@fedify/fedify 2.3.0-dev.1145 → 2.3.0-dev.1150

package/dist/{proof-BkRyFchv.js → proof-I3EokKN-.js}

@@ -1,6 +1,6 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { O as name, _ as measureSignatureKeyFetch, d as validateCryptoKey, f as getDurationMs, k as version, p as getFederationMetrics, s as fetchKey } from "./http-B2hxA7dO.js";
+import { O as name, _ as measureSignatureKeyFetch, d as validateCryptoKey, f as getDurationMs, k as version, p as getFederationMetrics, s as fetchKey } from "./http-WbS1gKzr.js";
 import { getLogger } from "@logtape/logtape";
 import { Activity, CryptographicKey, DataIntegrityProof, Multikey, Object as Object$1, PUBLIC_COLLECTION, getTypeId, isActor } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
@@ -15,6 +15,290 @@ const logger$3 = getLogger([
 	"sig",
 	"ld"
 ]);
+const localContext = [
+	"https://w3id.org/identity/v1",
+	"https://www.w3.org/ns/activitystreams",
+	"https://w3id.org/security/v1",
+	"https://w3id.org/security/data-integrity/v1"
+];
+const localContextUrls = new Set(localContext);
+const builtInContextLoader = getDocumentLoader();
+const disallowedJsonLdKeywords = new Set([
+	"@graph",
+	"@included",
+	"@reverse"
+]);
+/** @internal */
+var UnsafeJsonLdError = class extends TypeError {
+	keyword;
+	constructor(keyword) {
+		super(`Unsupported JSON-LD keyword: ${keyword}.`);
+		this.keyword = keyword;
+		this.name = "UnsafeJsonLdError";
+	}
+};
+/** @internal */
+var InvalidContextReferenceError = class extends TypeError {
+	reference;
+	constructor(reference) {
+		super(`Invalid JSON-LD context reference: ${reference}.`);
+		this.reference = reference;
+		this.name = "InvalidContextReferenceError";
+	}
+};
+function createLoadingRemoteContextFailedError(reference, cause) {
+	const message = cause instanceof Error ? cause.message : String(cause);
+	const error = /* @__PURE__ */ new Error(`Dereferencing a URL did not result in a valid JSON-LD context: ${reference}. ${message}`);
+	error.name = "jsonld.InvalidUrl";
+	error.details = {
+		code: "loading remote context failed",
+		url: reference
+	};
+	error.cause = cause;
+	return error;
+}
+/** @internal */
+function isClearlyMalformedContextReference(reference) {
+	for (const char of reference) {
+		const code = char.charCodeAt(0);
+		if (code <= 32 || code === 127) return true;
+	}
+	if (/^[A-Za-z][A-Za-z0-9+.-]*:/.test(reference) && !URL.canParse(reference)) return true;
+	for (let i = 0; i < reference.length; i++) {
+		if (reference[i] !== "%") continue;
+		if (i + 2 >= reference.length || !/[0-9A-Fa-f]/.test(reference[i + 1]) || !/[0-9A-Fa-f]/.test(reference[i + 2])) return true;
+		i += 2;
+	}
+	if (reference.startsWith("./") || reference.startsWith("../") || reference.startsWith("/") || reference.startsWith("//")) {
+		for (const char of reference) if ("[]<>\"\\^`{|}".includes(char)) return true;
+	}
+	return false;
+}
+function cloneRemoteDocument(remoteDocument) {
+	return structuredClone(remoteDocument);
+}
+function createMemoizedDocumentLoader(documentLoader) {
+	const cache = /* @__PURE__ */ new Map();
+	return async (url, options) => {
+		const cacheKey = URL.canParse(url) ? new URL(url).href : url;
+		let remoteDocument = cache.get(cacheKey);
+		if (remoteDocument == null) {
+			remoteDocument = Promise.resolve(documentLoader(url, options)).then(cloneRemoteDocument);
+			remoteDocument.catch(() => {
+				if (cache.get(cacheKey) === remoteDocument) cache.delete(cacheKey);
+			});
+			cache.set(cacheKey, remoteDocument);
+		}
+		return cloneRemoteDocument(await remoteDocument);
+	};
+}
+/** @internal */
+function wrapContextLoaderForJsonLd(contextLoader) {
+	const loader = contextLoader ?? builtInContextLoader;
+	return async (url, options) => {
+		try {
+			return await loader(url, options);
+		} catch (error) {
+			if (!isInvalidUrlTypeError(error)) throw error;
+			if (isClearlyMalformedContextReference(url)) throw new InvalidContextReferenceError(url);
+			throw createLoadingRemoteContextFailedError(url, error);
+		}
+	};
+}
+/** @internal */
+function getNormalizationContextLoader(contextLoader) {
