@fedify/fedify 2.2.0-pr.695.16 → 2.2.0-pr.697.17

package/dist/federation/builder.test.mjs

@@ -1,11 +1,12 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
+import { n as RouterError } from "../router-CrMLXoOr.mjs";
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
 import { a as assertExists } from "../std__assert-Duiq_YC9.mjs";
 import { t as assertThrows } from "../assert_throws-4NwKEy2q.mjs";
 import { t as MemoryKvStore } from "../kv-tL2TOE9X.mjs";
-import { n as createFederationBuilder } from "../builder-7PVCiLiR.mjs";
+import { n as createFederationBuilder } from "../builder-0VkYL-Be.mjs";
 import { test } from "@fedify/fixture";
 import { Activity, Note, Person } from "@fedify/vocab";
 //#region src/federation/builder.test.ts
@@ -19,6 +20,8 @@ test("FederationBuilder", async (t) => {
 		builder.setActorDispatcher("/users/{identifier}", actorDispatcher);
 		const inboxListener = (_ctx, _activity) => {};
 		builder.setInboxListeners("/users/{identifier}/inbox").on(Activity, inboxListener);
+		const outboxListener = (_ctx, _activity) => {};
+		builder.setOutboxListeners("/users/{identifier}/outbox").on(Activity, outboxListener);
 		const objectDispatcher = (_ctx, _values) => {
 			return null;
 		};
@@ -50,12 +53,15 @@ test("FederationBuilder", async (t) => {
 		assertEquals(impl.router.route("/.well-known/webfinger")?.name, "webfinger");
 		assertEquals(impl.router.route("/users/test123")?.name, "actor");
 		assertEquals(impl.router.route("/users/test123/inbox")?.name, "inbox");
+		assertEquals(impl.router.route("/users/test123/outbox")?.name, "outbox");
 		assertEquals(impl.router.route("/notes/456")?.name, `object:${Note.typeId.href}`);
 		assertEquals(impl.router.route("/nodeinfo")?.name, "nodeInfo");
 		const actorCallbacksDispatcher = impl.actorCallbacks?.dispatcher;
 		assertExists(actorCallbacksDispatcher);
 		const inboxListeners = impl.inboxListeners;
 		assertExists(inboxListeners);
+		const outboxListeners = impl.outboxListeners;
+		assertExists(outboxListeners);
 		assertExists(impl.objectCallbacks[Note.typeId.href]);
 		assertExists(impl.nodeInfoDispatcher);
 		assertEquals(impl.router.build(`object:${Note.typeId.href}`, { id: "123" }), "/notes/123");
@@ -70,6 +76,24 @@ test("FederationBuilder", async (t) => {
 		assertExists(federation);
 		assertEquals(federation.kv, kv);
 	});
+	await t.step("should validate outbox listener paths", () => {
+		const builder = createFederationBuilder();
+		builder.setOutboxDispatcher("/users/{identifier}/outbox", () => ({ items: [] }));
+		assertThrows(() => builder.setOutboxListeners("/actors/{identifier}/outbox"), RouterError);
+		assertThrows(() => builder.setOutboxListeners("/users/outbox"), RouterError);
+		assertThrows(() => builder.setOutboxListeners("/users/{identifier}/outbox/{extra}"), RouterError);
+		assertThrows(() => builder.setOutboxListeners("/users/{identifier}/outbox/{identifier}"), RouterError);
+		const builderAfterInvalid = createFederationBuilder();
+		assertThrows(() => builderAfterInvalid.setOutboxListeners("/users/{identifier}/outbox/{extra}"), RouterError);
