@rmdes/indiekit-endpoint-activitypub 1.0.22 → 1.0.24
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +5 -2
- package/lib/federation-setup.js +10 -10
- package/package.json +1 -1
package/index.js
CHANGED
|
@@ -185,8 +185,11 @@ export default class ActivityPubEndpoint {
|
|
|
185
185
|
router.use((req, res, next) => {
|
|
186
186
|
if (!self._fedifyMiddleware) return next();
|
|
187
187
|
if (req.method !== "GET" && req.method !== "HEAD") return next();
|
|
188
|
-
//
|
|
189
|
-
|
|
188
|
+
// Only delegate to Fedify for NodeInfo data endpoint (/nodeinfo/2.1).
|
|
189
|
+
// All other paths in this root-mounted router are handled by the
|
|
190
|
+
// content negotiation catch-all below. Passing arbitrary paths like
|
|
191
|
+
// /notes/... to Fedify causes harmless but noisy 404 warnings.
|
|
192
|
+
if (!req.path.startsWith("/nodeinfo/")) return next();
|
|
190
193
|
return self._fedifyMiddleware(req, res, next);
|
|
191
194
|
});
|
|
192
195
|
|
package/lib/federation-setup.js
CHANGED
|
@@ -296,17 +296,17 @@ export function setupFederation(options) {
|
|
|
296
296
|
}
|
|
297
297
|
|
|
298
298
|
return keyPairs;
|
|
299
|
-
})
|
|
300
|
-
.authorize(async (ctx, identifier, signedKey, _signedKeyOwner) => {
|
|
301
|
-
// Instance actor is always publicly accessible (prevents infinite loops)
|
|
302
|
-
const hostname = ctx.url?.hostname || "";
|
|
303
|
-
if (identifier === hostname) return true;
|
|
304
|
-
// Check if authorized fetch is enabled
|
|
305
|
-
const profile = await getProfile(collections);
|
|
306
|
-
if (!profile.authorizedFetch) return true;
|
|
307
|
-
// When enabled, require a valid HTTP Signature
|
|
308
|
-
return signedKey != null;
|
|
309
299
|
});
|
|
300
|
+
// NOTE: .authorize() is intentionally NOT chained here.
|
|
301
|
+
// Fedify's authorize predicate triggers HTTP Signature verification on
|
|
302
|
+
// every GET to the actor endpoint. When a remote server that requires
|
|
303
|
+
// authorized fetch (e.g. kobolds.online, void.ello.tech) requests our
|
|
304
|
+
// actor, Fedify tries to fetch THEIR public key to verify the signature.
|
|
305
|
+
// Those instances return 401, causing a FetchError that Fedify doesn't
|
|
306
|
+
// catch — resulting in 500s for those servers and error log spam.
|
|
307
|
+
// Authorized fetch requires authenticated document loading (using the
|
|
308
|
+
// instance actor's keys for outgoing fetches), which Fedify doesn't yet
|
|
309
|
+
// support out of the box. Re-enable once Fedify adds this capability.
|
|
310
310
|
|
|
311
311
|
// --- Inbox listeners ---
|
|
312
312
|
const inboxChain = federation.setInboxListeners(
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@rmdes/indiekit-endpoint-activitypub",
|
|
3
|
-
"version": "1.0.
|
|
3
|
+
"version": "1.0.24",
|
|
4
4
|
"description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"indiekit",
|