+	const loader = wrapContextLoaderForJsonLd(contextLoader);
+	return createMemoizedDocumentLoader(async (url, options) => {
+		if (URL.canParse(url)) {
+			const normalizedUrl = new URL(url).href;
+			if (localContextUrls.has(normalizedUrl)) return await builtInContextLoader(normalizedUrl, options);
+		}
+		return await loader(url, options);
+	});
+}
+/** @internal */
+async function compactJsonLd(jsonLd, contextLoader) {
+	const hasLds = typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd;
+	const signature = hasLds ? jsonLd.signature : void 0;
+	const normalizationContextLoader = getNormalizationContextLoader(contextLoader);
+	const document = hasLds ? detachSignature(jsonLd) : jsonLd;
+	await assertNoGraphBeforeCompaction(document, normalizationContextLoader);
+	const compacted = await jsonld.compact(document, localContext, { documentLoader: normalizationContextLoader });
+	if (hasLds && typeof compacted === "object" && compacted != null) compacted.signature = signature;
+	assertSafeJsonLd(compacted);
+	return compacted;
+}
+function createInvalidRemoteContextError(reference) {
+	const error = /* @__PURE__ */ new Error(`Dereferencing a URL did not result in a JSON object. The response was valid JSON, but it was not a JSON object. URL: "${reference}".`);
+	error.name = "jsonld.InvalidUrl";
+	error.details = {
+		code: "invalid remote context",
+		url: reference
+	};
+	return error;
+}
+function getRemoteContext(remoteDocument, reference) {
+	const { contextUrl, documentUrl } = remoteDocument;
+	let { document } = remoteDocument;
+	if (typeof document === "string") document = JSON.parse(document);
+	if (typeof document !== "object" || document == null || Array.isArray(document)) throw createInvalidRemoteContextError(reference);
+	let context = "@context" in document ? document["@context"] : {};
+	if (contextUrl != null) context = Array.isArray(context) ? [...context, contextUrl] : [context, contextUrl];
+	return {
+		context,
+		baseUrl: documentUrl ?? reference
+	};
+}
+function createGraphAliasContextState() {
+	return {
+		graphTerms: /* @__PURE__ */ new Set(),
+		jsonTerms: /* @__PURE__ */ new Set(),
+		propertyContexts: /* @__PURE__ */ new Map(),
+		termTargets: /* @__PURE__ */ new Map()
+	};
+}
+function cloneGraphAliasContextState(state) {
+	return {
+		graphTerms: new Set(state.graphTerms),
+		jsonTerms: new Set(state.jsonTerms),
+		propertyContexts: new Map(state.propertyContexts),
+		termTargets: new Map(state.termTargets)
+	};
+}
+function resolveContextTarget(target, state) {
+	if (target === "@graph") return target;
+	const mapped = state.termTargets.get(target);
+	if (mapped == null) return target;
+	return mapped;
+}
+function getDirectContextTarget(definition) {
+	if (definition === null) return null;
+	if (typeof definition === "string") return definition;
+	if (typeof definition === "object" && definition != null && "@id" in definition) {
+		const id = definition["@id"];
+		if (id === null) return null;
+		if (typeof id === "string") return id;
+	}
+}
+function isJsonTypedDefinition(definition) {
+	return typeof definition === "object" && definition != null && "@type" in definition && definition["@type"] === "@json";
+}
+function resolveLocalContextTarget(target, state, localTargets, seen = /* @__PURE__ */ new Set()) {
+	if (target === "@graph") return target;
+	if (seen.has(target)) return target;
+	seen.add(target);
+	if (localTargets.has(target)) {
+		const localTarget = localTargets.get(target);
+		return localTarget == null ? target : resolveLocalContextTarget(localTarget, state, localTargets, seen);
+	}
+	return resolveContextTarget(target, state);
+}
+function refreshGraphAliases(state) {
+	state.graphTerms.clear();
+	for (const [term, target] of state.termTargets) if (target === "@graph") state.graphTerms.add(term);
+}
+function normalizeContextReference(reference, baseUrl) {
+	if (baseUrl != null) return new URL(reference, baseUrl).href;
+	return URL.canParse(reference) ? new URL(reference).href : reference;
+}
+/** @internal */