+		builderAfterInvalid.setOutboxListeners("/users/{identifier}/outbox");
+		const builder2 = createFederationBuilder();
+		builder2.setOutboxListeners("/users{/identifier}/outbox");
+		assertThrows(() => builder2.setOutboxDispatcher("/actors/{identifier}/outbox", () => ({ items: [] })), RouterError);
+		const builder3 = createFederationBuilder();
+		assertThrows(() => builder3.setOutboxListeners("/users{?identifier}/outbox"), RouterError);
+		const builder4 = createFederationBuilder();
+		assertThrows(() => builder4.setOutboxDispatcher("/users{?identifier}/outbox", () => ({ items: [] })), RouterError);
+	});
 	await t.step("should pass build options correctly", async () => {
 		const builder = createFederationBuilder();
 		const kv = new MemoryKvStore();

package/dist/federation/handler.test.mjs

@@ -1,18 +1,19 @@
 import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as createRequestContext, t as createInboxContext } from "../context-Juj6bdHC.mjs";
+import { n as createOutboxContext, r as createRequestContext, t as createInboxContext } from "../context-Dk_tacqz.mjs";
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
 import "../std__assert-Duiq_YC9.mjs";
+import { t as assertInstanceOf } from "../assert_instance_of-C4Ri6VuN.mjs";
 import { t as assert } from "../assert-ddO5KLpe.mjs";
 import { r as parseAcceptSignature } from "../accept-Dd__NiUL.mjs";
-import { s as signRequest } from "../http-RZPxDWq5.mjs";
+import { s as signRequest } from "../http-CFmrJbuT.mjs";
 import { a as rsaPrivateKey3, c as rsaPublicKey3, s as rsaPublicKey2 } from "../keys-BAK-tUlf.mjs";
 import { t as MemoryKvStore } from "../kv-tL2TOE9X.mjs";
-import { a as createFederation, c as handleCollection, d as handleObject, f as respondWithObject, l as handleCustomCollection, p as respondWithObjectIfAcceptable, s as handleActor, u as handleInbox } from "../middleware-BjVx-_bv.mjs";
-import { t as InboxListenerSet } from "../inbox-CmYvcSMM.mjs";
+import { c as handleActor, d as handleInbox, f as handleObject, h as respondWithObjectIfAcceptable, l as handleCollection, m as respondWithObject, o as createFederation, p as handleOutbox, u as handleCustomCollection } from "../middleware-DbCHS-GH.mjs";
+import { t as ActivityListenerSet } from "../activity-listener-Ck3JZ_hR.mjs";
 import { createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
-import { Create, Note, Person, Tombstone } from "@fedify/vocab";
+import { Activity, Create, Note, Person, Tombstone } from "@fedify/vocab";
 import { FetchError } from "@fedify/vocab-runtime";
 //#region src/federation/handler.test.ts
 const QUOTE_CONTEXT_TERMS = {
@@ -1126,6 +1127,366 @@ test("handleInbox()", async () => {
 	assertEquals(onNotFoundCalled, null);
 	assertEquals(response.status, 400);
 });
+test("handleOutbox()", async () => {
+	const activity = new Create({
+		id: new URL("https://example.com/activities/1"),
+		actor: new URL("https://example.com/users/someone"),
+		object: new Note({
+			id: new URL("https://example.com/notes/1"),
+			attribution: new URL("https://example.com/users/someone"),
+			content: "Hello, world!"
