@fedify/fedify 2.1.0-dev.565 → 2.1.0-dev.592

package/dist/{middleware-Cx0tTbX1.js → middleware--uATyG9i.js}

@@ -3,14 +3,14 @@
           import { URLPattern } from "urlpattern-polyfill";
         
 import { getDefaultActivityTransformers } from "./transformers-C3FLHUd6.js";
-import { deno_default, doubleKnock, exportJwk, importJwk, validateCryptoKey, verifyRequest, verifyRequestDetailed } from "./http-VpqmUjje.js";
-import { detachSignature, doesActorOwnKey, getKeyOwner, hasSignature, signJsonLd, signObject, verifyJsonLd, verifyObject } from "./proof-DnRq8s8f.js";
+import { deno_default, doubleKnock, exportJwk, formatAcceptSignature, importJwk, parseRfc9421SignatureInput, validateCryptoKey, verifyRequest, verifyRequestDetailed } from "./http-DePHjWKP.js";
+import { detachSignature, doesActorOwnKey, getKeyOwner, hasSignature, signJsonLd, signObject, verifyJsonLd, verifyObject } from "./proof-CiCp_mCG.js";
 import { getNodeInfo, nodeInfoToJson } from "./types-C93Ob9cU.js";
-import { getAuthenticatedDocumentLoader, kvCache } from "./kv-cache-BSATpUtX.js";
+import { getAuthenticatedDocumentLoader, kvCache } from "./kv-cache-DizRqYX4.js";
 import { getLogger, withContext } from "@logtape/logtape";
 import { Activity, Collection, CollectionPage, CryptographicKey, Link, Multikey, Object as Object$1, OrderedCollection, OrderedCollectionPage, getTypeId, lookupObject, traverseCollection } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, context, propagation, trace } from "@opentelemetry/api";
-import { cloneDeep } from "es-toolkit";
+import { cloneDeep, uniq } from "es-toolkit";
 import { Router } from "uri-template-router";
 import { parseTemplate } from "url-template";
 import { encodeHex } from "byte-encodings/hex";
@@ -339,7 +339,7 @@ var FederationBuilderImpl = class {
 		this.collectionTypeIds = {};
 	}
 	async build(options) {
-		const { FederationImpl: FederationImpl$1 } = await import("./middleware-DpdPMZII.js");
+		const { FederationImpl: FederationImpl$1 } = await import("./middleware-4fo4pEtA.js");
 		const f = new FederationImpl$1(options);
 		const trailingSlashInsensitiveValue = f.router.trailingSlashInsensitive;
 		f.router = this.router.clone();
@@ -1281,7 +1281,7 @@ async function handleInbox(request, options) {
 * @returns A promise that resolves to an HTTP response.
 */
 async function handleInboxInternal(request, parameters, span) {
-	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, tracerProvider } = parameters;
+	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, inboxChallengePolicy, tracerProvider } = parameters;
 	const logger$1 = getLogger([
 		"fedify",
 		"federation",
@@ -1433,6 +1433,7 @@ async function handleInboxInternal(request, parameters, span) {
 		}
 	}
 	let httpSigKey = null;
+	let pendingNonceLabel;
 	if (activity == null) {
 		if (!skipSignatureVerification) {
 			const verification = await verifyRequestDetailed(request, {
@@ -1453,10 +1454,7 @@ async function handleInboxInternal(request, parameters, span) {
 					code: SpanStatusCode.ERROR,
 					message: `Failed to verify the request's HTTP Signatures.`
 				});
-				if (unverifiedActivityHandler == null) return new Response("Failed to verify the request signature.", {
-					status: 401,
-					headers: { "Content-Type": "text/plain; charset=utf-8" }
-				});
+				if (unverifiedActivityHandler == null) return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 				try {
 					activity = await Activity.fromJsonLd(jsonWithoutSig, ctx);
 				} catch (error) {
@@ -1510,17 +1508,12 @@ async function handleInboxInternal(request, parameters, span) {
 							recipient
 						});
 					}
-					return new Response("Failed to verify the request signature.", {
