@fedify/fedify 2.1.0 → 2.1.2

package/dist/{http-gvnJbMS1.cjs → http-CxodXLwi.cjs}

@@ -1,134 +1,26 @@
-
-          const { Temporal } = require("@js-temporal/polyfill");
-          const { URLPattern } = require("urlpattern-polyfill");
-        
-const require_chunk = require('./chunk-CGaQZ11T.cjs');
-const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
-const __fedify_vocab = require_chunk.__toESM(require("@fedify/vocab"));
-const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));
-const byte_encodings_hex = require_chunk.__toESM(require("byte-encodings/hex"));
-const structured_field_values = require_chunk.__toESM(require("structured-field-values"));
-const __opentelemetry_semantic_conventions = require_chunk.__toESM(require("@opentelemetry/semantic-conventions"));
-const byte_encodings_base64 = require_chunk.__toESM(require("byte-encodings/base64"));
-const __fedify_vocab_runtime = require_chunk.__toESM(require("@fedify/vocab-runtime"));
-
+const { Temporal } = require("@js-temporal/polyfill");
+const { URLPattern } = require("urlpattern-polyfill");
+require("./chunk-DDcVe30Y.cjs");
+let _logtape_logtape = require("@logtape/logtape");
+let _fedify_vocab = require("@fedify/vocab");
+let _opentelemetry_api = require("@opentelemetry/api");
+let byte_encodings_hex = require("byte-encodings/hex");
+let structured_field_values = require("structured-field-values");
+let _fedify_vocab_runtime = require("@fedify/vocab-runtime");
+let _opentelemetry_semantic_conventions = require("@opentelemetry/semantic-conventions");
+let byte_encodings_base64 = require("byte-encodings/base64");
 //#region deno.json
 var name = "@fedify/fedify";
-var version = "2.1.0";
-var license = "MIT";
-var exports$1 = {
-	".": "./src/mod.ts",
-	"./compat": "./src/compat/mod.ts",
-	"./federation": "./src/federation/mod.ts",
-	"./nodeinfo": "./src/nodeinfo/mod.ts",
-	"./otel": "./src/otel/mod.ts",
-	"./runtime": "./src/runtime/mod.ts",
-	"./sig": "./src/sig/mod.ts",
-	"./utils": "./src/utils/mod.ts",
-	"./vocab": "./src/vocab/mod.ts"
-};
-var imports = {
-	"@multiformats/base-x": "npm:@multiformats/base-x@^4.0.1",
-	"@std/assert": "jsr:@std/assert@^0.226.0",
-	"@std/url": "jsr:@std/url@^0.225.1",
-	"asn1js": "npm:asn1js@^3.0.7",
-	"fast-check": "npm:fast-check@^3.22.0",
-	"fetch-mock": "npm:fetch-mock@^12.5.2",
-	"json-canon": "npm:json-canon@^1.0.1",
-	"jsonld": "npm:jsonld@^9.0.0",
-	"pkijs": "npm:pkijs@^3.3.3",
-	"structured-field-values": "npm:structured-field-values@^2.0.4",
-	"uri-template-router": "npm:uri-template-router@^1.0.0",
-	"url-template": "npm:url-template@^3.1.1"
-};
-var exclude = [
-	".test-report.xml",
-	"apidoc/",
-	"dist/",
-	"node_modules/",
-	"npm/",
-	"pnpm-lock.yaml",
-	"src/cfworkers/dist/",
-	"src/cfworkers/fixtures/",
-	"src/cfworkers/imports.ts",
-	"src/cfworkers/README.md",
-	"src/cfworkers/server.ts",
-	"src/cfworkers/server.js",
-	"src/cfworkers/server.js.map"
-];
-var publish = { "exclude": [
-	"**/*.test.ts",
-	"src/testing/",
-	"tsdown.config.ts",
-	"scripts/",
-	"wrangler.toml"
-] };
-var tasks = {
-	"codegen": "deno task -f @fedify/vocab compile",
-	"cache": {
-		"command": "deno cache src/mod.ts",
-		"dependencies": ["codegen"]
-	},
-	"check": {
-		"command": "deno fmt --check && deno lint && deno check src/**/*.ts",
-		"dependencies": ["codegen"]
-	},
-	"test": {
