Fedify 0.12.0

Released on July 24, 2024.

• The fedify command is now available on npm. [#104]

• Incoming activities are now queued before being dispatched to the inbox listener if the queue option is provided to the createFederation() function. [#70]

  • The type of InboxListener callback type's first parameter became Context (was RequestContext).
  • The type of InboxErrorHandler callback type's first parameter became Context (was RequestContext).
  • The type of SharedInboxKeyDispatcher callback type's first parameter became Context (was RequestContext).

• Implemented fully customizable retry policy for failed tasks in the task queue. By default, the task queue retries the failed tasks with an exponential backoff policy with decorrelated jitter.

  • Added outboxRetryPolicy option to CreateFederationOptions interface.
  • Added inboxRetryPolicy option to CreateFederationOptions interface. [#70]
  • Added RetryPolicy callback type.
  • Added RetryContext interface.
  • Added createExponentialBackoffPolicy() function.
  • Added CreateExponentialBackoffPolicyOptions interface.

• Federation object now allows its task queue to be started manually. [#53]

  • Added manuallyStartQueue option to CreateFederationOptions interface.
  • Added Federation.startQueue() method.

• Made the router able to be insensitive to trailing slashes in the URL paths. [#81]

  • Added trailingSlashInsensitive option to CreateFederationOptions interface.
  • Added RouterOptions interface.
  • Added an optional parameter to new Router() constructor.

• Added ChatMessage class to Activity Vocabulary API. [#85]

• Added Move class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Added Read class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Added Travel class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Added View class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Added TentativeAccept class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Added TentativeReject class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Improved multitenancy (virtual hosting) support. [#66]

  • Added Context.hostname property.
  • Added Context.host property.
  • Added Context.origin property.
  • The type of ActorKeyPairsDispatcher<TContextData>'s first parameter became Context (was TContextData).

• During verifying HTTP Signatures and Object Integrity Proofs, once fetched public keys are now cached. [#107]

  • The verifyRequest() function now caches the fetched public keys when the keyCache option is provided.
  • The verifyProof() function now caches the fetched public keys when the keyCache option is provided.
  • The verifyObject() function now caches the fetched public keys when the keyCache option is provided.
  • Added KeyCache interface.
  • Added VerifyRequestOptions.keyCache property.
  • Added VerifyProofOptions.keyCache property.
  • Added VerifyObjectOptions.keyCache property.
  • Added FederationKvPrefixes.publicKey property.

• The built-in document loaders now recognize JSON-LD context provided in an HTTP Link header. [#6]

  • The fetchDocumentLoader() function now recognizes the Link header with the http://www.w3.org/ns/json-ld#context link relation.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that recognizes the Link header with the http://www.w3.org/ns/json-ld#context link relation.

• Deprecated Federation.sendActivity() method. Use Context.sendActivity() method instead.

• The last parameter of Federation.sendActivity() method is no longer optional. Also, it now takes the required contextData option.

• Removed Context.getHandleFromActorUri() method which was deprecated in version 0.9.0. Use Context.parseUri() method instead.

• Removed @fedify/fedify/httpsig module which was deprecated in version 0.9.0. Use @fedify/fedify/sig module instead.

  • Removed sign() function.
  • Removed verify() function.
  • Removed VerifyOptions interface.

• Fixed a bug where the lookupWebFinger() function had incorrectly queried if the given resource was a URL starts with http: or had a non-default port number.

• Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

  • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
  • Added an optional second parameter to the fetchDocumentLoader() function, which can be used to allow fetching private network addresses.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
  • Added an optional second parameter to the getAuthenticatedDocumentLoader() function, which can be used to allow fetching private network addresses.

• Added fedify init subcommand. [#105]

• Added more log messages using the LogTape library. Currently the below logger categories are used:

  • ["fedify", "federation", "queue"]

Fedify 0.11.3

Released on July 15, 2024.

• Fixed a bug where use of Federation.setInboxDispatcher() after Federation.setInboxListeners() had caused a RouterError to be thrown even if the paths match. [#101 by Fabien O'Carroll]

Fedify 0.11.2

Released on July 9, 2024.

• Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

  • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Fedify 0.10.2

Released on July 9, 2024.

• Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

  • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Fedify 0.9.3

Released on July 9, 2024.

• Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

  • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Fedify 0.11.1

Released on July 5, 2024.

• Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

  • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Fedify 0.10.1

Released on July 5, 2024.

• Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

  • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Fedify 0.9.2

Released on July 5, 2024.

• Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

  • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Fedify 0.11.0

Released on June 29, 2024.

• Improved runtime type error messages for Activity Vocabulary API. [#79]

• Added suppressError option to dereferencing accessors of Activity Vocabulary classes.

• Added more collection dispatchers. [#78]

  • Added Federation.setInboxDispatcher() method. [#71]
  • Added Federation.setLikedDispatcher() method.
  • Added Context.getLikedUri() method.
  • Added { type: "liked"; handle: string } case to ParseUriResult type.
  • Renamed linked property (which was a typo) to liked in Application, Group, Organization, Person, and Service classes.
  • Added Federation.setFeaturedDispatcher() method.
  • Added Context.getFeaturedUri() method.
  • Added { type: "featured"; handle: string } case to ParseUriResult type.
  • Added Federation.setFeaturedTagsDispatcher() method.
  • Added Context.getFeaturedTagsUri() method.
  • Added { type: "featuredTags"; handle: string } case to ParseUriResult type.

• Frequently used JSON-LD contexts are now preloaded. [#74]

  • The fetchDocumentLoader() function now preloads the following JSON-LD contexts:

    • https://www.w3.org/ns/activitystreams
    • https://w3id.org/security/v1
    • https://w3id.org/security/data-integrity/v1
    • https://www.w3.org/ns/did/v1
    • https://w3id.org/security/multikey/v1

  • The default rules for kvCache() function are now 5 minutes for all URLs.

• Added Invite class to Activity Vocabulary API. [#65, #80 by Randy Wressell]

• Added Join class to Activity Vocabulary API. [#65, #80 by Randy Wressell]

• Added Leave class to Activity Vocabulary API. [#65, #80 by Randy Wressell]

• Added Listen class to Activity Vocabulary API. [#65, #80 by Randy Wressell]

• Added Offer class to Activity Vocabulary API. [#65, #76 by Lee Dogeon]

• The below properties of Collection and CollectionPage in Activity Vocabulary API now do not accept Link objects:

  • Collection.current
  • Collection.first
  • Collection.last
  • CollectionPage.partOf
  • CollectionPage.next
  • CollectionPage.prev

• Added featured property to Actor types in Activity Vocabulary API. [#78]

  • Added Application.getFeatured() method.
  • Added Application.featuredId property.
  • new Application() constructor now accepts featured option.
  • Application.clone() method now accepts featured option.
  • Added Group.getFeatured() method.
  • Added Group.featuredId property.
  • new Group() constructor now accepts featured option.
  • Group.clone() method now accepts featured option.
  • Added Organization.getFeatured() method.
  • Added Organization.featuredId property.
  • new Organization() constructor now accepts featured option.
  • Organization.clone() method now accepts featured option.
  • Added Person.getFeatured() method.
  • Added Person.featuredId property.
  • new Person() constructor now accepts featured option.
  • Person.clone() method now accepts featured option.
  • Added Service.getFeatured() method.
  • Added Service.featuredId property.
  • new Service() constructor now accepts featured option.
  • Service.clone() method now accepts featured option.

• Added featuredTags property to Actor types in Activity Vocabulary API. [#78]

  • Added Application.getFeaturedTags() method.
  • Added Application.featuredTagsId property.
  • new Application() constructor now accepts featuredTags option.
  • Application.clone() method now accepts featuredTags option.
  • Added Group.getFeaturedTags() method.
  • Added Group.featuredTagsId property.
  • new Group() constructor now accepts featuredTags option.
  • Group.clone() method now accepts featuredTags option.
  • Added Organization.getFeaturedTags() method.
  • Added Organization.featuredTagsId property.
  • new Organization() constructor now accepts featuredTags option.
  • Organization.clone() method now accepts featuredTags option.
  • Added Person.getFeaturedTags() method.
  • Added Person.featuredTagsId property.
  • new Person() constructor now accepts featuredTags option.
  • Person.clone() method now accepts featuredTags option.
  • Added Service.getFeaturedTags() method.
  • Added Service.featuredTagsId property.
  • new Service() constructor now accepts featuredTags option.
  • Service.clone() method now accepts featuredTags option.

