@fedify/fedify 2.1.0 → 2.1.2

package/dist/federation/{webfinger.test.js → webfinger.test.mjs}

@@ -1,51 +1,23 @@
-
-      import { Temporal } from "@js-temporal/polyfill";
-      import { URLPattern } from "urlpattern-polyfill";
-      globalThis.addEventListener = () => {};
-    
-import { assertEquals } from "../assert_equals-DSbWqCm3.js";
-import "../assert-MZs1qjMx.js";
-import "../assert_instance_of-DHz7EHNU.js";
-import { MemoryKvStore } from "../kv-QzKcOQgP.js";
-import "../deno-BRMCYThi.js";
-import { createFederation, handleWebFinger } from "../middleware-CZ8jOOa3.js";
-import "../client-CoCIaTNO.js";
-import "../router-D9eI0s4b.js";
-import "../types-CPz01LGH.js";
-import "../accept-D7sAxyNa.js";
-import "../key-BsSCz8Z_.js";
-import "../http-CKDim8Tw.js";
-import "../ld-Bo_Rx0Fc.js";
-import "../owner-Bj_IbwIT.js";
-import "../proof-u6Y358J-.js";
-import "../docloader-bVO2EvL9.js";
-import "../kv-cache-Bw2F2ABq.js";
-import "../inbox-CA9AUEGa.js";
-import "../builder-WiHhZvjW.js";
-import "../collection-CSzG2j1P.js";
-import "../keycache-CpGWAUbj.js";
-import "../negotiation-BlAuS_nr.js";
-import "../retry-mqLf4b-R.js";
-import "../send-CE8h59oe.js";
-import "../std__assert-X-_kMxKM.js";
-import "../assert_rejects-0h7I2Esa.js";
-import "../assert_throws-rjdMBf31.js";
-import "../assert_not_equals-f3m3epl3.js";
-import { createRequestContext } from "../context-Aqenou7c.js";
+import "@js-temporal/polyfill";
+import "urlpattern-polyfill";
+globalThis.addEventListener = () => {};
+import { n as createRequestContext } from "../context-Juj6bdHC.mjs";
+import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
+import "../std__assert-Duiq_YC9.mjs";
+import { t as MemoryKvStore } from "../kv-tL2TOE9X.mjs";
+import { a as createFederation, o as handleWebFinger } from "../middleware-DMZGXHm3.mjs";
 import { test } from "@fedify/fixture";
 import { Image, Link, Person } from "@fedify/vocab";
-
 //#region src/federation/webfinger.test.ts
 test("handleWebFinger()", async (t) => {
 	const url = new URL("https://example.com/.well-known/webfinger");
-	function createContext(url$1) {
-		const federation = createFederation({ kv: new MemoryKvStore() });
+	function createContext(url) {
 		const context = createRequestContext({
-			federation,
-			url: url$1,
+			federation: createFederation({ kv: new MemoryKvStore() }),
+			url,
 			data: void 0,
 			getActorUri(identifier) {
-				return new URL(`${url$1.origin}/users/${identifier}`);
+				return new URL(`${url.origin}/users/${identifier}`);
 			},
 			async getActor(handle) {
 				return await actorDispatcher(context, handle);
@@ -55,10 +27,9 @@ test("handleWebFinger()", async (t) => {
 				if (uri.protocol === "acct:") return null;
 				if (!uri.pathname.startsWith("/users/")) return null;
 				const paths = uri.pathname.split("/");
-				const identifier = paths[paths.length - 1];
 				return {
 					type: "actor",
-					identifier
+					identifier: paths[paths.length - 1]
 				};
 			}
 		});
@@ -90,11 +61,10 @@ test("handleWebFinger()", async (t) => {
 	await t.step("no actor dispatcher", async () => {
 		const context = createContext(url);
 		const request = context.request;
-		const response = await handleWebFinger(request, {
+		assertEquals((await handleWebFinger(request, {
 			context,
 			onNotFound
-		});
-		assertEquals(response.status, 404);
+		})).status, 404);
 		assertEquals(onNotFoundCalled, request);
 	});
 	onNotFoundCalled = null;
@@ -114,8 +84,7 @@ test("handleWebFinger()", async (t) => {
 		const u = new URL(url);
 		u.searchParams.set("resource", " invalid ");
 		const context = createContext(u);
-		const request = new Request(u);
