@fedify/fedify 2.3.0-dev.1110 → 2.3.0-dev.1114

package/dist/{kv-cache-C3NWWiTg.js → kv-cache-Wc5ezcVW.js}

@@ -1,6 +1,6 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { d as validateCryptoKey, t as doubleKnock } from "./http-O8MYWwk8.js";
+import { d as validateCryptoKey, t as doubleKnock } from "./http-CpzZ9zsb.js";
 import { getLogger } from "@logtape/logtape";
 import { curry } from "es-toolkit";
 import { UrlError, createActivityPubRequest, getRemoteDocument, logRequest, preloadedContexts, validatePublicUrl } from "@fedify/vocab-runtime";

package/dist/{ld-BNkk2Yal.mjs → ld-B5D5THhl.mjs}

@@ -1,8 +1,9 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-hqC7tKJn.mjs";
-import { n as fetchKey, o as validateCryptoKey } from "./key-DW1EVmtP.mjs";
+import { n as version, t as name } from "./deno-CF3jMgip.mjs";
+import { a as measureSignatureKeyFetch, n as getFederationMetrics, t as getDurationMs } from "./metrics-ek3ilf6c.mjs";
+import { n as fetchKey, o as validateCryptoKey } from "./key-B4I8H5Lc.mjs";
 import { getLogger } from "@logtape/logtape";
 import { Activity, CryptographicKey, Object as Object$1, getTypeId } from "@fedify/vocab";
 import { SpanStatusCode, trace } from "@opentelemetry/api";
@@ -146,6 +147,17 @@ function detachSignature(jsonLd) {
 }
 /**
 * Verifies Linked Data Signatures of the given JSON-LD document.
+*
+* This is a low-level utility that only checks the cryptographic signature
+* and (optionally) the cached key.  It does not run the JSON-LD parsing,
+* attribution, and owner checks that a complete inbound LD verification
+* needs.  For incoming activities, prefer {@link verifyJsonLd}, which is
+* the public verification entry point and the one that emits the
+* `activitypub.signature.verification.duration` metric for the LD path.
+* `verifySignature` itself only emits
+* `activitypub.signature.key_fetch.duration`, since the rest of the work
+* that the verification-duration metric is meant to cover happens in
+* `verifyJsonLd`.
 * @param jsonLd The JSON-LD document to verify.
 * @param options Options for verifying the signature.
 * @returns The public key that signed the document or `null` if the signature
@@ -165,7 +177,7 @@ async function verifySignature(jsonLd, options = {}) {
 		});
 		return null;
 	}
-	const { key, cached } = await fetchKey(new URL(sig.creator), CryptographicKey, options);
+	const { key, cached } = await measureSignatureKeyFetch(options.meterProvider, "linked_data", () => fetchKey(new URL(sig.creator), CryptographicKey, options));
 	if (key == null) return null;
 	const sigOpts = {
 		...sig,
@@ -205,13 +217,13 @@ async function verifySignature(jsonLd, options = {}) {
 			keyId: sig.creator,
 			...sig
 		});
-		const { key } = await fetchKey(new URL(sig.creator), CryptographicKey, {
+		const { key } = await measureSignatureKeyFetch(options.meterProvider, "linked_data", () => fetchKey(new URL(sig.creator), CryptographicKey, {
 			...options,
 			keyCache: {
 				get: () => Promise.resolve(void 0),
 				set: async (keyId, key) => await options.keyCache?.set(keyId, key)
 			}
-		});
+		}));
 		if (key == null) return null;
 		return await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, signature.slice(), messageBytes) ? key : null;
 	}
@@ -223,6 +235,33 @@ async function verifySignature(jsonLd, options = {}) {
 	return null;
 }
 /**
+* Known Linked Data Signature `type` values, used to keep
+* `ld_signatures.type` on a bounded set of spec-defined string values.
+* Fedify only signs and verifies `RsaSignature2017`; other values come in
+* only from external documents and are dropped from the metric attribute to
+* avoid attacker-controlled cardinality.