+function isInvalidUrlTypeError(error) {
+	const code = error.code;
+	return error instanceof TypeError && (code === "ERR_INVALID_URL" || /^Invalid URL(?::|$)/.test(error.message) || / cannot be parsed as a URL\.?$/.test(error.message));
+}
+async function applyGraphAliasContext(state, context, documentLoader, remoteContextCache, baseUrl = null, processingContexts = /* @__PURE__ */ new Set()) {
+	if (context === null) return createGraphAliasContextState();
+	let nextState = cloneGraphAliasContextState(state);
+	if (Array.isArray(context)) {
+		for (const item of context) nextState = await applyGraphAliasContext(nextState, item, documentLoader, remoteContextCache, baseUrl, processingContexts);
+		return nextState;
+	}
+	if (typeof context === "string") {
+		const reference = normalizeContextReference(context, baseUrl);
+		const cacheKey = `${baseUrl ?? ""}\n${reference}`;
+		if (processingContexts.has(cacheKey)) return nextState;
+		processingContexts.add(cacheKey);
+		try {
+			let remoteContext = remoteContextCache.get(cacheKey);
+			if (remoteContext == null) {
+				remoteContext = (async () => {
+					try {
+						return getRemoteContext(await documentLoader(reference), reference);
+					} catch (error) {
+						if (reference === context && isInvalidUrlTypeError(error) && isClearlyMalformedContextReference(context)) throw new InvalidContextReferenceError(context);
+						throw error;
+					}
+				})();
+				remoteContextCache.set(cacheKey, remoteContext);
+			}
+			const loadedRemoteContext = await remoteContext;
+			return await applyGraphAliasContext(nextState, loadedRemoteContext.context, documentLoader, remoteContextCache, loadedRemoteContext.baseUrl, processingContexts);
+		} finally {
+			processingContexts.delete(cacheKey);
+		}
+	}
+	if (typeof context === "object" && context != null) {
+		if ("@import" in context && typeof context["@import"] === "string") nextState = await applyGraphAliasContext(nextState, context["@import"], documentLoader, remoteContextCache, baseUrl, processingContexts);
+		const localTargets = /* @__PURE__ */ new Map();
+		for (const [term, definition] of globalThis.Object.entries(context)) {
+			if (term.startsWith("@")) continue;
+			const target = getDirectContextTarget(definition);
+			if (target == null) localTargets.set(term, null);
+			else if (typeof target === "string") localTargets.set(term, target);
+			else localTargets.delete(term);
+		}
+		for (const [term, definition] of globalThis.Object.entries(context)) {
+			if (term.startsWith("@")) continue;
+			if (localTargets.has(term)) {
+				const directTarget = localTargets.get(term);
+				if (directTarget == null) nextState.termTargets.set(term, null);
+				else nextState.termTargets.set(term, resolveLocalContextTarget(directTarget, nextState, localTargets));
+			} else nextState.termTargets.delete(term);
+			if (typeof definition === "object" && definition != null && "@context" in definition) nextState.propertyContexts.set(term, {
+				context: definition["@context"],
+				baseUrl
+			});
+			else nextState.propertyContexts.delete(term);
+			if (isJsonTypedDefinition(definition)) nextState.jsonTerms.add(term);
+			else nextState.jsonTerms.delete(term);
+		}
+		refreshGraphAliases(nextState);
+	}
+	return nextState;
+}
+async function assertNoGraphBeforeCompaction(jsonLd, documentLoader, inheritedState = createGraphAliasContextState(), propertyContext, remoteContextCache = /* @__PURE__ */ new Map()) {
+	if (Array.isArray(jsonLd)) {
+		for (const item of jsonLd) await assertNoGraphBeforeCompaction(item, documentLoader, inheritedState, propertyContext, remoteContextCache);
+		return;
+	}
+	if (typeof jsonLd !== "object" || jsonLd == null) return;
+	const jsonLiteralWrapper = isJsonLiteralWrapper(jsonLd);
+	let state = inheritedState;
+	if (propertyContext !== void 0) state = await applyGraphAliasContext(state, propertyContext.context, documentLoader, remoteContextCache, propertyContext.baseUrl);
+	if ("@context" in jsonLd) state = await applyGraphAliasContext(state, jsonLd["@context"], documentLoader, remoteContextCache);
