if (spec === "rfc9421") key = await verifyRequestRfc9421(request, span, options);
-			else key = await verifyRequestDraft(request, span, options);
-			if (key == null) span.setStatus({ code: SpanStatusCode.ERROR });
-			return key;
+			let result;
+			if (spec === "rfc9421") result = await verifyRequestRfc9421(request, span, options);
+			else result = await verifyRequestDraft(request, span, options);
+			recordVerificationResult(span, result);
+			if (!result.verified) span.setStatus({ code: SpanStatusCode.ERROR });
+			return result;
 		} catch (error) {
 			span.setStatus({
 				code: SpanStatusCode.ERROR,
@@ -289,27 +352,29 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 	]);
 	if (request.bodyUsed) {
 		logger.error("Failed to verify; the request body is already consumed.", { url: request.url });
-		return null;
+		return noSignatureResult();
 	} else if (request.body?.locked) {
 		logger.error("Failed to verify; the request body is locked.", { url: request.url });
-		return null;
+		return noSignatureResult();
 	}
 	const originalRequest = request;
 	request = request.clone();
-	const dateHeader = request.headers.get("Date");
-	if (dateHeader == null) {
-		logger.debug("Failed to verify; no Date header found.", { headers: Object.fromEntries(request.headers.entries()) });
-		return null;
-	}
 	const sigHeader = request.headers.get("Signature");
 	if (sigHeader == null) {
 		logger.debug("Failed to verify; no Signature header found.", { headers: Object.fromEntries(request.headers.entries()) });
-		return null;
+		return noSignatureResult();
+	}
+	const sigValues = Object.fromEntries(sigHeader.split(",").map((pair) => pair.match(/^\s*([A-Za-z]+)=(?:"([^"]*)"|(\d+))\s*$/)).filter((m) => m != null).map((m) => [m[1], m[2] ?? m[3]]));
+	const parsedKeyId = parseKeyId(sigValues.keyId);
+	const dateHeader = request.headers.get("Date");
+	if (dateHeader == null) {
+		logger.debug("Failed to verify; no Date header found.", { headers: Object.fromEntries(request.headers.entries()) });
+		return invalidSignatureResult(parsedKeyId);
 	}
 	const digestHeader = request.headers.get("Digest");
 	if (request.method !== "GET" && request.method !== "HEAD" && digestHeader == null) {
 		logger.debug("Failed to verify; no Digest header found.", { headers: Object.fromEntries(request.headers.entries()) });
-		return null;
+		return invalidSignatureResult(parsedKeyId);
 	}
 	let body = null;
 	if (digestHeader != null) {
@@ -327,7 +392,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 					digest: digestBase64,
 					error
 				});
-				return null;
+				return invalidSignatureResult(parsedKeyId);
 			}
 			if (span.isRecording()) span.setAttribute(`http_signatures.digest.${algo}`, encodeHex(digest));
 			const expectedDigest = await crypto.subtle.digest(supportedHashAlgorithms[algo], body);
@@ -337,7 +402,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 					digest: digestBase64,
 					expectedDigest: encodeBase64(expectedDigest)
 				});
-				return null;
+				return invalidSignatureResult(parsedKeyId);
 			}
 			matched = true;
 		}
@@ -346,7 +411,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				supportedAlgorithms: Object.keys(supportedHashAlgorithms),
 				algorithms: digests.map(([algo]) => algo)
 			});
-			return null;
+			return invalidSignatureResult(parsedKeyId);
 		}
 	}
 	const date = Temporal.Instant.from(new Date(dateHeader).toISOString());
@@ -358,25 +423,24 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				date: date.toString(),
 				now: now.toString()
 			});
-			return null;
+			return invalidSignatureResult(parsedKeyId);
 		} else if (Temporal.Instant.compare(date, now.subtract(tw)) < 0) {
 			logger.debug("Failed to verify; Date is too far in the past.", {
 				date: date.toString(),
 				now: now.toString()
 			});
-			return null;
+			return invalidSignatureResult(parsedKeyId);
 		}
 	}
-	const sigValues = Object.fromEntries(sigHeader.split(",").map((pair) => pair.match(/^\s*([A-Za-z]+)=(?:"([^"]*)"|(\d+))\s*$/)).filter((m) => m != null).map((m) => [m[1], m[2] ?? m[3]]));
 	if (!("keyId" in sigValues)) {
 		logger.debug("Failed to verify; no keyId field found in the Signature header.", { signature: sigHeader });
-		return null;