+*/
+const LD_KNOWN_SIGNATURE_TYPES = new Set(["RsaSignature2017"]);
+/**
+* Reports only whether a `signature` key is present on the document, with
+* no shape check on its value.  This is intentionally looser than
+* {@link hasSignature} (which validates a full `RsaSignature2017` shape)
+* and {@link hasSignatureLike} (which structurally accepts several known
+* suites): `verifyJsonLd` needs to tell a document with a malformed or
+* unsupported signature payload (classified as `rejected`) apart from a
+* truly unsigned document (classified as `missing`), and only this
+* presence-only check captures both cases.
+*/
+function hasLdSignatureProperty(jsonLd) {
+	return typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd;
+}
+function getLdSignatureObject(jsonLd) {
+	if (!hasLdSignatureProperty(jsonLd)) return void 0;
+	const { signature } = jsonLd;
+	if (typeof signature !== "object" || signature == null || Array.isArray(signature)) return;
+	return signature;
+}
+/**
 * Verify the authenticity of the given JSON-LD document using Linked Data
 * Signatures.  If the document is signed, this function verifies the signature
 * and checks if the document is attributed to the owner of the public key.
@@ -233,14 +272,22 @@ async function verifySignature(jsonLd, options = {}) {
 */
 async function verifyJsonLd(jsonLd, options = {}) {
 	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("ld_signatures.verify", async (span) => {
+		const start = performance.now();
+		let verified = false;
+		let threw = false;
+		let signatureType;
 		try {
 			const object = await Object$1.fromJsonLd(jsonLd, options);
 			if (object.id != null) span.setAttribute("activitypub.object.id", object.id.href);
 			span.setAttribute("activitypub.object.type", getTypeId(object).href);
-			if (typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd && typeof jsonLd.signature === "object" && jsonLd.signature != null) {
-				if ("creator" in jsonLd.signature && typeof jsonLd.signature.creator === "string") span.setAttribute("ld_signatures.key_id", jsonLd.signature.creator);
-				if ("signatureValue" in jsonLd.signature && typeof jsonLd.signature.signatureValue === "string") span.setAttribute("ld_signatures.signature", jsonLd.signature.signatureValue);
-				if ("type" in jsonLd.signature && typeof jsonLd.signature.type === "string") span.setAttribute("ld_signatures.type", jsonLd.signature.type);
+			const sig = getLdSignatureObject(jsonLd);
+			if (sig != null) {
+				if (typeof sig.creator === "string") span.setAttribute("ld_signatures.key_id", sig.creator);
+				if (typeof sig.signatureValue === "string") span.setAttribute("ld_signatures.signature", sig.signatureValue);
+				if (typeof sig.type === "string") {
+					span.setAttribute("ld_signatures.type", sig.type);
+					if (LD_KNOWN_SIGNATURE_TYPES.has(sig.type)) signatureType = sig.type;
+				}
 			}
 			const attributions = new Set(object.attributionIds.map((uri) => uri.href));
 			if (object instanceof Activity) for (const uri of object.actorIds) attributions.add(uri.href);
@@ -255,14 +302,18 @@ async function verifyJsonLd(jsonLd, options = {}) {
 				logger.debug("Some attributions are not authenticated by the Linked Data Signatures: {attributions}.", { attributions: [...attributions] });
 				return false;
 			}
+			verified = true;
 			return true;
 		} catch (error) {
+			threw = true;
 			span.setStatus({
 				code: SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
 		} finally {
+			const classified = threw ? "error" : verified ? "verified" : hasLdSignatureProperty(jsonLd) ? "rejected" : "missing";
+			getFederationMetrics(options.meterProvider).recordSignatureVerificationDuration(getDurationMs(start), "linked_data", classified, { ldType: signatureType });
 			span.end();
 		}
 	});

package/dist/{send-hokVCPu6.mjs → metrics-ek3ilf6c.mjs}

@@ -1,15 +1,15 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-hqC7tKJn.mjs";
-import { n as doubleKnock } from "./http-BLopFpvC.mjs";
