@fedify/fedify 2.1.0-dev.565 → 2.1.0-dev.599

package/dist/{middleware-Cldp2YSv.js → middleware-CWItYNUL.js}

@@ -3,25 +3,27 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { deno_default } from "./deno-CEdy89j9.js";
+import { deno_default } from "./deno-BYv1FXyT.js";
 import { getNodeInfo } from "./client-CoCIaTNO.js";
 import { RouterError } from "./router-D9eI0s4b.js";
 import { nodeInfoToJson } from "./types-CPz01LGH.js";
-import { exportJwk, importJwk, validateCryptoKey } from "./key-B0yADkL8.js";
-import { verifyRequest, verifyRequestDetailed } from "./http-Dm9n1mRe.js";
-import { detachSignature, hasSignature, signJsonLd, verifyJsonLd } from "./ld-BBmbv1nb.js";
-import { doesActorOwnKey, getKeyOwner } from "./owner-C1ZyG4NL.js";
-import { signObject, verifyObject } from "./proof-wclcUq0C.js";
-import { getAuthenticatedDocumentLoader } from "./docloader-CL1QPJzN.js";
-import { kvCache } from "./kv-cache-El7We5sy.js";
-import { routeActivity } from "./inbox-CMtnW0RE.js";
-import { FederationBuilderImpl } from "./builder-Deoi2N2z.js";
-import { buildCollectionSynchronizationHeader } from "./collection-CcnIw1qY.js";
-import { KvKeyCache } from "./keycache-C7k8s1Bk.js";
-import { acceptsJsonLd } from "./negotiation-5NPJL6zp.js";
-import { createExponentialBackoffPolicy } from "./retry-D4GJ670a.js";
-import { SendActivityError, extractInboxes, sendActivity } from "./send-DNJyYRVU.js";
+import { formatAcceptSignature } from "./accept-D7sAxyNa.js";
+import { exportJwk, importJwk, validateCryptoKey } from "./key-BSOrewQw.js";
+import { parseRfc9421SignatureInput, verifyRequest, verifyRequestDetailed } from "./http-SDJbghtm.js";
+import { detachSignature, hasSignature, signJsonLd, verifyJsonLd } from "./ld-8UNDFIO0.js";
+import { doesActorOwnKey, getKeyOwner } from "./owner-D1i3Gz1q.js";
+import { signObject, verifyObject } from "./proof-Blm7rPHe.js";
+import { getAuthenticatedDocumentLoader } from "./docloader-D3dGL8MN.js";
+import { kvCache } from "./kv-cache-Bw2F2ABq.js";
+import { routeActivity } from "./inbox-gPJ0RaKj.js";
+import { FederationBuilderImpl } from "./builder-rlJT9XsH.js";
+import { buildCollectionSynchronizationHeader } from "./collection-CSzG2j1P.js";
+import { KvKeyCache } from "./keycache-CpGWAUbj.js";
+import { acceptsJsonLd } from "./negotiation-BlAuS_nr.js";
+import { createExponentialBackoffPolicy } from "./retry-mqLf4b-R.js";
+import { SendActivityError, extractInboxes, sendActivity } from "./send-Ban_thmx.js";
 import { Activity, Collection, CollectionPage, CryptographicKey, Link, Multikey, Object as Object$1, OrderedCollection, OrderedCollectionPage, getTypeId, lookupObject, traverseCollection } from "@fedify/vocab";
+import { uniq } from "es-toolkit";
 import { FetchError, getDocumentLoader } from "@fedify/vocab-runtime";
 import { lookupWebFinger } from "@fedify/webfinger";
 import { getLogger, withContext } from "@logtape/logtape";
@@ -410,7 +412,7 @@ async function handleInbox(request, options) {
 * @returns A promise that resolves to an HTTP response.