-		const response = await handleWebFinger(request, {
+		const response = await handleWebFinger(new Request(u), {
 			context,
 			actorDispatcher,
 			onNotFound
@@ -221,12 +190,11 @@ test("handleWebFinger()", async (t) => {
 		u.searchParams.set("resource", "acct:no-one@example.com");
 		const context = createContext(u);
 		const request = context.request;
-		const response = await handleWebFinger(request, {
+		assertEquals((await handleWebFinger(request, {
 			context,
 			actorDispatcher,
 			onNotFound
-		});
-		assertEquals(response.status, 404);
+		})).status, 404);
 		assertEquals(onNotFoundCalled, request);
 	});
 	onNotFoundCalled = null;
@@ -522,16 +490,14 @@ test("handleWebFinger()", async (t) => {
 			onNotFound
 		});
 		assertEquals(response.status, 200);
-		const result = await response.json();
-		const expectedWithCustomLinks = {
+		assertEquals(await response.json(), {
 			...expected,
 			links: [...expected.links, {
 				rel: "http://ostatus.org/schema/1.0/subscribe",
 				template: "https://example.com/follow?acct={uri}"
 			}]
-		};
-		assertEquals(result, expectedWithCustomLinks);
+		});
 	});
 });
-
-//#endregion
+//#endregion
+export {};

package/dist/{http-DhH623ma.js → http-BLZWcpzg.js}

@@ -1,133 +1,25 @@
-
-          import { Temporal } from "@js-temporal/polyfill";
-          import { URLPattern } from "urlpattern-polyfill";
-        
+import { Temporal } from "@js-temporal/polyfill";
+import "urlpattern-polyfill";
 import { getLogger } from "@logtape/logtape";
 import { CryptographicKey, Object as Object$1, isActor } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 import { encodeHex } from "byte-encodings/hex";
 import { Item, decodeDict, encodeDict, encodeItem } from "structured-field-values";
+import { FetchError, getDocumentLoader } from "@fedify/vocab-runtime";
 import { ATTR_HTTP_REQUEST_HEADER, ATTR_HTTP_REQUEST_METHOD, ATTR_URL_FULL } from "@opentelemetry/semantic-conventions";
 import { decodeBase64, encodeBase64 } from "byte-encodings/base64";
-import { FetchError, getDocumentLoader } from "@fedify/vocab-runtime";
-
 //#region deno.json
 var name = "@fedify/fedify";
-var version = "2.1.0";
-var license = "MIT";
-var exports = {
-	".": "./src/mod.ts",
-	"./compat": "./src/compat/mod.ts",
-	"./federation": "./src/federation/mod.ts",
-	"./nodeinfo": "./src/nodeinfo/mod.ts",
-	"./otel": "./src/otel/mod.ts",
-	"./runtime": "./src/runtime/mod.ts",
-	"./sig": "./src/sig/mod.ts",
-	"./utils": "./src/utils/mod.ts",
-	"./vocab": "./src/vocab/mod.ts"
-};
-var imports = {
-	"@multiformats/base-x": "npm:@multiformats/base-x@^4.0.1",
-	"@std/assert": "jsr:@std/assert@^0.226.0",
-	"@std/url": "jsr:@std/url@^0.225.1",
-	"asn1js": "npm:asn1js@^3.0.7",
-	"fast-check": "npm:fast-check@^3.22.0",
-	"fetch-mock": "npm:fetch-mock@^12.5.2",
-	"json-canon": "npm:json-canon@^1.0.1",
-	"jsonld": "npm:jsonld@^9.0.0",
-	"pkijs": "npm:pkijs@^3.3.3",
-	"structured-field-values": "npm:structured-field-values@^2.0.4",
-	"uri-template-router": "npm:uri-template-router@^1.0.0",
-	"url-template": "npm:url-template@^3.1.1"
-};
-var exclude = [
-	".test-report.xml",
-	"apidoc/",
-	"dist/",
-	"node_modules/",
-	"npm/",
-	"pnpm-lock.yaml",
-	"src/cfworkers/dist/",
-	"src/cfworkers/fixtures/",
-	"src/cfworkers/imports.ts",
-	"src/cfworkers/README.md",
-	"src/cfworkers/server.ts",
-	"src/cfworkers/server.js",
-	"src/cfworkers/server.js.map"
-];
-var publish = { "exclude": [
-	"**/*.test.ts",
-	"src/testing/",
-	"tsdown.config.ts",
-	"scripts/",
-	"wrangler.toml"
-] };
-var tasks = {
-	"codegen": "deno task -f @fedify/vocab compile",
-	"cache": {
-		"command": "deno cache src/mod.ts",
