@fedify/fedify 2.1.0-dev.503 → 2.1.0-dev.523

package/dist/{middleware-MlO5iUeZ.js → middleware-Ajnk9qHB.js}

@@ -3,10 +3,10 @@
           import { URLPattern } from "urlpattern-polyfill";
         
 import { getDefaultActivityTransformers } from "./transformers-C3FLHUd6.js";
-import { deno_default, doubleKnock, exportJwk, importJwk, validateCryptoKey, verifyRequest } from "./http-CSX1-Mgi.js";
-import { detachSignature, doesActorOwnKey, getKeyOwner, hasSignature, signJsonLd, signObject, verifyJsonLd, verifyObject } from "./proof-BgUVmaJz.js";
+import { deno_default, doubleKnock, exportJwk, importJwk, validateCryptoKey, verifyRequest, verifyRequestDetailed } from "./http-DJmytoC2.js";
+import { detachSignature, doesActorOwnKey, getKeyOwner, hasSignature, signJsonLd, signObject, verifyJsonLd, verifyObject } from "./proof-Le4DAkqb.js";
 import { getNodeInfo, nodeInfoToJson } from "./types-C93Ob9cU.js";
-import { getAuthenticatedDocumentLoader, kvCache } from "./kv-cache-CQPL_aGY.js";
+import { getAuthenticatedDocumentLoader, kvCache } from "./kv-cache-MPcS_mGG.js";
 import { getLogger, withContext } from "@logtape/logtape";
 import { Activity, Collection, CollectionPage, CryptographicKey, Link, Multikey, Object as Object$1, OrderedCollection, OrderedCollectionPage, getTypeId, lookupObject, traverseCollection } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, context, propagation, trace } from "@opentelemetry/api";
@@ -322,6 +322,7 @@ var FederationBuilderImpl = class {
 	inboxListeners;
 	inboxErrorHandler;
 	sharedInboxKeyDispatcher;
+	unverifiedActivityHandler;
 	outboxPermanentFailureHandler;
 	idempotencyStrategy;
 	collectionTypeIds;
@@ -338,7 +339,7 @@ var FederationBuilderImpl = class {
 		this.collectionTypeIds = {};
 	}
 	async build(options) {
-		const { FederationImpl: FederationImpl$1 } = await import("./middleware-C8PKuPrm.js");
+		const { FederationImpl: FederationImpl$1 } = await import("./middleware-DGUNDGCl.js");
 		const f = new FederationImpl$1(options);
 		const trailingSlashInsensitiveValue = f.router.trailingSlashInsensitive;
 		f.router = this.router.clone();
@@ -360,6 +361,7 @@ var FederationBuilderImpl = class {
 		f.inboxListeners = this.inboxListeners?.clone();
 		f.inboxErrorHandler = this.inboxErrorHandler;
 		f.sharedInboxKeyDispatcher = this.sharedInboxKeyDispatcher;
+		f.unverifiedActivityHandler = this.unverifiedActivityHandler;
 		f.outboxPermanentFailureHandler = this.outboxPermanentFailureHandler;
 		f.idempotencyStrategy = this.idempotencyStrategy;
 		return f;
@@ -736,6 +738,10 @@ var FederationBuilderImpl = class {
 				this.inboxErrorHandler = handler;
 				return setters;
 			},
+			onUnverifiedActivity: (handler) => {
+				this.unverifiedActivityHandler = handler;
+				return setters;
+			},
 			setSharedKeyDispatcher: (dispatcher) => {
 				this.sharedInboxKeyDispatcher = dispatcher;
 				return setters;
@@ -869,17 +875,34 @@ var KvKeyCache = class {
 	kv;
 	prefix;
 	options;
+	unavailableKeyTtl;
 	nullKeys;
 	constructor(kv, prefix, options = {}) {
 		this.kv = kv;