 */
 async function handleInboxInternal(request, parameters, span) {
-	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, tracerProvider } = parameters;
+	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, inboxChallengePolicy, tracerProvider } = parameters;
 	const logger$2 = getLogger([
 		"fedify",
 		"federation",
@@ -562,6 +564,7 @@ async function handleInboxInternal(request, parameters, span) {
 		}
 	}
 	let httpSigKey = null;
+	let pendingNonceLabel;
 	if (activity == null) {
 		if (!skipSignatureVerification) {
 			const verification = await verifyRequestDetailed(request, {
@@ -582,10 +585,7 @@ async function handleInboxInternal(request, parameters, span) {
 					code: SpanStatusCode.ERROR,
 					message: `Failed to verify the request's HTTP Signatures.`
 				});
-				if (unverifiedActivityHandler == null) return new Response("Failed to verify the request signature.", {
-					status: 401,
-					headers: { "Content-Type": "text/plain; charset=utf-8" }
-				});
+				if (unverifiedActivityHandler == null) return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 				try {
 					activity = await Activity.fromJsonLd(jsonWithoutSig, ctx);
 				} catch (error) {
@@ -639,17 +639,12 @@ async function handleInboxInternal(request, parameters, span) {
 							recipient
 						});
 					}
-					return new Response("Failed to verify the request signature.", {
-						status: 401,
-						headers: { "Content-Type": "text/plain; charset=utf-8" }
-					});
+					return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 				}
 				if (response instanceof Response) return response;
-				return new Response("Failed to verify the request signature.", {
-					status: 401,
-					headers: { "Content-Type": "text/plain; charset=utf-8" }
-				});
+				return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 			} else {
+				if (inboxChallengePolicy?.enabled && inboxChallengePolicy.requestNonce) pendingNonceLabel = verification.signatureLabel;
 				logger$2.debug("HTTP Signatures are verified.", { recipient });
 				activityVerified = true;
 			}
@@ -682,6 +677,13 @@ async function handleInboxInternal(request, parameters, span) {
 			headers: { "Content-Type": "text/plain; charset=utf-8" }
 		});
 	}
+	if (pendingNonceLabel != null) {
+		const nonceValid = await verifySignatureNonce(request, kv, kvPrefixes.acceptSignatureNonce, pendingNonceLabel);
+		if (!nonceValid) {
+			logger$2.error("Signature nonce verification failed (missing, expired, or replayed).", { recipient });
+			return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
+		}
+	}
 	const routeResult = await routeActivity({
 		context: ctx,
 		json,
@@ -1146,6 +1148,79 @@ async function respondWithObjectIfAcceptable(object, request, options) {
 	response.headers.set("Vary", "Accept");
 	return response;
 }
+function generateNonce() {
+	const bytes = new Uint8Array(16);
+	crypto.getRandomValues(bytes);
+	return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function verifySignatureNonce(request, kv, noncePrefix, verifiedLabel) {
+	const signatureInput = request.headers.get("Signature-Input");
+	if (signatureInput == null) return false;
+	const parsed = parseRfc9421SignatureInput(signatureInput);
+	if (verifiedLabel == null) return false;
+	const sig = parsed[verifiedLabel];
+	if (sig == null) return false;
+	const nonce = sig.nonce;
+	if (nonce == null) return false;
+	const key = [...noncePrefix, nonce];
+	if (kv.cas != null) return await kv.cas(key, true, void 0);
+	const stored = await kv.get(key);
+	if (stored != null) {
+		await kv.delete(key);
+		return true;
+	}
+	return false;
+}
+const getFailedSignatureResponse = async (policy, kv, kvPrefixes) => {
+	const headers = await getFailedSignatureHeaders(policy, kv, kvPrefixes);