-		"dependencies": ["codegen"]
-	},
-	"check": {
-		"command": "deno fmt --check && deno lint && deno check src/**/*.ts",
-		"dependencies": ["codegen"]
-	},
-	"test": {
-		"command": "deno test --check --doc --allow-read --allow-write --allow-env --unstable-kv --trace-leaks --parallel",
-		"dependencies": ["codegen"]
-	},
-	"coverage": "deno task test --clean --coverage && deno coverage --html coverage",
-	"bench": {
-		"command": "deno bench --allow-read --allow-write --allow-net --allow-env --allow-run --unstable-kv",
-		"dependencies": ["codegen"]
-	},
-	"apidoc": {
-		"command": "deno doc --html --name=Fedify --output=apidoc/ src/mod.ts",
-		"dependencies": ["codegen"]
-	},
-	"publish": {
-		"command": "deno publish",
-		"dependencies": ["codegen"]
-	},
-	"pnpm:install": "pnpm install --silent",
-	"pnpm:build": {
-		"command": "pnpm exec tsdown",
-		"dependencies": ["pnpm:build-vocab"]
-	},
-	"test:node": {
-		"command": "cd dist/ && node --test",
-		"dependencies": ["pnpm:build"]
-	},
-	"test:bun": {
-		"command": "cd dist/ && bun test --timeout 60000",
-		"dependencies": ["pnpm:build"]
-	},
-	"test:cfworkers": {
-		"command": "pnpm exec wrangler deploy --dry-run --outdir src/cfworkers && node --import=tsx src/cfworkers/client.ts",
-		"dependencies": ["pnpm:build"]
-	},
-	"test-all": { "dependencies": [
-		"check",
-		"test",
-		"test:node",
-		"test:bun",
-		"test:cfworkers"
-	] }
-};
-var deno_default = {
-	name,
-	version,
-	license,
-	exports,
-	imports,
-	exclude,
-	publish,
-	tasks
-};
-
+var version = "2.1.2";
 //#endregion
 //#region src/sig/accept.ts
 /**
+* `Accept-Signature` header parsing, serialization, and validation utilities
+* for RFC 9421 §5 challenge-response negotiation.
+*
+* @module
+*/
+/**
 * Parses an `Accept-Signature` header value (RFC 9421 §5.1) into an
 * array of {@link AcceptSignatureMember} objects.
 *
@@ -258,7 +150,6 @@ function fulfillAcceptSignature(entry, localKeyId, localAlg) {
 		expires: entry.parameters.expires
 	};
 }
-
 //#endregion
 //#region src/sig/key.ts
 /**
@@ -274,8 +165,7 @@ function validateCryptoKey(key, type) {
 	if (!key.extractable) throw new TypeError("The key is not extractable.");
 	if (key.algorithm.name !== "RSASSA-PKCS1-v1_5" && key.algorithm.name !== "Ed25519") throw new TypeError("Currently only RSASSA-PKCS1-v1_5 and Ed25519 keys are supported.  More algorithms will be added in the future!");
 	if (key.algorithm.name === "RSASSA-PKCS1-v1_5") {
-		const algorithm = key.algorithm;
-		if (algorithm.hash.name !== "SHA-256") throw new TypeError("For compatibility with the existing Fediverse software (e.g., Mastodon), hash algorithm for RSASSA-PKCS1-v1_5 keys must be SHA-256.");
+		if (key.algorithm.hash.name !== "SHA-256") throw new TypeError("For compatibility with the existing Fediverse software (e.g., Mastodon), hash algorithm for RSASSA-PKCS1-v1_5 keys must be SHA-256.");
 	}
 }
 /**
@@ -342,8 +232,7 @@ async function importJwk(jwk, type) {
 }
 async function withFetchKeySpan(keyId, tracerProvider, fetcher) {
 	tracerProvider ??= trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	return await tracer.startActiveSpan("activitypub.fetch_key", {
+	return await tracerProvider.getTracer(name, version).startActiveSpan("activitypub.fetch_key", {
 		kind: SpanKind.CLIENT,
 		attributes: {
 			"http.method": "GET",
@@ -404,41 +293,41 @@ function fetchKey(keyId, cls, options = {}) {
 async function fetchKeyDetailed(keyId, cls, options = {}) {
 	const cacheKey = typeof keyId === "string" ? new URL(keyId) : keyId;
 	return await withFetchKeySpan(cacheKey, options.tracerProvider, async () => {