• Added target property to Activity class in Activity Vocabulary API.

  • Added Activity.getTarget() method.
  • Added Activity.getTargets() method.
  • Added Activity.targetId property.
  • Added Activity.targetIds property.
  • new Activity() constructor now accepts target option.
  • new Activity() constructor now accepts targets option.
  • Activity.clone() method now accepts target option.
  • Activity.clone() method now accepts targets option.

• Added result property to Activity class in Activity Vocabulary API.

  • Added Activity.getResult() method.
  • Added Activity.getResults() method.
  • Added Activity.resultId property.
  • Added Activity.resultIds property.
  • new Activity() constructor now accepts result option.
  • new Activity() constructor now accepts results option.
  • Activity.clone() method now accepts result option.
  • Activity.clone() method now accepts results option.

• Added origin property to Activity class in Activity Vocabulary API.

  • Added Activity.getOrigin() method.
  • Added Activity.getOrigins() method.
  • Added Activity.originId property.
  • Added Activity.originIds property.
  • new Activity() constructor now accepts origin option.
  • new Activity() constructor now accepts origins option.
  • Activity.clone() method now accepts origin option.
  • Activity.clone() method now accepts origins option.

• Added instrument property to Activity class in Activity Vocabulary API.

  • Added Activity.getInstrument() method.
  • Added Activity.getInstruments() method.
  • Added Activity.instrumentId property.
  • Added Activity.instrumentIds property.
  • new Activity() constructor now accepts instrument option.
  • new Activity() constructor now accepts instruments option.
  • Activity.clone() method now accepts instrument option.
  • Activity.clone() method now accepts instruments option.

• The items property of OrderedCollection and OrderedCollectionPage in Activity Vocabulary API is now represented as orderedItems (was items) in JSON-LD.

• The key pair or the key pair for signing outgoing HTTP requests made from the shared inbox now can be configured. This improves the compatibility with other ActivityPub implementations that require authorized fetches (i.e., secure mode).

  • Added SharedInboxKeyDispatcher type.
  • Renamed InboxListenerSetter interface to InboxListenerSetters.
  • Added InboxListenerSetters.setSharedKeyDispatcher() method.

• Followed up the change in eddsa-jcs-2022 specification for Object Integrity Proofs. [FEP-8b32, #54]

Fedify 0.10.0

Released on June 18, 2024.

Starting with this release, Fedify, previously distributed under AGPL 3.0, is now distributed under the MIT License to encourage wider adoption.

• Besides RSA-PKCS#1-v1.5, Fedify now supports Ed25519 for signing and verifying the activities. [#55]

  • Added an optional parameter to generateCryptoKeyPair() function, algorithm, which can be either "RSASSA-PKCS1-v1_5" or "Ed25519".
  • The importJwk() function now accepts Ed25519 keys.
  • The exportJwk() function now exports Ed25519 keys.
  • The importSpki() function now accepts Ed25519 keys.
  • The exportJwk() function now exports Ed25519 keys.

• Now multiple key pairs can be registered for an actor. [FEP-521a, #55]

  • Added Context.getActorKeyPairs() method.
  • Deprecated Context.getActorKey() method. Use Context.getActorKeyPairs() method instead.
  • Added ActorKeyPair interface.
  • Added ActorCallbackSetters.setKeyPairsDispatcher() method.
  • Added ActorKeyPairsDispatcher type.
  • Deprecated ActorCallbackSetters.setKeyPairDispatcher() method.
  • Deprecated ActorKeyPairDispatcher type.
  • Deprecated the third parameter of the ActorDispatcher callback type. Use Context.getActorKeyPairs() method instead.

• Added Multikey class to Activity Vocabulary API. [FEP-521a, #55]

  • Added importMultibaseKey() function.
  • Added exportMultibaseKey() function.