+	return new Response("Failed to verify the request signature.", {
+		status: 401,
+		headers
+	});
+};
+const getFailedSignatureHeaders = async (policy, kv, kvPrefixes) => ({
+	"Content-Type": "text/plain; charset=utf-8",
+	...policy?.enabled && {
+		"Accept-Signature": await buildAcceptSignatureHeader(policy, kv, kvPrefixes.acceptSignatureNonce),
+		"Cache-Control": "no-store",
+		"Vary": "Accept, Signature"
+	}
+});
+async function buildAcceptSignatureHeader(policy, kv, noncePrefix) {
+	const parameters = { created: true };
+	if (policy.requestNonce) {
+		const nonce = generateNonce();
+		const key = [...noncePrefix, nonce];
+		await setKey(kv, key, policy);
+		parameters.nonce = nonce;
+	}
+	const baseComponents = policy.components ?? DEF_COMPONENTS;
+	const components = uniq(MIN_COMPONENTS.concat(baseComponents)).filter((c) => c !== "@status").map((v) => ({
+		value: v,
+		params: {}
+	}));
+	return formatAcceptSignature([{
+		label: "sig1",
+		components,
+		parameters
+	}]);
+}
+async function setKey(kv, key, policy) {
+	const seconds = policy.nonceTtlSeconds ?? 300;
+	const ttl = Temporal.Duration.from({ seconds });
+	await kv.set(key, true, { ttl });
+}
+const DEF_COMPONENTS = [
+	"@method",
+	"@target-uri",
+	"@authority",
+	"content-digest"
+];
+const MIN_COMPONENTS = [
+	"@method",
+	"@target-uri",
+	"@authority"
+];
 
 //#endregion
 //#region src/federation/webfinger.ts
@@ -1315,6 +1390,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 	activityTransformers;
 	_tracerProvider;
 	firstKnock;
+	inboxChallengePolicy;
 	constructor(options) {
 		super();
 		this.kv = options.kv;
@@ -1323,6 +1399,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 			remoteDocument: ["_fedify", "remoteDocument"],
 			publicKey: ["_fedify", "publicKey"],
 			httpMessageSignaturesSpec: ["_fedify", "httpMessageSignaturesSpec"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"],
 			...options.kvPrefixes ?? {}
 		};
 		if (options.queue == null) {
@@ -1392,6 +1469,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 		this.permanentFailureStatusCodes = options.permanentFailureStatusCodes ?? [404, 410];
 		this.signatureTimeWindow = options.signatureTimeWindow ?? { hours: 1 };
 		this.skipSignatureVerification = options.skipSignatureVerification ?? false;
+		this.inboxChallengePolicy = options.inboxChallengePolicy;
 		this.outboxRetryPolicy = options.outboxRetryPolicy ?? createExponentialBackoffPolicy();
 		this.inboxRetryPolicy = options.inboxRetryPolicy ?? createExponentialBackoffPolicy();
 		this.activityTransformers = options.activityTransformers ?? getDefaultActivityTransformers();
@@ -1638,11 +1716,11 @@ var FederationImpl = class extends FederationBuilderImpl {
 				});
 				throw error;
 			}
-			const delay = this.outboxRetryPolicy({
+			const delay$1 = this.outboxRetryPolicy({
 				elapsedTime: Temporal.Instant.from(message.started).until(Temporal.Now.instant()),
 				attempts: message.attempt
 			});
-			if (delay != null) {
+			if (delay$1 != null) {
 				logger$2.error("Failed to send activity {activityId} to {inbox} (attempt #{attempt}); retry...:\n{error}", {
 					...logData,
 					error
@@ -1650,7 +1728,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 				await this.outboxQueue?.enqueue({
 					...message,
 					attempt: message.attempt + 1
-				}, { delay: Temporal.Duration.compare(delay, { seconds: 0 }) < 0 ? Temporal.Duration.from({ seconds: 0 }) : delay });
+				}, { delay: Temporal.Duration.compare(delay$1, { seconds: 0 }) < 0 ? Temporal.Duration.from({ seconds: 0 }) : delay$1 });
 			} else logger$2.error("Failed to send activity {activityId} to {inbox} after {attempt} attempts; giving up:\n{error}", {
 				...logData,
 				error
@@ -1737,11 +1815,11 @@ var FederationImpl = class extends FederationBuilderImpl {