 		this.prefix = prefix;
-		this.nullKeys = /* @__PURE__ */ new Set();
 		this.options = options;
+		this.unavailableKeyTtl = options.unavailableKeyTtl ?? Temporal.Duration.from({ minutes: 10 });
+		this.nullKeys = /* @__PURE__ */ new Map();
+	}
+	#getFetchErrorKey(keyId) {
+		return [
+			...this.prefix,
+			"__fetchError",
+			keyId.href
+		];
 	}
 	async get(keyId) {
-		if (this.nullKeys.has(keyId.href)) return null;
+		const negativeExpiration = this.nullKeys.get(keyId.href);
+		if (negativeExpiration != null) {
+			if (Temporal.Now.instant().until(negativeExpiration).sign >= 0) return null;
+			this.nullKeys.delete(keyId.href);
+		}
 		const serialized = await this.kv.get([...this.prefix, keyId.href]);
-		if (serialized == null) return void 0;
+		if (serialized === void 0) return void 0;
+		if (serialized === null) {
+			this.nullKeys.set(keyId.href, Temporal.Now.instant().add(this.unavailableKeyTtl));
+			return null;
+		}
 		try {
 			return await CryptographicKey.fromJsonLd(serialized, this.options);
 		} catch {
@@ -893,14 +916,51 @@ var KvKeyCache = class {
 	}
 	async set(keyId, key) {
 		if (key == null) {
-			this.nullKeys.add(keyId.href);
-			await this.kv.delete([...this.prefix, keyId.href]);
+			this.nullKeys.set(keyId.href, Temporal.Now.instant().add(this.unavailableKeyTtl));
+			await this.kv.set([...this.prefix, keyId.href], null, { ttl: this.unavailableKeyTtl });
 			return;
 		}
 		this.nullKeys.delete(keyId.href);
 		const serialized = await key.toJsonLd(this.options);
 		await this.kv.set([...this.prefix, keyId.href], serialized);
 	}
+	async getFetchError(keyId) {
+		const cached = await this.kv.get(this.#getFetchErrorKey(keyId));
+		if (cached == null || typeof cached !== "object") return void 0;
+		if ("status" in cached && typeof cached.status === "number" && "statusText" in cached && typeof cached.statusText === "string" && "headers" in cached && Array.isArray(cached.headers) && "body" in cached && typeof cached.body === "string") return {
+			status: cached.status,
+			response: new Response(cached.body, {
+				status: cached.status,
+				statusText: cached.statusText,
+				headers: cached.headers
+			})
+		};
+		else if ("errorName" in cached && typeof cached.errorName === "string" && "errorMessage" in cached && typeof cached.errorMessage === "string") {
+			const error = new Error(cached.errorMessage);
+			error.name = cached.errorName;
+			return { error };
+		}
+		return void 0;
+	}
+	async setFetchError(keyId, error) {
+		if (error == null) {
+			await this.kv.delete(this.#getFetchErrorKey(keyId));
+			return;
+		}
+		if ("status" in error) {
+			await this.kv.set(this.#getFetchErrorKey(keyId), {
+				status: error.status,
+				statusText: error.response.statusText,
+				headers: Array.from(error.response.headers.entries()),
+				body: await error.response.clone().text()
+			}, { ttl: this.unavailableKeyTtl });
+			return;
+		}
+		await this.kv.set(this.#getFetchErrorKey(keyId), {
+			errorName: error.error.name,
+			errorMessage: error.error.message
+		}, { ttl: this.unavailableKeyTtl });
+	}
 };
 
