@fedify/fedify 2.3.0-dev.1110 → 2.3.0-dev.1119

package/dist/send-BPhyR5Oo.mjs

@@ -0,0 +1,225 @@
+import "@js-temporal/polyfill";
+import "urlpattern-polyfill";
+globalThis.addEventListener = () => {};
+import { n as version, t as name } from "./deno-DVsHS7rA.mjs";
+import { n as getFederationMetrics, t as getDurationMs } from "./metrics-C4attqv0.mjs";
+import { n as doubleKnock } from "./http-DUV8ysti.mjs";
+import { getLogger } from "@logtape/logtape";
+import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
+//#region src/federation/send.ts
+/**
+* Extracts the inbox URLs from recipients.
+* @param parameters The parameters to extract the inboxes.
+*                   See also {@link ExtractInboxesParameters}.
+* @returns The inboxes as a map of inbox URL to actor URIs.
+*/
+function extractInboxes({ recipients, preferSharedInbox, excludeBaseUris }) {
+	const inboxes = {};
+	for (const recipient of recipients) {
+		let inbox;
+		let sharedInbox = false;
+		if (preferSharedInbox && recipient.endpoints?.sharedInbox != null) {
+			inbox = recipient.endpoints.sharedInbox;
+			sharedInbox = true;
+		} else inbox = recipient.inboxId;
+		if (inbox != null && recipient.id != null) {
+			if (excludeBaseUris != null && excludeBaseUris.some((u) => u.origin === inbox?.origin)) continue;
+			inboxes[inbox.href] ??= {
+				actorIds: /* @__PURE__ */ new Set(),
+				sharedInbox
+			};
+			inboxes[inbox.href].actorIds.add(recipient.id.href);
+		}
+	}
+	return inboxes;
+}
+/**
+* Sends an {@link Activity} to an inbox.
+*
+* @param parameters The parameters for sending the activity.
+*                   See also {@link SendActivityParameters}.
+* @throws {Error} If the activity fails to send.
+*/
+function sendActivity(options) {
+	const tracerProvider = options.tracerProvider ?? trace.getTracerProvider();
+	return tracerProvider.getTracer(name, version).startActiveSpan("activitypub.send_activity", {
+		kind: SpanKind.CLIENT,
+		attributes: { "activitypub.shared_inbox": options.sharedInbox ?? false }
+	}, async (span) => {
+		if (options.activityId != null) span.setAttribute("activitypub.activity.id", options.activityId);
+		if (options.activityType != null) span.setAttribute("activitypub.activity.type", options.activityType);
+		try {
+			await sendActivityInternal({
+				...options,
+				tracerProvider
+			}, span);
+		} catch (e) {
+			span.setStatus({
+				code: SpanStatusCode.ERROR,
+				message: String(e)
+			});
+			throw e;
+		} finally {
+			span.end();
+		}
+	});
+}
+const MAX_ERROR_RESPONSE_BODY_BYTES = 1024;
+function getActivityActorId(activity) {
+	if (!isRecord(activity)) return void 0;
+	return getIdValue(activity.actor);
+}
+function getIdValue(value) {
+	if (typeof value === "string" && value !== "") return value;
+	if (value instanceof URL) return value.href;
+	if (Array.isArray(value)) {
+		for (const item of value) {
+			const id = getIdValue(item);
+			if (id != null) return id;
+		}
+		return;
+	}
+	if (isRecord(value)) return getIdValue(value.id);
+}
+function isRecord(value) {
+	return typeof value === "object" && value != null;
+}
+async function readLimitedResponseBody(response, maxBytes) {
+	if (response.body == null) return "";
+	const reader = response.body.getReader();
+	const decoder = new TextDecoder();
+	const chunks = [];
+	let totalBytes = 0;
+	let truncated = false;
+	try {
+		while (true) {
+			const { done, value } = await reader.read();
+			if (done) break;
+			if (totalBytes + value.length > maxBytes) {
+				const remaining = maxBytes - totalBytes;
+				if (remaining > 0) chunks.push(decoder.decode(value.slice(0, remaining), { stream: true }));
+				truncated = true;
+				break;
+			}
+			chunks.push(decoder.decode(value, { stream: true }));
+			totalBytes += value.length;
+		}
+	} finally {
+		reader.releaseLock();
+	}
+	let result = chunks.join("");
+	if (truncated) result += "… (truncated)";
