@fedify/fedify 2.2.2 → 2.2.3

package/dist/temporal-LL61Ddf2.mjs

@@ -0,0 +1,95 @@
+import { Temporal } from "@js-temporal/polyfill";
+import "urlpattern-polyfill";
+globalThis.addEventListener = () => {};
+import { c as getNormalizationContextLoader } from "./ld-tusP_XxG.mjs";
+import jsonld from "@fedify/vocab-runtime/jsonld";
+//#region src/federation/temporal.ts
+function isPlainObject(value) {
+	return typeof value === "object" && value != null && !Array.isArray(value);
+}
+function normalizeDateTimeLiteral(value) {
+	return value.substring(19).match(/[Z+-]/) ? value : value + "Z";
+}
+function isMalformedDateTimeLiteral(value) {
+	if (typeof value !== "string") return false;
+	try {
+		Temporal.Instant.from(normalizeDateTimeLiteral(value));
+		return false;
+	} catch {
+		return true;
+	}
+}
+function isMalformedDurationLiteral(value) {
+	if (typeof value !== "string") return false;
+	try {
+		Temporal.Duration.from(value);
+		return false;
+	} catch {
+		return true;
+	}
+}
+const TEMPORAL_DATE_TIME_IRIS = new Set([
+	"https://www.w3.org/ns/activitystreams#deleted",
+	"https://www.w3.org/ns/activitystreams#endTime",
+	"https://www.w3.org/ns/activitystreams#published",
+	"https://www.w3.org/ns/activitystreams#startTime",
+	"https://www.w3.org/ns/activitystreams#updated",
+	"http://purl.org/dc/terms/created",
+	"https://w3id.org/security#created"
+]);
+const TEMPORAL_DURATION_IRIS = new Set(["https://www.w3.org/ns/activitystreams#duration"]);
+const QUESTION_CLOSED_IRI = "https://www.w3.org/ns/activitystreams#closed";
+const XSD_DATE_TIME_IRI = "http://www.w3.org/2001/XMLSchema#dateTime";
+function hasMalformedExpandedDateTimeLiteral(value) {
+	if (Array.isArray(value)) return value.some(hasMalformedExpandedDateTimeLiteral);
+	return isPlainObject(value) && "@value" in value && isMalformedDateTimeLiteral(value["@value"]);
+}
+function hasMalformedExpandedQuestionClosedLiteral(value) {
+	if (Array.isArray(value)) return value.some(hasMalformedExpandedQuestionClosedLiteral);
+	if (!isPlainObject(value) || !("@value" in value)) return false;
+	const literal = value["@value"];
+	if (typeof literal === "boolean") return false;
+	if (typeof literal !== "string") return false;
+	if (value["@type"] !== XSD_DATE_TIME_IRI) return false;
+	if (new Date(literal).toString() === "Invalid Date") return false;
+	return isMalformedDateTimeLiteral(literal);
+}
+function hasMalformedExpandedDurationLiteral(value) {
+	if (Array.isArray(value)) return value.some(hasMalformedExpandedDurationLiteral);
+	return isPlainObject(value) && "@value" in value && isMalformedDurationLiteral(value["@value"]);
+}
+function hasMalformedKnownTemporalLiteralInternal(value, visited) {
+	if (Array.isArray(value)) return value.some((item) => hasMalformedKnownTemporalLiteralInternal(item, visited));
+	if (!isPlainObject(value)) return false;
+	if (visited.has(value)) return false;
+	visited.add(value);
+	if ("@value" in value) return false;
+	for (const [key, child] of Object.entries(value)) {
+		if (TEMPORAL_DATE_TIME_IRIS.has(key)) {
+			if (hasMalformedExpandedDateTimeLiteral(child)) return true;
+			continue;
+		}
+		if (key === QUESTION_CLOSED_IRI) {
+			if (hasMalformedExpandedQuestionClosedLiteral(child)) return true;
+			continue;
+		}
+		if (TEMPORAL_DURATION_IRIS.has(key)) {
+			if (hasMalformedExpandedDurationLiteral(child)) return true;
+			continue;
+		}
+		if (hasMalformedKnownTemporalLiteralInternal(child, visited)) return true;
+	}
+	return false;
+}
+async function hasMalformedKnownTemporalLiteral(value, contextLoader) {
+	try {
+		return hasMalformedKnownTemporalLiteralInternal(await jsonld.expand(value, {
+			documentLoader: getNormalizationContextLoader(contextLoader),
+			keepFreeFloatingNodes: true
+		}), /* @__PURE__ */ new Set());
+	} catch {
+		return false;
+	}
+}
+//#endregion
+export { hasMalformedKnownTemporalLiteral as t };