 //#endregion
@@ -1221,7 +1281,7 @@ async function handleInbox(request, options) {
 * @returns A promise that resolves to an HTTP response.
 */
 async function handleInboxInternal(request, parameters, span) {
-	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, tracerProvider } = parameters;
+	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, tracerProvider } = parameters;
 	const logger$1 = getLogger([
 		"fedify",
 		"federation",
@@ -1316,12 +1376,14 @@ async function handleInboxInternal(request, parameters, span) {
 	}
 	const jsonWithoutSig = detachSignature(json);
 	let activity = null;
+	let activityVerified = false;
 	if (ldSigVerified) {
 		logger$1.debug("Linked Data Signatures are verified.", {
 			recipient,
 			json
 		});
 		activity = await Activity.fromJsonLd(jsonWithoutSig, ctx);
+		activityVerified = true;
 	} else {
 		logger$1.debug("Linked Data Signatures are not verified.", {
 			recipient,
@@ -1362,34 +1424,107 @@ async function handleInboxInternal(request, parameters, span) {
 			recipient,
 			activity: json
 		});
-		else logger$1.debug("Object Integrity Proofs are verified.", {
-			recipient,
-			activity: json
-		});
+		else {
+			logger$1.debug("Object Integrity Proofs are verified.", {
+				recipient,
+				activity: json
+			});
+			activityVerified = true;
+		}
 	}
 	let httpSigKey = null;
 	if (activity == null) {
 		if (!skipSignatureVerification) {
-			const key = await verifyRequest(request, {
+			const verification = await verifyRequestDetailed(request, {
 				contextLoader: ctx.contextLoader,
 				documentLoader: ctx.documentLoader,
 				timeWindow: signatureTimeWindow,
 				keyCache,
 				tracerProvider
 			});
-			if (key == null) {
-				logger$1.error("Failed to verify the request's HTTP Signatures.", { recipient });
+			if (verification.verified === false) {
+				const reason = verification.reason;
+				logger$1.error("Failed to verify the request's HTTP Signatures.", {
+					recipient,
+					reason: reason.type,
+					keyId: "keyId" in reason ? reason.keyId?.href : void 0
+				});
 				span.setStatus({
 					code: SpanStatusCode.ERROR,
 					message: `Failed to verify the request's HTTP Signatures.`
 				});
-				const response = new Response("Failed to verify the request signature.", {
+				if (unverifiedActivityHandler == null) return new Response("Failed to verify the request signature.", {
 					status: 401,
 					headers: { "Content-Type": "text/plain; charset=utf-8" }
 				});
-				return response;
-			} else logger$1.debug("HTTP Signatures are verified.", { recipient });
-			httpSigKey = key;
+				try {
+					activity = await Activity.fromJsonLd(jsonWithoutSig, ctx);
+				} catch (error) {
+					logger$1.error("Failed to parse activity:\n{error}", {
+						recipient,
+						activity: json,
+						error
+					});
+					try {
+						await inboxErrorHandler?.(ctx, error);
+					} catch (error$1) {
+						logger$1.error("An unexpected error occurred in inbox error handler:\n{error}", {
+							error: error$1,
+							activity: json,
+							recipient
+						});
+					}
+					return new Response("Invalid activity.", {
+						status: 400,
+						headers: { "Content-Type": "text/plain; charset=utf-8" }
+					});
+				}
+				if (activity.id != null) span.setAttribute("activitypub.activity.id", activity.id.href);
+				span.setAttribute("activitypub.activity.type", getTypeId(activity).href);
+				const eventAttributes = {
+					"activitypub.activity.json": JSON.stringify(json),
+					"activitypub.activity.verified": false,
+					"ld_signatures.verified": ldSigVerified,
+					"http_signatures.verified": false,
+					"http_signatures.key_id": "keyId" in reason ? reason.keyId?.href ?? "" : "",
+					"http_signatures.failure_reason": reason.type
+				};
+				if (reason.type === "keyFetchError") if ("status" in reason.result) eventAttributes["http_signatures.key_fetch_status"] = reason.result.status;
+				else eventAttributes["http_signatures.key_fetch_error"] = reason.result.error.name || reason.result.error.constructor.name || "Error";
+				span.addEvent("activitypub.activity.received", eventAttributes);
+				let response;
+				try {
+					response = await unverifiedActivityHandler(ctx, activity, reason);
+				} catch (error) {
+					logger$1.error("An unexpected error occurred in unverified activity handler:\n{error}", {
+						error,
+						activity: json,
+						recipient
+					});
+					try {
+						await inboxErrorHandler?.(ctx, error);
+					} catch (error$1) {
+						logger$1.error("An unexpected error occurred in inbox error handler:\n{error}", {
+							error: error$1,
+							activity: json,
+							recipient
+						});
+					}
+					return new Response("Failed to verify the request signature.", {
+						status: 401,
+						headers: { "Content-Type": "text/plain; charset=utf-8" }
+					});
+				}
+				if (response instanceof Response) return response;
+				return new Response("Failed to verify the request signature.", {
+					status: 401,
+					headers: { "Content-Type": "text/plain; charset=utf-8" }
+				});
+			} else {
+				logger$1.debug("HTTP Signatures are verified.", { recipient });
+				activityVerified = true;
+			}
+			httpSigKey = verification.key;
 		}
 		activity = await Activity.fromJsonLd(jsonWithoutSig, ctx);
 	}
@@ -1397,7 +1532,7 @@ async function handleInboxInternal(request, parameters, span) {
 	span.setAttribute("activitypub.activity.type", getTypeId(activity).href);
 	span.addEvent("activitypub.activity.received", {
 		"activitypub.activity.json": JSON.stringify(json),
-		"activitypub.activity.verified": activity != null,
+		"activitypub.activity.verified": activityVerified,
 		"ld_signatures.verified": ldSigVerified,
 		"http_signatures.verified": httpSigKey != null,
 		"http_signatures.key_id": httpSigKey?.id?.href ?? ""
@@ -3122,6 +3257,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 					actorDispatcher: this.actorCallbacks?.dispatcher,
 					inboxListeners: this.inboxListeners,
 					inboxErrorHandler: this.inboxErrorHandler,
+					unverifiedActivityHandler: this.unverifiedActivityHandler,
 					onNotFound,
 					signatureTimeWindow: this.signatureTimeWindow,
 					skipSignatureVerification: this.skipSignatureVerification,