-		return await fetchKeyWithResult(cacheKey, cls, options, async (cacheKey$1, keyId$1, keyCache, logger) => {
-			const fetchError = await keyCache?.getFetchError?.(cacheKey$1);
+		return await fetchKeyWithResult(cacheKey, cls, options, async (cacheKey, keyId, keyCache, logger) => {
+			const fetchError = await keyCache?.getFetchError?.(cacheKey);
 			if (fetchError != null) {
-				logger.debug("Entry {keyId} found in cache with preserved fetch failure details.", { keyId: keyId$1 });
+				logger.debug("Entry {keyId} found in cache with preserved fetch failure details.", { keyId });
 				return {
 					key: null,
 					cached: true,
 					fetchError
 				};
 			}
-			logger.debug("Entry {keyId} found in cache, but no fetch failure details are available.", { keyId: keyId$1 });
+			logger.debug("Entry {keyId} found in cache, but no fetch failure details are available.", { keyId });
 			return {
 				key: null,
 				cached: true
 			};
-		}, async (error, cacheKey$1, keyId$1, keyCache, logger) => {
+		}, async (error, cacheKey, keyId, keyCache, logger) => {
 			logger.debug("Failed to fetch key {keyId}.", {
-				keyId: keyId$1,
+				keyId,
 				error
 			});
-			await keyCache?.set(cacheKey$1, null);
+			await keyCache?.set(cacheKey, null);
 			if (error instanceof FetchError && error.response != null) {
-				const fetchError$1 = {
+				const fetchError = {
 					status: error.response.status,
 					response: error.response.clone()
 				};
-				await keyCache?.setFetchError?.(cacheKey$1, fetchError$1);
+				await keyCache?.setFetchError?.(cacheKey, fetchError);
 				return {
 					key: null,
 					cached: false,
-					fetchError: fetchError$1
+					fetchError
 				};
 			}
 			const fetchError = { error: error instanceof Error ? error : new Error(String(error)) };
-			await keyCache?.setFetchError?.(cacheKey$1, fetchError);
+			await keyCache?.setFetchError?.(cacheKey, fetchError);
 			return {
 				key: null,
 				cached: false,
@@ -484,8 +373,8 @@ async function resolveFetchedKey(document, cacheKey, keyId, cls, { documentLoade
 				contextLoader,
 				tracerProvider
 			});
-		} catch (e$1) {
-			if (e$1 instanceof TypeError) {
+		} catch (e) {
+			if (e instanceof TypeError) {
 				logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
 				await keyCache?.set(cacheKey, null);
 				await clearFetchErrorMetadata(cacheKey, keyCache);
@@ -494,7 +383,7 @@ async function resolveFetchedKey(document, cacheKey, keyId, cls, { documentLoade
 					cached: false
 				};
 			}
-			throw e$1;
+			throw e;
 		}
 	}
 	let key = null;
@@ -575,40 +464,38 @@ async function fetchKeyWithResult(cacheKey, cls, options, onCachedUnavailable, o
 	logger.debug("Fetching key {keyId} to verify signature...", { keyId });
 	let document;
 	try {
-		const remoteDocument = await (options.documentLoader ?? getDocumentLoader())(keyId);
-		document = remoteDocument.document;
+		document = (await (options.documentLoader ?? getDocumentLoader())(keyId)).document;
 	} catch (error) {
 		return await onFetchError(error, cacheKey, keyId, keyCache, logger);
 	}
 	return await resolveFetchedKey(document, cacheKey, keyId, cls, options, logger);
 }
 async function fetchKeyInternal(keyId, cls, options = {}) {
-	const cacheKey = typeof keyId === "string" ? new URL(keyId) : keyId;
-	return await fetchKeyWithResult(cacheKey, cls, options, (_cacheKey, _keyId, _keyCache, _logger) => {
+	return await fetchKeyWithResult(typeof keyId === "string" ? new URL(keyId) : keyId, cls, options, (_cacheKey, _keyId, _keyCache, _logger) => {
 		return {
 			key: null,
 			cached: true
 		};
-	}, async (error, cacheKey$1, keyId$1, keyCache, logger) => {
+	}, async (error, cacheKey, keyId, keyCache, logger) => {
