@fedify/fedify 2.1.0-dev.543 → 2.1.0-dev.592

package/dist/federation/handler.test.js

@@ -3,36 +3,37 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { createTestTracerProvider, mockDocumentLoader, test } from "../dist-B5f6a8Tt.js";
 import { assertEquals } from "../assert_equals-DSbWqCm3.js";
 import { assert } from "../assert-MZs1qjMx.js";
 import "../assert_instance_of-DHz7EHNU.js";
 import { MemoryKvStore } from "../kv-QzKcOQgP.js";
-import "../deno-9yc0TPBI.js";
-import { createFederation, handleActor, handleCollection, handleCustomCollection, handleInbox, handleObject, respondWithObject, respondWithObjectIfAcceptable } from "../middleware-FZ0T8vIp.js";
-import "../client-Dg7OfUDA.js";
+import "../deno-OR506Yti.js";
+import { createFederation, handleActor, handleCollection, handleCustomCollection, handleInbox, handleObject, respondWithObject, respondWithObjectIfAcceptable } from "../middleware-DzICTgdC.js";
+import "../client-CoCIaTNO.js";
 import "../router-D9eI0s4b.js";
 import "../types-CPz01LGH.js";
-import "../key-DFG6tJgw.js";
-import { signRequest } from "../http-CpvoK0Y7.js";
-import "../ld-DVnRS9IK.js";
-import "../owner-MCqkZ1KE.js";
-import "../proof-D2B3jvnF.js";
-import "../docloader-6Wrqp6SE.js";
-import "../kv-cache-B__dHl7g.js";
-import { InboxListenerSet } from "../inbox-DMq3a5bc.js";
-import "../builder-BBucr-Bp.js";
-import "../collection-CcnIw1qY.js";
-import "../keycache-C7k8s1Bk.js";
-import "../negotiation-5NPJL6zp.js";
-import "../retry-D4GJ670a.js";
-import "../send-DtP5YkuY.js";
-import "../std__assert-DWivtrGR.js";
-import "../assert_rejects-Ce45JcFg.js";
-import "../assert_throws-BNXdRGWP.js";
-import "../assert_not_equals-C80BG-_5.js";
-import { createInboxContext, createRequestContext } from "../context-CZ5llAss.js";
-import { rsaPrivateKey3, rsaPublicKey2, rsaPublicKey3 } from "../keys-ZbcByPg9.js";
+import { parseAcceptSignature } from "../accept-D7sAxyNa.js";
+import "../key-Cx3Tx_In.js";
+import { signRequest } from "../http-BUCxbGks.js";
+import "../ld-CLMJw_iX.js";
+import "../owner-D5J299vd.js";
+import "../proof-BBLHhWMC.js";
+import "../docloader-BG_pP2fW.js";
+import "../kv-cache-Bw2F2ABq.js";
+import { InboxListenerSet } from "../inbox-D_LU1opv.js";
+import "../builder-B24i8eYp.js";
+import "../collection-CSzG2j1P.js";
+import "../keycache-CpGWAUbj.js";
+import "../negotiation-BlAuS_nr.js";
+import "../retry-mqLf4b-R.js";
+import "../send-2b0Fn9cn.js";
+import "../std__assert-X-_kMxKM.js";
+import "../assert_rejects-0h7I2Esa.js";
+import "../assert_throws-rjdMBf31.js";
+import "../assert_not_equals-f3m3epl3.js";
+import { createInboxContext, createRequestContext } from "../context-Aqenou7c.js";
+import { rsaPrivateKey3, rsaPublicKey2, rsaPublicKey3 } from "../keys-BFve7QQv.js";
+import { createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { Create, Note, Person } from "@fedify/vocab";
 import { FetchError } from "@fedify/vocab-runtime";
 
@@ -914,7 +915,8 @@ test("handleInbox()", async () => {
 		kv: new MemoryKvStore(),
 		kvPrefixes: {
 			activityIdempotence: ["_fedify", "activityIdempotence"],
-			publicKey: ["_fedify", "publicKey"]
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
 		},
 		actorDispatcher,
 		onNotFound,
@@ -1160,7 +1162,8 @@ test("handleInbox() - authentication bypass vulnerability", async () => {
 		kv: new MemoryKvStore(),
 		kvPrefixes: {
 			activityIdempotence: ["_fedify", "activityIdempotence"],
-			publicKey: ["_fedify", "publicKey"]
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
 		},
 		actorDispatcher,
 		inboxListeners,
@@ -1556,7 +1559,8 @@ test("handleInbox() records OpenTelemetry span events", async () => {
 		kv,
 		kvPrefixes: {
 			activityIdempotence: ["activityIdempotence"],
-			publicKey: ["publicKey"]
+			publicKey: ["publicKey"],
+			acceptSignatureNonce: ["acceptSignatureNonce"]
 		},
 		actorDispatcher,
 		inboxListeners: listeners,
@@ -1642,7 +1646,8 @@ test("handleInbox() records unverified HTTP signature details", async () => {
 		kv,
 		kvPrefixes: {
 			activityIdempotence: ["activityIdempotence"],
-			publicKey: ["publicKey"]
+			publicKey: ["publicKey"],
+			acceptSignatureNonce: ["acceptSignatureNonce"]
 		},
 		actorDispatcher,
 		inboxListeners: new InboxListenerSet(),
@@ -1667,5 +1672,780 @@ test("handleInbox() records unverified HTTP signature details", async () => {
 	assertEquals(event.attributes["http_signatures.failure_reason"], "keyFetchError");