+	return result;
+}
+async function sendActivityInternal({ activity, activityId, activityType, keys, inbox, headers, specDeterminer, meterProvider, tracerProvider }, span) {
+	const logger = getLogger([
+		"fedify",
+		"federation",
+		"outbox"
+	]);
+	const federationMetrics = getFederationMetrics(meterProvider);
+	const started = performance.now();
+	let deliverySuccess = false;
+	headers = new Headers(headers);
+	headers.set("Content-Type", "application/activity+json");
+	const request = new Request(inbox, {
+		method: "POST",
+		headers,
+		body: JSON.stringify(activity)
+	});
+	let rsaKey = null;
+	for (const key of keys) if (key.privateKey.algorithm.name === "RSASSA-PKCS1-v1_5") {
+		rsaKey = key;
+		break;
+	}
+	if (rsaKey == null) logger.warn("No supported key found to sign the request to {inbox}.  The request will be sent without a signature.  In order to sign the request, at least one RSASSA-PKCS1-v1_5 key must be provided.", {
+		inbox: inbox.href,
+		keys: keys.map((pair) => ({
+			keyId: pair.keyId.href,
+			privateKey: pair.privateKey
+		}))
+	});
+	let response;
+	try {
+		response = rsaKey == null ? await fetch(request) : await doubleKnock(request, rsaKey, {
+			tracerProvider,
+			specDeterminer
+		});
+	} catch (error) {
+		logger.error("Failed to send activity {activityId} to {inbox}:\n{error}", {
+			activityId,
+			inbox: inbox.href,
+			error
+		});
+		federationMetrics.recordDelivery(inbox, getDurationMs(started), false, activityType);
+		throw error;
+	}
+	try {
+		if (!response.ok) {
+			let error;
+			try {
+				error = await readLimitedResponseBody(response, MAX_ERROR_RESPONSE_BODY_BYTES);
+			} catch (_) {
+				error = "";
+			}
+			logger.error("Failed to send activity {activityId} to {inbox} ({status} {statusText}):\n{error}", {
+				activityId,
+				inbox: inbox.href,
+				status: response.status,
+				statusText: response.statusText,
+				error
+			});
+			throw new SendActivityError(inbox, response.status, `Failed to send activity ${activityId} to ${inbox.href} (${response.status} ${response.statusText}):\n${error}`, error);
+		}
+		deliverySuccess = true;
+		const eventAttributes = {
+			"activitypub.inbox.url": inbox.href,
+			"activitypub.activity.id": activityId ?? ""
+		};
+		if (activityType != null) eventAttributes["activitypub.activity.type"] = activityType;
+		const actorId = getActivityActorId(activity);
+		if (actorId != null) eventAttributes["activitypub.actor.id"] = actorId;
+		span.addEvent("activitypub.activity.sent", eventAttributes);
+	} finally {
+		federationMetrics.recordDelivery(inbox, getDurationMs(started), deliverySuccess, activityType);
+	}
+}
+/**
+* An error that is thrown when an activity fails to send to a remote inbox.
+* It contains structured information about the failure, including the HTTP
+* status code, the inbox URL, and the response body.
+* @since 2.0.0
+*/
+var SendActivityError = class extends Error {
+	/**
+	* The inbox URL that the activity was being sent to.
+	*/
+	inbox;
+	/**
+	* The HTTP status code returned by the inbox.
+	*/
+	statusCode;
+	/**
+	* The response body from the inbox, if any.  Note that this may be
+	* truncated to a maximum of 1 KiB to prevent excessive memory consumption
+	* when remote servers return large error pages (e.g., Cloudflare error pages).
+	* If truncated, the string will end with `"… (truncated)"`.
+	*/
+	responseBody;
+	/**
+	* Creates a new {@link SendActivityError}.
+	* @param inbox The inbox URL.
+	* @param statusCode The HTTP status code.
+	* @param message The error message.
+	* @param responseBody The response body.
+	*/
+	constructor(inbox, statusCode, message, responseBody) {
+		super(message);
+		this.name = "SendActivityError";
+		this.inbox = inbox;
+		this.statusCode = statusCode;
+		this.responseBody = responseBody;
+	}
+};
+//#endregion
+export { extractInboxes as n, sendActivity as r, SendActivityError as t };