package/dist/middleware-BgCIhb_C.cjs

@@ -0,0 +1,12 @@
+
+          const { Temporal } = require("@js-temporal/polyfill");
+          const { URLPattern } = require("urlpattern-polyfill");
+        
+require('./transformers-3g8GZwkZ.cjs');
+require('./http-D6a6mMc0.cjs');
+const require_middleware = require('./middleware-BoCzk7-G.cjs');
+require('./proof-qHcNgE5i.cjs');
+require('./types-Cd_hszr_.cjs');
+require('./kv-cache-DPtsJ1sL.cjs');
+
+exports.FederationImpl = require_middleware.FederationImpl;

package/dist/{middleware-D4S6i4A_.cjs → middleware-BoCzk7-G.cjs}

@@ -4,10 +4,10 @@
         
 const require_chunk = require('./chunk-CGaQZ11T.cjs');
 const require_transformers = require('./transformers-3g8GZwkZ.cjs');
-const require_http = require('./http-DJT6NciB.cjs');
-const require_proof = require('./proof-CR5RUAmy.cjs');
+const require_http = require('./http-D6a6mMc0.cjs');
+const require_proof = require('./proof-qHcNgE5i.cjs');
 const require_types = require('./types-Cd_hszr_.cjs');
-const require_kv_cache = require('./kv-cache-Vtxhbo1W.cjs');
+const require_kv_cache = require('./kv-cache-DPtsJ1sL.cjs');
 const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
 const __fedify_vocab = require_chunk.__toESM(require("@fedify/vocab"));
 const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));
@@ -323,6 +323,7 @@ var FederationBuilderImpl = class {
 	inboxListeners;
 	inboxErrorHandler;
 	sharedInboxKeyDispatcher;
+	unverifiedActivityHandler;
 	outboxPermanentFailureHandler;
 	idempotencyStrategy;
 	collectionTypeIds;
@@ -339,7 +340,7 @@ var FederationBuilderImpl = class {
 		this.collectionTypeIds = {};
 	}
 	async build(options) {
-		const { FederationImpl: FederationImpl$1 } = await Promise.resolve().then(() => require("./middleware-D4XcpSBG.cjs"));
+		const { FederationImpl: FederationImpl$1 } = await Promise.resolve().then(() => require("./middleware-BgCIhb_C.cjs"));
 		const f = new FederationImpl$1(options);
 		const trailingSlashInsensitiveValue = f.router.trailingSlashInsensitive;
 		f.router = this.router.clone();
@@ -361,6 +362,7 @@ var FederationBuilderImpl = class {
 		f.inboxListeners = this.inboxListeners?.clone();
 		f.inboxErrorHandler = this.inboxErrorHandler;
 		f.sharedInboxKeyDispatcher = this.sharedInboxKeyDispatcher;
+		f.unverifiedActivityHandler = this.unverifiedActivityHandler;
 		f.outboxPermanentFailureHandler = this.outboxPermanentFailureHandler;
 		f.idempotencyStrategy = this.idempotencyStrategy;
 		return f;
@@ -737,6 +739,10 @@ var FederationBuilderImpl = class {
 				this.inboxErrorHandler = handler;
 				return setters;
 			},
+			onUnverifiedActivity: (handler) => {
+				this.unverifiedActivityHandler = handler;
+				return setters;
+			},
 			setSharedKeyDispatcher: (dispatcher) => {
 				this.sharedInboxKeyDispatcher = dispatcher;
 				return setters;
@@ -870,17 +876,34 @@ var KvKeyCache = class {
 	kv;
 	prefix;
 	options;
+	unavailableKeyTtl;
 	nullKeys;
 	constructor(kv, prefix, options = {}) {
 		this.kv = kv;
 		this.prefix = prefix;