package/dist/testing/mod.d.mts

@@ -617,6 +617,42 @@ interface InboxMessage {
   readonly id: ReturnType<typeof crypto.randomUUID>;
   readonly baseUrl: string;
   readonly activity: unknown;
+  /**
+   * The normalized JSON-LD representation of a signed inbox activity that
+   * Fedify already compacted successfully while accepting the request.  Queue
+   * workers can reuse this producer-side parse cache under stricter loader or
+   * network constraints without changing the raw payload preserved for
+   * forwarding.
+   *
+   * This may exist even when {@link ldSignatureVerified} is `false`, because
+   * fallback-authenticated traffic and already-queued backlog items can still
+   * depend on the cached normalized form to avoid re-fetching remote custom
+   * contexts during worker processing.
+   *
+   * This is optional for backward compatibility with messages that were
+   * queued by older Fedify versions or that were already in a queue before
+   * upgrading.
+   *
+   * Fedify keeps this on the queued message itself instead of an external
+   * sidecar because generic queue backends do not provide reliable lifecycle
+   * guarantees for auxiliary storage across retries and redeliveries.
+   *
+   * @internal
+   */
+  readonly normalizedActivity?: unknown;
+  /**
+   * Whether the producer actually verified the Linked Data Signature before
+   * queueing this message.  This lets workers distinguish verified LDS replay
+   * from other authenticated inbox traffic that merely happened to include a
+   * signature block.  This provenance marker is separate from the optional
+   * normalizedActivity parse cache.
+   *
+   * `undefined` preserves backward compatibility with older queued messages
+   * that predate this marker.
+   *
+   * @internal
+   */
+  readonly ldSignatureVerified?: boolean;
   readonly started: string;
   readonly attempt: number;
   readonly identifier: string | null;
@@ -1993,9 +2029,12 @@ interface InboxContext<TContextData> extends Context<TContextData> {
    * Forwards a received activity to the recipients' inboxes.  The forwarded
    * activity will be signed in HTTP Signatures by the forwarder, but its
    * payload will not be modified, i.e., Linked Data Signatures and Object
-   * Integrity Proofs will not be added.  Therefore, if the activity is not
-   * signed (i.e., it has neither Linked Data Signatures nor Object Integrity
-   * Proofs), the recipient probably will not trust the activity.
+   * Integrity Proofs will not be added.  Even when Fedify internally
+   * normalizes a Linked Data Signature activity for parsing, this method still
+   * forwards the original received payload so the sender's signatures/proofs
+   * are preserved as-is.  Therefore, if the activity is not signed (i.e., it
+   * has neither Linked Data Signatures nor Object Integrity Proofs), the
+   * recipient probably will not trust the activity.
    * @param forwarder The forwarder's identifier or the forwarder's username
    *                  or the forwarder's key pair(s).
    * @param recipients The recipients of the activity.
@@ -2011,9 +2050,12 @@ interface InboxContext<TContextData> extends Context<TContextData> {
    * Forwards a received activity to the recipients' inboxes.  The forwarded
    * activity will be signed in HTTP Signatures by the forwarder, but its
    * payload will not be modified, i.e., Linked Data Signatures and Object
-   * Integrity Proofs will not be added.  Therefore, if the activity is not
-   * signed (i.e., it has neither Linked Data Signatures nor Object Integrity
-   * Proofs), the recipient probably will not trust the activity.
+   * Integrity Proofs will not be added.  Even when Fedify internally
+   * normalizes a Linked Data Signature activity for parsing, this method still
+   * forwards the original received payload so the sender's signatures/proofs
+   * are preserved as-is.  Therefore, if the activity is not signed (i.e., it
+   * has neither Linked Data Signatures nor Object Integrity Proofs), the
+   * recipient probably will not trust the activity.
    * @param forwarder The forwarder's identifier or the forwarder's username.
    * @param recipients In this case, it must be `"followers"`.
    * @param options Options for forwarding the activity.

