Loading CHANGES.md +247 −0 Original line number Diff line number Diff line Loading @@ -125,6 +125,61 @@ To be released. [#375]: https://github.com/fedify-dev/fedify/issues/375 Version 1.8.8 ------------- Released on August 25, 2025. ### @fedify/fedify - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.8.7 ------------- Released on August 25, 2025. ### @fedify/fedify - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.8.6 ------------- Released on August 24, 2025. ### @fedify/nestjs - Fixed a critical error that prevented the middleware from processing ActivityPub requests in NestJS applications. The middleware now correctly handles request bodies that have been pre-processed by other NestJS middleware or interceptors. [[#279], [#386] by Jaeyeol Lee] [#279]: https://github.com/fedify-dev/fedify/issues/279 [#386]: https://github.com/fedify-dev/fedify/pull/386 ### @fedify/testing - Updated exports to include context creation functions. [[#382] by Colin Mitchell] - Added `createContext()` function. - Added `createInboxContext()` function. - Added `createRequestContext()` function. [#382]: https://github.com/fedify-dev/fedify/pull/382 Version 1.8.5 ------------- Loading Loading @@ -412,6 +467,30 @@ the versioning. [iTerm]: https://iterm2.com/ Version 1.7.11 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.7.10 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.7.9 ------------- Loading Loading @@ -550,6 +629,30 @@ Released on June 25, 2025. [#252]: https://github.com/fedify-dev/fedify/pull/252 Version 1.6.10 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.6.9 ------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.6.8 ------------- Loading Loading @@ -691,6 +794,30 @@ the versioning. [#242]: https://github.com/fedify-dev/fedify/pull/242 Version 1.5.7 ------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.5.6 ------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.5.5 ------------- Loading Loading @@ -878,6 +1005,30 @@ Released on March 28, 2025. [multibase]: https://github.com/multiformats/js-multibase Version 1.4.15 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.4.14 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.4.13 -------------- Loading Loading @@ -1140,6 +1291,30 @@ Released on February 5, 2025. [#195]: https://github.com/fedify-dev/fedify/issues/195 Version 1.3.22 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.3.21 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.3.20 -------------- Loading Loading @@ -1520,6 +1695,30 @@ Released on November 30, 2024. [#193]: https://github.com/fedify-dev/fedify/issues/193 Version 1.2.25 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.2.24 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.2.23 -------------- Loading Loading @@ -1933,6 +2132,30 @@ Released on October 31, 2024. [#118]: https://github.com/fedify-dev/fedify/issues/118 Version 1.1.25 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.1.24 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.1.23 -------------- Loading Loading @@ -2387,6 +2610,30 @@ Released on October 20, 2024. [#150]: https://github.com/fedify-dev/fedify/issues/150 Version 1.0.28 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.0.27 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.0.26 -------------- Loading docs/manual/integration.md +7 −2 Original line number Diff line number Diff line Loading @@ -401,6 +401,7 @@ import { RequestMethod, } from '@nestjs/common'; import { ConfigModule } from '@nestjs/config'; import * as express from 'express'; import { AppController } from './app.controller'; import { AppService } from './app.service'; import { DatabaseModule } from './database/database.module'; Loading Loading @@ -447,8 +448,12 @@ export class AppModule implements NestModule { }, ); // Apply middleware to all routes except auth endpoints consumer.apply(fedifyMiddleware).forRoutes({ path: '*', method: RequestMethod.ALL }); // Fedify middleware requires the raw request body for HTTP signature verification // so we apply `express.raw()` before `fedifyMiddleware` to preserve the body. consumer.apply( express.raw({ type: '*/*' }), fedifyMiddleware ).forRoutes({ path: '*', method: RequestMethod.ALL }); } } ~~~~ Loading mise.toml +1 −1 Original line number Diff line number Diff line [tools] bun = "latest" deno = "2.4.4" deno = "2.4.5" node = "22" "npm:pnpm" = "latest" packages/fedify/src/runtime/docloader.test.ts +26 −0 Original line number Diff line number Diff line Loading @@ -189,6 +189,32 @@ test("getDocumentLoader()", async (t) => { }); }); fetchMock.get("https://example.com/xhtml-link", { body: `<html> <head> <meta charset="utf-8" /> <link rel=alternate type="application/activity+json" href="https://example.com/object" /> </head> </html>`, headers: { "Content-Type": "application/xhtml+xml; charset=utf-8" }, }); await t.step("XHTML <link>", async () => { assertEquals(await fetchDocumentLoader("https://example.com/xhtml-link"), { contextUrl: null, documentUrl: "https://example.com/object", document: { "@context": "https://www.w3.org/ns/activitystreams", id: "https://example.com/object", name: "Fetched object", type: "Object", }, }); }); fetchMock.get("https://example.com/html-a", { body: `<html> <head> Loading packages/fedify/src/runtime/docloader.ts +2 −1 Original line number Diff line number Diff line Loading @@ -254,7 +254,8 @@ export async function getRemoteDocument( contentType === "application/xhtml+xml" || contentType?.startsWith("application/xhtml+xml;")) ) { const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\/?>/ig; const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig; const p2 = /\s+([a-z][a-z:_-]*)=("([^"]*)"|'([^']*)'|([^\s>]+))/ig; const html = await response.text(); let m: RegExpExecArray | null; Loading Loading