+		})
+	});
+	const requestUrl = "https://example.com/users/someone/outbox";
+	const requestBody = JSON.stringify(await activity.toJsonLd());
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const createRequestContextPair = (body = requestBody) => {
+		const request = new Request(requestUrl, {
+			method: "POST",
+			body
+		});
+		return {
+			request,
+			context: createRequestContext({
+				federation,
+				request,
+				url: new URL(request.url),
+				data: void 0,
+				getActorUri(identifier) {
+					return new URL(`https://example.com/users/${identifier}`);
+				}
+			})
+		};
+	};
+	let onNotFoundCalled = null;
+	const onNotFound = (request) => {
+		onNotFoundCalled = request;
+		return new Response("Not found", { status: 404 });
+	};
+	let onUnauthorizedCalled = null;
+	const onUnauthorized = (request) => {
+		onUnauthorizedCalled = request;
+		return new Response("Unauthorized", { status: 401 });
+	};
+	const actorDispatcher = (ctx, identifier) => {
+		if (identifier !== "someone") return null;
+		return new Person({
+			id: ctx.getActorUri(identifier),
+			name: "Someone"
+		});
+	};
+	const listeners = new ActivityListenerSet();
+	const seen = [];
+	listeners.add(Activity, (ctx, activity) => {
+		seen.push(`${ctx.identifier}:${activity.id?.href}`);
+	});
+	let { request, context } = createRequestContextPair();
+	let response = await handleOutbox(request, {
+		identifier: "someone",
+		context,
+		outboxContextFactory(identifier) {
+			return createOutboxContext({
+				...context,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher: void 0,
+		outboxListeners: listeners,
+		onNotFound,
+		onUnauthorized
+	});
+	assertEquals(onNotFoundCalled, request);
+	assertEquals(response.status, 404);
+	onNotFoundCalled = null;
+	({request, context} = createRequestContextPair());
+	response = await handleOutbox(request, {
+		identifier: "nobody",
+		context,
+		outboxContextFactory(identifier) {
+			return createOutboxContext({
+				...context,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher,
+		outboxListeners: listeners,
+		onNotFound,
+		onUnauthorized
+	});
+	assertEquals(onNotFoundCalled, request);
+	assertEquals(response.status, 404);
+	onNotFoundCalled = null;
+	({request, context} = createRequestContextPair());
+	response = await handleOutbox(request, {
+		identifier: "someone",
+		context,
+		outboxContextFactory(identifier) {
+			return createOutboxContext({
+				...context,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher,
+		outboxListeners: listeners,
+		authorizePredicate: () => false,
+		onNotFound,
+		onUnauthorized
+	});
+	assertEquals(onNotFoundCalled, null);
+	assertInstanceOf(onUnauthorizedCalled, Request);
+	assertEquals(onUnauthorizedCalled === request, false);
+	assertEquals(response.status, 401);
+	assertEquals(seen, []);
+	onNotFoundCalled = null;
+	onUnauthorizedCalled = null;
+	({request, context} = createRequestContextPair());
+	response = await handleOutbox(request, {
+		identifier: "someone",
+		context,
+		outboxContextFactory(identifier) {
+			return createOutboxContext({
+				...context,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher: () => null,
+		outboxListeners: listeners,
+		authorizePredicate: () => false,
+		onNotFound,
+		onUnauthorized
+	});
+	assertEquals(onNotFoundCalled, null);
+	assertInstanceOf(onUnauthorizedCalled, Request);
+	assertEquals(response.status, 401);
+	onUnauthorizedCalled = null;
+	({request, context} = createRequestContextPair());
+	response = await handleOutbox(request, {
+		identifier: "someone",
+		context,
+		outboxContextFactory(identifier) {
+			return createOutboxContext({
+				...context,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher,
+		outboxListeners: listeners,
+		authorizePredicate: () => true,
+		onNotFound,
+		onUnauthorized
+	});
+	assertEquals(onUnauthorizedCalled, null);
+	assertEquals([response.status, await response.text()], [202, ""]);
+	assertEquals(response.headers.get("content-type"), "text/plain; charset=utf-8");
+	assertEquals(seen, [`someone:${activity.id?.href}`]);
+	onUnauthorizedCalled = null;
+	({request, context} = createRequestContextPair());
+	response = await handleOutbox(request, {
+		identifier: "someone",
+		context,
+		outboxContextFactory(identifier) {
+			return createOutboxContext({
+				...context,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher,
+		outboxListeners: listeners,
+		authorizePredicate: async (ctx) => {
+			await ctx.request.json();
+			return true;
+		},
+		onNotFound,
+		onUnauthorized
+	});
+	assertEquals(onUnauthorizedCalled, null);
+	assertEquals([response.status, await response.text()], [202, ""]);
+	assertEquals(response.headers.get("content-type"), "text/plain; charset=utf-8");
+	assertEquals(seen, [`someone:${activity.id?.href}`, `someone:${activity.id?.href}`]);
+	onUnauthorizedCalled = null;
+	({request, context} = createRequestContextPair());
+	let unauthorizedBody = null;
+	response = await handleOutbox(request, {
+		identifier: "someone",
+		context,
+		outboxContextFactory(identifier) {
+			return createOutboxContext({
+				...context,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher,
+		outboxListeners: listeners,
+		authorizePredicate: async (ctx) => {
+			await ctx.request.json();
+			return false;
+		},
+		onNotFound,
+		onUnauthorized: async (request) => {
+			onUnauthorizedCalled = request;
+			unauthorizedBody = await request.text();
+			return new Response("Unauthorized", { status: 401 });
+		}
+	});
+	assertInstanceOf(onUnauthorizedCalled, Request);
+	assertEquals((unauthorizedBody ?? "").includes("\"type\":\"Create\""), true);
+	assertEquals([response.status, await response.text()], [401, "Unauthorized"]);
+	const invalidRequest = new Request("https://example.com/users/someone/outbox", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": [
+				"https://www.w3.org/ns/activitystreams",
+				true,
+				23
+			],
+			type: "Create",
+			object: {
+				type: "Note",
+				content: "Hello, world!"