package/dist/utils/docloader.test.mjs

@@ -5,9 +5,9 @@ import { t as esm_default } from "../esm-DVILvP5e.mjs";
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
 import "../std__assert-CRDpx_HF.mjs";
 import { t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
-import { l as verifyRequest } from "../http-Bslazr8_.mjs";
+import { l as verifyRequest } from "../http-C_edJspG.mjs";
 import { i as rsaPrivateKey2 } from "../keys-DGu1NFwu.mjs";
-import { t as getAuthenticatedDocumentLoader } from "../docloader-BqX3RfO-.mjs";
+import { t as getAuthenticatedDocumentLoader } from "../docloader-Da15YRxG.mjs";
 import { mockDocumentLoader, test } from "@fedify/fixture";
 import { UrlError } from "@fedify/vocab-runtime";
 //#region src/utils/docloader.test.ts

package/dist/utils/mod.cjs

@@ -1,6 +1,6 @@
 const { Temporal } = require("@js-temporal/polyfill");
 const { URLPattern } = require("urlpattern-polyfill");
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_kv_cache = require("../kv-cache-Csre9hbs.cjs");
+const require_kv_cache = require("../kv-cache-DmGi6uC-.cjs");
 exports.getAuthenticatedDocumentLoader = require_kv_cache.getAuthenticatedDocumentLoader;
 exports.kvCache = require_kv_cache.kvCache;

package/dist/utils/mod.js

@@ -1,4 +1,4 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { n as getAuthenticatedDocumentLoader, t as kvCache } from "../kv-cache-BYBaA6NP.js";
+import { n as getAuthenticatedDocumentLoader, t as kvCache } from "../kv-cache-C4DGZ_t4.js";
 export { getAuthenticatedDocumentLoader, kvCache };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "2.2.2",
+  "version": "2.2.3",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",
@@ -153,9 +153,9 @@
     "uri-template-router": "^1.0.0",
     "url-template": "^3.1.1",
     "urlpattern-polyfill": "^10.1.0",
-    "@fedify/vocab": "2.2.2",
-    "@fedify/webfinger": "2.2.2",
-    "@fedify/vocab-runtime": "2.2.2"
+    "@fedify/vocab": "2.2.3",
+    "@fedify/vocab-runtime": "2.2.3",
+    "@fedify/webfinger": "2.2.3"
   },
   "devDependencies": {
     "@std/assert": "npm:@jsr/std__assert@^0.226.0",
@@ -167,8 +167,8 @@
     "tsx": "^4.19.4",
     "typescript": "^6.0.0",
     "wrangler": "^4.17.0",
-    "@fedify/vocab-tools": "^2.2.2",
-    "@fedify/fixture": "2.0.0"
+    "@fedify/fixture": "2.0.0",
+    "@fedify/vocab-tools": "^2.2.3"
   },
   "scripts": {
     "build:self": "tsdown",

