Refactor: move federation inside runInbox to avoid double signature verification

Author: sij411

packages/cli/src/inbox.tsx

@@ -3,10 +3,12 @@
 import {
   type Context,
   createFederation,
+  type Federation,
   generateCryptoKeyPair,
   MemoryKvStore,
   verifyRequest,
 } from "@fedify/fedify";
+import type { DocumentLoader } from "@fedify/vocab-runtime";
 import {
   Accept,
   Activity,
@@ -110,7 +112,7 @@ export const inboxCommand = command(
         "--authorized-fetch",
         {
           description:
-            message`Enable authorized fetch mode. Incoming requests without valid HTTP signatures with 401 Unauthorized will be rejected.`,
+            message`Enable authorized fetch mode. Incoming requests without valid HTTP signatures will be rejected with 401 Unauthorized.`,
         },
       ),
     }),
@@ -123,23 +125,177 @@ export const inboxCommand = command(
   },
 );
 
+// Module-level state
+const activities: ActivityEntry[] = [];
+const acceptFollows: string[] = [];
+const peers: Record<string, Actor> = {};
+const followers: Record<string, Actor> = {};
+
 export async function runInbox(
   command: InferValue<typeof inboxCommand>,
 ) {
-  const fetch = createFetchHandler({
-    actorName: command.actorName,
-    actorSummary: command.actorSummary,
-  }, command.authorizedFetch);
-  const sendDeleteToPeers = createSendDeleteToPeers({
-    actorName: command.actorName,
-    actorSummary: command.actorSummary,
-  });
-
   // Enable Debug mode if requested
   if (command.debug) {
     await configureLogging();
   }
 
+  // Create federation inside runInbox to configure skipSignatureVerification
+  const federationDocumentLoader = await getDocumentLoader();
+  const authorizedFetchEnabled = command.authorizedFetch ?? false;
+
+  const federation = createFederation<ContextData>({
+    kv: new MemoryKvStore(),
+    documentLoaderFactory: () => federationDocumentLoader,
+    // When authorizedFetch is enabled, we verify all requests manually,
+    // so skip federation's inbox signature verification to avoid double verification
+    skipSignatureVerification: authorizedFetchEnabled,
+  });
+
+  const time = Temporal.Now.instant();
+  let actorKeyPairs: CryptoKeyPair[] | undefined = undefined;
+
+  // Set up actor dispatcher
+  federation
+    .setActorDispatcher("/{identifier}", async (ctx, identifier) => {
+      if (identifier !== "i") return null;
+      return new Application({
+        id: ctx.getActorUri(identifier),
+        preferredUsername: identifier,
+        name: ctx.data.actorName,
+        summary: ctx.data.actorSummary,
+        inbox: ctx.getInboxUri(identifier),
+        endpoints: new Endpoints({
+          sharedInbox: ctx.getInboxUri(),
+        }),
+        followers: ctx.getFollowersUri(identifier),
+        following: ctx.getFollowingUri(identifier),
+        outbox: ctx.getOutboxUri(identifier),
+        manuallyApprovesFollowers: true,
+        published: time,
+        icon: new Image({
+          url: new URL("https://fedify.dev/logo.png"),
+          mediaType: "image/png",
+        }),
+        publicKey: (await ctx.getActorKeyPairs(identifier))[0].cryptographicKey,
+        assertionMethods: (await ctx.getActorKeyPairs(identifier))
+          .map((pair) => pair.multikey),
+        url: ctx.getActorUri(identifier),
+      });
+    })
+    .setKeyPairsDispatcher(async (_ctxData, identifier) => {
+      if (identifier !== "i") return [];
+      if (actorKeyPairs == null) {
+        actorKeyPairs = [
+          await generateCryptoKeyPair("RSASSA-PKCS1-v1_5"),
+          await generateCryptoKeyPair("Ed25519"),
+        ];
+      }
+      return actorKeyPairs;
+    });
+
+  // Set up inbox listeners
+  federation
+    .setInboxListeners("/{identifier}/inbox", "/inbox")
+    .setSharedKeyDispatcher((_) => ({ identifier: "i" }))
+    .on(Activity, async (ctx, activity) => {
+      activities[ctx.data.activityIndex].activity = activity;
+      for await (const actor of activity.getActors()) {
+        if (actor.id != null) peers[actor.id.href] = actor;
+      }
+      for await (const actor of activity.getAttributions()) {
+        if (actor.id != null) peers[actor.id.href] = actor;
+      }
+      if (activity instanceof Follow) {
+        if (acceptFollows.length < 1) return;
+        const objectId = activity.objectId;
+        if (objectId == null) return;
+        const parsed = ctx.parseUri(objectId);
+        if (parsed?.type !== "actor" || parsed.identifier !== "i") return;
+        const { identifier } = parsed;
+        const follower = await activity.getActor();
+        if (!isActor(follower)) return;
+        const accepts = await matchesActor(follower, acceptFollows);
+        if (!accepts || activity.id == null) {
+          logger.debug("Does not accept follow from {actor}.", {
+            actor: follower.id?.href,
+          });
+          return;
+        }
+        logger.debug("Accepting follow from {actor}.", {
+          actor: follower.id?.href,
+        });
+        followers[activity.id.href] = follower;
+        await ctx.sendActivity(
+          { identifier },
+          follower,
+          new Accept({
+            id: new URL(`#accepts/${follower.id?.href}`, ctx.getActorUri("i")),
+            actor: ctx.getActorUri(identifier),
+            object: activity.id,
+          }),
+        );
+      }
+    });
+
+  // Set up collection dispatchers
+  federation
+    .setFollowersDispatcher("/{identifier}/followers", (_ctx, identifier) => {
+      if (identifier !== "i") return null;
+      const items: Recipient[] = [];
+      for (const follower of Object.values(followers)) {
+        if (follower.id == null) continue;
+        items.push(follower);
+      }
+      return { items };
+    })
+    .setCounter((_ctx, identifier) => {
+      if (identifier !== "i") return null;
+      return Object.keys(followers).length;
+    });
+
+  federation
+    .setFollowingDispatcher(
+      "/{identifier}/following",
+      (_ctx, _identifier) => null,
+    )
+    .setCounter((_ctx, _identifier) => 0);
+
+  federation
+    .setOutboxDispatcher("/{identifier}/outbox", (_ctx, _identifier) => null)
+    .setCounter((_ctx, _identifier) => 0);
+
+  federation.setNodeInfoDispatcher("/nodeinfo/2.1", (_ctx) => {
+    return {
+      software: {
+        name: "fedify-cli",
+        version: metadata.version,
+        repository: new URL("https://github.com/fedify-dev/fedify"),
+      },
+      protocols: ["activitypub"],
+      usage: {
+        users: {
+          total: 1,
+          activeMonth: 1,
+          activeHalfyear: 1,
+        },
+        localComments: 0,
+        localPosts: 0,
+      },
+    };
+  });
+
+  // Create handlers with the configured federation
+  const fetch = createFetchHandler(
+    federation,
+    federationDocumentLoader,
+    { actorName: command.actorName, actorSummary: command.actorSummary },
+    authorizedFetchEnabled,
+  );
+  const sendDeleteToPeers = createSendDeleteToPeers(
+    federation,
+    { actorName: command.actorName, actorSummary: command.actorSummary },
+  );
+
   const spinner = ora({
     text: "Spinning up an ephemeral ActivityPub server...",
     discardStdin: false,
@@ -212,63 +368,8 @@ export async function runInbox(
   printServerInfo(fedCtx);
 }
 