+		return invalidSignatureResult(null);
 	} else if (!("headers" in sigValues)) {
 		logger.debug("Failed to verify; no headers field found in the Signature header.", { signature: sigHeader });
-		return null;
+		return invalidSignatureResult(parsedKeyId);
 	} else if (!("signature" in sigValues)) {
 		logger.debug("Failed to verify; no signature field found in the Signature header.", { signature: sigHeader });
-		return null;
+		return invalidSignatureResult(parsedKeyId);
 	}
 	if ("expires" in sigValues) {
 		const expiresSeconds = parseInt(sigValues.expires);
@@ -385,7 +449,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				expires: sigValues.expires,
 				signature: sigHeader
 			});
-			return null;
+			return invalidSignatureResult(parsedKeyId);
 		}
 		const expires = Temporal.Instant.fromEpochMilliseconds(expiresSeconds * 1e3);
 		if (Temporal.Instant.compare(now, expires) > 0) {
@@ -394,7 +458,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				now: now.toString(),
 				signature: sigHeader
 			});
-			return null;
+			return invalidSignatureResult(parsedKeyId);
 		}
 	}
 	if ("created" in sigValues) {
@@ -404,7 +468,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				created: sigValues.created,
 				signature: sigHeader
 			});
-			return null;
+			return invalidSignatureResult(parsedKeyId);
 		}
 		if (timeWindow !== false) {
 			const created = Temporal.Instant.fromEpochMilliseconds(createdSeconds * 1e3);
@@ -414,34 +478,37 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 					created: created.toString(),
 					now: now.toString()
 				});
-				return null;
+				return invalidSignatureResult(parsedKeyId);
 			} else if (Temporal.Instant.compare(created, now.subtract(tw)) < 0) {
 				logger.debug("Failed to verify; created is too far in the past.", {
 					created: created.toString(),
 					now: now.toString()
 				});
-				return null;
+				return invalidSignatureResult(parsedKeyId);
 			}
 		}
 	}
 	const { keyId, headers, signature } = sigValues;
+	const keyIdUrl = parseKeyId(keyId);
+	if (keyIdUrl == null) return invalidSignatureResult(null);
 	span?.setAttribute("http_signatures.key_id", keyId);
 	if ("algorithm" in sigValues) span?.setAttribute("http_signatures.algorithm", sigValues.algorithm);
-	const { key, cached } = await fetchKey(new URL(keyId), CryptographicKey, {
+	const { key, cached, fetchError } = await fetchKeyDetailed(keyIdUrl, CryptographicKey, {
 		documentLoader,
 		contextLoader,
 		keyCache,
 		tracerProvider
 	});
-	if (key == null) return null;
+	if (fetchError != null) return keyFetchErrorResult(keyIdUrl, fetchError);
+	if (key == null) return invalidSignatureResult(keyIdUrl);
 	const headerNames = headers.split(/\s+/g);
 	if (!headerNames.includes("(request-target)") || !headerNames.includes("date")) {
 		logger.debug("Failed to verify; required headers missing in the Signature header: {headers}.", { headers });
-		return null;
+		return invalidSignatureResult(keyIdUrl);
 	}
 	if (body != null && !headerNames.includes("digest")) {
 		logger.debug("Failed to verify; required headers missing in the Signature header: {headers}.", { headers });
-		return null;
+		return invalidSignatureResult(keyIdUrl);
 	}
 	const message = headerNames.map((name) => `${name}: ` + (name === "(request-target)" ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}` : name === "(created)" ? sigValues.created ?? "" : name === "(expires)" ? sigValues.expires ?? "" : name === "host" ? request.headers.get("host") ?? new URL(request.url).host : request.headers.get(name))).join("\n");
 	const sig = decodeBase64(signature);
@@ -454,7 +521,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				signature,
 				message
 			});
-			return await verifyRequest(originalRequest, {
+			return await verifyRequestDetailed(originalRequest, {
 				documentLoader,
 				contextLoader,
 				timeWindow,
@@ -470,9 +537,12 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 			signature,
 			message
 		});
-		return null;
+		return invalidSignatureResult(keyIdUrl);
 	}
-	return key;
+	return {
+		verified: true,
+		key
+	};
 }
 /**
 * RFC 9421 map of algorithm identifiers to WebCrypto algorithms
@@ -543,22 +613,22 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 	]);