+			},
+			actor: "https://example.com/users/alice"
+		})
+	});
+	const invalidContext = createRequestContext({
+		federation,
+		request: invalidRequest,
+		url: new URL(invalidRequest.url),
+		data: void 0,
+		getActorUri(identifier) {
+			return new URL(`https://example.com/users/${identifier}`);
+		}
+	});
+	let invalidActivityId;
+	let invalidActivityType;
+	response = await handleOutbox(invalidRequest, {
+		identifier: "someone",
+		context: invalidContext,
+		outboxContextFactory(identifier, _json, activityId, activityType) {
+			invalidActivityId = activityId;
+			invalidActivityType = activityType;
+			return createOutboxContext({
+				...invalidContext,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher,
+		outboxListeners: listeners,
+		onNotFound,
+		onUnauthorized
+	});
+	assertEquals(response.status, 400);
+	assertEquals(invalidActivityId, void 0);
+	assertEquals(invalidActivityType, "Create");
+	const mismatchedActorJson = await activity.toJsonLd();
+	const missingActorRequest = new Request("https://example.com/users/someone/outbox", {
+		method: "POST",
+		body: JSON.stringify({
+			...mismatchedActorJson,
+			actor: void 0
+		})
+	});
+	const missingActorContext = createRequestContext({
+		federation,
+		request: missingActorRequest,
+		url: new URL(missingActorRequest.url),
+		data: void 0,
+		getActorUri(identifier) {
+			return new URL(`https://example.com/users/${identifier}`);
+		}
+	});
+	let missingActorErrorMessage = null;
+	response = await handleOutbox(missingActorRequest, {
+		identifier: "someone",
+		context: missingActorContext,
+		outboxContextFactory(identifier) {
+			return createOutboxContext({
+				...missingActorContext,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher,
+		outboxListeners: listeners,
+		outboxErrorHandler: (_ctx, error) => {
+			missingActorErrorMessage = error.message;
+		},
+		onNotFound,
+		onUnauthorized
+	});
+	assertEquals([response.status, await response.text()], [400, "The posted activity has no actor."]);
+	assertEquals(missingActorErrorMessage, "The posted activity has no actor.");
+	const mismatchedActorRequest = new Request("https://example.com/users/someone/outbox", {
+		method: "POST",
+		body: JSON.stringify({
+			...mismatchedActorJson,
+			actor: "https://example.com/users/somebody-else"
+		})
+	});
+	const mismatchedActorContext = createRequestContext({
+		federation,
+		request: mismatchedActorRequest,
+		url: new URL(mismatchedActorRequest.url),
+		data: void 0,
+		getActorUri(identifier) {
+			return new URL(`https://example.com/users/${identifier}`);
+		}
+	});
+	let mismatchedActorErrorMessage = null;
+	response = await handleOutbox(mismatchedActorRequest, {
+		identifier: "someone",
+		context: mismatchedActorContext,
+		outboxContextFactory(identifier) {
+			return createOutboxContext({
+				...mismatchedActorContext,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher,
+		outboxListeners: listeners,
+		outboxErrorHandler: (_ctx, error) => {
+			mismatchedActorErrorMessage = error.message;
+		},
+		onNotFound,
+		onUnauthorized
+	});
+	assertEquals([response.status, await response.text()], [400, "The activity actor does not match the outbox owner."]);
+	assertEquals(mismatchedActorErrorMessage, "The activity actor does not match the outbox owner.");
+	const throwingListeners = new ActivityListenerSet();
+	let onErrorCalled = false;