package/dist/sig/accept.test.mjs

@@ -1,7 +1,7 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { i as validateAcceptSignature, n as fulfillAcceptSignature, r as parseAcceptSignature, t as formatAcceptSignature } from "../accept-CceiKpCy.mjs";
+import { i as validateAcceptSignature, n as fulfillAcceptSignature, r as parseAcceptSignature, t as formatAcceptSignature } from "../accept-CgDcxvjV.mjs";
 import { test } from "@fedify/fixture";
 import { deepStrictEqual, strictEqual } from "node:assert/strict";
 //#region src/sig/accept.test.ts

package/dist/sig/http.test.mjs

@@ -2,15 +2,15 @@ import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import { i as assertExists, t as assertStringIncludes } from "../std__assert-CRDpx_HF.mjs";
-import { n as assertFalse, t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
+import { r as assertExists, t as assertStringIncludes } from "../std__assert-BTEgfoJo.mjs";
+import { n as assertGreaterOrEqual, r as assertFalse, t as assertRejects } from "../assert_rejects-DQP-q39h.mjs";
 import { t as assertThrows } from "../assert_throws-4NwKEy2q.mjs";
 import { t as assert } from "../assert-DikXweDx.mjs";
 import { t as esm_default } from "../esm-sdtqOUPu.mjs";
-import { t as exportJwk } from "../key-DW1EVmtP.mjs";
-import { a as parseRfc9421Signature, c as timingSafeEqual, i as formatRfc9421SignatureParameters, l as verifyRequest, n as doubleKnock, o as parseRfc9421SignatureInput, r as formatRfc9421Signature, s as signRequest, t as createRfc9421SignatureBase, u as verifyRequestDetailed } from "../http-BLopFpvC.mjs";
-import { i as rsaPrivateKey2, l as rsaPublicKey5, o as rsaPublicKey1, s as rsaPublicKey2 } from "../keys-C3kae-6B.mjs";
-import { createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
+import { t as exportJwk } from "../key-BoWaYRHm.mjs";
+import { a as parseRfc9421Signature, c as timingSafeEqual, i as formatRfc9421SignatureParameters, l as verifyRequest, n as doubleKnock, o as parseRfc9421SignatureInput, r as formatRfc9421Signature, s as signRequest, t as createRfc9421SignatureBase, u as verifyRequestDetailed } from "../http-DUV8ysti.mjs";
+import { i as rsaPrivateKey2, l as rsaPublicKey5, o as rsaPublicKey1, s as rsaPublicKey2 } from "../keys-CSYsOMFG.mjs";
+import { createTestMeterProvider, createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { FetchError, exportSpki } from "@fedify/vocab-runtime";
 import { encodeBase64 } from "byte-encodings/base64";
 //#region src/sig/http.test.ts
@@ -230,6 +230,212 @@ test("verifyRequestDetailed() records failure details on span", async () => {
 	assertEquals(span.attributes["http_signatures.key_id"], keyId.href);
 	assertEquals(span.attributes["http_signatures.key_fetch_status"], 410);
 });
+test("verifyRequestDetailed() records verification duration metric", async (t) => {
+	const buildSignedRequest = () => signRequest(new Request("https://example.com/inbox", {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/activity+json",
+			accept: "application/ld+json"
+		},
+		body: JSON.stringify({
+			"@context": "https://www.w3.org/ns/activitystreams",
+			type: "Create",
+			actor: "https://example.com/key2"
+		})
+	}), rsaPrivateKey2, new URL("https://example.com/key2"));
+	await t.step("verified path emits one measurement", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert((await verifyRequestDetailed(await buildSignedRequest(), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider
+		})).verified);
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		const measurement = measurements[0];
+		assertEquals(measurement.type, "histogram");
+		assertGreaterOrEqual(measurement.value, 0);
+		assertEquals(measurement.attributes["activitypub.signature.kind"], "http");
+		assertEquals(measurement.attributes["activitypub.signature.result"], "verified");
+		assertEquals(measurement.attributes["http_signatures.algorithm"], "rsa-sha256");
+		assertFalse("http_signatures.failure_reason" in measurement.attributes);
+	});
+	await t.step("missing signature is recorded as result=missing", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const result = await verifyRequestDetailed(new Request("https://example.com/inbox", {
+			method: "POST",
+			headers: { "Content-Type": "application/activity+json" },
+			body: "{}"
+		}), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider
+		});
+		assertFalse(result.verified);
+		assertEquals(result.reason.type, "noSignature");
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "http");
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "missing");
+		assertFalse("http_signatures.failure_reason" in measurements[0].attributes);
+	});
+	await t.step("invalid signature is recorded as result=rejected with failure_reason", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const result = await verifyRequestDetailed(new Request("https://example.com/", {
+			method: "POST",
+			headers: {
+				Date: "Tue, 05 Mar 2024 07:49:44 GMT",
+				Digest: "sha-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+				Signature: "keyId=\"https://example.com/key2\",headers=\"(request-target) date digest\",signature=\"AAAA\""
+			},
+			body: ""