-						status: 401,
-						headers: { "Content-Type": "text/plain; charset=utf-8" }
-					});
+					return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 				}
 				if (response instanceof Response) return response;
-				return new Response("Failed to verify the request signature.", {
-					status: 401,
-					headers: { "Content-Type": "text/plain; charset=utf-8" }
-				});
+				return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 			} else {
+				if (inboxChallengePolicy?.enabled && inboxChallengePolicy.requestNonce) pendingNonceLabel = verification.signatureLabel;
 				logger$1.debug("HTTP Signatures are verified.", { recipient });
 				activityVerified = true;
 			}
@@ -1553,6 +1546,13 @@ async function handleInboxInternal(request, parameters, span) {
 			headers: { "Content-Type": "text/plain; charset=utf-8" }
 		});
 	}
+	if (pendingNonceLabel != null) {
+		const nonceValid = await verifySignatureNonce(request, kv, kvPrefixes.acceptSignatureNonce, pendingNonceLabel);
+		if (!nonceValid) {
+			logger$1.error("Signature nonce verification failed (missing, expired, or replayed).", { recipient });
+			return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
+		}
+	}
 	const routeResult = await routeActivity({
 		context: ctx,
 		json,
@@ -2017,6 +2017,79 @@ async function respondWithObjectIfAcceptable(object, request, options) {
 	response.headers.set("Vary", "Accept");
 	return response;
 }
+function generateNonce() {
+	const bytes = new Uint8Array(16);
+	crypto.getRandomValues(bytes);
+	return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function verifySignatureNonce(request, kv, noncePrefix, verifiedLabel) {
+	const signatureInput = request.headers.get("Signature-Input");
+	if (signatureInput == null) return false;
+	const parsed = parseRfc9421SignatureInput(signatureInput);
+	if (verifiedLabel == null) return false;
+	const sig = parsed[verifiedLabel];
+	if (sig == null) return false;
+	const nonce = sig.nonce;
+	if (nonce == null) return false;
+	const key = [...noncePrefix, nonce];
+	if (kv.cas != null) return await kv.cas(key, true, void 0);
+	const stored = await kv.get(key);
+	if (stored != null) {
+		await kv.delete(key);
+		return true;
+	}
+	return false;
+}
+const getFailedSignatureResponse = async (policy, kv, kvPrefixes) => {
+	const headers = await getFailedSignatureHeaders(policy, kv, kvPrefixes);
+	return new Response("Failed to verify the request signature.", {
+		status: 401,
+		headers
+	});
+};
+const getFailedSignatureHeaders = async (policy, kv, kvPrefixes) => ({
+	"Content-Type": "text/plain; charset=utf-8",
+	...policy?.enabled && {
+		"Accept-Signature": await buildAcceptSignatureHeader(policy, kv, kvPrefixes.acceptSignatureNonce),
+		"Cache-Control": "no-store",
+		"Vary": "Accept, Signature"
+	}
+});
+async function buildAcceptSignatureHeader(policy, kv, noncePrefix) {
+	const parameters = { created: true };
+	if (policy.requestNonce) {
+		const nonce = generateNonce();
+		const key = [...noncePrefix, nonce];
+		await setKey(kv, key, policy);
+		parameters.nonce = nonce;
+	}
+	const baseComponents = policy.components ?? DEF_COMPONENTS;
+	const components = uniq(MIN_COMPONENTS.concat(baseComponents)).filter((c) => c !== "@status").map((v) => ({
+		value: v,
+		params: {}
+	}));
+	return formatAcceptSignature([{
+		label: "sig1",
+		components,
+		parameters
+	}]);
+}
+async function setKey(kv, key, policy) {
+	const seconds = policy.nonceTtlSeconds ?? 300;
+	const ttl = Temporal.Duration.from({ seconds });
+	await kv.set(key, true, { ttl });
+}
+const DEF_COMPONENTS = [
+	"@method",
+	"@target-uri",
+	"@authority",
+	"content-digest"
+];
+const MIN_COMPONENTS = [
+	"@method",
+	"@target-uri",
+	"@authority"
+];
 