 	if (request.bodyUsed) {
 		logger.error("Failed to verify; the request body is already consumed.", { url: request.url });
-		return null;
+		return noSignatureResult();
 	} else if (request.body?.locked) {
 		logger.error("Failed to verify; the request body is locked.", { url: request.url });
-		return null;
+		return noSignatureResult();
 	}
 	const originalRequest = request;
 	request = request.clone();
 	const signatureInputHeader = request.headers.get("Signature-Input");
 	if (!signatureInputHeader) {
 		logger.debug("Failed to verify; no Signature-Input header found.", { headers: Object.fromEntries(request.headers.entries()) });
-		return null;
+		return noSignatureResult();
 	}
 	const signatureHeader = request.headers.get("Signature");
 	if (!signatureHeader) {
 		logger.debug("Failed to verify; no Signature header found.", { headers: Object.fromEntries(request.headers.entries()) });
-		return null;
+		return noSignatureResult();
 	}
 	const signatureInputs = parseRfc9421SignatureInput(signatureInputHeader);
 	logger.debug("Parsed Signature-Input header: {signatureInputs}", { signatureInputs });
@@ -566,18 +636,23 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 	const signatureNames = Object.keys(signatureInputs);
 	if (signatureNames.length === 0) {
 		logger.debug("Failed to verify; no valid signatures found in Signature-Input header.", { header: signatureInputHeader });
-		return null;
+		return invalidSignatureResult(null);
 	}
-	let validKey = null;
+	let failure = noSignatureResult();
 	for (const sigName of signatureNames) {
-		if (!signatures[sigName]) continue;
+		if (!signatures[sigName]) {
+			failure = invalidSignatureResult(parseKeyId(signatureInputs[sigName]?.keyId));
+			continue;
+		}
 		const sigInput = signatureInputs[sigName];
 		const sigBytes = signatures[sigName];
+		const keyId = parseKeyId(sigInput.keyId);
 		if (!sigInput.keyId) {
 			logger.debug("Failed to verify; missing keyId in signature {signatureName}.", {
 				signatureName: sigName,
 				signatureInput: signatureInputHeader
 			});
+			failure = invalidSignatureResult(null);
 			continue;
 		}
 		if (!sigInput.created) {
@@ -585,6 +660,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				signatureName: sigName,
 				signatureInput: signatureInputHeader
 			});
+			failure = invalidSignatureResult(keyId);
 			continue;
 		}
 		const signatureCreated = Temporal.Instant.fromEpochMilliseconds(sigInput.created * 1e3);
@@ -596,12 +672,14 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 					created: signatureCreated.toString(),
 					now: now.toString()
 				});
+				failure = invalidSignatureResult(keyId);
 				continue;
 			} else if (Temporal.Instant.compare(signatureCreated, now.subtract(tw)) < 0) {
 				logger.debug("Failed to verify; signature created time is too far in the past.", {
 					created: signatureCreated.toString(),
 					now: now.toString()
 				});
+				failure = invalidSignatureResult(keyId);
 				continue;
 			}
 		}
@@ -609,25 +687,36 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 			const contentDigestHeader = request.headers.get("Content-Digest");
 			if (!contentDigestHeader) {
 				logger.debug("Failed to verify; Content-Digest header required but not found.", { components: sigInput.components });
+				failure = invalidSignatureResult(keyId);
 				continue;
 			}
 			const body = await request.arrayBuffer();
 			const digestValid = await verifyRfc9421ContentDigest(contentDigestHeader, body);
 			if (!digestValid) {
 				logger.debug("Failed to verify; Content-Digest verification failed.", { contentDigest: contentDigestHeader });
+				failure = invalidSignatureResult(keyId);
 				continue;
 			}
 		}
 		span?.setAttribute("http_signatures.key_id", sigInput.keyId);
 		span?.setAttribute("http_signatures.created", sigInput.created.toString());
-		const { key, cached } = await fetchKey(new URL(sigInput.keyId), CryptographicKey, {
+		if (keyId == null) {
+			failure = invalidSignatureResult(null);
+			continue;
+		}
+		const { key, cached, fetchError } = await fetchKeyDetailed(keyId, CryptographicKey, {
 			documentLoader,
 			contextLoader,
 			keyCache,
 			tracerProvider
 		});
+		if (fetchError != null) {