-		"command": "deno test --check --doc --allow-read --allow-write --allow-env --unstable-kv --trace-leaks --parallel",
-		"dependencies": ["codegen"]
-	},
-	"coverage": "deno task test --clean --coverage && deno coverage --html coverage",
-	"bench": {
-		"command": "deno bench --allow-read --allow-write --allow-net --allow-env --allow-run --unstable-kv",
-		"dependencies": ["codegen"]
-	},
-	"apidoc": {
-		"command": "deno doc --html --name=Fedify --output=apidoc/ src/mod.ts",
-		"dependencies": ["codegen"]
-	},
-	"publish": {
-		"command": "deno publish",
-		"dependencies": ["codegen"]
-	},
-	"pnpm:install": "pnpm install --silent",
-	"pnpm:build": {
-		"command": "pnpm exec tsdown",
-		"dependencies": ["pnpm:build-vocab"]
-	},
-	"test:node": {
-		"command": "cd dist/ && node --test",
-		"dependencies": ["pnpm:build"]
-	},
-	"test:bun": {
-		"command": "cd dist/ && bun test --timeout 60000",
-		"dependencies": ["pnpm:build"]
-	},
-	"test:cfworkers": {
-		"command": "pnpm exec wrangler deploy --dry-run --outdir src/cfworkers && node --import=tsx src/cfworkers/client.ts",
-		"dependencies": ["pnpm:build"]
-	},
-	"test-all": { "dependencies": [
-		"check",
-		"test",
-		"test:node",
-		"test:bun",
-		"test:cfworkers"
-	] }
-};
-var deno_default = {
-	name,
-	version,
-	license,
-	exports: exports$1,
-	imports,
-	exclude,
-	publish,
-	tasks
-};
-
+var version = "2.1.2";
 //#endregion
 //#region src/sig/accept.ts
 /**
+* `Accept-Signature` header parsing, serialization, and validation utilities
+* for RFC 9421 §5 challenge-response negotiation.
+*
+* @module
+*/
+/**
 * Parses an `Accept-Signature` header value (RFC 9421 §5.1) into an
 * array of {@link AcceptSignatureMember} objects.
 *
@@ -147,7 +39,7 @@ function parseAcceptSignature(header) {
 	try {
 		return parseEachSignature((0, structured_field_values.decodeDict)(header));
 	} catch {
-		(0, __logtape_logtape.getLogger)([
+		(0, _logtape_logtape.getLogger)([
 			"fedify",
 			"sig",
 			"http"
@@ -216,7 +108,7 @@ const compactParameters = (member) => {
 * @since 2.1.0
 */
 function validateAcceptSignature(members) {
-	const logger = (0, __logtape_logtape.getLogger)([
+	const logger = (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
 		"http"
@@ -259,7 +151,6 @@ function fulfillAcceptSignature(entry, localKeyId, localAlg) {
 		expires: entry.parameters.expires
 	};
 }
-
 //#endregion
 //#region src/sig/key.ts
 /**
@@ -275,8 +166,7 @@ function validateCryptoKey(key, type) {
 	if (!key.extractable) throw new TypeError("The key is not extractable.");
 	if (key.algorithm.name !== "RSASSA-PKCS1-v1_5" && key.algorithm.name !== "Ed25519") throw new TypeError("Currently only RSASSA-PKCS1-v1_5 and Ed25519 keys are supported.  More algorithms will be added in the future!");
 	if (key.algorithm.name === "RSASSA-PKCS1-v1_5") {
-		const algorithm = key.algorithm;
-		if (algorithm.hash.name !== "SHA-256") throw new TypeError("For compatibility with the existing Fediverse software (e.g., Mastodon), hash algorithm for RSASSA-PKCS1-v1_5 keys must be SHA-256.");
+		if (key.algorithm.hash.name !== "SHA-256") throw new TypeError("For compatibility with the existing Fediverse software (e.g., Mastodon), hash algorithm for RSASSA-PKCS1-v1_5 keys must be SHA-256.");
 	}
 }
 /**
@@ -287,7 +177,7 @@ function validateCryptoKey(key, type) {
 * @throws {TypeError} If the algorithm is unsupported.