+		}), {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		});
+		assertFalse(result.verified);
+		assertEquals(result.reason.type, "invalidSignature");
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "http");
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertEquals(measurements[0].attributes["http_signatures.failure_reason"], "invalidSignature");
+	});
+	await t.step("key fetch failure is recorded as result=rejected with failure_reason=keyFetchError", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const keyId = new URL("https://gone.example/actors/alice#main-key");
+		const result = await verifyRequestDetailed(await signRequest(new Request("https://example.com/inbox", {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/activity+json",
+				accept: "application/ld+json"
+			},
+			body: JSON.stringify({
+				"@context": "https://www.w3.org/ns/activitystreams",
+				type: "Create",
+				actor: "https://gone.example/actors/alice"
+			})
+		}), rsaPrivateKey2, keyId), {
+			contextLoader: mockDocumentLoader,
+			documentLoader(url) {
+				if (url === keyId.href) throw new FetchError(keyId, `HTTP 410: ${keyId.href}`, new Response(null, { status: 410 }));
+				return mockDocumentLoader(url);
+			},
+			meterProvider
+		});
+		assertFalse(result.verified);
+		assertEquals(result.reason.type, "keyFetchError");
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertEquals(measurements[0].attributes["http_signatures.failure_reason"], "keyFetchError");
+	});
+	await t.step("verifyRequest() wrapper emits exactly one measurement, not two", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertExists(await verifyRequest(await buildSignedRequest(), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		assertEquals(recorder.getMeasurements("activitypub.signature.verification.duration").length, 1);
+	});
+	await t.step("cached-key retry emits one measurement, not two", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const cache = { "https://example.com/key2": rsaPublicKey1 };
+		assertExists(await verifyRequest(await buildSignedRequest(), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider,
+			keyCache: {
+				get(keyId) {
+					return Promise.resolve(cache[keyId.href]);
+				},
+				set(keyId, k) {
+					cache[keyId.href] = k;
+					return Promise.resolve();
+				}
+			}
+		}));
+		assertEquals(recorder.getMeasurements("activitypub.signature.verification.duration").length, 1);
+	});
+	await t.step("key fetch records result=fetched on a cold cache", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertExists(await verifyRequest(await buildSignedRequest(), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].type, "histogram");
+		assertGreaterOrEqual(measurements[0].value, 0);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "http");
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "fetched");
+	});
+	await t.step("key fetch records result=hit when served from the key cache", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const cache = { "https://example.com/key2": rsaPublicKey2 };
+		assertExists(await verifyRequest(await buildSignedRequest(), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider,
+			keyCache: {
+				get(keyId) {
+					return Promise.resolve(cache[keyId.href]);
+				},
+				set(keyId, k) {
+					cache[keyId.href] = k;
+					return Promise.resolve();
+				}
+			}
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "hit");
+	});
+	await t.step("key fetch records result=error when the remote key returns HTTP 410", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const keyId = new URL("https://gone.example/actors/alice#main-key");
+		assertFalse((await verifyRequestDetailed(await signRequest(new Request("https://example.com/inbox", {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/activity+json",
+				accept: "application/ld+json"
+			},
+			body: "{}"
+		}), rsaPrivateKey2, keyId), {
+			contextLoader: mockDocumentLoader,
+			documentLoader(url) {
+				if (url === keyId.href) throw new FetchError(keyId, `HTTP 410: ${keyId.href}`, new Response(null, { status: 410 }));
+				return mockDocumentLoader(url);
+			},
+			meterProvider
+		})).verified);
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "error");
+	});
+	await t.step("draft-cavage with unknown algorithm omits the algorithm metric attribute", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse((await verifyRequestDetailed(new Request("https://example.com/", {
+			method: "POST",
+			headers: {
+				Date: "Tue, 05 Mar 2024 07:49:44 GMT",
+				Digest: "sha-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+				Signature: "keyId=\"https://example.com/key2\",algorithm=\"x-attacker-supplied\",headers=\"(request-target) date digest\",signature=\"AAAA\""
+			},
+			body: ""
+		}), {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		})).verified);
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertFalse("http_signatures.algorithm" in measurements[0].attributes);
+	});
+});
 test("signRequest() and verifyRequest() [rfc9421] implementation", async () => {
 	const currentTimestamp = 1709626184;
 	const currentTime = Temporal.Instant.from("2024-03-05T08:09:44Z");