+			failure = keyFetchErrorResult(keyId, fetchError);
+			continue;
+		}
 		if (!key) {
 			logger.debug("Failed to fetch key: {keyId}", { keyId: sigInput.keyId });
+			failure = invalidSignatureResult(keyId);
 			continue;
 		}
 		let alg = sigInput.alg?.toLowerCase();
@@ -644,6 +733,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				algorithm: sigInput.alg,
 				supported: Object.keys(rfc9421AlgorithmMap)
 			});
+			failure = invalidSignatureResult(keyId);
 			continue;
 		}
 		let signatureBase;
@@ -654,41 +744,47 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				error,
 				signatureInput: sigInput
 			});
+			failure = invalidSignatureResult(keyId);
 			continue;
 		}
 		const signatureBaseBytes = new TextEncoder().encode(signatureBase);
 		span?.setAttribute("http_signatures.signature", encodeHex(sigBytes));
 		try {
 			const verified = await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes);
-			if (verified) {
-				validKey = key;
-				break;
-			} else if (cached) {
+			if (verified) return {
+				verified: true,
+				key
+			};
+			else if (cached) {
 				logger.debug("Failed to verify with cached key {keyId}; retrying with fresh key...", { keyId: sigInput.keyId });
-				return await verifyRequest(originalRequest, {
+				return await verifyRequestDetailed(originalRequest, {
 					documentLoader,
 					contextLoader,
 					timeWindow,
 					currentTime,
 					keyCache: {
 						get: () => Promise.resolve(void 0),
-						set: async (keyId, key$1) => await keyCache?.set(keyId, key$1)
+						set: async (keyId$1, key$1) => await keyCache?.set(keyId$1, key$1)
 					},
 					spec: "rfc9421"
 				});
-			} else logger.debug("Failed to verify signature with fetched key {keyId}; signature invalid.", {
-				keyId: sigInput.keyId,
-				signatureBase
-			});
+			} else {
+				logger.debug("Failed to verify signature with fetched key {keyId}; signature invalid.", {
+					keyId: sigInput.keyId,
+					signatureBase
+				});
+				failure = invalidSignatureResult(keyId);
+			}
 		} catch (error) {
 			logger.debug("Error during signature verification: {error}", {
 				error,
 				keyId: sigInput.keyId,
 				algorithm: sigInput.alg
 			});
+			failure = invalidSignatureResult(keyId);
 		}
 	}
-	return validKey;
+	return failure;
 }
 /**
 * Helper function to create a new Request for redirect handling.
@@ -806,4 +902,4 @@ function timingSafeEqual(a, b) {
 }
 
 //#endregion
-export { createRfc9421SignatureBase, doubleKnock, formatRfc9421Signature, formatRfc9421SignatureParameters, parseRfc9421Signature, parseRfc9421SignatureInput, signRequest, timingSafeEqual, verifyRequest };
+export { createRfc9421SignatureBase, doubleKnock, formatRfc9421Signature, formatRfc9421SignatureParameters, parseRfc9421Signature, parseRfc9421SignatureInput, signRequest, timingSafeEqual, verifyRequest, verifyRequestDetailed };

package/dist/{http-Cz3MlXAZ.d.cts → http-DsqqmkXi.d.cts}

@@ -70,6 +70,34 @@ interface FetchKeyResult<T extends CryptographicKey | Multikey> {
   readonly cached: boolean;
 }
 /**
+* Detailed fetch failure information from {@link fetchKeyDetailed}.
+* @since 2.1.0
+*/
+type FetchKeyErrorResult = {
+  readonly status: number;
+  readonly response: Response;
+} | {
+  readonly error: Error;
+};
+/**
+* The result of {@link fetchKeyDetailed}.
+* @since 2.1.0
+*/
+interface FetchKeyDetailedResult<T extends CryptographicKey | Multikey> extends FetchKeyResult<T> {
+  /**
+  * The error that occurred while fetching the key, if fetching failed before
+  * a document could be parsed.
+  */
+  readonly fetchError?: FetchKeyErrorResult;
+}
+type FetchableKeyClass<T extends CryptographicKey | Multikey> = (new (...args: any[]) => T) & {
+  fromJsonLd(jsonLd: unknown, options: {
+    documentLoader?: DocumentLoader;
+    contextLoader?: DocumentLoader;
+    tracerProvider?: TracerProvider;
+  }): Promise<T>;
+};
+/**
 * Fetches a {@link CryptographicKey} or {@link Multikey} from the given URL.
 * If the given URL contains an {@link Actor} object, it tries to find
 * the corresponding key in the `publicKey` or `assertionMethod` property.
@@ -82,13 +110,22 @@ interface FetchKeyResult<T extends CryptographicKey | Multikey> {
 * @returns The fetched key or `null` if the key is not found.