 */
 function generateCryptoKeyPair(algorithm) {
-	if (algorithm == null) (0, __logtape_logtape.getLogger)([
+	if (algorithm == null) (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
 		"key"
@@ -342,10 +232,9 @@ async function importJwk(jwk, type) {
 	return key;
 }
 async function withFetchKeySpan(keyId, tracerProvider, fetcher) {
-	tracerProvider ??= __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	return await tracer.startActiveSpan("activitypub.fetch_key", {
-		kind: __opentelemetry_api.SpanKind.CLIENT,
+	tracerProvider ??= _opentelemetry_api.trace.getTracerProvider();
+	return await tracerProvider.getTracer(name, version).startActiveSpan("activitypub.fetch_key", {
+		kind: _opentelemetry_api.SpanKind.CLIENT,
 		attributes: {
 			"http.method": "GET",
 			"url.full": keyId.href,
@@ -362,7 +251,7 @@ async function withFetchKeySpan(keyId, tracerProvider, fetcher) {
 			return result;
 		} catch (e) {
 			span.setStatus({
-				code: __opentelemetry_api.SpanStatusCode.ERROR,
+				code: _opentelemetry_api.SpanStatusCode.ERROR,
 				message: String(e)
 			});
 			throw e;
@@ -405,41 +294,41 @@ function fetchKey(keyId, cls, options = {}) {
 async function fetchKeyDetailed(keyId, cls, options = {}) {
 	const cacheKey = typeof keyId === "string" ? new URL(keyId) : keyId;
 	return await withFetchKeySpan(cacheKey, options.tracerProvider, async () => {
-		return await fetchKeyWithResult(cacheKey, cls, options, async (cacheKey$1, keyId$1, keyCache, logger) => {
-			const fetchError = await keyCache?.getFetchError?.(cacheKey$1);
+		return await fetchKeyWithResult(cacheKey, cls, options, async (cacheKey, keyId, keyCache, logger) => {
+			const fetchError = await keyCache?.getFetchError?.(cacheKey);
 			if (fetchError != null) {
-				logger.debug("Entry {keyId} found in cache with preserved fetch failure details.", { keyId: keyId$1 });
+				logger.debug("Entry {keyId} found in cache with preserved fetch failure details.", { keyId });
 				return {
 					key: null,
 					cached: true,
 					fetchError
 				};
 			}
-			logger.debug("Entry {keyId} found in cache, but no fetch failure details are available.", { keyId: keyId$1 });
+			logger.debug("Entry {keyId} found in cache, but no fetch failure details are available.", { keyId });
 			return {
 				key: null,
 				cached: true
 			};
-		}, async (error, cacheKey$1, keyId$1, keyCache, logger) => {
+		}, async (error, cacheKey, keyId, keyCache, logger) => {
 			logger.debug("Failed to fetch key {keyId}.", {
-				keyId: keyId$1,
+				keyId,
 				error
 			});
-			await keyCache?.set(cacheKey$1, null);
-			if (error instanceof __fedify_vocab_runtime.FetchError && error.response != null) {
-				const fetchError$1 = {
+			await keyCache?.set(cacheKey, null);
+			if (error instanceof _fedify_vocab_runtime.FetchError && error.response != null) {
+				const fetchError = {
 					status: error.response.status,
 					response: error.response.clone()
 				};
-				await keyCache?.setFetchError?.(cacheKey$1, fetchError$1);
+				await keyCache?.setFetchError?.(cacheKey, fetchError);
 				return {
 					key: null,
 					cached: false,
-					fetchError: fetchError$1
+					fetchError
 				};
 			}
 			const fetchError = { error: error instanceof Error ? error : new Error(String(error)) };
-			await keyCache?.setFetchError?.(cacheKey$1, fetchError);
+			await keyCache?.setFetchError?.(cacheKey, fetchError);
 			return {
 				key: null,
 				cached: false,
@@ -472,7 +361,7 @@ async function clearFetchErrorMetadata(keyId, keyCache) {
 async function resolveFetchedKey(document, cacheKey, keyId, cls, { documentLoader, contextLoader, keyCache, tracerProvider }, logger) {
 	let object;
 	try {
-		object = await __fedify_vocab.Object.fromJsonLd(document, {
+		object = await _fedify_vocab.Object.fromJsonLd(document, {
 			documentLoader,
 			contextLoader,
 			tracerProvider
@@ -485,8 +374,8 @@ async function resolveFetchedKey(document, cacheKey, keyId, cls, { documentLoade
 				contextLoader,
 				tracerProvider
 			});
-		} catch (e$1) {
-			if (e$1 instanceof TypeError) {
+		} catch (e) {
+			if (e instanceof TypeError) {
 				logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
 				await keyCache?.set(cacheKey, null);
 				await clearFetchErrorMetadata(cacheKey, keyCache);
@@ -495,13 +384,13 @@ async function resolveFetchedKey(document, cacheKey, keyId, cls, { documentLoade
 					cached: false
 				};
 			}
-			throw e$1;
+			throw e;
 		}
 	}
 	let key = null;
 	if (object instanceof cls) key = object;
-	else if ((0, __fedify_vocab.isActor)(object)) {
-		const keys = cls === __fedify_vocab.CryptographicKey ? object.getPublicKeys({
+	else if ((0, _fedify_vocab.isActor)(object)) {
+		const keys = cls === _fedify_vocab.CryptographicKey ? object.getPublicKeys({
 			documentLoader,
 			contextLoader,
 			tracerProvider
@@ -563,7 +452,7 @@ async function resolveFetchedKey(document, cacheKey, keyId, cls, { documentLoade
 	};
 }
 async function fetchKeyWithResult(cacheKey, cls, options, onCachedUnavailable, onFetchError) {
-	const logger = (0, __logtape_logtape.getLogger)([
+	const logger = (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