-		this.nullKeys = /* @__PURE__ */ new Set();
 		this.options = options;
+		this.unavailableKeyTtl = options.unavailableKeyTtl ?? Temporal.Duration.from({ minutes: 10 });
+		this.nullKeys = /* @__PURE__ */ new Map();
+	}
+	#getFetchErrorKey(keyId) {
+		return [
+			...this.prefix,
+			"__fetchError",
+			keyId.href
+		];
 	}
 	async get(keyId) {
-		if (this.nullKeys.has(keyId.href)) return null;
+		const negativeExpiration = this.nullKeys.get(keyId.href);
+		if (negativeExpiration != null) {
+			if (Temporal.Now.instant().until(negativeExpiration).sign >= 0) return null;
+			this.nullKeys.delete(keyId.href);
+		}
 		const serialized = await this.kv.get([...this.prefix, keyId.href]);
-		if (serialized == null) return void 0;
+		if (serialized === void 0) return void 0;
+		if (serialized === null) {
+			this.nullKeys.set(keyId.href, Temporal.Now.instant().add(this.unavailableKeyTtl));
+			return null;
+		}
 		try {
 			return await __fedify_vocab.CryptographicKey.fromJsonLd(serialized, this.options);
 		} catch {
@@ -894,14 +917,51 @@ var KvKeyCache = class {
 	}
 	async set(keyId, key) {
 		if (key == null) {
-			this.nullKeys.add(keyId.href);
-			await this.kv.delete([...this.prefix, keyId.href]);
+			this.nullKeys.set(keyId.href, Temporal.Now.instant().add(this.unavailableKeyTtl));
+			await this.kv.set([...this.prefix, keyId.href], null, { ttl: this.unavailableKeyTtl });
 			return;
 		}
 		this.nullKeys.delete(keyId.href);
 		const serialized = await key.toJsonLd(this.options);
 		await this.kv.set([...this.prefix, keyId.href], serialized);
 	}
+	async getFetchError(keyId) {
+		const cached = await this.kv.get(this.#getFetchErrorKey(keyId));
+		if (cached == null || typeof cached !== "object") return void 0;
+		if ("status" in cached && typeof cached.status === "number" && "statusText" in cached && typeof cached.statusText === "string" && "headers" in cached && Array.isArray(cached.headers) && "body" in cached && typeof cached.body === "string") return {
+			status: cached.status,
+			response: new Response(cached.body, {
+				status: cached.status,
+				statusText: cached.statusText,
+				headers: cached.headers
+			})
+		};
+		else if ("errorName" in cached && typeof cached.errorName === "string" && "errorMessage" in cached && typeof cached.errorMessage === "string") {
+			const error = new Error(cached.errorMessage);
+			error.name = cached.errorName;
+			return { error };
+		}
+		return void 0;
+	}
+	async setFetchError(keyId, error) {
+		if (error == null) {
+			await this.kv.delete(this.#getFetchErrorKey(keyId));
+			return;
+		}
+		if ("status" in error) {
+			await this.kv.set(this.#getFetchErrorKey(keyId), {
+				status: error.status,
+				statusText: error.response.statusText,
+				headers: Array.from(error.response.headers.entries()),
+				body: await error.response.clone().text()
+			}, { ttl: this.unavailableKeyTtl });
+			return;
+		}
+		await this.kv.set(this.#getFetchErrorKey(keyId), {
+			errorName: error.error.name,
+			errorMessage: error.error.message
+		}, { ttl: this.unavailableKeyTtl });
+	}
 };
 