 //#endregion
 //#region src/nodeinfo/handler.ts
@@ -2442,6 +2515,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 	activityTransformers;
 	_tracerProvider;
 	firstKnock;
+	inboxChallengePolicy;
 	constructor(options) {
 		super();
 		this.kv = options.kv;
@@ -2450,6 +2524,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 			remoteDocument: ["_fedify", "remoteDocument"],
 			publicKey: ["_fedify", "publicKey"],
 			httpMessageSignaturesSpec: ["_fedify", "httpMessageSignaturesSpec"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"],
 			...options.kvPrefixes ?? {}
 		};
 		if (options.queue == null) {
@@ -2519,6 +2594,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 		this.permanentFailureStatusCodes = options.permanentFailureStatusCodes ?? [404, 410];
 		this.signatureTimeWindow = options.signatureTimeWindow ?? { hours: 1 };
 		this.skipSignatureVerification = options.skipSignatureVerification ?? false;
+		this.inboxChallengePolicy = options.inboxChallengePolicy;
 		this.outboxRetryPolicy = options.outboxRetryPolicy ?? createExponentialBackoffPolicy();
 		this.inboxRetryPolicy = options.inboxRetryPolicy ?? createExponentialBackoffPolicy();
 		this.activityTransformers = options.activityTransformers ?? getDefaultActivityTransformers();
@@ -3261,6 +3337,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 					onNotFound,
 					signatureTimeWindow: this.signatureTimeWindow,
 					skipSignatureVerification: this.skipSignatureVerification,
+					inboxChallengePolicy: this.inboxChallengePolicy,
 					tracerProvider: this.tracerProvider,
 					idempotencyStrategy: this.idempotencyStrategy
 				});