 					span$1.end();
 					throw error;
 				}
-				const delay = this.inboxRetryPolicy({
+				const delay$1 = this.inboxRetryPolicy({
 					elapsedTime: Temporal.Instant.from(message.started).until(Temporal.Now.instant()),
 					attempts: message.attempt
 				});
-				if (delay != null) {
+				if (delay$1 != null) {
 					logger$2.error("Failed to process the incoming activity {activityId} (attempt #{attempt}); retry...:\n{error}", {
 						error,
 						attempt: message.attempt,
@@ -1752,7 +1830,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 					await this.inboxQueue?.enqueue({
 						...message,
 						attempt: message.attempt + 1
-					}, { delay: Temporal.Duration.compare(delay, { seconds: 0 }) < 0 ? Temporal.Duration.from({ seconds: 0 }) : delay });
+					}, { delay: Temporal.Duration.compare(delay$1, { seconds: 0 }) < 0 ? Temporal.Duration.from({ seconds: 0 }) : delay$1 });
 				} else logger$2.error("Failed to process the incoming activity {activityId} after {trial} attempts; giving up:\n{error}", {
 					error,
 					activityId: activity.id?.href,
@@ -2134,6 +2212,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 					onNotFound,
 					signatureTimeWindow: this.signatureTimeWindow,
 					skipSignatureVerification: this.skipSignatureVerification,
+					inboxChallengePolicy: this.inboxChallengePolicy,
 					tracerProvider: this.tracerProvider,
 					idempotencyStrategy: this.idempotencyStrategy
 				});

package/dist/{middleware-Cx0tTbX1.js → middleware-C_89nqvv.js}

@@ -3,14 +3,14 @@
           import { URLPattern } from "urlpattern-polyfill";
         
 import { getDefaultActivityTransformers } from "./transformers-C3FLHUd6.js";
-import { deno_default, doubleKnock, exportJwk, importJwk, validateCryptoKey, verifyRequest, verifyRequestDetailed } from "./http-VpqmUjje.js";
-import { detachSignature, doesActorOwnKey, getKeyOwner, hasSignature, signJsonLd, signObject, verifyJsonLd, verifyObject } from "./proof-DnRq8s8f.js";
+import { deno_default, doubleKnock, exportJwk, formatAcceptSignature, importJwk, parseRfc9421SignatureInput, validateCryptoKey, verifyRequest, verifyRequestDetailed } from "./http-WrV4DdQ1.js";
+import { detachSignature, doesActorOwnKey, getKeyOwner, hasSignature, signJsonLd, signObject, verifyJsonLd, verifyObject } from "./proof-DgU0YpXY.js";
 import { getNodeInfo, nodeInfoToJson } from "./types-C93Ob9cU.js";
-import { getAuthenticatedDocumentLoader, kvCache } from "./kv-cache-BSATpUtX.js";
+import { getAuthenticatedDocumentLoader, kvCache } from "./kv-cache-D0a-g8yG.js";
 import { getLogger, withContext } from "@logtape/logtape";
 import { Activity, Collection, CollectionPage, CryptographicKey, Link, Multikey, Object as Object$1, OrderedCollection, OrderedCollectionPage, getTypeId, lookupObject, traverseCollection } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, context, propagation, trace } from "@opentelemetry/api";
-import { cloneDeep } from "es-toolkit";
+import { cloneDeep, uniq } from "es-toolkit";
 import { Router } from "uri-template-router";
 import { parseTemplate } from "url-template";
 import { encodeHex } from "byte-encodings/hex";
@@ -339,7 +339,7 @@ var FederationBuilderImpl = class {
 		this.collectionTypeIds = {};
 	}
 	async build(options) {
-		const { FederationImpl: FederationImpl$1 } = await import("./middleware-DpdPMZII.js");
+		const { FederationImpl: FederationImpl$1 } = await import("./middleware-Brge9sYu.js");
 		const f = new FederationImpl$1(options);
 		const trailingSlashInsensitiveValue = f.router.trailingSlashInsensitive;
 		f.router = this.router.clone();
@@ -1281,7 +1281,7 @@ async function handleInbox(request, options) {
 * @returns A promise that resolves to an HTTP response.