+	for (const [key, value] of globalThis.Object.entries(jsonLd)) {
+		if (key === "@context") continue;
+		if (jsonLiteralWrapper && key === "@value") continue;
+		if (key === "@graph" || state.graphTerms.has(key)) throw new UnsafeJsonLdError("@graph");
+		if (state.jsonTerms.has(key)) continue;
+		await assertNoGraphBeforeCompaction(value, documentLoader, state, state.propertyContexts.get(key), remoteContextCache);
+	}
+}
+function isJsonLiteralWrapper(value) {
+	return "@value" in value && (value["@type"] === "@json" || value.type === "@json");
+}
+/** @internal */
+function assertSafeJsonLd(jsonLd) {
+	if (Array.isArray(jsonLd)) for (const item of jsonLd) assertSafeJsonLd(item);
+	else if (typeof jsonLd === "object" && jsonLd != null) {
+		const jsonLiteralWrapper = isJsonLiteralWrapper(jsonLd);
+		for (const [key, value] of globalThis.Object.entries(jsonLd)) {
+			if (disallowedJsonLdKeywords.has(key)) throw new UnsafeJsonLdError(key);
+			if (jsonLiteralWrapper && key === "@value") continue;
+			assertSafeJsonLd(value);
+		}
+	}
+}
 /**
 * Attaches a LD signature to the given JSON-LD document.
 * @param jsonLd The JSON-LD document to attach the signature to.  It is not
@@ -269,13 +553,25 @@ function getLdSignatureObject(jsonLd) {
 * @returns `true` if the document is authentic; `false` otherwise.
 */
 async function verifyJsonLd(jsonLd, options = {}) {
+	return await verifyJsonLdInternal(jsonLd, options, true);
+}
+/** @internal */
+async function verifyCompactJsonLd(jsonLd, options = {}) {
+	return await verifyJsonLdInternal(jsonLd, options, false);
+}
+async function verifyJsonLdInternal(jsonLd, options, compact) {
 	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("ld_signatures.verify", async (span) => {
 		const start = performance.now();
 		let verified = false;
 		let threw = false;
 		let signatureType;
 		try {
-			const object = await Object$1.fromJsonLd(jsonLd, options);
+			const verificationOptions = hasSignature(jsonLd) ? {
+				...options,
+				contextLoader: getNormalizationContextLoader(options.contextLoader)
+			} : options;
+			const compacted = compact ? hasSignature(jsonLd) ? await compactJsonLd(jsonLd, options.contextLoader) : jsonLd : jsonLd;
+			const object = await Object$1.fromJsonLd(compacted, verificationOptions);
 			if (object.id != null) span.setAttribute("activitypub.object.id", object.id.href);
 			span.setAttribute("activitypub.object.type", getTypeId(object).href);
 			const sig = getLdSignatureObject(jsonLd);
@@ -289,7 +585,7 @@ async function verifyJsonLd(jsonLd, options = {}) {
 			}
 			const attributions = new Set(object.attributionIds.map((uri) => uri.href));
 			if (object instanceof Activity) for (const uri of object.actorIds) attributions.add(uri.href);
-			const key = await verifySignature(jsonLd, options);
+			const key = await verifySignature(compacted, verificationOptions);
 			if (key == null) return false;
 			if (key.ownerId == null) {
 				logger$3.debug("Key {keyId} has no owner.", { keyId: key.id?.href });
@@ -1105,4 +1401,4 @@ async function verifyObject(cls, jsonLd, options = {}) {
 	return object;
 }
 //#endregion
-export { verifyProof as a, getKeyOwner as c, detachSignature as d, hasSignatureLike as f, verifySignature as h, verifyObject as i, attachSignature as l, verifyJsonLd as m, hasProofLike as n, normalizeOutgoingActivityJsonLd as o, signJsonLd as p, signObject as r, doesActorOwnKey as s, createProof as t, createSignature as u };
+export { verifySignature as C, verifyJsonLd as S, hasSignatureLike as _, verifyProof as a, signJsonLd as b, getKeyOwner as c, attachSignature as d, compactJsonLd as f, hasSignature as g, getNormalizationContextLoader as h, verifyObject as i, InvalidContextReferenceError as l, detachSignature as m, hasProofLike as n, normalizeOutgoingActivityJsonLd as o, createSignature as p, signObject as r, doesActorOwnKey as s, createProof as t, assertSafeJsonLd as u, isClearlyMalformedContextReference as v, wrapContextLoaderForJsonLd as w, verifyCompactJsonLd as x, isInvalidUrlTypeError as y };

