feat: Add -A/--authorized-fetch option to fedify inbox command

[notJoon]

Summary

Adds the -A/--authorized-fetch flag to the fedify inbox command, enabling HTTP signature verification enforcement for all incoming requests.

Related Issue

• closes Add -A/--authorized-fetch option to fedify inbox command #229

Changes

• Adds the -A/--authorized-fetch flag to the fedify inbox command
• Added requireHttpSignature option to FederationFetchOptions interface
• Updated inbox handler to enforce HTTP signature verification

Checklist

• Did you add a changelog entry to the CHANGES.md?
• Did you write some relevant docs about this change (if it's a new feature)?
• Did you write a regression test to reproduce the bug (if it's a bug fix)?
• Did you write some tests for this change (if it's a new feature)?
• Did you run deno task test-all on your machine?

Testing

1. Start Server with authorized fetch

cd packages/cli deno run --allow-all src/mod.ts inbox -A --no-tunnel

Send unsigned request:

curl -i -X POST http://localhost:<PORT>/inbox \
    -H "Content-Type: application/activity+json" \
    -d '{
      "@context": "https://www.w3.org/ns/activitystreams",
      "type": "Create",
      "actor": "https://example.com/users/alice",
      "object": {"type": "Note", "content": "Hello!"}
    }'

logs

$ deno run --allow-read --allow-env --allow-write --allow-net --allow-run --allow-sys src/mod.ts inbox -A --no-tunnel --debug 2>&1 | tee inbox-server-without-verify.log

JSR specifiers are not yet supported in package.json: @std/assert@^0.226.0
JSR specifiers are not yet supported in package.json: @std/[email protected]
JSR specifiers are not yet supported in package.json: @std/yaml@^1.0.6
- Spinning up an ephemeral ActivityPub server...
➜ Listening on: http://localhost:63916/ (all interfaces)
06:46:30.568 DBG fedify·cli·tempserver Temporary server is listening on port "63916".
✔ The ephemeral ActivityPub server is up and running: http://localhost:63916/
- Spinning up an ephemeral ActivityPub server...
╭───────────────┬────────────────────────────────╮
│ Actor handle: │ i@localhost:63916              │
├───────────────┼────────────────────────────────┤
│ Actor URI:    │ http://localhost:63916/i       │
├───────────────┼────────────────────────────────┤
│ Actor inbox:  │ http://localhost:63916/i/inbox │
├───────────────┼────────────────────────────────┤
│ Shared inbox: │ http://localhost:63916/inbox   │
╰───────────────┴────────────────────────────────╯
06:46:46.705 DBG fedify·utils·kv-cache Using preloaded context: "https://www.w3.org/ns/activitystreams".
06:46:46.708 DBG fedify·utils·kv-cache Using preloaded context: "https://www.w3.org/ns/activitystreams".
06:46:46.711 DBG fedify·federation·inbox Linked Data Signatures are not verified.
06:46:46.711 DBG fedify·utils·kv-cache Using preloaded context: "https://www.w3.org/ns/activitystreams".
06:46:46.711 DBG fedify·utils·kv-cache Using preloaded context: "https://www.w3.org/ns/activitystreams".
06:46:46.712 DBG fedify·sig·proof Some attributions are not authenticated by the proofs: [ "https://example.com/users/alice" ].
06:46:46.713 DBG fedify·federation·inbox Object Integrity Proofs are not verified.
06:46:46.713 DBG fedify·sig·http Failed to verify; no Date header found.
06:46:46.714 ERR fedify·federation·inbox Failed to verify the request's HTTP Signatures.
06:46:46.714 WRN fedify·federation·http "POST" "/inbox": 401
╭────────────────┬────────────────────────────╮
│ Request #:     │ 0                          │
├────────────────┼────────────────────────────┤
│ Activity type: │ failed to parse            │
├────────────────┼────────────────────────────┤
│ HTTP request:  │ POST /inbox                │
├────────────────┼────────────────────────────┤
│ HTTP response: │ 401                        │
├────────────────┼────────────────────────────┤
│ Details        │ http://localhost:63916/r/0 │
╰────────────────┴────────────────────────────╯

[gemini-code-assist]

Summary of Changes

Hello @notJoon, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the security of the fedify inbox command by introducing a new flag that enables mandatory HTTP signature verification for all incoming ActivityPub requests. This ensures that only authenticated and untampered messages are processed, providing a critical layer of trust and integrity for federated interactions. The change integrates seamlessly into the existing framework, extending the FederationFetchOptions and updating the inbox handling logic to support this new security requirement.