 * @since 1.3.0
 */
-declare function fetchKey<T extends CryptographicKey | Multikey>(keyId: URL | string, cls: (new (...args: any[]) => T) & {
-  fromJsonLd(jsonLd: unknown, options: {
-    documentLoader?: DocumentLoader;
-    contextLoader?: DocumentLoader;
-    tracerProvider?: TracerProvider;
-  }): Promise<T>;
-}, options?: FetchKeyOptions): Promise<FetchKeyResult<T>>;
+declare function fetchKey<T extends CryptographicKey | Multikey>(keyId: URL | string, cls: FetchableKeyClass<T>, options?: FetchKeyOptions): Promise<FetchKeyResult<T>>;
+/**
+* Fetches a {@link CryptographicKey} or {@link Multikey} from the given URL,
+* preserving transport-level fetch failures for callers that need to inspect
+* why the key could not be loaded.
+*
+* @template T The type of the key to fetch.  Either {@link CryptographicKey}
+*              or {@link Multikey}.
+* @param keyId The URL of the key.
+* @param cls The class of the key to fetch.  Either {@link CryptographicKey}
+*            or {@link Multikey}.
+* @param options Options for fetching the key.
+* @returns The fetched key, or detailed fetch failure information.
+* @since 2.1.0
+*/
+declare function fetchKeyDetailed<T extends CryptographicKey | Multikey>(keyId: URL | string, cls: FetchableKeyClass<T>, options?: FetchKeyOptions): Promise<FetchKeyDetailedResult<T>>;
 /**
 * A cache for storing cryptographic keys.
 * @since 0.12.0
@@ -202,6 +239,31 @@ interface VerifyRequestOptions {
   tracerProvider?: TracerProvider;
 }
 /**
+* The reason why {@link verifyRequestDetailed} could not verify a request.
+* @since 2.1.0
+*/
+type VerifyRequestFailureReason = {
+  readonly type: "keyFetchError";
+  readonly keyId: URL;
+  readonly result: FetchKeyErrorResult;
+} | {
+  readonly type: "invalidSignature";
+  readonly keyId?: URL;
+} | {
+  readonly type: "noSignature";
+};
+/**
+* The detailed result of {@link verifyRequestDetailed}.
+* @since 2.1.0
+*/
+type VerifyRequestDetailedResult = {
+  readonly verified: true;
+  readonly key: CryptographicKey;
+} | {
+  readonly verified: false;
+  readonly reason: VerifyRequestFailureReason;
+};
+/**
 * Verifies the signature of a request.
 *
 * Note that this function consumes the request body, so it should not be used
@@ -216,6 +278,16 @@ interface VerifyRequestOptions {
 */
 declare function verifyRequest(request: Request, options?: VerifyRequestOptions): Promise<CryptographicKey | null>;
 /**
+* Verifies the signature of a request and returns a structured failure reason
+* when verification does not succeed.
+*
+* @param request The request to verify.
+* @param options Options for verifying the request.
+* @returns The verified public key, or a structured verification failure.
+* @since 2.1.0
+*/
+declare function verifyRequestDetailed(request: Request, options?: VerifyRequestOptions): Promise<VerifyRequestDetailedResult>;
+/**
 * A spec determiner for HTTP Message Signatures.
 * It determines the spec to use for signing requests.
 * It is used for double-knocking
@@ -241,4 +313,4 @@ interface HttpMessageSignaturesSpecDeterminer {
 * @since 1.6.0
 */
 //#endregion
-export { FetchKeyOptions, FetchKeyResult, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, SignRequestOptions, VerifyRequestOptions, exportJwk, fetchKey, generateCryptoKeyPair, importJwk, signRequest, verifyRequest };
+export { FetchKeyDetailedResult, FetchKeyErrorResult, FetchKeyOptions, FetchKeyResult, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, SignRequestOptions, VerifyRequestDetailedResult, VerifyRequestFailureReason, VerifyRequestOptions, exportJwk, fetchKey, fetchKeyDetailed, generateCryptoKeyPair, importJwk, signRequest, verifyRequest, verifyRequestDetailed };

package/dist/{inbox-BaA0g5I_.js → inbox-CWa6sqsk.js}

@@ -3,7 +3,7 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { deno_default } from "./deno-BYerLnry.js";
+import { deno_default } from "./deno-CQdJQjC5.js";
 import { getLogger } from "@logtape/logtape";
 import { Activity, getTypeId } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, context, propagation, trace } from "@opentelemetry/api";