 		"key"
@@ -576,40 +465,38 @@ async function fetchKeyWithResult(cacheKey, cls, options, onCachedUnavailable, o
 	logger.debug("Fetching key {keyId} to verify signature...", { keyId });
 	let document;
 	try {
-		const remoteDocument = await (options.documentLoader ?? (0, __fedify_vocab_runtime.getDocumentLoader)())(keyId);
-		document = remoteDocument.document;
+		document = (await (options.documentLoader ?? (0, _fedify_vocab_runtime.getDocumentLoader)())(keyId)).document;
 	} catch (error) {
 		return await onFetchError(error, cacheKey, keyId, keyCache, logger);
 	}
 	return await resolveFetchedKey(document, cacheKey, keyId, cls, options, logger);
 }
 async function fetchKeyInternal(keyId, cls, options = {}) {
-	const cacheKey = typeof keyId === "string" ? new URL(keyId) : keyId;
-	return await fetchKeyWithResult(cacheKey, cls, options, (_cacheKey, _keyId, _keyCache, _logger) => {
+	return await fetchKeyWithResult(typeof keyId === "string" ? new URL(keyId) : keyId, cls, options, (_cacheKey, _keyId, _keyCache, _logger) => {
 		return {
 			key: null,
 			cached: true
 		};
-	}, async (error, cacheKey$1, keyId$1, keyCache, logger) => {
+	}, async (error, cacheKey, keyId, keyCache, logger) => {
 		logger.debug("Failed to fetch key {keyId}.", {
-			keyId: keyId$1,
+			keyId,
 			error
 		});
-		await keyCache?.set(cacheKey$1, null);
-		if (error instanceof __fedify_vocab_runtime.FetchError && error.response != null) await keyCache?.setFetchError?.(cacheKey$1, {
+		await keyCache?.set(cacheKey, null);
+		if (error instanceof _fedify_vocab_runtime.FetchError && error.response != null) await keyCache?.setFetchError?.(cacheKey, {
 			status: error.response.status,
 			response: error.response.clone()
 		});
-		else await keyCache?.setFetchError?.(cacheKey$1, { error: error instanceof Error ? error : new Error(String(error)) });
+		else await keyCache?.setFetchError?.(cacheKey, { error: error instanceof Error ? error : new Error(String(error)) });
 		return {
 			key: null,
 			cached: false
 		};
 	});
 }
-
 //#endregion
 //#region src/sig/http.ts
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Signs a request using the given private key.
 * @param request The request to sign.
@@ -621,24 +508,22 @@ async function fetchKeyInternal(keyId, cls, options = {}) {
 */
 async function signRequest(request, privateKey, keyId, options = {}) {
 	validateCryptoKey(privateKey, "private");
-	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	return await tracer.startActiveSpan("http_signatures.sign", async (span) => {
+	return await (options.tracerProvider ?? _opentelemetry_api.trace.getTracerProvider()).getTracer(name, version).startActiveSpan("http_signatures.sign", async (span) => {
 		try {
 			const spec = options.spec ?? "draft-cavage-http-signatures-12";
 			let signed;
 			if (spec === "rfc9421") signed = await signRequestRfc9421(request, privateKey, keyId, span, options.currentTime, options.body, options.rfc9421);
 			else signed = await signRequestDraft(request, privateKey, keyId, span, options.currentTime, options.body);
 			if (span.isRecording()) {
-				span.setAttribute(__opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_METHOD, signed.method);
-				span.setAttribute(__opentelemetry_semantic_conventions.ATTR_URL_FULL, signed.url);
-				for (const [name$1, value] of signed.headers) span.setAttribute((0, __opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_HEADER)(name$1), value);
+				span.setAttribute(_opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_METHOD, signed.method);
+				span.setAttribute(_opentelemetry_semantic_conventions.ATTR_URL_FULL, signed.url);
+				for (const [name, value] of signed.headers) span.setAttribute((0, _opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_HEADER)(name), value);
 				span.setAttribute("http_signatures.key_id", keyId.href);
 			}
 			return signed;
 		} catch (error) {
 			span.setStatus({
-				code: __opentelemetry_api.SpanStatusCode.ERROR,
+				code: _opentelemetry_api.SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
@@ -660,8 +545,8 @@ async function signRequestDraft(request, privateKey, keyId, span, currentTime, b
 	}
 	if (!headers.has("Date")) headers.set("Date", currentTime == null ? (/* @__PURE__ */ new Date()).toUTCString() : new Date(currentTime.toString()).toUTCString());
 	const serialized = [["(request-target)", `${request.method.toLowerCase()} ${url.pathname}`], ...headers];
-	const headerNames = serialized.map(([name$1]) => name$1);
-	const message = serialized.map(([name$1, value]) => `${name$1}: ${value.trim()}`).join("\n");
+	const headerNames = serialized.map(([name]) => name);
+	const message = serialized.map(([name, value]) => `${name}: ${value.trim()}`).join("\n");
 	const signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", privateKey, new TextEncoder().encode(message));
 	const sigHeader = `keyId="${keyId.href}",algorithm="rsa-sha256",headers="${headerNames.join(" ")}",signature="${(0, byte_encodings_base64.encodeBase64)(signature)}"`;
 	headers.set("Signature", sigHeader);
@@ -731,9 +616,7 @@ const derivedComponents = {
 * @returns The formatted signature string.