-import { getLogger } from "@logtape/logtape";
-import { SpanKind, SpanStatusCode, metrics, trace } from "@opentelemetry/api";
+import { n as version, t as name } from "./deno-CF3jMgip.mjs";
+import { metrics } from "@opentelemetry/api";
 //#region src/federation/metrics.ts
 var FederationMetrics = class {
 	deliverySent;
 	deliveryPermanentFailure;
 	signatureVerificationFailure;
+	signatureVerificationDuration;
+	signatureKeyFetchDuration;
 	deliveryDuration;
 	inboxProcessingDuration;
 	httpServerRequestCount;
@@ -34,6 +34,14 @@ var FederationMetrics = class {
 			description: "ActivityPub signature verification failures.",
 			unit: "{failure}"
 		});
+		this.signatureVerificationDuration = meter.createHistogram("activitypub.signature.verification.duration", {
+			description: "Duration of ActivityPub signature verification, including local key lookup and remote key fetches.",
+			unit: "ms"
+		});
+		this.signatureKeyFetchDuration = meter.createHistogram("activitypub.signature.key_fetch.duration", {
+			description: "Duration of public key lookup performed during ActivityPub signature verification.",
+			unit: "ms"
+		});
 		this.deliveryDuration = meter.createHistogram("activitypub.delivery.duration", {
 			description: "Duration of ActivityPub delivery attempts.",
 			unit: "ms"
@@ -127,6 +135,23 @@ var FederationMetrics = class {
 		if (remoteHost != null) attributes["activitypub.remote.host"] = remoteHost;
 		this.signatureVerificationFailure.add(1, attributes);
 	}
+	recordSignatureVerificationDuration(durationMs, kind, result, extra = {}) {
+		const attributes = {
+			"activitypub.signature.kind": kind,
+			"activitypub.signature.result": result
+		};
+		if (extra.algorithm != null) attributes["http_signatures.algorithm"] = extra.algorithm;
+		if (extra.failureReason != null) attributes["http_signatures.failure_reason"] = extra.failureReason;
+		if (extra.ldType != null) attributes["ld_signatures.type"] = extra.ldType;
+		if (extra.cryptosuite != null) attributes["object_integrity_proofs.cryptosuite"] = extra.cryptosuite;
+		this.signatureVerificationDuration.record(durationMs, attributes);
+	}
+	recordSignatureKeyFetchDuration(durationMs, kind, result) {
+		this.signatureKeyFetchDuration.record(durationMs, {
+			"activitypub.signature.kind": kind,
+			"activitypub.signature.key_fetch.result": result
+		});
+	}
 	recordInboxProcessingDuration(activityType, durationMs) {
 		this.inboxProcessingDuration.record(durationMs, { "activitypub.activity.type": activityType });
 	}
@@ -207,6 +232,29 @@ function recordOutboxEnqueue(meterProvider, outboxQueue, message) {
 	}, message.attempt);
 }
 /**
+* Times an awaited public key fetch and records exactly one
+* `activitypub.signature.key_fetch.duration` measurement, classifying the
+* outcome as `hit`, `fetched`, or `error` based on the `cached` flag and
+* whether the returned key is non-null.  Errors thrown by the fetch are
+* reported as `error` and rethrown, so verifier behavior is unchanged.
+*
+* Shared by the three signature verifiers (HTTP, Linked Data, Object
+* Integrity Proofs); the only per-call variation is the
+* `activitypub.signature.kind` attribute value.
+* @since 2.3.0
+*/
+async function measureSignatureKeyFetch(meterProvider, kind, fetch) {
+	const start = performance.now();
+	try {
+		const result = await fetch();
+		getFederationMetrics(meterProvider).recordSignatureKeyFetchDuration(getDurationMs(start), kind, result.key != null ? result.cached ? "hit" : "fetched" : "error");
+		return result;
+	} catch (error) {
+		getFederationMetrics(meterProvider).recordSignatureKeyFetchDuration(getDurationMs(start), kind, "error");
+		throw error;
+	}
+}
+/**
 * Whether the given thrown value is an `AbortError`.
 *
 * `processQueuedTask` distinguishes aborted tasks (recorded as
@@ -263,220 +311,4 @@ function getDurationMs(start) {
 	return Math.max(0, performance.now() - start);
 }
 //#endregion
-//#region src/federation/send.ts
-/**
-* Extracts the inbox URLs from recipients.