 */
 async function handleInboxInternal(request, parameters, span) {
-	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, tracerProvider } = parameters;
+	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, inboxChallengePolicy, tracerProvider } = parameters;
 	const logger$1 = getLogger([
 		"fedify",
 		"federation",
@@ -1433,6 +1433,7 @@ async function handleInboxInternal(request, parameters, span) {
 		}
 	}
 	let httpSigKey = null;
+	let pendingNonceLabel;
 	if (activity == null) {
 		if (!skipSignatureVerification) {
 			const verification = await verifyRequestDetailed(request, {
@@ -1453,10 +1454,7 @@ async function handleInboxInternal(request, parameters, span) {
 					code: SpanStatusCode.ERROR,
 					message: `Failed to verify the request's HTTP Signatures.`
 				});
-				if (unverifiedActivityHandler == null) return new Response("Failed to verify the request signature.", {
-					status: 401,
-					headers: { "Content-Type": "text/plain; charset=utf-8" }
-				});
+				if (unverifiedActivityHandler == null) return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 				try {
 					activity = await Activity.fromJsonLd(jsonWithoutSig, ctx);
 				} catch (error) {
@@ -1510,17 +1508,12 @@ async function handleInboxInternal(request, parameters, span) {
 							recipient
 						});
 					}
-					return new Response("Failed to verify the request signature.", {
-						status: 401,
-						headers: { "Content-Type": "text/plain; charset=utf-8" }
-					});
+					return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 				}
 				if (response instanceof Response) return response;
-				return new Response("Failed to verify the request signature.", {
-					status: 401,
-					headers: { "Content-Type": "text/plain; charset=utf-8" }
-				});
+				return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 			} else {
+				if (inboxChallengePolicy?.enabled && inboxChallengePolicy.requestNonce) pendingNonceLabel = verification.signatureLabel;
 				logger$1.debug("HTTP Signatures are verified.", { recipient });
 				activityVerified = true;
 			}
@@ -1553,6 +1546,13 @@ async function handleInboxInternal(request, parameters, span) {
 			headers: { "Content-Type": "text/plain; charset=utf-8" }
 		});
 	}
+	if (pendingNonceLabel != null) {
+		const nonceValid = await verifySignatureNonce(request, kv, kvPrefixes.acceptSignatureNonce, pendingNonceLabel);
+		if (!nonceValid) {
+			logger$1.error("Signature nonce verification failed (missing, expired, or replayed).", { recipient });
+			return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
+		}
+	}
 	const routeResult = await routeActivity({
 		context: ctx,
 		json,
@@ -2017,6 +2017,79 @@ async function respondWithObjectIfAcceptable(object, request, options) {
 	response.headers.set("Vary", "Accept");
 	return response;
 }
+function generateNonce() {
+	const bytes = new Uint8Array(16);
+	crypto.getRandomValues(bytes);
+	return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function verifySignatureNonce(request, kv, noncePrefix, verifiedLabel) {
+	const signatureInput = request.headers.get("Signature-Input");
+	if (signatureInput == null) return false;
+	const parsed = parseRfc9421SignatureInput(signatureInput);
+	if (verifiedLabel == null) return false;
+	const sig = parsed[verifiedLabel];
+	if (sig == null) return false;
+	const nonce = sig.nonce;
+	if (nonce == null) return false;
+	const key = [...noncePrefix, nonce];
+	if (kv.cas != null) return await kv.cas(key, true, void 0);
+	const stored = await kv.get(key);
+	if (stored != null) {
+		await kv.delete(key);
+		return true;
+	}
+	return false;
+}
+const getFailedSignatureResponse = async (policy, kv, kvPrefixes) => {
+	const headers = await getFailedSignatureHeaders(policy, kv, kvPrefixes);
+	return new Response("Failed to verify the request signature.", {
+		status: 401,
+		headers
+	});
+};
+const getFailedSignatureHeaders = async (policy, kv, kvPrefixes) => ({
+	"Content-Type": "text/plain; charset=utf-8",
+	...policy?.enabled && {
+		"Accept-Signature": await buildAcceptSignatureHeader(policy, kv, kvPrefixes.acceptSignatureNonce),