 		logger.debug("Failed to fetch key {keyId}.", {
-			keyId: keyId$1,
+			keyId,
 			error
 		});
-		await keyCache?.set(cacheKey$1, null);
-		if (error instanceof FetchError && error.response != null) await keyCache?.setFetchError?.(cacheKey$1, {
+		await keyCache?.set(cacheKey, null);
+		if (error instanceof FetchError && error.response != null) await keyCache?.setFetchError?.(cacheKey, {
 			status: error.response.status,
 			response: error.response.clone()
 		});
-		else await keyCache?.setFetchError?.(cacheKey$1, { error: error instanceof Error ? error : new Error(String(error)) });
+		else await keyCache?.setFetchError?.(cacheKey, { error: error instanceof Error ? error : new Error(String(error)) });
 		return {
 			key: null,
 			cached: false
 		};
 	});
 }
-
 //#endregion
 //#region src/sig/http.ts
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Signs a request using the given private key.
 * @param request The request to sign.
@@ -620,9 +507,7 @@ async function fetchKeyInternal(keyId, cls, options = {}) {
 */
 async function signRequest(request, privateKey, keyId, options = {}) {
 	validateCryptoKey(privateKey, "private");
-	const tracerProvider = options.tracerProvider ?? trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	return await tracer.startActiveSpan("http_signatures.sign", async (span) => {
+	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("http_signatures.sign", async (span) => {
 		try {
 			const spec = options.spec ?? "draft-cavage-http-signatures-12";
 			let signed;
@@ -631,7 +516,7 @@ async function signRequest(request, privateKey, keyId, options = {}) {
 			if (span.isRecording()) {
 				span.setAttribute(ATTR_HTTP_REQUEST_METHOD, signed.method);
 				span.setAttribute(ATTR_URL_FULL, signed.url);
-				for (const [name$1, value] of signed.headers) span.setAttribute(ATTR_HTTP_REQUEST_HEADER(name$1), value);
+				for (const [name, value] of signed.headers) span.setAttribute(ATTR_HTTP_REQUEST_HEADER(name), value);
 				span.setAttribute("http_signatures.key_id", keyId.href);
 			}
 			return signed;
@@ -659,8 +544,8 @@ async function signRequestDraft(request, privateKey, keyId, span, currentTime, b
 	}
 	if (!headers.has("Date")) headers.set("Date", currentTime == null ? (/* @__PURE__ */ new Date()).toUTCString() : new Date(currentTime.toString()).toUTCString());
 	const serialized = [["(request-target)", `${request.method.toLowerCase()} ${url.pathname}`], ...headers];
-	const headerNames = serialized.map(([name$1]) => name$1);
-	const message = serialized.map(([name$1, value]) => `${name$1}: ${value.trim()}`).join("\n");
+	const headerNames = serialized.map(([name]) => name);
+	const message = serialized.map(([name, value]) => `${name}: ${value.trim()}`).join("\n");
 	const signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", privateKey, new TextEncoder().encode(message));
 	const sigHeader = `keyId="${keyId.href}",algorithm="rsa-sha256",headers="${headerNames.join(" ")}",signature="${encodeBase64(signature)}"`;
 	headers.set("Signature", sigHeader);
@@ -730,9 +615,7 @@ const derivedComponents = {
 * @returns The formatted signature string.
 */
 function formatRfc9421Signature(signature, components, parameters, label = "sig1") {
-	const signatureInputValue = `${label}=(${components.map((c) => formatComponentId(c)).join(" ")});${parameters}`;
-	const signatureValue = `${label}=:${encodeBase64(signature)}:`;
-	return [signatureInputValue, signatureValue];
+	return [`${label}=(${components.map((c) => formatComponentId(c)).join(" ")});${parameters}`, `${label}=:${encodeBase64(signature)}:`];
 }
 /**
 * Parse RFC 9421 Signature-Input header.