 */
 function formatRfc9421Signature(signature, components, parameters, label = "sig1") {
-	const signatureInputValue = `${label}=(${components.map((c) => formatComponentId(c)).join(" ")});${parameters}`;
-	const signatureValue = `${label}=:${(0, byte_encodings_base64.encodeBase64)(signature)}:`;
-	return [signatureInputValue, signatureValue];
+	return [`${label}=(${components.map((c) => formatComponentId(c)).join(" ")});${parameters}`, `${label}=:${(0, byte_encodings_base64.encodeBase64)(signature)}:`];
 }
 /**
 * Parse RFC 9421 Signature-Input header.
@@ -745,7 +628,7 @@ function parseRfc9421SignatureInput(signatureInput) {
 	try {
 		dict = (0, structured_field_values.decodeDict)(signatureInput);
 	} catch (error) {
-		(0, __logtape_logtape.getLogger)([
+		(0, _logtape_logtape.getLogger)([
 			"fedify",
 			"sig",
 			"http"
@@ -785,7 +668,7 @@ function parseRfc9421Signature(signature) {
 	try {
 		dict = (0, structured_field_values.decodeDict)(signature);
 	} catch (error) {
-		(0, __logtape_logtape.getLogger)([
+		(0, _logtape_logtape.getLogger)([
 			"fedify",
 			"sig",
 			"http"
@@ -839,12 +722,11 @@ async function signRequestRfc9421(request, privateKey, keyId, span, currentTime,
 		value: "content-digest",
 		params: {}
 	}] : []];
-	const expires = rfc9421Options?.expires === true ? (currentTime.epochMilliseconds / 1e3 | 0) + 3600 : void 0;
 	const signatureParams = formatRfc9421SignatureParameters({
 		algorithm: "rsa-v1_5-sha256",
 		keyId,
 		created,
-		expires,
+		expires: rfc9421Options?.expires === true ? (currentTime.epochMilliseconds / 1e3 | 0) + 3600 : void 0,
 		nonce: rfc9421Options?.nonce,
 		tag: rfc9421Options?.tag
 	});
@@ -954,13 +836,11 @@ async function verifyRequest(request, options = {}) {
 * @since 2.1.0
 */
 async function verifyRequestDetailed(request, options = {}) {
-	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	return await tracer.startActiveSpan("http_signatures.verify", async (span) => {
+	return await (options.tracerProvider ?? _opentelemetry_api.trace.getTracerProvider()).getTracer(name, version).startActiveSpan("http_signatures.verify", async (span) => {
 		if (span.isRecording()) {
-			span.setAttribute(__opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_METHOD, request.method);
-			span.setAttribute(__opentelemetry_semantic_conventions.ATTR_URL_FULL, request.url);
-			for (const [name$1, value] of request.headers) span.setAttribute((0, __opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_HEADER)(name$1), value);
+			span.setAttribute(_opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_METHOD, request.method);
+			span.setAttribute(_opentelemetry_semantic_conventions.ATTR_URL_FULL, request.url);
+			for (const [name, value] of request.headers) span.setAttribute((0, _opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_HEADER)(name), value);
 		}
 		try {
 			let spec = options.spec;
@@ -969,11 +849,11 @@ async function verifyRequestDetailed(request, options = {}) {
 			if (spec === "rfc9421") result = await verifyRequestRfc9421(request, span, options);
 			else result = await verifyRequestDraft(request, span, options);
 			recordVerificationResult(span, result);
-			if (!result.verified) span.setStatus({ code: __opentelemetry_api.SpanStatusCode.ERROR });
+			if (!result.verified) span.setStatus({ code: _opentelemetry_api.SpanStatusCode.ERROR });
 			return result;
 		} catch (error) {
 			span.setStatus({
-				code: __opentelemetry_api.SpanStatusCode.ERROR,
+				code: _opentelemetry_api.SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
@@ -983,7 +863,7 @@ async function verifyRequestDetailed(request, options = {}) {
 	});
 }
 async function verifyRequestDraft(request, span, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, tracerProvider } = {}) {
-	const logger = (0, __logtape_logtape.getLogger)([
+	const logger = (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
 		"http"
@@ -1131,7 +1011,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 	if (keyIdUrl == null) return invalidSignatureResult(null);
 	span?.setAttribute("http_signatures.key_id", keyId);
