Merge tag '1.3.1'

Fedify 1.3.1

CHANGES.md

@@ -9,6 +9,15 @@ Version 1.4.0
 To be released.
 
 
+Version 1.3.1
+-------------
+
+Released on December 11, 2024.
+
+ -  Fixed idempotence check in inbox listeners to ensure activities for
+    different origins are processed correctly.
+
+
 Version 1.3.0
 -------------
 
@@ -126,6 +135,15 @@ Released on November 30, 2024.
 [#193]: https://github.com/dahlia/fedify/issues/193
 
 
+Version 1.2.9
+-------------
+
+Released on December 11, 2024.
+
+ -  Fixed idempotence check in inbox listeners to ensure activities for
+    different origins are processed correctly.
+
+
 Version 1.2.8
 -------------
 
@@ -145,7 +163,7 @@ Released on November 23, 2024.
 Version 1.2.7
 -------------
 
-Released on December 22, 2024.
+Released on November 22, 2024.
 
  -  Fixed a bug where `lookupWebFinger()` function had thrown a `TypeError`
     when the *.well-known/webfinger* redirects to a relative URI.  [[#166]]
@@ -154,7 +172,7 @@ Released on December 22, 2024.
 Version 1.2.6
 -------------
 
-Released on December 19, 2024.
+Released on November 19, 2024.
 
  -  Fix a bug where `Actor`'s `inbox` and `outbox` properties had not been
     able to be set to an `OrderedCollectionPage` object, even though it is
@@ -332,6 +350,15 @@ Released on October 31, 2024.
 [#118]: https://github.com/dahlia/fedify/issues/118
 
 
+Version 1.1.9
+-------------
+
+Released on December 11, 2024.
+
+ -  Fixed idempotence check in inbox listeners to ensure activities for
+    different origins are processed correctly.
+
+
 Version 1.1.8
 -------------
 
@@ -417,7 +444,7 @@ Released on November 19, 2024.
 Version 1.1.5
 -------------
 
-Released on December 14, 2024.
+Released on November 14, 2024.
 
  -  Suppressed a `TypeError` with a message <q>unusable</q> due to Node.js's
     mysterious behavior.  [[#159]]
@@ -579,10 +606,19 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
 
 
+Version 1.0.12
+--------------
+
+Released on December 11, 2024.
+
+ -  Fixed idempotence check in inbox listeners to ensure activities for
+    different origins are processed correctly.
+
+
 Version 1.0.11
 --------------
 
-Released on December 22, 2024.
+Released on November 22, 2024.
 
  -  Fixed a bug where `lookupWebFinger()` function had thrown a `TypeError`
     when the *.well-known/webfinger* redirects to a relative URI.  [[#166]]
@@ -591,7 +627,7 @@ Released on December 22, 2024.
 Version 1.0.10
 --------------
 
-Released on December 19, 2024.
+Released on November 19, 2024.
 
  -  Fix a bug where `Actor`'s `inbox` and `outbox` properties had not been
     able to be set to an `OrderedCollectionPage` object, even though it is
@@ -648,7 +684,7 @@ Released on December 19, 2024.
 Version 1.0.9
 -------------
 
-Released on December 14, 2024.
+Released on November 14, 2024.
 
  -  Suppressed a `TypeError` with a message <q>unusable</q> due to Node.js's
     mysterious behavior.  [[#159]]

src/federation/inbox.ts

@@ -119,6 +119,7 @@ export async function routeActivity<TContextData>(
   const logger = getLogger(["fedify", "federation", "inbox"]);
   const cacheKey = activity.id == null ? null : [
     ...kvPrefixes.activityIdempotence,
+    ctx.origin,
     activity.id.href,
   ] satisfies KvKey;
   if (cacheKey != null) {

src/federation/middleware.test.ts

@@ -671,10 +671,11 @@ test("Federation.setInboxListeners()", async (t) => {
     assertEquals(response.status, 401);
 
     // Personal inbox + HTTP Signatures (RSA)
+    const activityPayload = await activity().toJsonLd(options);
     let request = new Request("https://example.com/users/john/inbox", {
       method: "POST",
       headers: { "Content-Type": "application/activity+json" },
-      body: JSON.stringify(await activity().toJsonLd(options)),
+      body: JSON.stringify(activityPayload),
     });
     request = await signRequest(
       request,
@@ -693,6 +694,37 @@ test("Federation.setInboxListeners()", async (t) => {
       ["https://example.com/person", "https://example.com/users/john#main-key"],
     ]);
 
+    // Idempotence check
+    response = await federation.fetch(request, { contextData: undefined });
+    assertEquals(inbox.length, 1);
+
+    // Idempotence check with different origin (host)
+    inbox.shift();
+    request = new Request("https://another.host/users/john/inbox", {
+      method: "POST",
+      headers: { "Content-Type": "application/activity+json" },
+      body: JSON.stringify(activityPayload),
+    });
+    request = await signRequest(
+      request,
+      rsaPrivateKey3,
+      new URL("https://example.com/person2#key3"),
+    );
+    response = await federation.fetch(request, { contextData: undefined });
+    assertEquals(inbox.length, 1);
+    assertEquals(inbox[0][1].actorId, new URL("https://example.com/person2"));
+    assertEquals(response.status, 202);
+
+    while (authenticatedRequests.length > 0) authenticatedRequests.shift();
+    assertEquals(authenticatedRequests, []);
+    await inbox[0][0].documentLoader("https://example.com/person");
+    assertEquals(authenticatedRequests, [
+      [
+        "https://example.com/person",
+        "https://another.host/users/john#main-key",
+      ],
+    ]);
+
     // Shared inbox + HTTP Signatures (RSA)
     inbox.shift();
     request = new Request("https://example.com/inbox", {

src/federation/middleware.ts

@@ -686,6 +686,7 @@ export class FederationImpl<TContextData> implements Federation<TContextData> {
     }
     const cacheKey = activity.id == null ? null : [
       ...this.kvPrefixes.activityIdempotence,
+      context.origin,
       activity.id.href,
     ] satisfies KvKey;
     if (cacheKey != null) {