package/dist/ld-BPA4jaBc.mjs

@@ -1,279 +0,0 @@
-import "@js-temporal/polyfill";
-import "urlpattern-polyfill";
-globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-DCXSCeB3.mjs";
-import { n as fetchKey, o as validateCryptoKey } from "./key-Dk8-s0bs.mjs";
-import { Activity, CryptographicKey, Object as Object$1, getTypeId } from "@fedify/vocab";
-import { SpanStatusCode, trace } from "@opentelemetry/api";
-import { getDocumentLoader } from "@fedify/vocab-runtime";
-import { getLogger } from "@logtape/logtape";
-import { decodeBase64, encodeBase64 } from "byte-encodings/base64";
-import { encodeHex } from "byte-encodings/hex";
-import jsonld from "@fedify/vocab-runtime/jsonld";
-//#region src/sig/ld.ts
-const logger = getLogger([
-	"fedify",
-	"sig",
-	"ld"
-]);
-/**
-* Attaches a LD signature to the given JSON-LD document.
-* @param jsonLd The JSON-LD document to attach the signature to.  It is not
-*               modified.
-* @param signature The signature to attach.
-* @returns The JSON-LD document with the attached signature.
-* @throws {TypeError} If the input document is not a valid JSON-LD document.
-* @since 1.0.0
-*/
-function attachSignature(jsonLd, signature) {
-	if (typeof jsonLd !== "object" || jsonLd == null) throw new TypeError("Failed to attach signature; invalid JSON-LD document.");
-	return {
-		...jsonLd,
-		signature
-	};
-}
-/**
-* Creates a LD signature for the given JSON-LD document.
-* @param jsonLd The JSON-LD document to sign.
-* @param privateKey The private key to sign the document.
-* @param keyId The ID of the public key that corresponds to the private key.
-* @param options Additional options for creating the signature.
-*                See also {@link CreateSignatureOptions}.
-* @return The created signature.
-* @throws {TypeError} If the private key is invalid or unsupported.
-* @since 1.0.0
-*/
-async function createSignature(jsonLd, privateKey, keyId, { contextLoader, created } = {}) {
-	validateCryptoKey(privateKey, "private");
-	if (privateKey.algorithm.name !== "RSASSA-PKCS1-v1_5") throw new TypeError("Unsupported algorithm: " + privateKey.algorithm.name);
-	const options = {
-		"@context": "https://w3id.org/identity/v1",
-		creator: keyId.href,
-		created: created?.toString() ?? (/* @__PURE__ */ new Date()).toISOString()
-	};
-	const message = await hashJsonLd(options, contextLoader) + await hashJsonLd(jsonLd, contextLoader);
-	const messageBytes = new TextEncoder().encode(message);
-	const signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", privateKey, messageBytes);
-	return {
-		...options,
-		type: "RsaSignature2017",
-		signatureValue: encodeBase64(signature)
-	};
-}
-/**
-* Signs the given JSON-LD document with the private key and returns the signed
-* JSON-LD document.
-* @param jsonLd The JSON-LD document to sign.
-* @param privateKey The private key to sign the document.
-* @param keyId The key ID to use in the signature.  It will be used by the
-*              verifier to fetch the corresponding public key.
-* @param options Additional options for signing the document.
-*                See also {@link SignJsonLdOptions}.
-* @returns The signed JSON-LD document.
-* @throws {TypeError} If the private key is invalid or unsupported.
-* @since 1.0.0
-*/
-async function signJsonLd(jsonLd, privateKey, keyId, options) {
-	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("ld_signatures.sign", { attributes: { "ld_signatures.key_id": keyId.href } }, async (span) => {
-		try {
-			const signature = await createSignature(jsonLd, privateKey, keyId, options);
-			if (span.isRecording()) {
-				span.setAttribute("ld_signatures.type", signature.type);
-				span.setAttribute("ld_signatures.signature", encodeHex(decodeBase64(signature.signatureValue)));
-			}
-			return attachSignature(jsonLd, signature);
-		} catch (error) {
-			span.setStatus({
-				code: SpanStatusCode.ERROR,
-				message: String(error)
-			});
-			throw error;
-		} finally {
-			span.end();
-		}
-	});
-}
-/**