 	if ("algorithm" in sigValues) span?.setAttribute("http_signatures.algorithm", sigValues.algorithm);
-	const { key, cached, fetchError } = await fetchKeyDetailed(keyIdUrl, __fedify_vocab.CryptographicKey, {
+	const { key, cached, fetchError } = await fetchKeyDetailed(keyIdUrl, _fedify_vocab.CryptographicKey, {
 		documentLoader,
 		contextLoader,
 		keyCache,
@@ -1148,11 +1028,10 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 		logger.debug("Failed to verify; required headers missing in the Signature header: {headers}.", { headers });
 		return invalidSignatureResult(keyIdUrl);
 	}
-	const message = headerNames.map((name$1) => `${name$1}: ` + (name$1 === "(request-target)" ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}` : name$1 === "(created)" ? sigValues.created ?? "" : name$1 === "(expires)" ? sigValues.expires ?? "" : name$1 === "host" ? request.headers.get("host") ?? new URL(request.url).host : request.headers.get(name$1))).join("\n");
+	const message = headerNames.map((name) => `${name}: ` + (name === "(request-target)" ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}` : name === "(created)" ? sigValues.created ?? "" : name === "(expires)" ? sigValues.expires ?? "" : name === "host" ? request.headers.get("host") ?? new URL(request.url).host : request.headers.get(name))).join("\n");
 	const sig = (0, byte_encodings_base64.decodeBase64)(signature);
 	span?.setAttribute("http_signatures.signature", (0, byte_encodings_hex.encodeHex)(sig));
-	const verified = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, sig, new TextEncoder().encode(message));
-	if (!verified) {
+	if (!await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, sig, new TextEncoder().encode(message))) {
 		if (cached) {
 			logger.debug("Failed to verify with the cached key {keyId}; signature {signature} is invalid.  Retrying with the freshly fetched key...", {
 				keyId,
@@ -1166,7 +1045,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				currentTime,
 				keyCache: {
 					get: () => Promise.resolve(void 0),
-					set: async (keyId$1, key$1) => await keyCache?.set(keyId$1, key$1)
+					set: async (keyId, key) => await keyCache?.set(keyId, key)
 				}
 			});
 		}
@@ -1244,7 +1123,7 @@ async function verifyRfc9421ContentDigest(digestHeader, body) {
 	return false;
 }
 async function verifyRequestRfc9421(request, span, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, tracerProvider } = {}) {
-	const logger = (0, __logtape_logtape.getLogger)([
+	const logger = (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
 		"http"
@@ -1328,9 +1207,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				failure = invalidSignatureResult(keyId);
 				continue;
 			}
-			const body = await request.arrayBuffer();
-			const digestValid = await verifyRfc9421ContentDigest(contentDigestHeader, body);
-			if (!digestValid) {
+			if (!await verifyRfc9421ContentDigest(contentDigestHeader, await request.arrayBuffer())) {
 				logger.debug("Failed to verify; Content-Digest verification failed.", { contentDigest: contentDigestHeader });
 				failure = invalidSignatureResult(keyId);
 				continue;
@@ -1342,7 +1219,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 			failure = invalidSignatureResult(null);
 			continue;
 		}
-		const { key, cached, fetchError } = await fetchKeyDetailed(keyId, __fedify_vocab.CryptographicKey, {
+		const { key, cached, fetchError } = await fetchKeyDetailed(keyId, _fedify_vocab.CryptographicKey, {
 			documentLoader,
 			contextLoader,
 			keyCache,
@@ -1388,8 +1265,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 		const signatureBaseBytes = new TextEncoder().encode(signatureBase);
 		span?.setAttribute("http_signatures.signature", (0, byte_encodings_hex.encodeHex)(sigBytes));
 		try {
-			const verified = await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes);
-			if (verified) return {
+			if (await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes)) return {
 				verified: true,
 				key,
 				signatureLabel: sigName
@@ -1403,7 +1279,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 					currentTime,