 	assertEquals(event.attributes["http_signatures.key_fetch_status"], 410);
 });
+test("handleInbox() challenge policy enabled + unsigned request", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/challenge-1"),
+		actor: new URL("https://example.com/person2"),
+		object: new Note({
+			id: new URL("https://example.com/notes/challenge-1"),
+			attribution: new URL("https://example.com/person2"),
+			content: "Hello!"
+		})
+	});
+	const unsignedRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await activity.toJsonLd())
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: unsignedRequest,
+		url: new URL(unsignedRequest.url),
+		data: void 0
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const kv = new MemoryKvStore();
+	const response = await handleInbox(unsignedRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		actorDispatcher,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: { enabled: true }
+	});
+	assertEquals(response.status, 401);
+	const acceptSig = response.headers.get("Accept-Signature");
+	assert(acceptSig != null, "Accept-Signature header must be present");
+	const parsed = parseAcceptSignature(acceptSig);
+	assert(parsed.length > 0, "Accept-Signature must have at least one entry");
+	assertEquals(parsed[0].label, "sig1");
+	assert(parsed[0].components.some((c) => c.value === "@method"), "Must include @method component");
+	assertEquals(response.headers.get("Cache-Control"), "no-store");
+	assertEquals(response.headers.get("Vary"), "Accept, Signature");
+});
+test("handleInbox() challenge policy enabled + invalid signature", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/challenge-2"),
+		actor: new URL("https://example.com/person2"),
+		object: new Note({
+			id: new URL("https://example.com/notes/challenge-2"),
+			attribution: new URL("https://example.com/person2"),
+			content: "Hello!"
+		})
+	});
+	const originalRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await activity.toJsonLd())
+	});
+	const signedRequest = await signRequest(originalRequest, rsaPrivateKey3, rsaPublicKey3.id);
+	const jsonLd = await activity.toJsonLd();
+	const tamperedBody = JSON.stringify({
+		...jsonLd,
+		"https://example.com/tampered": true
+	});
+	const tamperedRequest = new Request(signedRequest.url, {
+		method: signedRequest.method,
+		headers: signedRequest.headers,
+		body: tamperedBody
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: tamperedRequest,
+		url: new URL(tamperedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const kv = new MemoryKvStore();
+	const response = await handleInbox(tamperedRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		actorDispatcher,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: { enabled: true }
+	});
+	assertEquals(response.status, 401);
+	const acceptSig = response.headers.get("Accept-Signature");
+	assert(acceptSig != null, "Accept-Signature header must be present");
+	assertEquals(response.headers.get("Cache-Control"), "no-store");
+});
+test("handleInbox() challenge policy enabled + valid signature", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/challenge-3"),
+		actor: new URL("https://example.com/person2"),
+		object: new Note({
+			id: new URL("https://example.com/notes/challenge-3"),
+			attribution: new URL("https://example.com/person2"),
+			content: "Hello!"
+		})
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const signedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await activity.toJsonLd())
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const context = createRequestContext({
+		federation,
+		request: signedRequest,
+		url: new URL(signedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const kv = new MemoryKvStore();
+	const response = await handleInbox(signedRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		actorDispatcher,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: { enabled: true }
+	});
+	assertEquals(response.status, 202);
+	assertEquals(response.headers.get("Accept-Signature"), null, "No Accept-Signature header on successful request");
+});
+test("handleInbox() challenge policy disabled + unsigned request", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/challenge-4"),
+		actor: new URL("https://example.com/person2"),
+		object: new Note({
+			id: new URL("https://example.com/notes/challenge-4"),
+			attribution: new URL("https://example.com/person2"),
+			content: "Hello!"