package/dist/{proof-CSo0S8OK.mjs → proof-V_lafPmA.mjs}

@@ -1,9 +1,9 @@
 import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-h0TWFuEz.mjs";
-import { n as getDurationMs, r as getFederationMetrics, s as measureSignatureKeyFetch } from "./metrics-E0hAHtLZ.mjs";
-import { n as fetchKey, o as validateCryptoKey } from "./key-Dh2OK1XQ.mjs";
+import { n as version, t as name } from "./deno-CKFE6Uya.mjs";
+import { n as getDurationMs, r as getFederationMetrics, s as measureSignatureKeyFetch } from "./metrics-7Vy9FvEw.mjs";
+import { n as fetchKey, o as validateCryptoKey } from "./key-N0zP_oJA.mjs";
 import { n as preloadedOnlyDocumentLoader } from "./public-audience-N3pyOx2p.mjs";
 import { r as normalizeOutgoingActivityJsonLd } from "./outgoing-jsonld-BgFLCJQ_.mjs";
 import { getLogger } from "@logtape/logtape";

package/dist/{send-jzrTV1FU.mjs → send-Cc2_10tF.mjs}

@@ -1,9 +1,9 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-h0TWFuEz.mjs";
-import { n as getDurationMs, r as getFederationMetrics } from "./metrics-E0hAHtLZ.mjs";
-import { n as doubleKnock } from "./http-QzW9IWfs.mjs";
+import { n as version, t as name } from "./deno-CKFE6Uya.mjs";
+import { n as getDurationMs, r as getFederationMetrics } from "./metrics-7Vy9FvEw.mjs";
+import { n as doubleKnock } from "./http-vHCgbhTg.mjs";
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 //#region src/federation/send.ts

package/dist/sig/http.test.mjs

@@ -7,8 +7,8 @@ import { n as assertGreaterOrEqual, r as assertFalse, t as assertRejects } from
 import { t as assertThrows } from "../assert_throws-BOkhLGYc.mjs";
 import { t as assert } from "../assert-OguE97r2.mjs";
 import { t as esm_default } from "../esm-BQRw925N.mjs";
-import { t as exportJwk } from "../key-Dh2OK1XQ.mjs";
-import { a as parseRfc9421Signature, c as timingSafeEqual, i as formatRfc9421SignatureParameters, l as verifyRequest, n as doubleKnock, o as parseRfc9421SignatureInput, r as formatRfc9421Signature, s as signRequest, t as createRfc9421SignatureBase, u as verifyRequestDetailed } from "../http-QzW9IWfs.mjs";
+import { t as exportJwk } from "../key-N0zP_oJA.mjs";
+import { a as parseRfc9421Signature, c as timingSafeEqual, i as formatRfc9421SignatureParameters, l as verifyRequest, n as doubleKnock, o as parseRfc9421SignatureInput, r as formatRfc9421Signature, s as signRequest, t as createRfc9421SignatureBase, u as verifyRequestDetailed } from "../http-vHCgbhTg.mjs";
 import { i as rsaPrivateKey2, l as rsaPublicKey5, o as rsaPublicKey1, s as rsaPublicKey2 } from "../keys-C3kae-6B.mjs";
 import { createTestMeterProvider, createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { FetchError, exportSpki } from "@fedify/vocab-runtime";

package/dist/sig/key.test.mjs

@@ -5,7 +5,7 @@ import { t as assertEquals } from "../assert_equals-C-ZRDbaf.mjs";
 import "../std__assert-BBjXFNOb.mjs";
 import { t as assertRejects } from "../assert_rejects-DN60FHPX.mjs";
 import { t as assertThrows } from "../assert_throws-BOkhLGYc.mjs";
-import { a as importJwk, i as generateCryptoKeyPair, n as fetchKey, o as validateCryptoKey, r as fetchKeyDetailed, t as exportJwk } from "../key-Dh2OK1XQ.mjs";
+import { a as importJwk, i as generateCryptoKeyPair, n as fetchKey, o as validateCryptoKey, r as fetchKeyDetailed, t as exportJwk } from "../key-N0zP_oJA.mjs";
 import { c as rsaPublicKey3, i as rsaPrivateKey2, o as rsaPublicKey1, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-C3kae-6B.mjs";
 import { CryptographicKey, Multikey } from "@fedify/vocab";
 import { createTestMeterProvider, createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";