From 06e521cfa7df5c6489222e2b0b83b3e84ffdc8d8 Mon Sep 17 00:00:00 2001
From: Ricardo
Date: Thu, 19 Feb 2026 12:52:02 +0100
Subject: [PATCH] fix: skip Fedify middleware for non-GET requests in contentNegotiationRoutes

The contentNegotiationRoutes getter is mounted at root / and was passing ALL requests through Fedify, including POST requests to admin routes. fromExpressRequest() calls Readable.toWeb(req) which consumes the body stream, causing "response body object should not be distributed or locked" errors when admin controllers try to read req.body. The v1.0.2 fix only protected routesPublic (mounted at /activitypub). This fixes the actual culprit by skipping non-GET/HEAD methods in contentNegotiationRoutes, since content negotiation and NodeInfo are both GET-only concerns.
---
 index.js | 4 ++++
 package.json | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index d0f2fb8..16181a1 100644
--- a/index.js
+++ b/index.js
@@ -150,8 +150,12 @@ export default class ActivityPubEndpoint {
 const self = this;
 // Let Fedify handle NodeInfo data (/nodeinfo/2.1)
+ // Only pass GET/HEAD requests — POST/PUT/DELETE must not go through
+ // Fedify here, because fromExpressRequest() consumes the body stream,
+ // breaking Express body-parsed routes downstream (e.g. admin forms).
 router.use((req, res, next) => {
 if (!self._fedifyMiddleware) return next();
+ if (req.method !== "GET" && req.method !== "HEAD") return next();
 return self._fedifyMiddleware(req, res, next);
 });
diff --git a/package.json b/package.json
index ff82906..ad365b9 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@rmdes/indiekit-endpoint-activitypub",
- "version": "1.0.2",
+ "version": "1.0.3",
 "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
 "keywords": [
 "indiekit",
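Review bot: The new guard `if (req.method !== "GET" && req.method !== "HEAD") return next();` in the index.js hunk filters by method only, so on this root mount every GET/HEAD, including requests for admin pages, is still handed to Fedify before the application's own handlers; if only NodeInfo and content negotiation are meant to be served here, a path or Accept-header condition would keep the rest of the site out of the federation code path. The added comment should also say where body-carrying federation requests are expected to go, for example `// Inbox POSTs reach Fedify via routesPublic (mounted at /activitypub), not this router.`; that mount is taken from the commit message and should be confirmed against the routes actually registered. No test accompanies the fix, and a regression test that POSTs a form body to a root-level admin route and asserts the body is still readable downstream would pin it. The enclosing getter starts and ends outside the hunk.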