@rmdes/indiekit-endpoint-activitypub 3.8.1 → 3.8.3

package/index.js

@@ -238,6 +238,21 @@ export default class ActivityPubEndpoint {
         console.info(`[federation-diag] POST ${req.path} from=${ua.slice(0, 60)} bodyParsed=${bodyParsed} readable=${req.readable}`);
       }
 
+      // Fedify's acceptsJsonLd() treats Accept: */* as NOT accepting JSON-LD
+      // (it only returns true for explicit application/activity+json etc.).
+      // Remote servers fetching actor URLs for HTTP Signature verification
+      // (e.g. tags.pub) often omit Accept or use */* — they get HTML back
+      // instead of the actor JSON, causing "public key not found" errors.
+      // Fix: for GET requests to actor paths, upgrade ambiguous Accept headers
+      // to application/activity+json so Fedify serves JSON-LD. Explicit
+      // text/html requests (browsers) are unaffected.
+      if (req.method === "GET" && /^\/users\/[^/]+\/?$/.test(req.path)) {
+        const accept = req.get("accept") || "";
+        if (!accept.includes("text/html") && !accept.includes("application/xhtml+xml")) {
+          req.headers["accept"] = "application/activity+json";
+        }
+      }
+
       return self._fedifyMiddleware(req, res, next);
     });
 
@@ -764,7 +779,7 @@ export default class ActivityPubEndpoint {
         (remoteActor.icon
           ? (await remoteActor.icon)?.url?.href || ""
           : "");
-      const inbox = remoteActor.inbox?.id?.href || "";
+      const inbox = remoteActor.inboxId?.href || "";
       const sharedInbox = remoteActor.endpoints?.sharedInbox?.href || "";
 
       await this._collections.ap_following.updateOne(

package/lib/federation-setup.js

@@ -154,7 +154,16 @@ export function setupFederation(options) {
           };
           if (keyPairs.length > 0) {
             appOptions.publicKey = keyPairs[0].cryptographicKey;
-            appOptions.assertionMethods = keyPairs.map((k) => k.multikey);
+            // Only include Ed25519 keys in assertionMethod (Object Integrity Proofs).
+            // RSA keys belong only in publicKey (HTTP Signatures). Putting the RSA
+            // Multikey in assertionMethod with the same #main-key id as the
+            // CryptographicKey in publicKey causes id collisions — servers that
+            // traverse JSON-LD properties alphabetically (assertionMethod before
+            // publicKey) find the Multikey first, which has no publicKeyPem,
+            // and fail signature verification.
+            appOptions.assertionMethods = keyPairs
+              .filter((k) => k.privateKey.algorithm.name !== "RSASSA-PKCS1-v1_5")
+              .map((k) => k.multikey);
           }
           return new Application(appOptions);
         }
@@ -753,7 +762,12 @@ export async function buildPersonActor(
 
   if (keyPairs.length > 0) {
     personOptions.publicKey = keyPairs[0].cryptographicKey;
-    personOptions.assertionMethods = keyPairs.map((k) => k.multikey);
+    // Only include Ed25519 keys in assertionMethod (Object Integrity Proofs).
+    // RSA keys belong only in publicKey (HTTP Signatures). See instance actor
+    // above for the full explanation of why this filter is necessary.
+    personOptions.assertionMethods = keyPairs
+      .filter((k) => k.privateKey.algorithm.name !== "RSASSA-PKCS1-v1_5")
+      .map((k) => k.multikey);
   }
 
   // Build profile field attachments (PropertyValue).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.8.1",
+  "version": "3.8.3",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",