 					keyCache: {
 						get: () => Promise.resolve(void 0),
-						set: async (keyId$1, key$1) => await keyCache?.set(keyId$1, key$1)
+						set: async (keyId, key) => await keyCache?.set(keyId, key)
 					},
 					spec: "rfc9421"
 				});
@@ -1460,7 +1336,11 @@ function createRedirectRequest(request, location, body) {
 * @since 1.6.0
 */
 async function doubleKnock(request, identity, options = {}) {
+	return await doubleKnockInternal(request, identity, options);
+}
+async function doubleKnockInternal(request, identity, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 	const { specDeterminer, log, tracerProvider, signal } = options;
+	visited.add(request.url);
 	const origin = new URL(request.url).origin;
 	const firstTrySpec = specDeterminer == null ? "rfc9421" : await specDeterminer.determineSpec(origin);
 	const body = options.body !== void 0 ? options.body : request.method !== "GET" && request.method !== "HEAD" ? await request.clone().arrayBuffer() : null;
@@ -1475,13 +1355,15 @@ async function doubleKnock(request, identity, options = {}) {
 		signal
 	});
 	if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-		const location = response.headers.get("Location");
-		return doubleKnock(createRedirectRequest(request, location, body), identity, {
+		if (redirected >= DEFAULT_MAX_REDIRECTION) throw new _fedify_vocab_runtime.FetchError(request.url, `Too many redirections (${redirected + 1})`);
+		const redirectRequest = createRedirectRequest(request, response.headers.get("Location"), body);
+		if (visited.has(redirectRequest.url)) throw new _fedify_vocab_runtime.FetchError(request.url, `Redirect loop detected: ${redirectRequest.url}`);
+		return doubleKnockInternal(redirectRequest, identity, {
 			...options,
 			body
-		});
+		}, redirected + 1, visited);
 	} else if (response.status === 400 || response.status === 401 || response.status > 401) {
-		const logger = (0, __logtape_logtape.getLogger)([
+		const logger = (0, _logtape_logtape.getLogger)([
 			"fedify",
 			"sig",
 			"http"
@@ -1522,13 +1404,10 @@ async function doubleKnock(request, identity, options = {}) {
 					redirect: "manual",
 					signal
 				});
-				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-					const location = response.headers.get("Location");
-					return doubleKnock(createRedirectRequest(request, location, body), identity, {
-						...options,
-						body
-					});
-				}
+				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) return doubleKnock(createRedirectRequest(request, response.headers.get("Location"), body), identity, {
+					...options,
+					body
+				});
 			}
 			if (fulfilled && response.status < 300) {
 				await specDeterminer?.rememberSpec(origin, "rfc9421");
@@ -1554,11 +1433,13 @@ async function doubleKnock(request, identity, options = {}) {
 			signal
 		});
 		if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-			const location = response.headers.get("Location");
-			return doubleKnock(createRedirectRequest(request, location, body), identity, {
+			if (redirected >= DEFAULT_MAX_REDIRECTION) throw new _fedify_vocab_runtime.FetchError(request.url, `Too many redirections (${redirected + 1})`);
+			const redirectRequest = createRedirectRequest(request, response.headers.get("Location"), body);
+			if (visited.has(redirectRequest.url)) throw new _fedify_vocab_runtime.FetchError(request.url, `Redirect loop detected: ${redirectRequest.url}`);
+			return doubleKnockInternal(redirectRequest, identity, {
 				...options,
 				body
-			});
+			}, redirected + 1, visited);
 		} else if (response.status !== 400 && response.status !== 401) await specDeterminer?.rememberSpec(origin, spec);
 	} else await specDeterminer?.rememberSpec(origin, firstTrySpec);
 	return response;
@@ -1590,101 +1471,106 @@ function timingSafeEqual(a, b) {
 	result |= lenA ^ lenB;
 	return result === 0;
 }
-
 //#endregion
-Object.defineProperty(exports, 'deno_default', {
-  enumerable: true,
-  get: function () {
-    return deno_default;
-  }
+Object.defineProperty(exports, "doubleKnock", {
+	enumerable: true,
+	get: function() {