package/dist/{middleware-DpdPMZII.js → middleware-4fo4pEtA.js}

@@ -3,10 +3,10 @@
           import { URLPattern } from "urlpattern-polyfill";
         
 import "./transformers-C3FLHUd6.js";
-import "./http-VpqmUjje.js";
-import { ContextImpl, FederationImpl, InboxContextImpl, KvSpecDeterminer, createFederation } from "./middleware-Cx0tTbX1.js";
-import "./proof-DnRq8s8f.js";
+import "./http-DePHjWKP.js";
+import { ContextImpl, FederationImpl, InboxContextImpl, KvSpecDeterminer, createFederation } from "./middleware--uATyG9i.js";
+import "./proof-CiCp_mCG.js";
 import "./types-C93Ob9cU.js";
-import "./kv-cache-BSATpUtX.js";
+import "./kv-cache-DizRqYX4.js";
 
 export { FederationImpl };

package/dist/{middleware-D11GYoP-.cjs → middleware-9YDezkYJ.cjs}

@@ -4,10 +4,10 @@
         
 const require_chunk = require('./chunk-CGaQZ11T.cjs');
 const require_transformers = require('./transformers-3g8GZwkZ.cjs');
-const require_http = require('./http-iDlaLy8a.cjs');
-const require_proof = require('./proof-CgK60TcQ.cjs');
+const require_http = require('./http-CaXARmaJ.cjs');
+const require_proof = require('./proof-BVl5IgbN.cjs');
 const require_types = require('./types-Cd_hszr_.cjs');
-const require_kv_cache = require('./kv-cache-551Om14-.cjs');
+const require_kv_cache = require('./kv-cache-CYTDBChd.cjs');
 const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
 const __fedify_vocab = require_chunk.__toESM(require("@fedify/vocab"));
 const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));
@@ -340,7 +340,7 @@ var FederationBuilderImpl = class {
 		this.collectionTypeIds = {};
 	}
 	async build(options) {
-		const { FederationImpl: FederationImpl$1 } = await Promise.resolve().then(() => require("./middleware-BDr0P6dx.cjs"));
+		const { FederationImpl: FederationImpl$1 } = await Promise.resolve().then(() => require("./middleware-DNY45l5T.cjs"));
 		const f = new FederationImpl$1(options);
 		const trailingSlashInsensitiveValue = f.router.trailingSlashInsensitive;
 		f.router = this.router.clone();
@@ -1282,7 +1282,7 @@ async function handleInbox(request, options) {
 * @returns A promise that resolves to an HTTP response.
 */
 async function handleInboxInternal(request, parameters, span) {
-	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, tracerProvider } = parameters;
+	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, inboxChallengePolicy, tracerProvider } = parameters;
 	const logger$1 = (0, __logtape_logtape.getLogger)([
 		"fedify",
 		"federation",
@@ -1434,6 +1434,7 @@ async function handleInboxInternal(request, parameters, span) {
 		}
 	}
 	let httpSigKey = null;
+	let pendingNonceLabel;
 	if (activity == null) {
 		if (!skipSignatureVerification) {
 			const verification = await require_http.verifyRequestDetailed(request, {
@@ -1454,10 +1455,7 @@ async function handleInboxInternal(request, parameters, span) {
 					code: __opentelemetry_api.SpanStatusCode.ERROR,
 					message: `Failed to verify the request's HTTP Signatures.`
 				});
-				if (unverifiedActivityHandler == null) return new Response("Failed to verify the request signature.", {
-					status: 401,
-					headers: { "Content-Type": "text/plain; charset=utf-8" }
-				});
+				if (unverifiedActivityHandler == null) return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 				try {
 					activity = await __fedify_vocab.Activity.fromJsonLd(jsonWithoutSig, ctx);
 				} catch (error) {
@@ -1511,17 +1509,12 @@ async function handleInboxInternal(request, parameters, span) {
 							recipient
 						});
 					}
-					return new Response("Failed to verify the request signature.", {
-						status: 401,
-						headers: { "Content-Type": "text/plain; charset=utf-8" }
-					});
+					return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 				}
 				if (response instanceof Response) return response;
-				return new Response("Failed to verify the request signature.", {
-					status: 401,
-					headers: { "Content-Type": "text/plain; charset=utf-8" }
-				});
+				return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 			} else {
+				if (inboxChallengePolicy?.enabled && inboxChallengePolicy.requestNonce) pendingNonceLabel = verification.signatureLabel;
 				logger$1.debug("HTTP Signatures are verified.", { recipient });
 				activityVerified = true;
 			}
@@ -1554,6 +1547,13 @@ async function handleInboxInternal(request, parameters, span) {
 			headers: { "Content-Type": "text/plain; charset=utf-8" }
 		});
 	}
+	if (pendingNonceLabel != null) {
+		const nonceValid = await verifySignatureNonce(request, kv, kvPrefixes.acceptSignatureNonce, pendingNonceLabel);
+		if (!nonceValid) {
+			logger$1.error("Signature nonce verification failed (missing, expired, or replayed).", { recipient });
+			return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
+		}
+	}
 	const routeResult = await routeActivity({
 		context: ctx,
 		json,
@@ -2018,6 +2018,79 @@ async function respondWithObjectIfAcceptable(object, request, options) {
 	response.headers.set("Vary", "Accept");
 	return response;
 }
+function generateNonce() {
+	const bytes = new Uint8Array(16);
+	crypto.getRandomValues(bytes);
+	return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function verifySignatureNonce(request, kv, noncePrefix, verifiedLabel) {
+	const signatureInput = request.headers.get("Signature-Input");
+	if (signatureInput == null) return false;
+	const parsed = require_http.parseRfc9421SignatureInput(signatureInput);
+	if (verifiedLabel == null) return false;
+	const sig = parsed[verifiedLabel];
+	if (sig == null) return false;
+	const nonce = sig.nonce;
+	if (nonce == null) return false;
+	const key = [...noncePrefix, nonce];
+	if (kv.cas != null) return await kv.cas(key, true, void 0);
+	const stored = await kv.get(key);
+	if (stored != null) {
+		await kv.delete(key);
+		return true;
+	}
+	return false;
+}
+const getFailedSignatureResponse = async (policy, kv, kvPrefixes) => {
+	const headers = await getFailedSignatureHeaders(policy, kv, kvPrefixes);
+	return new Response("Failed to verify the request signature.", {
+		status: 401,
+		headers
+	});
+};
+const getFailedSignatureHeaders = async (policy, kv, kvPrefixes) => ({
+	"Content-Type": "text/plain; charset=utf-8",
+	...policy?.enabled && {
+		"Accept-Signature": await buildAcceptSignatureHeader(policy, kv, kvPrefixes.acceptSignatureNonce),
+		"Cache-Control": "no-store",
+		"Vary": "Accept, Signature"
+	}
+});
+async function buildAcceptSignatureHeader(policy, kv, noncePrefix) {
+	const parameters = { created: true };
+	if (policy.requestNonce) {
+		const nonce = generateNonce();
+		const key = [...noncePrefix, nonce];
+		await setKey(kv, key, policy);
+		parameters.nonce = nonce;
+	}
+	const baseComponents = policy.components ?? DEF_COMPONENTS;
+	const components = (0, es_toolkit.uniq)(MIN_COMPONENTS.concat(baseComponents)).filter((c) => c !== "@status").map((v) => ({
+		value: v,
+		params: {}
+	}));
+	return require_http.formatAcceptSignature([{
+		label: "sig1",
+		components,
+		parameters
+	}]);
+}
+async function setKey(kv, key, policy) {
+	const seconds = policy.nonceTtlSeconds ?? 300;
+	const ttl = Temporal.Duration.from({ seconds });
+	await kv.set(key, true, { ttl });
+}
+const DEF_COMPONENTS = [
+	"@method",
+	"@target-uri",
+	"@authority",
+	"content-digest"
+];
+const MIN_COMPONENTS = [
+	"@method",
+	"@target-uri",
+	"@authority"
+];
 