+		"Cache-Control": "no-store",
+		"Vary": "Accept, Signature"
+	}
+});
+async function buildAcceptSignatureHeader(policy, kv, noncePrefix) {
+	const parameters = { created: true };
+	if (policy.requestNonce) {
+		const nonce = generateNonce();
+		const key = [...noncePrefix, nonce];
+		await setKey(kv, key, policy);
+		parameters.nonce = nonce;
+	}
+	const baseComponents = policy.components ?? DEF_COMPONENTS;
+	const components = uniq(MIN_COMPONENTS.concat(baseComponents)).filter((c) => c !== "@status").map((v) => ({
+		value: v,
+		params: {}
+	}));
+	return formatAcceptSignature([{
+		label: "sig1",
+		components,
+		parameters
+	}]);
+}
+async function setKey(kv, key, policy) {
+	const seconds = policy.nonceTtlSeconds ?? 300;
+	const ttl = Temporal.Duration.from({ seconds });
+	await kv.set(key, true, { ttl });
+}
+const DEF_COMPONENTS = [
+	"@method",
+	"@target-uri",
+	"@authority",
+	"content-digest"
+];
+const MIN_COMPONENTS = [
+	"@method",
+	"@target-uri",
+	"@authority"
+];
 
 //#endregion
 //#region src/nodeinfo/handler.ts
@@ -2442,6 +2515,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 	activityTransformers;
 	_tracerProvider;
 	firstKnock;
+	inboxChallengePolicy;
 	constructor(options) {
 		super();
 		this.kv = options.kv;
@@ -2450,6 +2524,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 			remoteDocument: ["_fedify", "remoteDocument"],
 			publicKey: ["_fedify", "publicKey"],
 			httpMessageSignaturesSpec: ["_fedify", "httpMessageSignaturesSpec"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"],
 			...options.kvPrefixes ?? {}
 		};
 		if (options.queue == null) {
@@ -2519,6 +2594,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 		this.permanentFailureStatusCodes = options.permanentFailureStatusCodes ?? [404, 410];
 		this.signatureTimeWindow = options.signatureTimeWindow ?? { hours: 1 };
 		this.skipSignatureVerification = options.skipSignatureVerification ?? false;
+		this.inboxChallengePolicy = options.inboxChallengePolicy;
 		this.outboxRetryPolicy = options.outboxRetryPolicy ?? createExponentialBackoffPolicy();
 		this.inboxRetryPolicy = options.inboxRetryPolicy ?? createExponentialBackoffPolicy();
 		this.activityTransformers = options.activityTransformers ?? getDefaultActivityTransformers();
@@ -3261,6 +3337,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 					onNotFound,
 					signatureTimeWindow: this.signatureTimeWindow,
 					skipSignatureVerification: this.skipSignatureVerification,
+					inboxChallengePolicy: this.inboxChallengePolicy,
 					tracerProvider: this.tracerProvider,
 					idempotencyStrategy: this.idempotencyStrategy
 				});

package/dist/{middleware-D11GYoP-.cjs → middleware-PGDxr3nC.cjs}

@@ -4,10 +4,10 @@
         
 const require_chunk = require('./chunk-CGaQZ11T.cjs');
 const require_transformers = require('./transformers-3g8GZwkZ.cjs');
-const require_http = require('./http-iDlaLy8a.cjs');
-const require_proof = require('./proof-CgK60TcQ.cjs');
+const require_http = require('./http-Cjdbgipx.cjs');
+const require_proof = require('./proof-DFqGzNZi.cjs');
 const require_types = require('./types-Cd_hszr_.cjs');
-const require_kv_cache = require('./kv-cache-551Om14-.cjs');
+const require_kv_cache = require('./kv-cache-sn8V-LU_.cjs');
 const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
 const __fedify_vocab = require_chunk.__toESM(require("@fedify/vocab"));
 const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));
@@ -340,7 +340,7 @@ var FederationBuilderImpl = class {
 		this.collectionTypeIds = {};
 	}
 	async build(options) {
-		const { FederationImpl: FederationImpl$1 } = await Promise.resolve().then(() => require("./middleware-BDr0P6dx.cjs"));
+		const { FederationImpl: FederationImpl$1 } = await Promise.resolve().then(() => require("./middleware-74Kx7iWO.cjs"));
 		const f = new FederationImpl$1(options);
 		const trailingSlashInsensitiveValue = f.router.trailingSlashInsensitive;
 		f.router = this.router.clone();
@@ -1282,7 +1282,7 @@ async function handleInbox(request, options) {
 * @returns A promise that resolves to an HTTP response.