+		})
+	});
+	const unsignedRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await activity.toJsonLd())
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: unsignedRequest,
+		url: new URL(unsignedRequest.url),
+		data: void 0
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const kv = new MemoryKvStore();
+	const response = await handleInbox(unsignedRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		actorDispatcher,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false
+	});
+	assertEquals(response.status, 401);
+	assertEquals(response.headers.get("Accept-Signature"), null, "No Accept-Signature header when challenge policy is disabled");
+});
+test("handleInbox() actor/key mismatch → plain 401 (no challenge)", async () => {
+	const maliciousActivity = new Create({
+		id: new URL("https://attacker.example.com/activities/challenge-5"),
+		actor: new URL("https://victim.example.com/users/alice"),
+		object: new Note({
+			id: new URL("https://attacker.example.com/notes/challenge-5"),
+			attribution: new URL("https://victim.example.com/users/alice"),
+			content: "Forged message!"
+		})
+	});
+	const maliciousRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await maliciousActivity.toJsonLd())
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: maliciousRequest,
+		url: new URL(maliciousRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const kv = new MemoryKvStore();
+	const response = await handleInbox(maliciousRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		actorDispatcher,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: { enabled: true }
+	});
+	assertEquals(response.status, 401);
+	assertEquals(response.headers.get("Accept-Signature"), null, "Actor/key mismatch should not emit Accept-Signature challenge");
+	assertEquals(await response.text(), "The signer and the actor do not match.");
+});
+test("handleInbox() nonce issuance in challenge", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/nonce-1"),
+		actor: new URL("https://example.com/person2"),
+		object: new Note({
+			id: new URL("https://example.com/notes/nonce-1"),
+			attribution: new URL("https://example.com/person2"),
+			content: "Hello!"
+		})
+	});
+	const unsignedRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await activity.toJsonLd())
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: unsignedRequest,
+		url: new URL(unsignedRequest.url),
+		data: void 0
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const kv = new MemoryKvStore();
+	const response = await handleInbox(unsignedRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		actorDispatcher,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: {
+			enabled: true,
+			requestNonce: true,
+			nonceTtlSeconds: 300
+		}
+	});
+	assertEquals(response.status, 401);
+	const acceptSig = response.headers.get("Accept-Signature");
+	assert(acceptSig != null, "Accept-Signature header must be present");
+	const parsed = parseAcceptSignature(acceptSig);
+	assert(parsed.length > 0);
+	assert(parsed[0].parameters.nonce != null, "Nonce must be present in Accept-Signature parameters");
+	assertEquals(response.headers.get("Cache-Control"), "no-store");
+	const nonceKey = [
+		"_fedify",
+		"acceptSignatureNonce",
+		parsed[0].parameters.nonce
+	];
+	const stored = await kv.get(nonceKey);
+	assertEquals(stored, true, "Nonce must be stored in KV store");
+});
+test("handleInbox() nonce consumption on valid signed request", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/nonce-2"),
+		actor: new URL("https://example.com/person2"),
+		object: new Note({
+			id: new URL("https://example.com/notes/nonce-2"),
+			attribution: new URL("https://example.com/person2"),
+			content: "Hello!"
+		})
+	});
+	const kv = new MemoryKvStore();
+	const noncePrefix = ["_fedify", "acceptSignatureNonce"];
+	const nonce = "test-nonce-abc123";
+	await kv.set([
+		"_fedify",
+		"acceptSignatureNonce",
+		nonce
+	], true, { ttl: Temporal.Duration.from({ seconds: 300 }) });
+	const signedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await activity.toJsonLd())
+	}), rsaPrivateKey3, rsaPublicKey3.id, {
+		spec: "rfc9421",
+		rfc9421: { nonce }
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: signedRequest,
+		url: new URL(signedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const response = await handleInbox(signedRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: noncePrefix
+		},
+		actorDispatcher,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: {
+			enabled: true,
+			requestNonce: true,
+			nonceTtlSeconds: 300
+		}
+	});
+	assertEquals(response.status, 202);
+	const stored = await kv.get([
+		"_fedify",
+		"acceptSignatureNonce",
+		nonce
+	]);
+	assertEquals(stored, void 0, "Nonce must be consumed after use");
+});
+test("handleInbox() nonce replay prevention", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/nonce-3"),
+		actor: new URL("https://example.com/person2"),
+		object: new Note({
+			id: new URL("https://example.com/notes/nonce-3"),
+			attribution: new URL("https://example.com/person2"),
+			content: "Hello!"