Highlights

• New CLI Option: Introduced the -A/--authorized-fetch option to the fedify inbox command, allowing users to explicitly require HTTP signature verification for all incoming requests.
• Enhanced Security: When enabled, this option enforces HTTP signature verification, returning a 401 Unauthorized response for any unsigned requests, thereby bolstering the security of the inbox.
• API Extension: Added a requireHttpSignature?: boolean property to the FederationFetchOptions interface, providing programmatic control over this security feature within the Fedify library.
• Inbox Handler Logic: Updated the internal inbox handler to respect the new requireHttpSignature option, conditionally applying signature verification based on its value and existing skipSignatureVerification settings.
• Comprehensive Testing: New tests have been added to validate the behavior of the requireHttpSignature option, covering scenarios with both signed and unsigned requests, and its interaction with skipSignatureVerification.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request successfully adds the -A/--authorized-fetch flag to enforce HTTP signature verification. The implementation is logical, with changes correctly propagated through the CLI, federation, and handler layers. I've included a couple of review comments on the new test file to suggest improvements for code clarity and to enhance test coverage for an important edge case related to this new security feature.

[gemini-code-assist]

The tests for requireHttpSignature are good, but they don't seem to cover a specific edge case. The current tests use an unsigned activity body, so activity is null inside handleInbox before the HTTP signature check. This means the tests only validate the activity == null part of the condition activity == null || (requireHttpSignature ?? false).

It would be beneficial to add a test case for when an activity is successfully parsed from a Linked Data Signature (so activity != null), but requireHttpSignature: true is also set. This would ensure that HTTP signature verification is correctly enforced even when a valid LD-Signature is present.

A suggested test flow would be:

1. Create a request with a body containing a valid LD-Signed activity.
2. Call handleInbox with this request and requireHttpSignature: true. It should fail with a 401 because there's no HTTP signature.
3. Sign the same request with an HTTP signature.
4. Call handleInbox again. It should now succeed with a 202.

This would provide more complete coverage for this new security feature.

[gemini-code-assist]

The clone: undefined property is unnecessary and potentially confusing. The options parameter of createInboxContext is of type RequestContextOptions, which does not have a clone property. The unsignedContext object also does not have a clone property, so there is no need to explicitly set it to undefined. This should be removed for clarity. This applies to all similar occurrences in this file.

Suggested change

	return createInboxContext({ ...unsignedContext, clone: undefined });
	return createInboxContext({ ...unsignedContext });

[github-actions]

The latest push to this pull request has been published to JSR and npm as a pre-release:

Package	Version	JSR	npm
@fedify/fedify	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/cli	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/amqp	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/cfworkers	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/denokv	2.0.0-pr.474.1879+be9e2989	JSR
@fedify/elysia	2.0.0-pr.474.1879+be9e2989		npm
@fedify/express	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/h3	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/hono	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/koa	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/nestjs	2.0.0-pr.474.1879+be9e2989		npm
@fedify/next	2.0.0-pr.474.1879+be9e2989		npm
@fedify/postgres	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/redis	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/sqlite	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/sveltekit	2.0.0-pr.474.1879+be9e2989	JSR	npm
@fedify/testing	2.0.0-pr.474.1879+be9e2989	JSR	npm

[github-actions]

The docs for this pull request have been published:

https://b85efd4b.fedify.pages.dev

[dahlia]

Thank you for working on this feature! The -A/--authorized-fetch option for fedify inbox will be very helpful for testing. However, I'd like to suggest a different implementation approach that better aligns with Fedify's existing access control architecture.

I believe using .authorize() is the more “Fedify way” to implement this feature. Would you be open to refactoring the implementation to use the existing callback API? I'm happy to provide more guidance or examples if needed.

[dahlia]

The current implementation adds a new requireHttpSignature field to FederationFetchOptions and InboxHandlerParameters, which duplicates functionality that already exists in Fedify's .authorize() callback API.

According to our access control documentation, the standard way to enable authorized fetch in Fedify is through the .authorize() method:

federation
  .setActorDispatcher("/users/{identifier}", async (ctx, identifier) => {
    // ...
  })
  .authorize(async (ctx, identifier) => {
    const signedKeyOwner = await ctx.getSignedKeyOwner();
    if (signedKeyOwner == null) return false;
    return !await isBlocked(identifier, signedKeyOwner);
  });

The .authorize() callback provides a flexible, dispatcher-level mechanism for access control that:

• Follows Fedify's established patterns
• Allows fine-grained control (per-actor, per-collection, etc.)
• Is already documented and understood by users
• Supports complex authorization logic beyond simple HTTP signature checks

Instead of adding a new field that bypasses the existing API, I suggest implementing the -A/--authorized-fetch option by registering an .authorize() callback in the CLI code:

// In packages/cli/src/inbox.tsx
federation
  .setInboxListeners("/users/{identifier}/inbox", "/inbox")
  .authorize(async (ctx, identifier) => {
    if (!command.authorizedFetch) return true;  // Allow all if -A not set
    const signedKeyOwner = await ctx.getSignedKeyOwner();
    return signedKeyOwner != null;  // Only allow signed requests
  });