 //#endregion
@@ -1222,7 +1282,7 @@ async function handleInbox(request, options) {
 * @returns A promise that resolves to an HTTP response.
 */
 async function handleInboxInternal(request, parameters, span) {
-	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, tracerProvider } = parameters;
+	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, tracerProvider } = parameters;
 	const logger$1 = (0, __logtape_logtape.getLogger)([
 		"fedify",
 		"federation",
@@ -1317,12 +1377,14 @@ async function handleInboxInternal(request, parameters, span) {
 	}
 	const jsonWithoutSig = require_proof.detachSignature(json);
 	let activity = null;
+	let activityVerified = false;
 	if (ldSigVerified) {
 		logger$1.debug("Linked Data Signatures are verified.", {
 			recipient,
 			json
 		});
 		activity = await __fedify_vocab.Activity.fromJsonLd(jsonWithoutSig, ctx);
+		activityVerified = true;
 	} else {
 		logger$1.debug("Linked Data Signatures are not verified.", {
 			recipient,
@@ -1363,34 +1425,107 @@ async function handleInboxInternal(request, parameters, span) {
 			recipient,
 			activity: json
 		});
-		else logger$1.debug("Object Integrity Proofs are verified.", {
-			recipient,
-			activity: json
-		});
+		else {
+			logger$1.debug("Object Integrity Proofs are verified.", {
+				recipient,
+				activity: json
+			});
+			activityVerified = true;
+		}
 	}
 	let httpSigKey = null;
 	if (activity == null) {
 		if (!skipSignatureVerification) {
-			const key = await require_http.verifyRequest(request, {
+			const verification = await require_http.verifyRequestDetailed(request, {
 				contextLoader: ctx.contextLoader,
 				documentLoader: ctx.documentLoader,
 				timeWindow: signatureTimeWindow,
 				keyCache,
 				tracerProvider
 			});
-			if (key == null) {
-				logger$1.error("Failed to verify the request's HTTP Signatures.", { recipient });
+			if (verification.verified === false) {
+				const reason = verification.reason;
+				logger$1.error("Failed to verify the request's HTTP Signatures.", {
+					recipient,
+					reason: reason.type,
+					keyId: "keyId" in reason ? reason.keyId?.href : void 0
+				});
 				span.setStatus({
 					code: __opentelemetry_api.SpanStatusCode.ERROR,
 					message: `Failed to verify the request's HTTP Signatures.`
 				});
-				const response = new Response("Failed to verify the request signature.", {
+				if (unverifiedActivityHandler == null) return new Response("Failed to verify the request signature.", {
 					status: 401,
 					headers: { "Content-Type": "text/plain; charset=utf-8" }
 				});
-				return response;
-			} else logger$1.debug("HTTP Signatures are verified.", { recipient });
-			httpSigKey = key;
+				try {
+					activity = await __fedify_vocab.Activity.fromJsonLd(jsonWithoutSig, ctx);
+				} catch (error) {
+					logger$1.error("Failed to parse activity:\n{error}", {
+						recipient,
+						activity: json,
+						error
+					});
+					try {
+						await inboxErrorHandler?.(ctx, error);
+					} catch (error$1) {
+						logger$1.error("An unexpected error occurred in inbox error handler:\n{error}", {
+							error: error$1,
+							activity: json,
+							recipient
+						});
+					}
+					return new Response("Invalid activity.", {
+						status: 400,
+						headers: { "Content-Type": "text/plain; charset=utf-8" }
+					});
+				}
+				if (activity.id != null) span.setAttribute("activitypub.activity.id", activity.id.href);
+				span.setAttribute("activitypub.activity.type", (0, __fedify_vocab.getTypeId)(activity).href);