@@ -838,12 +721,11 @@ async function signRequestRfc9421(request, privateKey, keyId, span, currentTime,
 		value: "content-digest",
 		params: {}
 	}] : []];
-	const expires = rfc9421Options?.expires === true ? (currentTime.epochMilliseconds / 1e3 | 0) + 3600 : void 0;
 	const signatureParams = formatRfc9421SignatureParameters({
 		algorithm: "rsa-v1_5-sha256",
 		keyId,
 		created,
-		expires,
+		expires: rfc9421Options?.expires === true ? (currentTime.epochMilliseconds / 1e3 | 0) + 3600 : void 0,
 		nonce: rfc9421Options?.nonce,
 		tag: rfc9421Options?.tag
 	});
@@ -953,13 +835,11 @@ async function verifyRequest(request, options = {}) {
 * @since 2.1.0
 */
 async function verifyRequestDetailed(request, options = {}) {
-	const tracerProvider = options.tracerProvider ?? trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	return await tracer.startActiveSpan("http_signatures.verify", async (span) => {
+	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("http_signatures.verify", async (span) => {
 		if (span.isRecording()) {
 			span.setAttribute(ATTR_HTTP_REQUEST_METHOD, request.method);
 			span.setAttribute(ATTR_URL_FULL, request.url);
-			for (const [name$1, value] of request.headers) span.setAttribute(ATTR_HTTP_REQUEST_HEADER(name$1), value);
+			for (const [name, value] of request.headers) span.setAttribute(ATTR_HTTP_REQUEST_HEADER(name), value);
 		}
 		try {
 			let spec = options.spec;
@@ -1147,11 +1027,10 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 		logger.debug("Failed to verify; required headers missing in the Signature header: {headers}.", { headers });
 		return invalidSignatureResult(keyIdUrl);
 	}
-	const message = headerNames.map((name$1) => `${name$1}: ` + (name$1 === "(request-target)" ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}` : name$1 === "(created)" ? sigValues.created ?? "" : name$1 === "(expires)" ? sigValues.expires ?? "" : name$1 === "host" ? request.headers.get("host") ?? new URL(request.url).host : request.headers.get(name$1))).join("\n");
+	const message = headerNames.map((name) => `${name}: ` + (name === "(request-target)" ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}` : name === "(created)" ? sigValues.created ?? "" : name === "(expires)" ? sigValues.expires ?? "" : name === "host" ? request.headers.get("host") ?? new URL(request.url).host : request.headers.get(name))).join("\n");
 	const sig = decodeBase64(signature);
 	span?.setAttribute("http_signatures.signature", encodeHex(sig));
-	const verified = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, sig, new TextEncoder().encode(message));
-	if (!verified) {
+	if (!await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, sig, new TextEncoder().encode(message))) {
 		if (cached) {
 			logger.debug("Failed to verify with the cached key {keyId}; signature {signature} is invalid.  Retrying with the freshly fetched key...", {
 				keyId,
@@ -1165,7 +1044,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				currentTime,
 				keyCache: {
 					get: () => Promise.resolve(void 0),
-					set: async (keyId$1, key$1) => await keyCache?.set(keyId$1, key$1)
+					set: async (keyId, key) => await keyCache?.set(keyId, key)
 				}
 			});
 		}
@@ -1327,9 +1206,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				failure = invalidSignatureResult(keyId);
 				continue;
 			}
-			const body = await request.arrayBuffer();
-			const digestValid = await verifyRfc9421ContentDigest(contentDigestHeader, body);
-			if (!digestValid) {
+			if (!await verifyRfc9421ContentDigest(contentDigestHeader, await request.arrayBuffer())) {
 				logger.debug("Failed to verify; Content-Digest verification failed.", { contentDigest: contentDigestHeader });
 				failure = invalidSignatureResult(keyId);
 				continue;
@@ -1387,8 +1264,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 		const signatureBaseBytes = new TextEncoder().encode(signatureBase);
 		span?.setAttribute("http_signatures.signature", encodeHex(sigBytes));
 		try {
-			const verified = await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes);
-			if (verified) return {
+			if (await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes)) return {
 				verified: true,
 				key,
 				signatureLabel: sigName
@@ -1402,7 +1278,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 					currentTime,
 					keyCache: {
