Loading CHANGES.md +12 −0 Original line number Diff line number Diff line Loading @@ -23,6 +23,18 @@ To be released. [#251]: https://github.com/fedify-dev/fedify/pull/251 Version 1.6.2 ------------- Released on June 19, 2025. - Fixed compatibility issue with Mastodon servers running bleeding-edge versions with RFC 9421 implementation bugs. Extended double-knocking to retry with draft-cavage-http-signatures-12 on `5xx` errors as a temporary workaround for Mastodon's RFC 9421 implementation that returns `500 Internal Server Error`. Version 1.6.1 ------------- Loading fedify/sig/http.ts +9 −1 Original line number Diff line number Diff line Loading @@ -1263,7 +1263,15 @@ export async function doubleKnock( identity, options, ); } else if (response.status === 400 || response.status === 401) { } else if ( // FIXME: Temporary hotfix for Mastodon RFC 9421 implementation bug (as of 2025-06-19). // Some Mastodon servers (including mastodon.social) are running bleeding edge versions // with RFC 9421 support that have a bug causing 500 Internal Server Error when receiving // RFC 9421 signatures. This extends double-knocking to 5xx errors as a workaround, // allowing fallback to draft-cavage signatures. This should be reverted once Mastodon // fixes their RFC 9421 implementation and affected servers are updated. response.status === 400 || response.status === 401 || response.status > 401 ) { // verification failed; retry with the other spec of HTTP Signatures // (double-knocking; see https://swicg.github.io/activitypub-http-signature/#how-to-upgrade-supported-versions) const spec = firstTrySpec === "draft-cavage-http-signatures-12" Loading Loading
CHANGES.md +12 −0 Original line number Diff line number Diff line Loading @@ -23,6 +23,18 @@ To be released. [#251]: https://github.com/fedify-dev/fedify/pull/251 Version 1.6.2 ------------- Released on June 19, 2025. - Fixed compatibility issue with Mastodon servers running bleeding-edge versions with RFC 9421 implementation bugs. Extended double-knocking to retry with draft-cavage-http-signatures-12 on `5xx` errors as a temporary workaround for Mastodon's RFC 9421 implementation that returns `500 Internal Server Error`. Version 1.6.1 ------------- Loading
fedify/sig/http.ts +9 −1 Original line number Diff line number Diff line Loading @@ -1263,7 +1263,15 @@ export async function doubleKnock( identity, options, ); } else if (response.status === 400 || response.status === 401) { } else if ( // FIXME: Temporary hotfix for Mastodon RFC 9421 implementation bug (as of 2025-06-19). // Some Mastodon servers (including mastodon.social) are running bleeding edge versions // with RFC 9421 support that have a bug causing 500 Internal Server Error when receiving // RFC 9421 signatures. This extends double-knocking to 5xx errors as a workaround, // allowing fallback to draft-cavage signatures. This should be reverted once Mastodon // fixes their RFC 9421 implementation and affected servers are updated. response.status === 400 || response.status === 401 || response.status > 401 ) { // verification failed; retry with the other spec of HTTP Signatures // (double-knocking; see https://swicg.github.io/activitypub-http-signature/#how-to-upgrade-supported-versions) const spec = firstTrySpec === "draft-cavage-http-signatures-12" Loading