-const federationDocumentLoader = await getDocumentLoader();
-
-const federation = createFederation<ContextData>({
-  kv: new MemoryKvStore(),
-  documentLoaderFactory: () => {
-    return federationDocumentLoader;
-  },
-});
-
-const time = Temporal.Now.instant();
-let actorKeyPairs: CryptoKeyPair[] | undefined = undefined;
-
-federation
-  .setActorDispatcher("/{identifier}", async (ctx, identifier) => {
-    if (identifier !== "i") return null;
-    return new Application({
-      id: ctx.getActorUri(identifier),
-      preferredUsername: identifier,
-      name: ctx.data.actorName,
-      summary: ctx.data.actorSummary,
-      inbox: ctx.getInboxUri(identifier),
-      endpoints: new Endpoints({
-        sharedInbox: ctx.getInboxUri(),
-      }),
-      followers: ctx.getFollowersUri(identifier),
-      following: ctx.getFollowingUri(identifier),
-      outbox: ctx.getOutboxUri(identifier),
-      manuallyApprovesFollowers: true,
-      published: time,
-      icon: new Image({
-        url: new URL("https://fedify.dev/logo.png"),
-        mediaType: "image/png",
-      }),
-      publicKey: (await ctx.getActorKeyPairs(identifier))[0].cryptographicKey,
-      assertionMethods: (await ctx.getActorKeyPairs(identifier))
-        .map((pair) => pair.multikey),
-      url: ctx.getActorUri(identifier),
-    });
-  })
-  .setKeyPairsDispatcher(async (_ctxData, identifier) => {
-    if (identifier !== "i") return [];
-    if (actorKeyPairs == null) {
-      actorKeyPairs = [
-        await generateCryptoKeyPair("RSASSA-PKCS1-v1_5"),
-        await generateCryptoKeyPair("Ed25519"),
-      ];
-    }
-    return actorKeyPairs;
-  });
-
-const activities: ActivityEntry[] = [];
-
-const acceptFollows: string[] = [];
-
-const peers: Record<string, Actor> = {};
-
 function createSendDeleteToPeers(
+  federation: Federation<ContextData>,
   actorOptions: { actorName: string; actorSummary: string },
 ): (server: TemporaryServer) => Promise<void> {
   return async function sendDeleteToPeers(
@@ -301,97 +402,6 @@ function createSendDeleteToPeers(
   };
 }
 