-* @param parameters The parameters to extract the inboxes.
-*                   See also {@link ExtractInboxesParameters}.
-* @returns The inboxes as a map of inbox URL to actor URIs.
-*/
-function extractInboxes({ recipients, preferSharedInbox, excludeBaseUris }) {
-	const inboxes = {};
-	for (const recipient of recipients) {
-		let inbox;
-		let sharedInbox = false;
-		if (preferSharedInbox && recipient.endpoints?.sharedInbox != null) {
-			inbox = recipient.endpoints.sharedInbox;
-			sharedInbox = true;
-		} else inbox = recipient.inboxId;
-		if (inbox != null && recipient.id != null) {
-			if (excludeBaseUris != null && excludeBaseUris.some((u) => u.origin === inbox?.origin)) continue;
-			inboxes[inbox.href] ??= {
-				actorIds: /* @__PURE__ */ new Set(),
-				sharedInbox
-			};
-			inboxes[inbox.href].actorIds.add(recipient.id.href);
-		}
-	}
-	return inboxes;
-}
-/**
-* Sends an {@link Activity} to an inbox.
-*
-* @param parameters The parameters for sending the activity.
-*                   See also {@link SendActivityParameters}.
-* @throws {Error} If the activity fails to send.
-*/
-function sendActivity(options) {
-	const tracerProvider = options.tracerProvider ?? trace.getTracerProvider();
-	return tracerProvider.getTracer(name, version).startActiveSpan("activitypub.send_activity", {
-		kind: SpanKind.CLIENT,
-		attributes: { "activitypub.shared_inbox": options.sharedInbox ?? false }
-	}, async (span) => {
-		if (options.activityId != null) span.setAttribute("activitypub.activity.id", options.activityId);
-		if (options.activityType != null) span.setAttribute("activitypub.activity.type", options.activityType);
-		try {
-			await sendActivityInternal({
-				...options,
-				tracerProvider
-			}, span);
-		} catch (e) {
-			span.setStatus({
-				code: SpanStatusCode.ERROR,
-				message: String(e)
-			});
-			throw e;
-		} finally {
-			span.end();
-		}
-	});
-}
-const MAX_ERROR_RESPONSE_BODY_BYTES = 1024;
-function getActivityActorId(activity) {
-	if (!isRecord(activity)) return void 0;
-	return getIdValue(activity.actor);
-}
-function getIdValue(value) {
-	if (typeof value === "string" && value !== "") return value;
-	if (value instanceof URL) return value.href;
-	if (Array.isArray(value)) {
-		for (const item of value) {
-			const id = getIdValue(item);
-			if (id != null) return id;
-		}
-		return;
-	}
-	if (isRecord(value)) return getIdValue(value.id);
-}
-function isRecord(value) {
-	return typeof value === "object" && value != null;
-}
-async function readLimitedResponseBody(response, maxBytes) {
-	if (response.body == null) return "";
-	const reader = response.body.getReader();
-	const decoder = new TextDecoder();
-	const chunks = [];
-	let totalBytes = 0;
-	let truncated = false;
-	try {
-		while (true) {
-			const { done, value } = await reader.read();
-			if (done) break;
-			if (totalBytes + value.length > maxBytes) {
-				const remaining = maxBytes - totalBytes;
-				if (remaining > 0) chunks.push(decoder.decode(value.slice(0, remaining), { stream: true }));
-				truncated = true;
-				break;
-			}
-			chunks.push(decoder.decode(value, { stream: true }));
-			totalBytes += value.length;
-		}
-	} finally {
-		reader.releaseLock();
-	}
-	let result = chunks.join("");
-	if (truncated) result += "… (truncated)";
-	return result;
-}
-async function sendActivityInternal({ activity, activityId, activityType, keys, inbox, headers, specDeterminer, meterProvider, tracerProvider }, span) {
-	const logger = getLogger([
-		"fedify",
-		"federation",
-		"outbox"
-	]);
-	const federationMetrics = getFederationMetrics(meterProvider);
-	const started = performance.now();
-	let deliverySuccess = false;
-	headers = new Headers(headers);