+		})
+	});
+	const kv = new MemoryKvStore();
+	const noncePrefix = ["_fedify", "acceptSignatureNonce"];
+	const nonce = "replay-nonce-xyz";
+	const signedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await activity.toJsonLd())
+	}), rsaPrivateKey3, rsaPublicKey3.id, {
+		spec: "rfc9421",
+		rfc9421: { nonce }
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: signedRequest,
+		url: new URL(signedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const response = await handleInbox(signedRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: noncePrefix
+		},
+		actorDispatcher,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: {
+			enabled: true,
+			requestNonce: true,
+			nonceTtlSeconds: 300
+		}
+	});
+	assertEquals(response.status, 401);
+	const acceptSig = response.headers.get("Accept-Signature");
+	assert(acceptSig != null, "Must emit fresh Accept-Signature challenge");
+	const parsed = parseAcceptSignature(acceptSig);
+	assert(parsed.length > 0);
+	assert(parsed[0].parameters.nonce != null, "Fresh challenge must include a new nonce");
+	assert(parsed[0].parameters.nonce !== nonce, "Fresh nonce must differ from the replayed one");
+	assertEquals(response.headers.get("Cache-Control"), "no-store", "Challenge response must have Cache-Control: no-store");
+});
+test("handleInbox() nonce bypass: valid sig without nonce + invalid sig with nonce", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/nonce-bypass-1"),
+		actor: new URL("https://example.com/person2"),
+		object: new Note({
+			id: new URL("https://example.com/notes/nonce-bypass-1"),
+			attribution: new URL("https://example.com/person2"),
+			content: "Hello!"
+		})
+	});
+	const kv = new MemoryKvStore();
+	const noncePrefix = ["_fedify", "acceptSignatureNonce"];
+	const storedNonce = "bypass-nonce-abc123";
+	await kv.set([
+		"_fedify",
+		"acceptSignatureNonce",
+		storedNonce
+	], true, { ttl: Temporal.Duration.from({ seconds: 300 }) });
+	const signedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await activity.toJsonLd())
+	}), rsaPrivateKey3, rsaPublicKey3.id, { spec: "rfc9421" });
+	const existingSignatureInput = signedRequest.headers.get("Signature-Input");
+	const existingSignature = signedRequest.headers.get("Signature");
+	const bogusSigInput = `sig2=("@method" "@target-uri");alg="rsa-v1_5-sha256";keyid="${rsaPublicKey3.id.href}";created=${Math.floor(Date.now() / 1e3)};nonce="${storedNonce}"`;
+	const bogusSigValue = `sig2=:AAAA:`;
+	const tamperedHeaders = new Headers(signedRequest.headers);
+	tamperedHeaders.set("Signature-Input", `${existingSignatureInput}, ${bogusSigInput}`);
+	tamperedHeaders.set("Signature", `${existingSignature}, ${bogusSigValue}`);
+	const tamperedRequest = new Request(signedRequest.url, {
+		method: signedRequest.method,
+		headers: tamperedHeaders,
+		body: await signedRequest.clone().arrayBuffer()
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: tamperedRequest,
+		url: new URL(tamperedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const response = await handleInbox(tamperedRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: noncePrefix
+		},
+		actorDispatcher,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: {
+			enabled: true,
+			requestNonce: true,
+			nonceTtlSeconds: 300
+		}
+	});
+	assertEquals(response.status, 401, "Request with nonce only in a non-verified signature must be rejected (nonce verification must be bound to the verified signature label)");
+	const stored = await kv.get([
+		"_fedify",
+		"acceptSignatureNonce",
+		storedNonce
+	]);
+	assertEquals(stored, true, "Nonce must not be consumed when it comes from a non-verified signature");
+});
+test("handleInbox() actor/key mismatch does not consume nonce", async () => {
+	const maliciousActivity = new Create({
+		id: new URL("https://attacker.example.com/activities/mismatch-nonce-1"),
+		actor: new URL("https://victim.example.com/users/alice"),
+		object: new Note({
+			id: new URL("https://attacker.example.com/notes/mismatch-nonce-1"),
+			attribution: new URL("https://victim.example.com/users/alice"),
+			content: "Forged message with nonce!"