+				const eventAttributes = {
+					"activitypub.activity.json": JSON.stringify(json),
+					"activitypub.activity.verified": false,
+					"ld_signatures.verified": ldSigVerified,
+					"http_signatures.verified": false,
+					"http_signatures.key_id": "keyId" in reason ? reason.keyId?.href ?? "" : "",
+					"http_signatures.failure_reason": reason.type
+				};
+				if (reason.type === "keyFetchError") if ("status" in reason.result) eventAttributes["http_signatures.key_fetch_status"] = reason.result.status;
+				else eventAttributes["http_signatures.key_fetch_error"] = reason.result.error.name || reason.result.error.constructor.name || "Error";
+				span.addEvent("activitypub.activity.received", eventAttributes);
+				let response;
+				try {
+					response = await unverifiedActivityHandler(ctx, activity, reason);
+				} catch (error) {
+					logger$1.error("An unexpected error occurred in unverified activity handler:\n{error}", {
+						error,
+						activity: json,
+						recipient
+					});
+					try {
+						await inboxErrorHandler?.(ctx, error);
+					} catch (error$1) {
+						logger$1.error("An unexpected error occurred in inbox error handler:\n{error}", {
+							error: error$1,
+							activity: json,
+							recipient
+						});
+					}
+					return new Response("Failed to verify the request signature.", {
+						status: 401,
+						headers: { "Content-Type": "text/plain; charset=utf-8" }
+					});
+				}
+				if (response instanceof Response) return response;
+				return new Response("Failed to verify the request signature.", {
+					status: 401,
+					headers: { "Content-Type": "text/plain; charset=utf-8" }
+				});
+			} else {
+				logger$1.debug("HTTP Signatures are verified.", { recipient });
+				activityVerified = true;
+			}
+			httpSigKey = verification.key;
 		}
 		activity = await __fedify_vocab.Activity.fromJsonLd(jsonWithoutSig, ctx);
 	}
@@ -1398,7 +1533,7 @@ async function handleInboxInternal(request, parameters, span) {
 	span.setAttribute("activitypub.activity.type", (0, __fedify_vocab.getTypeId)(activity).href);
 	span.addEvent("activitypub.activity.received", {
 		"activitypub.activity.json": JSON.stringify(json),
-		"activitypub.activity.verified": activity != null,
+		"activitypub.activity.verified": activityVerified,
 		"ld_signatures.verified": ldSigVerified,
 		"http_signatures.verified": httpSigKey != null,
 		"http_signatures.key_id": httpSigKey?.id?.href ?? ""
@@ -3123,6 +3258,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 					actorDispatcher: this.actorCallbacks?.dispatcher,
 					inboxListeners: this.inboxListeners,
 					inboxErrorHandler: this.inboxErrorHandler,
+					unverifiedActivityHandler: this.unverifiedActivityHandler,
 					onNotFound,
 					signatureTimeWindow: this.signatureTimeWindow,
 					skipSignatureVerification: this.skipSignatureVerification,

package/dist/{middleware-C8PKuPrm.js → middleware-DGUNDGCl.js}

@@ -3,10 +3,10 @@
           import { URLPattern } from "urlpattern-polyfill";
         
 import "./transformers-C3FLHUd6.js";
-import "./http-CSX1-Mgi.js";
-import { ContextImpl, FederationImpl, InboxContextImpl, KvSpecDeterminer, createFederation } from "./middleware-MlO5iUeZ.js";
-import "./proof-BgUVmaJz.js";
+import "./http-DJmytoC2.js";
+import { ContextImpl, FederationImpl, InboxContextImpl, KvSpecDeterminer, createFederation } from "./middleware-Ajnk9qHB.js";
+import "./proof-Le4DAkqb.js";
 import "./types-C93Ob9cU.js";
-import "./kv-cache-CQPL_aGY.js";
+import "./kv-cache-MPcS_mGG.js";
 
 export { FederationImpl };