-	headers.set("Content-Type", "application/activity+json");
-	const request = new Request(inbox, {
-		method: "POST",
-		headers,
-		body: JSON.stringify(activity)
-	});
-	let rsaKey = null;
-	for (const key of keys) if (key.privateKey.algorithm.name === "RSASSA-PKCS1-v1_5") {
-		rsaKey = key;
-		break;
-	}
-	if (rsaKey == null) logger.warn("No supported key found to sign the request to {inbox}.  The request will be sent without a signature.  In order to sign the request, at least one RSASSA-PKCS1-v1_5 key must be provided.", {
-		inbox: inbox.href,
-		keys: keys.map((pair) => ({
-			keyId: pair.keyId.href,
-			privateKey: pair.privateKey
-		}))
-	});
-	let response;
-	try {
-		response = rsaKey == null ? await fetch(request) : await doubleKnock(request, rsaKey, {
-			tracerProvider,
-			specDeterminer
-		});
-	} catch (error) {
-		logger.error("Failed to send activity {activityId} to {inbox}:\n{error}", {
-			activityId,
-			inbox: inbox.href,
-			error
-		});
-		federationMetrics.recordDelivery(inbox, getDurationMs(started), false, activityType);
-		throw error;
-	}
-	try {
-		if (!response.ok) {
-			let error;
-			try {
-				error = await readLimitedResponseBody(response, MAX_ERROR_RESPONSE_BODY_BYTES);
-			} catch (_) {
-				error = "";
-			}
-			logger.error("Failed to send activity {activityId} to {inbox} ({status} {statusText}):\n{error}", {
-				activityId,
-				inbox: inbox.href,
-				status: response.status,
-				statusText: response.statusText,
-				error
-			});
-			throw new SendActivityError(inbox, response.status, `Failed to send activity ${activityId} to ${inbox.href} (${response.status} ${response.statusText}):\n${error}`, error);
-		}
-		deliverySuccess = true;
-		const eventAttributes = {
-			"activitypub.inbox.url": inbox.href,
-			"activitypub.activity.id": activityId ?? ""
-		};
-		if (activityType != null) eventAttributes["activitypub.activity.type"] = activityType;
-		const actorId = getActivityActorId(activity);
-		if (actorId != null) eventAttributes["activitypub.actor.id"] = actorId;
-		span.addEvent("activitypub.activity.sent", eventAttributes);
-	} finally {
-		federationMetrics.recordDelivery(inbox, getDurationMs(started), deliverySuccess, activityType);
-	}
-}
-/**
-* An error that is thrown when an activity fails to send to a remote inbox.
-* It contains structured information about the failure, including the HTTP
-* status code, the inbox URL, and the response body.
-* @since 2.0.0
-*/
-var SendActivityError = class extends Error {
-	/**
-	* The inbox URL that the activity was being sent to.
-	*/
-	inbox;
-	/**
-	* The HTTP status code returned by the inbox.
-	*/
-	statusCode;
-	/**
-	* The response body from the inbox, if any.  Note that this may be
-	* truncated to a maximum of 1 KiB to prevent excessive memory consumption
-	* when remote servers return large error pages (e.g., Cloudflare error pages).
-	* If truncated, the string will end with `"… (truncated)"`.
-	*/
-	responseBody;
-	/**
-	* Creates a new {@link SendActivityError}.
-	* @param inbox The inbox URL.
-	* @param statusCode The HTTP status code.
-	* @param message The error message.
-	* @param responseBody The response body.
-	*/
-	constructor(inbox, statusCode, message, responseBody) {
-		super(message);
-		this.name = "SendActivityError";
-		this.inbox = inbox;
-		this.statusCode = statusCode;
-		this.responseBody = responseBody;
-	}
-};
-//#endregion
-export { getFederationMetrics as a, recordOutboxEnqueue as c, getDurationMs as i, extractInboxes as n, getRemoteHost as o, sendActivity as r, isAbortError as s, SendActivityError as t };
+export { measureSignatureKeyFetch as a, isAbortError as i, getFederationMetrics as n, recordOutboxEnqueue as o, getRemoteHost as r, getDurationMs as t };