Merge tag '1.4.11' into 1.5-maintenance

Fedify 1.4.11

Author: dahlia

CHANGES.md

@@ -8,6 +8,14 @@ Version 1.5.3
 
 To be released.
 
+ -  Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which
+    caused a `500 Internal Server Error` when the received activity had
+    an invalid JSON-LD syntax.  Now it logs the error and responds with
+    a `400 Bad Request` error instead.  [[#232]]
+
+ -  The `exportJwk()` function now populates the `alg` property of a returned
+    `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key.
+
 
 Version 1.5.2
 -------------
@@ -158,6 +166,20 @@ Released on March 28, 2025.
 [multibase]: https://github.com/multiformats/js-multibase
 
 
+Version 1.4.11
+--------------
+
+Released on May 16, 2025.
+
+ -  Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which
+    caused a `500 Internal Server Error` when the received activity had
+    an invalid JSON-LD syntax.  Now it logs the error and responds with
+    a `400 Bad Request` error instead.  [[#232]]
+
+ -  The `exportJwk()` function now populates the `alg` property of a returned
+    `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key.
+
+
 Version 1.4.10
 --------------
 
@@ -382,6 +404,20 @@ Released on February 5, 2025.
 [#195]: https://github.com/fedify-dev/fedify/issues/195
 
 
+Version 1.3.18
+--------------
+
+Released on May 16, 2025.
+
+ -  Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which
+    caused a `500 Internal Server Error` when the received activity had
+    an invalid JSON-LD syntax.  Now it logs the error and responds with
+    a `400 Bad Request` error instead.  [[#232]]
+
+ -  The `exportJwk()` function now populates the `alg` property of a returned
+    `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key.
+
+
 Version 1.3.17
 --------------
 
@@ -722,6 +758,20 @@ Released on November 30, 2024.
 [#193]: https://github.com/fedify-dev/fedify/issues/193
 
 
+Version 1.2.22
+--------------
+
+Released on May 16, 2025.
+
+ -  Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which
+    caused a `500 Internal Server Error` when the received activity had
+    an invalid JSON-LD syntax.  Now it logs the error and responds with
+    a `400 Bad Request` error instead.  [[#232]]
+
+ -  The `exportJwk()` function now populates the `alg` property of a returned
+    `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key.
+
+
 Version 1.2.21
 --------------
 
@@ -1110,6 +1160,20 @@ Released on October 31, 2024.
 [#118]: https://github.com/fedify-dev/fedify/issues/118
 
 
+Version 1.1.22
+--------------
+
+Released on May 16, 2025.
+
+ -  Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which
+    caused a `500 Internal Server Error` when the received activity had
+    an invalid JSON-LD syntax.  Now it logs the error and responds with
+    a `400 Bad Request` error instead.  [[#232]]
+
+ -  The `exportJwk()` function now populates the `alg` property of a returned
+    `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key.
+
+
 Version 1.1.21
 --------------
 
@@ -1539,6 +1603,22 @@ Released on October 20, 2024.
 [#150]: https://github.com/fedify-dev/fedify/issues/150
 
 
+Version 1.0.25
+--------------
+
+Released on May 16, 2025.
+
+ -  Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which
+    caused a `500 Internal Server Error` when the received activity had
+    an invalid JSON-LD syntax.  Now it logs the error and responds with
+    a `400 Bad Request` error instead.  [[#232]]
+
+ -  The `exportJwk()` function now populates the `alg` property of a returned
+    `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key.
+
+[#232]: https://github.com/fedify-dev/fedify/issues/232
+
+
 Version 1.0.24
 --------------
 

src/federation/handler.test.ts

@@ -1271,6 +1271,41 @@ test("handleInbox()", async () => {
   });
   assertEquals(onNotFoundCalled, null);
   assertEquals(response.status, 202);
+
+  const invalidRequest = new Request("https://example.com/", {
+    method: "POST",
+    body: JSON.stringify({
+      "@context": [
+        "https://www.w3.org/ns/activitystreams",
+        true,
+        23,
+      ],
+      type: "Create",
+      object: { type: "Note", content: "Hello, world!" },
+      actor: "https://example.com/users/alice",
+    }),
+  });
+  const signedInvalidRequest = await signRequest(
+    invalidRequest,
+    rsaPrivateKey3,
+    rsaPublicKey3.id!,
+  );
+  const signedInvalidContext = createRequestContext({
+    request: signedInvalidRequest,
+    url: new URL(signedInvalidRequest.url),
+    data: undefined,
+    documentLoader: mockDocumentLoader,
+  });
+  response = await handleInbox(signedInvalidRequest, {
+    recipient: null,
+    context: signedContext,
+    inboxContextFactory(_activity) {
+      return createInboxContext(signedInvalidContext);
+    },
+    ...inboxOptions,
+  });
+  assertEquals(onNotFoundCalled, null);
+  assertEquals(response.status, 400);
 });
 
 test("respondWithObject()", async () => {

src/federation/handler.ts

@@ -596,12 +596,24 @@ async function handleInboxInternal<TContextData>(
     });
   }
   const keyCache = new KvKeyCache(kv, kvPrefixes.publicKey, ctx);
-  const ldSigVerified = await verifyJsonLd(json, {
-    contextLoader: ctx.contextLoader,
-    documentLoader: ctx.documentLoader,
-    keyCache,
-    tracerProvider,
-  });
+  let ldSigVerified: boolean;
+  try {
+    ldSigVerified = await verifyJsonLd(json, {
+      contextLoader: ctx.contextLoader,
+      documentLoader: ctx.documentLoader,
+      keyCache,
+      tracerProvider,
+    });
+  } catch (error) {
+    if (error instanceof Error && error.name === "jsonld.SyntaxError") {
+      logger.error("Failed to parse JSON-LD:\n{error}", { recipient, error });
+      return new Response("Invalid JSON-LD.", {
+        status: 400,
+        headers: { "Content-Type": "text/plain; charset=utf-8" },
+      });
+    }
+    ldSigVerified = false;
+  }
   const jsonWithoutSig = detachSignature(json);
   let activity: Activity | null = null;
   if (ldSigVerified) {