+		})
+	});
+	const kv = new MemoryKvStore();
+	const noncePrefix = ["_fedify", "acceptSignatureNonce"];
+	const nonce = "mismatch-nonce-xyz";
+	await kv.set([
+		"_fedify",
+		"acceptSignatureNonce",
+		nonce
+	], true, { ttl: Temporal.Duration.from({ seconds: 300 }) });
+	const maliciousRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await maliciousActivity.toJsonLd())
+	}), rsaPrivateKey3, rsaPublicKey3.id, {
+		spec: "rfc9421",
+		rfc9421: { nonce }
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: maliciousRequest,
+		url: new URL(maliciousRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const response = await handleInbox(maliciousRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: noncePrefix
+		},
+		actorDispatcher,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: {
+			enabled: true,
+			requestNonce: true,
+			nonceTtlSeconds: 300
+		}
+	});
+	assertEquals(response.status, 401);
+	assertEquals(await response.text(), "The signer and the actor do not match.");
+	const stored = await kv.get([
+		"_fedify",
+		"acceptSignatureNonce",
+		nonce
+	]);
+	assertEquals(stored, true, "Nonce must not be consumed when actor/key ownership check fails");
+});
+test("handleInbox() challenge policy enabled + unverifiedActivityHandler returns undefined", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/challenge-unverified"),
+		actor: new URL("https://example.com/person2"),
+		object: new Note({
+			id: new URL("https://example.com/notes/challenge-unverified"),
+			attribution: new URL("https://example.com/person2"),
+			content: "Hello!"
+		})
+	});
+	const originalRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await activity.toJsonLd())
+	});
+	const signedRequest = await signRequest(originalRequest, rsaPrivateKey3, rsaPublicKey3.id);
+	const jsonLd = await activity.toJsonLd();
+	const tamperedBody = JSON.stringify({
+		...jsonLd,
+		"https://example.com/tampered": true
+	});
+	const tamperedRequest = new Request(signedRequest.url, {
+		method: signedRequest.method,
+		headers: signedRequest.headers,
+		body: tamperedBody
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: tamperedRequest,
+		url: new URL(tamperedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const kv = new MemoryKvStore();
+	const response = await handleInbox(tamperedRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		actorDispatcher,
+		unverifiedActivityHandler() {},
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: { enabled: true }
+	});
+	assertEquals(response.status, 401);
+	const acceptSig = response.headers.get("Accept-Signature");
+	assert(acceptSig != null, "Accept-Signature header must be present when unverifiedActivityHandler returns undefined and challenge policy is enabled");
+	const parsed = parseAcceptSignature(acceptSig);
+	assert(parsed.length > 0, "Accept-Signature must have at least one entry");
+	assertEquals(response.headers.get("Cache-Control"), "no-store", "Cache-Control: no-store must be set for challenge-response");
+	assertEquals(response.headers.get("Vary"), "Accept, Signature", "Vary header must include Accept and Signature");
+});
+test("handleInbox() challenge policy enabled + unverifiedActivityHandler throws error", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/challenge-throw"),
+		actor: new URL("https://example.com/person2"),
+		object: new Note({
+			id: new URL("https://example.com/notes/challenge-throw"),
+			attribution: new URL("https://example.com/person2"),
+			content: "Hello!"
+		})
+	});
+	const originalRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await activity.toJsonLd())
+	});
+	const signedRequest = await signRequest(originalRequest, rsaPrivateKey3, rsaPublicKey3.id);
+	const jsonLd = await activity.toJsonLd();
+	const tamperedBody = JSON.stringify({
+		...jsonLd,
+		"https://example.com/tampered": true
+	});
+	const tamperedRequest = new Request(signedRequest.url, {
+		method: signedRequest.method,
+		headers: signedRequest.headers,
+		body: tamperedBody
+	});
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const context = createRequestContext({
+		federation,
+		request: tamperedRequest,
+		url: new URL(tamperedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	const actorDispatcher = (_ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({ name: "Someone" });
+	};
+	const kv = new MemoryKvStore();
+	const response = await handleInbox(tamperedRequest, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...context,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		kv,
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		actorDispatcher,
+		unverifiedActivityHandler() {
+			throw new Error("handler error");
+		},
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false,
+		inboxChallengePolicy: { enabled: true }
+	});
+	assertEquals(response.status, 401);
+	const acceptSig = response.headers.get("Accept-Signature");
+	assert(acceptSig != null, "Accept-Signature header must be present when unverifiedActivityHandler throws and challenge policy is enabled");
+	const parsed = parseAcceptSignature(acceptSig);
+	assert(parsed.length > 0, "Accept-Signature must have at least one entry");
+	assertEquals(response.headers.get("Cache-Control"), "no-store", "Cache-Control: no-store must be set for challenge-response");
+	assertEquals(response.headers.get("Vary"), "Accept, Signature", "Vary header must include Accept and Signature");
+});
 
 //#endregion