Unverified Commit cfc386c4 authored by Hong Minhee

Fix Mastodon RFC 9421 compatibility issue

Extend double-knocking to retry on 5xx errors as a temporary workaround
for Mastodon servers running bleeding-edge versions with RFC 9421
implementation bugs that return 500 Internal Server Error when receiving
RFC 9421 signatures. This allows fallback to draft-cavage signatures
for affected servers including mastodon.social.
parent e1cd3bef
+6 −0
@@ -8,6 +8,12 @@ Version 1.6.2

To be released.

 -  Fixed compatibility issue with Mastodon servers running bleeding-edge
    versions with RFC 9421 implementation bugs. Extended double-knocking
    to retry with draft-cavage-http-signatures-12 on `5xx` errors as a temporary
    workaround for Mastodon's RFC 9421 implementation that returns `500
    Internal Server Error`.


Version 1.6.1
-------------
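
Review bot: The changelog entry says the retry happens on `5xx` errors, but the `doubleKnock` condition changed in this same commit is `response.status > 401`, which is wider than `5xx`. Either narrow the code to match this wording or describe the real scope here, so that users reading the 1.6.2 notes know which responses now trigger a second, draft-cavage-signed request. Since the entry calls this a temporary workaround, a link to the upstream Mastodon report would also make it easier to tell when it can be dropped.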
+9 −1
@@ -1263,7 +1263,15 @@ export async function doubleKnock(
      identity,
      options,
    );
  } else if (response.status === 400 || response.status === 401) {
  } else if (
    // FIXME: Temporary hotfix for Mastodon RFC 9421 implementation bug (as of 2025-06-19).
    // Some Mastodon servers (including mastodon.social) are running bleeding edge versions
    // with RFC 9421 support that have a bug causing 500 Internal Server Error when receiving
    // RFC 9421 signatures. This extends double-knocking to 5xx errors as a workaround,
    // allowing fallback to draft-cavage signatures. This should be reverted once Mastodon
    // fixes their RFC 9421 implementation and affected servers are updated.
    response.status === 400 || response.status === 401 || response.status > 401
  ) {
    // verification failed; retry with the other spec of HTTP Signatures
    // (double-knocking; see https://swicg.github.io/activitypub-http-signature/#how-to-upgrade-supported-versions)
    const spec = firstTrySpec === "draft-cavage-http-signatures-12"
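
Review bot: The new clause `response.status > 401` in the `else if` matches every status above 401, not only the 5xx range that the FIXME comment and the changelog describe. With the two explicit checks kept beside it, the whole condition is equivalent to `response.status >= 400`, so 403, 404, 410 and 429 responses also cause the request to be re-signed and re-sent. None of those indicate a signature-spec mismatch, and retrying on 429 doubles traffic to a server that has just asked for less. Suggest bounding it to what the comment states, for example `response.status >= 500 && response.status < 600` next to the existing 400/401 checks. The inline comment below, "verification failed", also no longer holds for the 5xx case and could say so. The FIXME carries a date but no issue reference; adding one would give the planned revert something to track.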