CHANGES.md +247 −0 Original line number Diff line number Diff line Loading @@ -125,6 +125,61 @@ To be released. [#375]: https://github.com/fedify-dev/fedify/issues/375 Version 1.8.8 ------------- Released on August 25, 2025. ### @fedify/fedify - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.8.7 ------------- Released on August 25, 2025. ### @fedify/fedify - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.8.6 ------------- Released on August 24, 2025. ### @fedify/nestjs - Fixed a critical error that prevented the middleware from processing ActivityPub requests in NestJS applications. The middleware now correctly handles request bodies that have been pre-processed by other NestJS middleware or interceptors. [[#279], [#386] by Jaeyeol Lee] [#279]: https://github.com/fedify-dev/fedify/issues/279 [#386]: https://github.com/fedify-dev/fedify/pull/386 ### @fedify/testing - Updated exports to include context creation functions. [[#382] by Colin Mitchell] - Added `createContext()` function. - Added `createInboxContext()` function. - Added `createRequestContext()` function. [#382]: https://github.com/fedify-dev/fedify/pull/382 Version 1.8.5 ------------- Loading Loading @@ -412,6 +467,30 @@ the versioning. [iTerm]: https://iterm2.com/ Version 1.7.11 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.7.10 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.7.9 ------------- Loading Loading @@ -550,6 +629,30 @@ Released on June 25, 2025. [#252]: https://github.com/fedify-dev/fedify/pull/252 Version 1.6.10 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.6.9 ------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.6.8 ------------- Loading Loading @@ -691,6 +794,30 @@ the versioning. [#242]: https://github.com/fedify-dev/fedify/pull/242 Version 1.5.7 ------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.5.6 ------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.5.5 ------------- Loading Loading @@ -878,6 +1005,30 @@ Released on March 28, 2025. [multibase]: https://github.com/multiformats/js-multibase Version 1.4.15 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.4.14 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.4.13 -------------- Loading Loading @@ -1140,6 +1291,30 @@ Released on February 5, 2025. [#195]: https://github.com/fedify-dev/fedify/issues/195 Version 1.3.22 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.3.21 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.3.20 -------------- Loading Loading @@ -1520,6 +1695,30 @@ Released on November 30, 2024. [#193]: https://github.com/fedify-dev/fedify/issues/193 Version 1.2.25 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.2.24 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.2.23 -------------- Loading Loading @@ -1933,6 +2132,30 @@ Released on October 31, 2024. [#118]: https://github.com/fedify-dev/fedify/issues/118 Version 1.1.25 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.1.24 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.1.23 -------------- Loading Loading @@ -2387,6 +2610,30 @@ Released on October 20, 2024. [#150]: https://github.com/fedify-dev/fedify/issues/150 Version 1.0.28 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.0.27 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `<link>` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.0.26 -------------- Loading
docs/manual/integration.md +7 −2 Original line number Diff line number Diff line Loading @@ -401,6 +401,7 @@ import { RequestMethod, } from '@nestjs/common'; import { ConfigModule } from '@nestjs/config'; import * as express from 'express'; import { AppController } from './app.controller'; import { AppService } from './app.service'; import { DatabaseModule } from './database/database.module'; Loading Loading @@ -447,8 +448,12 @@ export class AppModule implements NestModule { }, ); // Apply middleware to all routes except auth endpoints consumer.apply(fedifyMiddleware).forRoutes({ path: '*', method: RequestMethod.ALL }); // Fedify middleware requires the raw request body for HTTP signature verification // so we apply `express.raw()` before `fedifyMiddleware` to preserve the body. consumer.apply( express.raw({ type: '*/*' }), fedifyMiddleware ).forRoutes({ path: '*', method: RequestMethod.ALL }); } } ~~~~ Loading
mise.toml +1 −1 Original line number Diff line number Diff line [tools] bun = "latest" deno = "2.4.4" deno = "2.4.5" node = "22" "npm:pnpm" = "latest"
packages/fedify/src/runtime/docloader.test.ts +26 −0 Original line number Diff line number Diff line Loading @@ -189,6 +189,32 @@ test("getDocumentLoader()", async (t) => { }); }); fetchMock.get("https://example.com/xhtml-link", { body: `<html> <head> <meta charset="utf-8" /> <link rel=alternate type="application/activity+json" href="https://example.com/object" /> </head> </html>`, headers: { "Content-Type": "application/xhtml+xml; charset=utf-8" }, }); await t.step("XHTML <link>", async () => { assertEquals(await fetchDocumentLoader("https://example.com/xhtml-link"), { contextUrl: null, documentUrl: "https://example.com/object", document: { "@context": "https://www.w3.org/ns/activitystreams", id: "https://example.com/object", name: "Fetched object", type: "Object", }, }); }); fetchMock.get("https://example.com/html-a", { body: `<html> <head> Loading
packages/fedify/src/runtime/docloader.ts +2 −1 Original line number Diff line number Diff line Loading @@ -254,7 +254,8 @@ export async function getRemoteDocument( contentType === "application/xhtml+xml" || contentType?.startsWith("application/xhtml+xml;")) ) { const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\/?>/ig; const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig; const p2 = /\s+([a-z][a-z:_-]*)=("([^"]*)"|'([^']*)'|([^\s>]+))/ig; const html = await response.text(); let m: RegExpExecArray | null; Loading