-* Checks if the given JSON-LD document has a Linked Data Signature-like
-* object, without restricting it to a single suite-specific shape.
-* @param jsonLd The JSON-LD document to check.
-* @returns `true` if the document has a signature-like object; `false`
-*          otherwise.
-* @since 2.2.0
-*/
-function hasSignatureLike(jsonLd) {
-	if (typeof jsonLd !== "object" || jsonLd == null) return false;
-	const signature = jsonLd.signature;
-	const hasReference = (value) => {
-		if (typeof value === "string") return true;
-		if (Array.isArray(value)) return value.some(hasReference);
-		return typeof value === "object" && value != null && ("id" in value && typeof value.id === "string" || "@id" in value && typeof value["@id"] === "string");
-	};
-	const hasSignatureObject = (value) => {
-		if (typeof value !== "object" || value == null) return false;
-		const signatureRecord = value;
-		return (typeof signatureRecord.type === "string" || Array.isArray(signatureRecord.type) && signatureRecord.type.some((item) => typeof item === "string")) && (hasReference(signatureRecord.creator) || hasReference(signatureRecord.verificationMethod)) && (typeof signatureRecord.signatureValue === "string" || typeof signatureRecord.jws === "string");
-	};
-	return Array.isArray(signature) ? signature.some(hasSignatureObject) : hasSignatureObject(signature);
-}
-/**
-* Checks if the given JSON-LD document has a Linked Data Signature.
-* @param jsonLd The JSON-LD document to check.
-* @returns `true` if the document has a signature; `false` otherwise.
-* @since 1.0.0
-*/
-function hasSignature(jsonLd) {
-	if (typeof jsonLd !== "object" || jsonLd == null) return false;
-	if ("signature" in jsonLd) {
-		const signature = jsonLd.signature;
-		if (typeof signature !== "object" || signature == null) return false;
-		return "type" in signature && signature.type === "RsaSignature2017" && "creator" in signature && typeof signature.creator === "string" && "created" in signature && typeof signature.created === "string" && "signatureValue" in signature && typeof signature.signatureValue === "string";
-	}
-	return false;
-}
-/**
-* Detaches Linked Data Signatures from the given JSON-LD document.
-* @param jsonLd The JSON-LD document to modify.
-* @returns The modified JSON-LD document.  If the input document does not
-*          contain a signature, the original document is returned.
-* @since 1.0.0
-*/
-function detachSignature(jsonLd) {
-	if (typeof jsonLd !== "object" || jsonLd == null) return jsonLd;
-	const doc = { ...jsonLd };
-	delete doc.signature;
-	return doc;
-}
-/**
-* Verifies Linked Data Signatures of the given JSON-LD document.
-* @param jsonLd The JSON-LD document to verify.
-* @param options Options for verifying the signature.
-* @returns The public key that signed the document or `null` if the signature
-*          is invalid or the key is not found.
-* @since 1.0.0
-*/
-async function verifySignature(jsonLd, options = {}) {
-	if (!hasSignature(jsonLd)) return null;
-	const sig = jsonLd.signature;
-	let signature;
-	try {
-		signature = decodeBase64(sig.signatureValue);
-	} catch (error) {
-		logger.debug("Failed to verify; invalid base64 signatureValue: {signatureValue}", {
-			...sig,
-			error
-		});
-		return null;
-	}
-	const { key, cached } = await fetchKey(new URL(sig.creator), CryptographicKey, options);
-	if (key == null) return null;
-	const sigOpts = {
-		...sig,
-		"@context": "https://w3id.org/identity/v1"
-	};
-	delete sigOpts.type;
-	delete sigOpts.id;
-	delete sigOpts.signatureValue;
-	let sigOptsHash;
-	try {
-		sigOptsHash = await hashJsonLd(sigOpts, options.contextLoader);
-	} catch (error) {
-		logger.warn("Failed to verify; failed to hash the signature options: {signatureOptions}\n{error}", {
-			signatureOptions: sigOpts,
-			error
-		});
-		return null;
-	}
-	const document = { ...jsonLd };
-	delete document.signature;
-	let docHash;
-	try {
-		docHash = await hashJsonLd(document, options.contextLoader);
-	} catch (error) {