• Added assertionMethod property to the Actor types in the Activity Vocabulary API. [FEP-521a, #55]

  • Added Application.getAssertionMethod() method.
  • Added Application.getAssertionMethods() method.
  • new Application() constructor now accepts assertionMethod option.
  • new Application() constructor now accepts assertionMethods option.
  • Application.clone() method now accepts assertionMethod option.
  • Application.clone() method now accepts assertionMethods option.
  • Added Group.getAssertionMethod() method.
  • Added Group.getAssertionMethods() method.
  • new Group() constructor now accepts assertionMethod option.
  • new Group() constructor now accepts assertionMethods option.
  • Group.clone() method now accepts assertionMethod option.
  • Group.clone() method now accepts assertionMethods option.
  • Added Organization.getAssertionMethod() method.
  • Added Organization.getAssertionMethods() method.
  • new Organization() constructor now accepts assertionMethod option.
  • new Organization() constructor now accepts assertionMethods option.
  • Organization.clone() method now accepts assertionMethod option.
  • Organization.clone() method now accepts assertionMethods option.
  • Added Person.getAssertionMethod() method.
  • Added Person.getAssertionMethods() method.
  • new Person() constructor now accepts assertionMethod option.
  • new Person() constructor now accepts assertionMethods option.
  • Person.clone() method now accepts assertionMethod option.
  • Person.clone() method now accepts assertionMethods option.
  • Added Service.getAssertionMethod() method.
  • Added Service.getAssertionMethods() method.
  • new Service() constructor now accepts assertionMethod option.
  • new Service() constructor now accepts assertionMethods option.
  • Service.clone() method now accepts assertionMethod option.
  • Service.clone() method now accepts assertionMethods option.

• Added DataIntegrityProof class to Activity Vocabulary API. [FEP-8b32, #54]

• Added proof property to the Object class in the Activity Vocabulary API. [FEP-8b32, #54]

  • Added Object.getProof() method.
  • Added Object.getProofs() method.
  • new Object() constructor now accepts proof option.
  • new Object() constructor now accepts proofs option.
  • Object.clone() method now accepts proof option.
  • Object.clone() method now accepts proofs option.

• Implemented Object Integrity Proofs. [FEP-8b32, #54]

  • If there are any Ed25519 key pairs, the Context.sendActivity() and Federation.sendActivity() methods now make Object Integrity Proofs for the activity to be sent.
  • If the incoming activity has Object Integrity Proofs, the inbox listener now verifies them and ignores HTTP Signatures (if any).
  • Added signObject() function.
  • Added SignObjectOptions interface.
  • Added createProof() function.
  • Added CreateProofOptions interface.
  • Added verifyObject() function.
  • Added VerifyObjectOptions interface.
  • Added verifyProof() function.
  • Added VerifyProofOptions interface.
  • Added fetchKey() function.
  • Added FetchKeyOptions interface.
  • Added SenderKeyPair interface.
  • The type of Federation.sendActivity() method's first parameter became SenderKeyPair[] (was { keyId: URL; privateKey: CryptoKey }).
  • The Context.sendActivity() method's first parameter now accepts SenderKeyPair[] as well.

• In the future, Federation class will become an interface. For the forward compatibility, the following changes are made:

  • Added createFederation() function.
  • Added CreateFederationOptions interface.
  • Deprecated new Federation() constructor. Use createFederation() function instead.
  • Deprecated FederationParameters interface.

• Added Arrive class to Activity Vocabulary API. [#65, #68 by Randy Wressell]

• Added Question class to Activity Vocabulary API.

• Added context option to Object.toJsonLd() method. This applies to any subclasses of the Object class too.

• Deprecated treatHttps option in FederationParameters interface. Instead, use the x-forwarded-fetch library to recognize the X-Forwarded-Host and X-Forwarded-Proto headers.

• Removed the Federation.handle() method which was deprecated in version 0.6.0.

• Removed the integrateHandlerOptions() function from @fedify/fedify/x/fresh which was deprecated in version 0.6.0.

• Ephemeral actors and inboxes that the fedify inbox command spawns are now more interoperable with other ActivityPub implementations.

  • Ephemeral actors now have the following properties: summary, following, followers, outbox, manuallyApprovesFollowers, and url.
  • Improved the compatibility of the fedify inbox command with Misskey and Mitra.

• Added more log messages using the LogTape library. Currently the below logger categories are used:

  • ["fedify", "sig", "proof"]
  • ["fedify", "sig", "key"]
  • ["fedify", "vocab", "lookup"]
  • ["fedify", "webfinger", "lookup"]