+	throwingListeners.add(Create, () => {
+		throw new Error("Boom");
+	});
+	({request, context} = createRequestContextPair());
+	response = await handleOutbox(request, {
+		identifier: "someone",
+		context,
+		outboxContextFactory(identifier) {
+			return createOutboxContext({
+				...context,
+				clone: void 0,
+				identifier
+			});
+		},
+		actorDispatcher,
+		outboxListeners: throwingListeners,
+		outboxErrorHandler: (_ctx, _error) => {
+			onErrorCalled = true;
+		},
+		onNotFound,
+		onUnauthorized
+	});
+	assertEquals(response.status, 500);
+	assertEquals(onErrorCalled, true);
+});
 test("respondWithObject()", async () => {
 	const response = await respondWithObject(new Note({
 		id: new URL("https://example.com/notes/1"),
@@ -1163,7 +1524,7 @@ test("respondWithObject()", async () => {
 test("handleInbox() - authentication bypass vulnerability", async () => {
 	const federation = createFederation({ kv: new MemoryKvStore() });
 	let processedActivity;
-	const inboxListeners = new InboxListenerSet();
+	const inboxListeners = new ActivityListenerSet();
 	inboxListeners.add(Create, (_ctx, activity) => {
 		processedActivity = activity;
 	});
@@ -1587,7 +1948,7 @@ test("handleInbox() records OpenTelemetry span events", async () => {
 			publicKey: rsaPublicKey2
 		});
 	};
-	const listeners = new InboxListenerSet();
+	const listeners = new ActivityListenerSet();
 	let receivedActivity = null;
 	listeners.add(Create, (_ctx, activity) => {
 		receivedActivity = activity;
@@ -1693,7 +2054,7 @@ test("handleInbox() records unverified HTTP signature details", async () => {
 			acceptSignatureNonce: ["acceptSignatureNonce"]
 		},
 		actorDispatcher,
-		inboxListeners: new InboxListenerSet(),
+		inboxListeners: new ActivityListenerSet(),
 		inboxErrorHandler: void 0,
 		unverifiedActivityHandler() {
 			return new Response("", { status: 202 });

package/dist/federation/idempotency.test.mjs

@@ -4,9 +4,9 @@ globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
 import "../std__assert-Duiq_YC9.mjs";
 import { n as ed25519PrivateKey, r as ed25519PublicKey, t as ed25519Multikey } from "../keys-BAK-tUlf.mjs";
-import { n as signObject } from "../proof--CpZsF_p.mjs";
+import { r as signObject } from "../proof-C50gFNxj.mjs";
 import { t as MemoryKvStore } from "../kv-tL2TOE9X.mjs";
-import { a as createFederation } from "../middleware-BjVx-_bv.mjs";
+import { o as createFederation } from "../middleware-DbCHS-GH.mjs";
 import { mockDocumentLoader, test } from "@fedify/fixture";
 import { Create, Follow, Person } from "@fedify/vocab";
 //#region src/federation/idempotency.test.ts

package/dist/federation/inbox.test.mjs

@@ -3,12 +3,12 @@ import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
 import { t as assertThrows } from "../assert_throws-4NwKEy2q.mjs";
-import { t as InboxListenerSet } from "../inbox-CmYvcSMM.mjs";
+import { t as ActivityListenerSet } from "../activity-listener-Ck3JZ_hR.mjs";
 import { test } from "@fedify/fixture";
 import { Activity, Create, Invite, Offer, Update } from "@fedify/vocab";
 //#region src/federation/inbox.test.ts
-test("InboxListenerSet", () => {
-	const listeners = new InboxListenerSet();
+test("ActivityListenerSet", () => {
+	const listeners = new ActivityListenerSet();
 	const activity = new Activity({});
 	const offer = new Offer({});
 	const invite = new Invite({});