 //#endregion
 //#region src/nodeinfo/handler.ts
@@ -2443,6 +2516,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 	activityTransformers;
 	_tracerProvider;
 	firstKnock;
+	inboxChallengePolicy;
 	constructor(options) {
 		super();
 		this.kv = options.kv;
@@ -2451,6 +2525,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 			remoteDocument: ["_fedify", "remoteDocument"],
 			publicKey: ["_fedify", "publicKey"],
 			httpMessageSignaturesSpec: ["_fedify", "httpMessageSignaturesSpec"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"],
 			...options.kvPrefixes ?? {}
 		};
 		if (options.queue == null) {
@@ -2520,6 +2595,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 		this.permanentFailureStatusCodes = options.permanentFailureStatusCodes ?? [404, 410];
 		this.signatureTimeWindow = options.signatureTimeWindow ?? { hours: 1 };
 		this.skipSignatureVerification = options.skipSignatureVerification ?? false;
+		this.inboxChallengePolicy = options.inboxChallengePolicy;
 		this.outboxRetryPolicy = options.outboxRetryPolicy ?? createExponentialBackoffPolicy();
 		this.inboxRetryPolicy = options.inboxRetryPolicy ?? createExponentialBackoffPolicy();
 		this.activityTransformers = options.activityTransformers ?? require_transformers.getDefaultActivityTransformers();
@@ -3262,6 +3338,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 					onNotFound,
 					signatureTimeWindow: this.signatureTimeWindow,
 					skipSignatureVerification: this.skipSignatureVerification,
+					inboxChallengePolicy: this.inboxChallengePolicy,
 					tracerProvider: this.tracerProvider,
 					idempotencyStrategy: this.idempotencyStrategy
 				});

package/dist/middleware-C2PqSUaA.js

@@ -0,0 +1,27 @@
+
+      import { Temporal } from "@js-temporal/polyfill";
+      import { URLPattern } from "urlpattern-polyfill";
+      globalThis.addEventListener = () => {};
+    
+import "./deno-OR506Yti.js";
+import { ContextImpl, FederationImpl, InboxContextImpl, KvSpecDeterminer, createFederation } from "./middleware-DzICTgdC.js";
+import "./client-CoCIaTNO.js";
+import "./router-D9eI0s4b.js";
+import "./types-CPz01LGH.js";
+import "./accept-D7sAxyNa.js";
+import "./key-Cx3Tx_In.js";
+import "./http-BUCxbGks.js";
+import "./ld-CLMJw_iX.js";
+import "./owner-D5J299vd.js";
+import "./proof-BBLHhWMC.js";
+import "./docloader-BG_pP2fW.js";
+import "./kv-cache-Bw2F2ABq.js";
+import "./inbox-D_LU1opv.js";
+import "./builder-B24i8eYp.js";
+import "./collection-CSzG2j1P.js";
+import "./keycache-CpGWAUbj.js";
+import "./negotiation-BlAuS_nr.js";
+import "./retry-mqLf4b-R.js";
+import "./send-2b0Fn9cn.js";
+
+export { FederationImpl };

package/dist/middleware-DNY45l5T.cjs

@@ -0,0 +1,12 @@
+
+          const { Temporal } = require("@js-temporal/polyfill");
+          const { URLPattern } = require("urlpattern-polyfill");
+        
+require('./transformers-3g8GZwkZ.cjs');
+require('./http-CaXARmaJ.cjs');
+const require_middleware = require('./middleware-9YDezkYJ.cjs');
+require('./proof-BVl5IgbN.cjs');
+require('./types-Cd_hszr_.cjs');
+require('./kv-cache-CYTDBChd.cjs');
+
+exports.FederationImpl = require_middleware.FederationImpl;