-const followers: Record<string, Actor> = {};
-
-federation
-  .setInboxListeners("/{identifier}/inbox", "/inbox")
-  .setSharedKeyDispatcher((_) => ({ identifier: "i" }))
-  .on(Activity, async (ctx, activity) => {
-    activities[ctx.data.activityIndex].activity = activity;
-    for await (const actor of activity.getActors()) {
-      if (actor.id != null) peers[actor.id.href] = actor;
-    }
-    for await (const actor of activity.getAttributions()) {
-      if (actor.id != null) peers[actor.id.href] = actor;
-    }
-    if (activity instanceof Follow) {
-      if (acceptFollows.length < 1) return;
-      const objectId = activity.objectId;
-      if (objectId == null) return;
-      const parsed = ctx.parseUri(objectId);
-      if (parsed?.type !== "actor" || parsed.identifier !== "i") return;
-      const { identifier } = parsed;
-      const follower = await activity.getActor();
-      if (!isActor(follower)) return;
-      const accepts = await matchesActor(follower, acceptFollows);
-      if (!accepts || activity.id == null) {
-        logger.debug("Does not accept follow from {actor}.", {
-          actor: follower.id?.href,
-        });
-        return;
-      }
-      logger.debug("Accepting follow from {actor}.", {
-        actor: follower.id?.href,
-      });
-      followers[activity.id.href] = follower;
-      await ctx.sendActivity(
-        { identifier },
-        follower,
-        new Accept({
-          id: new URL(`#accepts/${follower.id?.href}`, ctx.getActorUri("i")),
-          actor: ctx.getActorUri(identifier),
-          object: activity.id,
-        }),
-      );
-    }
-  });
-
-federation
-  .setFollowersDispatcher("/{identifier}/followers", (_ctx, identifier) => {
-    if (identifier !== "i") return null;
-    const items: Recipient[] = [];
-    for (const follower of Object.values(followers)) {
-      if (follower.id == null) continue;
-      items.push(follower);
-    }
-    return { items };
-  })
-  .setCounter((_ctx, identifier) => {
-    if (identifier !== "i") return null;
-    return Object.keys(followers).length;
-  });
-
-federation
-  .setFollowingDispatcher(
-    "/{identifier}/following",
-    (_ctx, _identifier) => null,
-  )
-  .setCounter((_ctx, _identifier) => 0);
-
-federation
-  .setOutboxDispatcher("/{identifier}/outbox", (_ctx, _identifier) => null)
-  .setCounter((_ctx, _identifier) => 0);
-
-federation.setNodeInfoDispatcher("/nodeinfo/2.1", (_ctx) => {
-  return {
-    software: {
-      name: "fedify-cli",
-      version: metadata.version,
-      repository: new URL("https://github.com/fedify-dev/fedify"),
-    },
-    protocols: ["activitypub"],
-    usage: {
-      users: {
-        total: 1,
-        activeMonth: 1,
-        activeHalfyear: 1,
-      },
-      localComments: 0,
-      localPosts: 0,
-    },
-  };
-});
-
 function printServerInfo(fedCtx: Context<ContextData>): void {
   const table = new Table({
     chars: tableStyle,
@@ -493,6 +503,8 @@ app.get("/r/:idx{[0-9]+}", (c) => {
 });
 
 function createFetchHandler(
+  federation: Federation<ContextData>,
+  documentLoader: DocumentLoader,
   actorOptions: { actorName: string; actorSummary: string },
   authorizedFetchEnabled: boolean,
 ): (request: Request) => Promise<Response> {
@@ -505,9 +517,7 @@ function createFetchHandler(
     }
 
     if (authorizedFetchEnabled) {
-      const key = await verifyRequest(request, {
-        documentLoader: federationDocumentLoader,
-      });
+      const key = await verifyRequest(request, { documentLoader });
       if (key == null) {
         logger.error(
           "Unauthorized request: HTTP Signature verification failed for {method} {path}",