package/dist/sig/key.test.mjs

@@ -2,11 +2,11 @@ import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import "../std__assert-CRDpx_HF.mjs";
-import { t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
+import "../std__assert-BTEgfoJo.mjs";
+import { t as assertRejects } from "../assert_rejects-DQP-q39h.mjs";
 import { t as assertThrows } from "../assert_throws-4NwKEy2q.mjs";
-import { a as importJwk, i as generateCryptoKeyPair, n as fetchKey, o as validateCryptoKey, r as fetchKeyDetailed, t as exportJwk } from "../key-DW1EVmtP.mjs";
-import { c as rsaPublicKey3, i as rsaPrivateKey2, o as rsaPublicKey1, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-C3kae-6B.mjs";
+import { a as importJwk, i as generateCryptoKeyPair, n as fetchKey, o as validateCryptoKey, r as fetchKeyDetailed, t as exportJwk } from "../key-BoWaYRHm.mjs";
+import { c as rsaPublicKey3, i as rsaPrivateKey2, o as rsaPublicKey1, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-CSYsOMFG.mjs";
 import { CryptographicKey, Multikey } from "@fedify/vocab";
 import { createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { FetchError } from "@fedify/vocab-runtime";

package/dist/sig/ld.test.mjs

@@ -2,14 +2,14 @@ import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import { n as assertFalse, t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
+import { n as assertGreaterOrEqual, r as assertFalse, t as assertRejects } from "../assert_rejects-DQP-q39h.mjs";
 import { t as assertThrows } from "../assert_throws-4NwKEy2q.mjs";
 import { t as assert } from "../assert-DikXweDx.mjs";
-import { i as generateCryptoKeyPair } from "../key-DW1EVmtP.mjs";
-import { a as rsaPrivateKey3, c as rsaPublicKey3, i as rsaPrivateKey2, n as ed25519PrivateKey, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-C3kae-6B.mjs";
-import { a as signJsonLd, i as hasSignatureLike, n as createSignature, o as verifyJsonLd, r as detachSignature, s as verifySignature, t as attachSignature } from "../ld-BNkk2Yal.mjs";
+import { i as generateCryptoKeyPair } from "../key-BoWaYRHm.mjs";
+import { a as rsaPrivateKey3, c as rsaPublicKey3, i as rsaPrivateKey2, n as ed25519PrivateKey, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-CSYsOMFG.mjs";
+import { a as signJsonLd, i as hasSignatureLike, n as createSignature, o as verifyJsonLd, r as detachSignature, s as verifySignature, t as attachSignature } from "../ld-B5K1mSuG.mjs";
 import { CryptographicKey } from "@fedify/vocab";
-import { mockDocumentLoader, test } from "@fedify/fixture";
+import { createTestMeterProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { encodeBase64 } from "byte-encodings/base64";
 //#region src/sig/ld.test.ts
 test("attachSignature()", () => {
@@ -249,5 +249,138 @@ test("verifyJsonLd()", async () => {
 		contextLoader: mockDocumentLoader
 	}));
 });
+test("verifyJsonLd() records verification duration metric", async (t) => {
+	await t.step("verified path records result=verified with bounded type", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert(await verifyJsonLd(testVector, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		const m = measurements[0];
+		assertEquals(m.type, "histogram");
+		assertGreaterOrEqual(m.value, 0);
+		assertEquals(m.attributes["activitypub.signature.kind"], "linked_data");
+		assertEquals(m.attributes["activitypub.signature.result"], "verified");
+		assertEquals(m.attributes["ld_signatures.type"], "RsaSignature2017");
+	});
+	await t.step("missing signature records result=missing without type", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse(await verifyJsonLd(document, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "linked_data");
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "missing");
+		assertFalse("ld_signatures.type" in measurements[0].attributes);
+	});
+	await t.step("invalid signature records result=rejected", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse(await verifyJsonLd({
+			...testVector,
+			signature: {
+				...testVector.signature,
+				signatureValue: encodeBase64(new Uint8Array([
+					1,
+					2,
+					3,
+					4
+				]))
+			}
+		}, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertEquals(measurements[0].attributes["ld_signatures.type"], "RsaSignature2017");
+	});
+	await t.step("malformed (null) signature property records result=rejected, not missing", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse(await verifyJsonLd({
+			...document,
+			signature: null
+		}, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertFalse("ld_signatures.type" in measurements[0].attributes);
+	});
+	await t.step("key fetch records result=fetched on a cold cache", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert(await verifyJsonLd(testVector, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 1);
+		assertGreaterOrEqual(measurements[0].value, 0);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "linked_data");
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "fetched");
+	});
+	await t.step("missing signature emits no key_fetch measurement", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse(await verifyJsonLd(document, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		assertEquals(recorder.getMeasurements("activitypub.signature.key_fetch.duration").length, 0);
+	});
+	await t.step("cached-key retry emits two key_fetch measurements: hit then fetched", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert(await verifyJsonLd(testVector, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider,
+			keyCache: {
+				async get(keyId) {
+					return new CryptographicKey({
+						id: keyId,
+						owner: new URL("https://activitypub.academy/users/brauca_darradiul"),
+						publicKey: (await generateCryptoKeyPair("RSASSA-PKCS1-v1_5")).publicKey
+					});
+				},
+				set(_keyId, _key) {
+					return Promise.resolve();
+				}
+			}
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 2);
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "hit");
+		assertEquals(measurements[1].attributes["activitypub.signature.key_fetch.result"], "fetched");
+	});
+	await t.step("unknown signature type omits the ld_signatures.type metric attribute", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse(await verifyJsonLd({
+			...testVector,
+			signature: {
+				...testVector.signature,
+				type: "MadeUpSignature9999"
+			}
+		}, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertFalse("ld_signatures.type" in measurements[0].attributes);
+	});
+});
 //#endregion
 export {};