 						get: () => Promise.resolve(void 0),
-						set: async (keyId$1, key$1) => await keyCache?.set(keyId$1, key$1)
+						set: async (keyId, key) => await keyCache?.set(keyId, key)
 					},
 					spec: "rfc9421"
 				});
@@ -1459,7 +1335,11 @@ function createRedirectRequest(request, location, body) {
 * @since 1.6.0
 */
 async function doubleKnock(request, identity, options = {}) {
+	return await doubleKnockInternal(request, identity, options);
+}
+async function doubleKnockInternal(request, identity, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 	const { specDeterminer, log, tracerProvider, signal } = options;
+	visited.add(request.url);
 	const origin = new URL(request.url).origin;
 	const firstTrySpec = specDeterminer == null ? "rfc9421" : await specDeterminer.determineSpec(origin);
 	const body = options.body !== void 0 ? options.body : request.method !== "GET" && request.method !== "HEAD" ? await request.clone().arrayBuffer() : null;
@@ -1474,11 +1354,13 @@ async function doubleKnock(request, identity, options = {}) {
 		signal
 	});
 	if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-		const location = response.headers.get("Location");
-		return doubleKnock(createRedirectRequest(request, location, body), identity, {
+		if (redirected >= DEFAULT_MAX_REDIRECTION) throw new FetchError(request.url, `Too many redirections (${redirected + 1})`);
+		const redirectRequest = createRedirectRequest(request, response.headers.get("Location"), body);
+		if (visited.has(redirectRequest.url)) throw new FetchError(request.url, `Redirect loop detected: ${redirectRequest.url}`);
+		return doubleKnockInternal(redirectRequest, identity, {
 			...options,
 			body
-		});
+		}, redirected + 1, visited);
 	} else if (response.status === 400 || response.status === 401 || response.status > 401) {
 		const logger = getLogger([
 			"fedify",
@@ -1521,13 +1403,10 @@ async function doubleKnock(request, identity, options = {}) {
 					redirect: "manual",
 					signal
 				});
-				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-					const location = response.headers.get("Location");
-					return doubleKnock(createRedirectRequest(request, location, body), identity, {
-						...options,
-						body
-					});
-				}
+				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) return doubleKnock(createRedirectRequest(request, response.headers.get("Location"), body), identity, {
+					...options,
+					body
+				});
 			}
 			if (fulfilled && response.status < 300) {
 				await specDeterminer?.rememberSpec(origin, "rfc9421");
@@ -1553,11 +1432,13 @@ async function doubleKnock(request, identity, options = {}) {
 			signal
 		});
 		if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-			const location = response.headers.get("Location");
-			return doubleKnock(createRedirectRequest(request, location, body), identity, {
+			if (redirected >= DEFAULT_MAX_REDIRECTION) throw new FetchError(request.url, `Too many redirections (${redirected + 1})`);
+			const redirectRequest = createRedirectRequest(request, response.headers.get("Location"), body);
+			if (visited.has(redirectRequest.url)) throw new FetchError(request.url, `Redirect loop detected: ${redirectRequest.url}`);
+			return doubleKnockInternal(redirectRequest, identity, {
 				...options,
 				body
-			});
+			}, redirected + 1, visited);
 		} else if (response.status !== 400 && response.status !== 401) await specDeterminer?.rememberSpec(origin, spec);
 	} else await specDeterminer?.rememberSpec(origin, firstTrySpec);
 	return response;
@@ -1589,6 +1470,5 @@ function timingSafeEqual(a, b) {
 	result |= lenA ^ lenB;
 	return result === 0;
 }
-
 //#endregion
-export { deno_default, doubleKnock, exportJwk, fetchKey, fetchKeyDetailed, formatAcceptSignature, fulfillAcceptSignature, generateCryptoKeyPair, importJwk, parseAcceptSignature, parseRfc9421SignatureInput, signRequest, validateAcceptSignature, validateCryptoKey, verifyRequest, verifyRequestDetailed };
+export { version as _, verifyRequestDetailed as a, fetchKeyDetailed as c, validateCryptoKey as d, formatAcceptSignature as f, name as g, validateAcceptSignature as h, verifyRequest as i, generateCryptoKeyPair as l, parseAcceptSignature as m, parseRfc9421SignatureInput as n, exportJwk as o, fulfillAcceptSignature as p, signRequest as r, fetchKey as s, doubleKnock as t, importJwk as u };