 */
 async function handleInboxInternal(request, parameters, span) {
-	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, tracerProvider } = parameters;
+	const { recipient, context: ctx, inboxContextFactory, kv, kvPrefixes, queue, actorDispatcher, inboxListeners, inboxErrorHandler, unverifiedActivityHandler, onNotFound, signatureTimeWindow, skipSignatureVerification, inboxChallengePolicy, tracerProvider } = parameters;
 	const logger$1 = (0, __logtape_logtape.getLogger)([
 		"fedify",
 		"federation",
@@ -1434,6 +1434,7 @@ async function handleInboxInternal(request, parameters, span) {
 		}
 	}
 	let httpSigKey = null;
+	let pendingNonceLabel;
 	if (activity == null) {
 		if (!skipSignatureVerification) {
 			const verification = await require_http.verifyRequestDetailed(request, {
@@ -1454,10 +1455,7 @@ async function handleInboxInternal(request, parameters, span) {
 					code: __opentelemetry_api.SpanStatusCode.ERROR,
 					message: `Failed to verify the request's HTTP Signatures.`
 				});
-				if (unverifiedActivityHandler == null) return new Response("Failed to verify the request signature.", {
-					status: 401,
-					headers: { "Content-Type": "text/plain; charset=utf-8" }
-				});
+				if (unverifiedActivityHandler == null) return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 				try {
 					activity = await __fedify_vocab.Activity.fromJsonLd(jsonWithoutSig, ctx);
 				} catch (error) {
@@ -1511,17 +1509,12 @@ async function handleInboxInternal(request, parameters, span) {
 							recipient
 						});
 					}
-					return new Response("Failed to verify the request signature.", {
-						status: 401,
-						headers: { "Content-Type": "text/plain; charset=utf-8" }
-					});
+					return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 				}
 				if (response instanceof Response) return response;
-				return new Response("Failed to verify the request signature.", {
-					status: 401,
-					headers: { "Content-Type": "text/plain; charset=utf-8" }
-				});
+				return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
 			} else {
+				if (inboxChallengePolicy?.enabled && inboxChallengePolicy.requestNonce) pendingNonceLabel = verification.signatureLabel;
 				logger$1.debug("HTTP Signatures are verified.", { recipient });
 				activityVerified = true;
 			}
@@ -1554,6 +1547,13 @@ async function handleInboxInternal(request, parameters, span) {
 			headers: { "Content-Type": "text/plain; charset=utf-8" }
 		});
 	}
+	if (pendingNonceLabel != null) {
+		const nonceValid = await verifySignatureNonce(request, kv, kvPrefixes.acceptSignatureNonce, pendingNonceLabel);
+		if (!nonceValid) {
+			logger$1.error("Signature nonce verification failed (missing, expired, or replayed).", { recipient });
+			return await getFailedSignatureResponse(inboxChallengePolicy, kv, kvPrefixes);
+		}
+	}
 	const routeResult = await routeActivity({
 		context: ctx,
 		json,
@@ -2018,6 +2018,79 @@ async function respondWithObjectIfAcceptable(object, request, options) {
 	response.headers.set("Vary", "Accept");
 	return response;
 }
+function generateNonce() {
+	const bytes = new Uint8Array(16);
+	crypto.getRandomValues(bytes);
+	return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function verifySignatureNonce(request, kv, noncePrefix, verifiedLabel) {
+	const signatureInput = request.headers.get("Signature-Input");
+	if (signatureInput == null) return false;
+	const parsed = require_http.parseRfc9421SignatureInput(signatureInput);
+	if (verifiedLabel == null) return false;
