@rmdes/indiekit-endpoint-activitypub 1.0.23 → 1.0.25

package/index.js

@@ -185,13 +185,11 @@ export default class ActivityPubEndpoint {
     router.use((req, res, next) => {
       if (!self._fedifyMiddleware) return next();
       if (req.method !== "GET" && req.method !== "HEAD") return next();
-      // Skip Fedify for admin routes — handled by authenticated router.
-      // This router is mounted at "/" so paths include the full mountPath prefix
-      // (e.g. /activitypub/admin/...), not just /admin/...
-      const mp = self.options.mountPath;
-      if (req.path.startsWith("/admin") || req.path.startsWith(`${mp}/admin`)) return next();
-      // Skip Fedify for the bare dashboard path (e.g. /activitypub)
-      if (req.path === mp || req.path === `${mp}/`) return next();
+      // Only delegate to Fedify for NodeInfo data endpoint (/nodeinfo/2.1).
+      // All other paths in this root-mounted router are handled by the
+      // content negotiation catch-all below. Passing arbitrary paths like
+      // /notes/... to Fedify causes harmless but noisy 404 warnings.
+      if (!req.path.startsWith("/nodeinfo/")) return next();
       return self._fedifyMiddleware(req, res, next);
     });
 

package/lib/federation-setup.js

@@ -212,13 +212,14 @@ export function setupFederation(options) {
       return null;
     })
     .mapAlias((_ctx, alias) => {
-      // Resolve profile URL and /@handle patterns via WebFinger
+      // Resolve profile URL and /@handle patterns via WebFinger.
+      // Must return { identifier } or { username }, not a bare string.
       if (!publicationUrl) return null;
       try {
         const pub = new URL(publicationUrl);
         if (alias.hostname !== pub.hostname) return null;
         const path = alias.pathname.replace(/\/$/, "");
-        if (path === "" || path === `/@${handle}`) return handle;
+        if (path === "" || path === `/@${handle}`) return { identifier: handle };
       } catch { /* ignore */ }
       return null;
     })
@@ -296,17 +297,17 @@ export function setupFederation(options) {
       }
 
       return keyPairs;
-    })
-    .authorize(async (ctx, identifier, signedKey, _signedKeyOwner) => {
-      // Instance actor is always publicly accessible (prevents infinite loops)
-      const hostname = ctx.url?.hostname || "";
-      if (identifier === hostname) return true;
-      // Check if authorized fetch is enabled
-      const profile = await getProfile(collections);
-      if (!profile.authorizedFetch) return true;
-      // When enabled, require a valid HTTP Signature
-      return signedKey != null;
     });
+    // NOTE: .authorize() is intentionally NOT chained here.
+    // Fedify's authorize predicate triggers HTTP Signature verification on
+    // every GET to the actor endpoint. When a remote server that requires
+    // authorized fetch (e.g. kobolds.online, void.ello.tech) requests our
+    // actor, Fedify tries to fetch THEIR public key to verify the signature.
+    // Those instances return 401, causing a FetchError that Fedify doesn't
+    // catch — resulting in 500s for those servers and error log spam.
+    // Authorized fetch requires authenticated document loading (using the
+    // instance actor's keys for outgoing fetches), which Fedify doesn't yet
+    // support out of the box. Re-enable once Fedify adds this capability.
 
   // --- Inbox listeners ---
   const inboxChain = federation.setInboxListeners(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "1.0.23",
+  "version": "1.0.25",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",