+		return doubleKnock;
+	}
 });
-Object.defineProperty(exports, 'doubleKnock', {
-  enumerable: true,
-  get: function () {
-    return doubleKnock;
-  }
+Object.defineProperty(exports, "exportJwk", {
+	enumerable: true,
+	get: function() {
+		return exportJwk;
+	}
 });
-Object.defineProperty(exports, 'exportJwk', {
-  enumerable: true,
-  get: function () {
-    return exportJwk;
-  }
+Object.defineProperty(exports, "fetchKey", {
+	enumerable: true,
+	get: function() {
+		return fetchKey;
+	}
 });
-Object.defineProperty(exports, 'fetchKey', {
-  enumerable: true,
-  get: function () {
-    return fetchKey;
-  }
+Object.defineProperty(exports, "fetchKeyDetailed", {
+	enumerable: true,
+	get: function() {
+		return fetchKeyDetailed;
+	}
 });
-Object.defineProperty(exports, 'fetchKeyDetailed', {
-  enumerable: true,
-  get: function () {
-    return fetchKeyDetailed;
-  }
+Object.defineProperty(exports, "formatAcceptSignature", {
+	enumerable: true,
+	get: function() {
+		return formatAcceptSignature;
+	}
 });
-Object.defineProperty(exports, 'formatAcceptSignature', {
-  enumerable: true,
-  get: function () {
-    return formatAcceptSignature;
-  }
+Object.defineProperty(exports, "fulfillAcceptSignature", {
+	enumerable: true,
+	get: function() {
+		return fulfillAcceptSignature;
+	}
 });
-Object.defineProperty(exports, 'fulfillAcceptSignature', {
-  enumerable: true,
-  get: function () {
-    return fulfillAcceptSignature;
-  }
+Object.defineProperty(exports, "generateCryptoKeyPair", {
+	enumerable: true,
+	get: function() {
+		return generateCryptoKeyPair;
+	}
 });
-Object.defineProperty(exports, 'generateCryptoKeyPair', {
-  enumerable: true,
-  get: function () {
-    return generateCryptoKeyPair;
-  }
+Object.defineProperty(exports, "importJwk", {
+	enumerable: true,
+	get: function() {
+		return importJwk;
+	}
+});
+Object.defineProperty(exports, "name", {
+	enumerable: true,
+	get: function() {
+		return name;
+	}
 });
-Object.defineProperty(exports, 'importJwk', {
-  enumerable: true,
-  get: function () {
-    return importJwk;
-  }
+Object.defineProperty(exports, "parseAcceptSignature", {
+	enumerable: true,
+	get: function() {
+		return parseAcceptSignature;
+	}
+});
+Object.defineProperty(exports, "parseRfc9421SignatureInput", {
+	enumerable: true,
+	get: function() {
+		return parseRfc9421SignatureInput;
+	}
 });
-Object.defineProperty(exports, 'parseAcceptSignature', {
-  enumerable: true,
-  get: function () {
-    return parseAcceptSignature;
-  }
+Object.defineProperty(exports, "signRequest", {
+	enumerable: true,
+	get: function() {
+		return signRequest;
+	}
 });
-Object.defineProperty(exports, 'parseRfc9421SignatureInput', {
-  enumerable: true,
-  get: function () {
-    return parseRfc9421SignatureInput;
-  }
+Object.defineProperty(exports, "validateAcceptSignature", {
+	enumerable: true,
+	get: function() {
+		return validateAcceptSignature;
+	}
 });
-Object.defineProperty(exports, 'signRequest', {
-  enumerable: true,
-  get: function () {
-    return signRequest;
-  }
+Object.defineProperty(exports, "validateCryptoKey", {
+	enumerable: true,
+	get: function() {
+		return validateCryptoKey;
+	}
 });
-Object.defineProperty(exports, 'validateAcceptSignature', {
-  enumerable: true,
-  get: function () {
-    return validateAcceptSignature;
-  }
+Object.defineProperty(exports, "verifyRequest", {
+	enumerable: true,
+	get: function() {
+		return verifyRequest;
+	}
 });
-Object.defineProperty(exports, 'validateCryptoKey', {
-  enumerable: true,
-  get: function () {
-    return validateCryptoKey;
-  }
+Object.defineProperty(exports, "verifyRequestDetailed", {
+	enumerable: true,
+	get: function() {
+		return verifyRequestDetailed;
+	}
 });
-Object.defineProperty(exports, 'verifyRequest', {
-  enumerable: true,
-  get: function () {
-    return verifyRequest;
-  }
+Object.defineProperty(exports, "version", {
+	enumerable: true,
+	get: function() {
+		return version;
+	}
 });
-Object.defineProperty(exports, 'verifyRequestDetailed', {
-  enumerable: true,
-  get: function () {
-    return verifyRequestDetailed;
-  }
-});