fix: centralize unsigned fallback in lookupWithSecurity

Some servers (e.g., tags.pub) return 400 for signed GET requests.
Previously only followActor had an unsigned fallback — all other
callers (resolve, unfollowActor, profile viewer, messages, post
detail, OG unfurl) would silently fail.

Fix: moved the fallback logic into lookupWithSecurity itself. When
an authenticated documentLoader is provided and the lookup fails,
it automatically retries without the loader (unsigned GET). This
fixes ALL AP resolution paths in one place — resolve, follow,
unfollow, profile viewing, message sending, quote fetching.

Removed individual fallbacks in followActor and resolve controller
since the central helper now handles it.
Ricardo
2026-03-21 19:16:05 +01:00
parent 94c4546234
commit 76e9ba0b35
4 changed files with 32 additions and 15 deletions

@@ -721,19 +721,13 @@ export default class ActivityPubEndpoint {
);
// Resolve the remote actor to get their inbox
// Try authenticated document loader first (for Authorized Fetch servers),
// fall back to unsigned if that fails (some servers reject signed GETs)
// lookupWithSecurity handles signed→unsigned fallback automatically
const documentLoader = await ctx.getDocumentLoader({
identifier: handle,
});
let remoteActor = await lookupWithSecurity(ctx, actorUrl, {
const remoteActor = await lookupWithSecurity(ctx, actorUrl, {
documentLoader,
});
if (!remoteActor) {
// Retry without authentication — some servers (e.g., tags.pub)
// may reject or mishandle signed GET requests
remoteActor = await lookupWithSecurity(ctx, actorUrl);
}
if (!remoteActor) {
return { ok: false, error: "Could not resolve remote actor" };
}
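Review bot: at the single `lookupWithSecurity(ctx, actorUrl, { documentLoader })` call that replaces the explicit retry, the follow path can no longer tell whether the actor was resolved over a signed or an unsigned GET, and per the commit message the helper retries unsigned whenever the lookup fails, not only on the 400 that tags.pub returns. Suggest narrowing the fallback inside the helper to the rejection case, or at least logging when the unsigned path is taken, so that a transient failure does not silently cause a second, unauthenticated request and the downgrade is visible when debugging. It would also help if the `Could not resolve remote actor` error noted that both the signed and unsigned attempts were made, since that detail used to be obvious from the code here and is now hidden in the helper.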