package/dist/sig/mod.cjs

@@ -1,8 +1,8 @@
 const { Temporal } = require("@js-temporal/polyfill");
 const { URLPattern } = require("urlpattern-polyfill");
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_http = require("../http-DV0il3vk.cjs");
-const require_proof = require("../proof-BD92WeqV.cjs");
+const require_http = require("../http-CubOB9wq.cjs");
+const require_proof = require("../proof-BUWfVr6Q.cjs");
 exports.attachSignature = require_proof.attachSignature;
 exports.createProof = require_proof.createProof;
 exports.createSignature = require_proof.createSignature;

package/dist/sig/mod.d.cts

@@ -1,5 +1,5 @@
 /// <reference lib="esnext.temporal" />
-import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "../http-C87EWkO0.cjs";
+import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "../http-D6aw3j2U.cjs";
 import { i as getKeyOwner, n as GetKeyOwnerOptions, r as doesActorOwnKey, t as DoesActorOwnKeyOptions } from "../owner-DEvZuyOE.cjs";
-import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "../mod-DXY9JF28.cjs";
+import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "../mod-BDhgfjP7.cjs";
 export { AcceptSignatureMember, AcceptSignatureParameters, CreateProofOptions, CreateSignatureOptions, DoesActorOwnKeyOptions, FetchKeyDetailedResult, FetchKeyErrorResult, FetchKeyOptions, FetchKeyResult, FulfillAcceptSignatureResult, GetKeyOwnerOptions, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, Rfc9421SignRequestOptions, SignJsonLdOptions, SignObjectOptions, SignRequestOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifyRequestDetailedResult, VerifyRequestFailureReason, VerifyRequestOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, exportJwk, fetchKey, fetchKeyDetailed, formatAcceptSignature, fulfillAcceptSignature, generateCryptoKeyPair, getKeyOwner, hasProofLike, hasSignatureLike, importJwk, parseAcceptSignature, signJsonLd, signObject, signRequest, validateAcceptSignature, verifyJsonLd, verifyObject, verifyProof, verifyRequest, verifyRequestDetailed, verifySignature };