-		logger.warn("Failed to verify; failed to hash the document: {document}\n{error}", {
-			document,
-			error
-		});
-		return null;
-	}
-	const encoder = new TextEncoder();
-	const message = sigOptsHash + docHash;
-	const messageBytes = encoder.encode(message);
-	if (await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, signature.slice(), messageBytes)) return key;
-	if (cached) {
-		logger.debug("Failed to verify with the cached key {keyId}; signature {signatureValue} is invalid.  Retrying with the freshly fetched key...", {
-			keyId: sig.creator,
-			...sig
-		});
-		const { key } = await fetchKey(new URL(sig.creator), CryptographicKey, {
-			...options,
-			keyCache: {
-				get: () => Promise.resolve(void 0),
-				set: async (keyId, key) => await options.keyCache?.set(keyId, key)
-			}
-		});
-		if (key == null) return null;
-		return await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, signature.slice(), messageBytes) ? key : null;
-	}
-	logger.debug("Failed to verify with the fetched key {keyId}; signature {signatureValue} is invalid.  Check if the key is correct or if the signed message is correct.  The message to sign is:\n{message}", {
-		keyId: sig.creator,
-		...sig,
-		message
-	});
-	return null;
-}
-/**
-* Verify the authenticity of the given JSON-LD document using Linked Data
-* Signatures.  If the document is signed, this function verifies the signature
-* and checks if the document is attributed to the owner of the public key.
-* If the document is not signed, this function returns `false`.
-* @param jsonLd The JSON-LD document to verify.
-* @param options Options for verifying the document.
-* @returns `true` if the document is authentic; `false` otherwise.
-*/
-async function verifyJsonLd(jsonLd, options = {}) {
-	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("ld_signatures.verify", async (span) => {
-		try {
-			const object = await Object$1.fromJsonLd(jsonLd, options);
-			if (object.id != null) span.setAttribute("activitypub.object.id", object.id.href);
-			span.setAttribute("activitypub.object.type", getTypeId(object).href);
-			if (typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd && typeof jsonLd.signature === "object" && jsonLd.signature != null) {
-				if ("creator" in jsonLd.signature && typeof jsonLd.signature.creator === "string") span.setAttribute("ld_signatures.key_id", jsonLd.signature.creator);
-				if ("signatureValue" in jsonLd.signature && typeof jsonLd.signature.signatureValue === "string") span.setAttribute("ld_signatures.signature", jsonLd.signature.signatureValue);
-				if ("type" in jsonLd.signature && typeof jsonLd.signature.type === "string") span.setAttribute("ld_signatures.type", jsonLd.signature.type);
-			}
-			const attributions = new Set(object.attributionIds.map((uri) => uri.href));
-			if (object instanceof Activity) for (const uri of object.actorIds) attributions.add(uri.href);
-			const key = await verifySignature(jsonLd, options);
-			if (key == null) return false;
-			if (key.ownerId == null) {
-				logger.debug("Key {keyId} has no owner.", { keyId: key.id?.href });
-				return false;
-			}
-			attributions.delete(key.ownerId.href);
-			if (attributions.size > 0) {
-				logger.debug("Some attributions are not authenticated by the Linked Data Signatures: {attributions}.", { attributions: [...attributions] });
-				return false;
-			}
-			return true;
-		} catch (error) {
-			span.setStatus({
-				code: SpanStatusCode.ERROR,
-				message: String(error)
-			});
-			throw error;
-		} finally {
-			span.end();
-		}
-	});
-}
-async function hashJsonLd(jsonLd, contextLoader) {
-	const canon = await jsonld.canonize(jsonLd, {
-		format: "application/n-quads",
-		documentLoader: contextLoader ?? getDocumentLoader()
-	});
-	const encoder = new TextEncoder();
-	return encodeHex(await crypto.subtle.digest("SHA-256", encoder.encode(canon)));
-}
-//#endregion
-export { signJsonLd as a, hasSignatureLike as i, createSignature as n, verifyJsonLd as o, detachSignature as r, verifySignature as s, attachSignature as t };