+	const sig = parsed[verifiedLabel];
+	if (sig == null) return false;
+	const nonce = sig.nonce;
+	if (nonce == null) return false;
+	const key = [...noncePrefix, nonce];
+	if (kv.cas != null) return await kv.cas(key, true, void 0);
+	const stored = await kv.get(key);
+	if (stored != null) {
+		await kv.delete(key);
+		return true;
+	}
+	return false;
+}
+const getFailedSignatureResponse = async (policy, kv, kvPrefixes) => {
+	const headers = await getFailedSignatureHeaders(policy, kv, kvPrefixes);
+	return new Response("Failed to verify the request signature.", {
+		status: 401,
+		headers
+	});
+};
+const getFailedSignatureHeaders = async (policy, kv, kvPrefixes) => ({
+	"Content-Type": "text/plain; charset=utf-8",
+	...policy?.enabled && {
+		"Accept-Signature": await buildAcceptSignatureHeader(policy, kv, kvPrefixes.acceptSignatureNonce),
+		"Cache-Control": "no-store",
+		"Vary": "Accept, Signature"
+	}
+});
+async function buildAcceptSignatureHeader(policy, kv, noncePrefix) {
+	const parameters = { created: true };
+	if (policy.requestNonce) {
+		const nonce = generateNonce();
+		const key = [...noncePrefix, nonce];
+		await setKey(kv, key, policy);
+		parameters.nonce = nonce;
+	}
+	const baseComponents = policy.components ?? DEF_COMPONENTS;
+	const components = (0, es_toolkit.uniq)(MIN_COMPONENTS.concat(baseComponents)).filter((c) => c !== "@status").map((v) => ({
+		value: v,
+		params: {}
+	}));
+	return require_http.formatAcceptSignature([{
+		label: "sig1",
+		components,
+		parameters
+	}]);
+}
+async function setKey(kv, key, policy) {
+	const seconds = policy.nonceTtlSeconds ?? 300;
+	const ttl = Temporal.Duration.from({ seconds });
+	await kv.set(key, true, { ttl });
+}
+const DEF_COMPONENTS = [
+	"@method",
+	"@target-uri",
+	"@authority",
+	"content-digest"
+];
+const MIN_COMPONENTS = [
+	"@method",
+	"@target-uri",
+	"@authority"
+];
 
 //#endregion
 //#region src/nodeinfo/handler.ts
@@ -2443,6 +2516,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 	activityTransformers;
 	_tracerProvider;
 	firstKnock;
+	inboxChallengePolicy;
 	constructor(options) {
 		super();
 		this.kv = options.kv;
@@ -2451,6 +2525,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 			remoteDocument: ["_fedify", "remoteDocument"],
 			publicKey: ["_fedify", "publicKey"],
 			httpMessageSignaturesSpec: ["_fedify", "httpMessageSignaturesSpec"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"],
 			...options.kvPrefixes ?? {}
 		};
 		if (options.queue == null) {
@@ -2520,6 +2595,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 		this.permanentFailureStatusCodes = options.permanentFailureStatusCodes ?? [404, 410];
 		this.signatureTimeWindow = options.signatureTimeWindow ?? { hours: 1 };
 		this.skipSignatureVerification = options.skipSignatureVerification ?? false;
+		this.inboxChallengePolicy = options.inboxChallengePolicy;
 		this.outboxRetryPolicy = options.outboxRetryPolicy ?? createExponentialBackoffPolicy();
 		this.inboxRetryPolicy = options.inboxRetryPolicy ?? createExponentialBackoffPolicy();
 		this.activityTransformers = options.activityTransformers ?? require_transformers.getDefaultActivityTransformers();
@@ -3262,6 +3338,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 					onNotFound,
 					signatureTimeWindow: this.signatureTimeWindow,
 					skipSignatureVerification: this.skipSignatureVerification,
+					inboxChallengePolicy: this.inboxChallengePolicy,
 					tracerProvider: this.tracerProvider,
 					idempotencyStrategy: this.idempotencyStrategy
 				});