Handle unverified inbound activities#611
Conversation
issues-auto-labeler
bot
added
activitypub/interop
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the handling and observability of inbound activities within the Fedify framework, specifically focusing on signature verification. It provides developers with finer-grained control over how unverified activities are processed, moving beyond a simple rejection to allow for custom responses based on the specific reason for verification failure. Concurrently, it improves debugging capabilities by exposing detailed failure reasons through both API return types and OpenTelemetry tracing, ensuring that applications can react intelligently to various network and security-related issues during activity processing. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
Add Federatable.onUnverifiedActivity() so applications can inspect inbound activities whose signatures could not be verified without weakening the existing guarantee that inbox listeners only receive verified activities. Expose detailed HTTP signature failure reasons and key-fetch results, preserve key-cache and fetch-key tracing behavior, and surface the new verification details through OpenTelemetry span data and FedifySpanExporter records. Update the manual and changelog entries and add regression tests covering malformed signatures, deleted-key retries, cached unavailable keys, and telemetry output. Fixes fedify-dev#472 Co-Authored-By: OpenAI Codex <codex@openai.com>
dahlia
force-pushed
the
on-unverified-activity
branch
from
1846a7b to
8f635c6
Compare
Register the unverified-activity hook from InboxListenerSetters instead of Federatable so the API stays grouped with inbox listener configuration and reads naturally in the chaining flow. Update the builder, mock federation, tests, documentation, and changelog text to reflect the new registration point without changing the underlying inbox verification behavior. fedify-dev#472 Co-Authored-By: OpenAI Codex <codex@openai.com>
|
@codex review |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a robust mechanism for handling unverified inbound activities by adding the Federatable.onUnverifiedActivity() hook. This allows applications to define custom logic for activities that fail signature verification, which is particularly useful for handling Delete activities from actors whose keys are no longer accessible. The changes are well-supported by a more detailed signature verification API (verifyRequestDetailed) that provides structured failure reasons, and enhanced observability through new OpenTelemetry attributes. The implementation is clean, well-tested across multiple packages, and the documentation has been updated accordingly. Overall, this is an excellent enhancement to the library's flexibility and debugging capabilities.
Note: Security Review did not run due to the size of the PR.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a new onUnverifiedActivity() handler for inspecting inbound activities that fail signature verification, allowing for custom response handling instead of the default 401 Unauthorized. The implementation also adds verifyRequestDetailed() to provide more granular information about signature verification failures, such as unsigned requests or key fetch errors. These details are also exposed through new OpenTelemetry attributes for improved tracing. The associated documentation and tests have been updated to cover these new features. The changes are logically sound and consistently applied throughout the codebase.
Note: Security Review did not run due to the size of the PR.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 192e8cbca2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Pull request overview
This PR addresses #472 by enabling Fedify applications to inspect inbound activities whose HTTP signatures could not be verified. Instead of always returning 401 Unauthorized, applications can now register a callback to handle unverified activities (e.g., accepting Delete activities from actors whose keys return 410 Gone).
Changes:
- Added
InboxListenerSetters.onUnverifiedActivity()with supporting typesUnverifiedActivityHandlerandUnverifiedActivityReason, and wired the callback through the federation builder, middleware, and inbox handler so unverified activities can be intercepted before the default401response. - Introduced
verifyRequestDetailed()andfetchKeyDetailed()with structured failure result types (VerifyRequestDetailedResult,VerifyRequestFailureReason,FetchKeyErrorResult,FetchKeyDetailedResult) to distinguish unsigned requests, invalid signatures, and key-fetch failures, and extendedFetchErrorin@fedify/vocab-runtimewith an optionalresponsefield. - Added OpenTelemetry attributes for HTTP signature failure reasons and key-fetch details, updated
FedifySpanExporterand documentation accordingly.
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/vocab-runtime/src/request.ts | Added optional response field to FetchError |
| packages/vocab-runtime/src/docloader.ts | Pass cloned response to FetchError on HTTP errors |
| packages/vocab-runtime/src/docloader.test.ts | Tests for FetchError.response |
| packages/testing/src/mock.ts | Added onUnverifiedActivity stub to mock federation |
| packages/fedify/src/sig/key.ts | Added fetchKeyDetailed, FetchKeyDetailedResult, FetchKeyErrorResult, withFetchKeySpan helper |
| packages/fedify/src/sig/key.test.ts | Tests for fetchKeyDetailed |
| packages/fedify/src/sig/http.ts | Added verifyRequestDetailed, detailed result types, failure helpers, span recording |
| packages/fedify/src/sig/http.test.ts | Tests for verifyRequestDetailed |
| packages/fedify/src/otel/exporter.ts | Added failure reason fields to SignatureVerificationDetails |
| packages/fedify/src/otel/exporter.test.ts | Tests for new exporter fields |
| packages/fedify/src/federation/middleware.ts | Pass unverifiedActivityHandler to inbox handler |
| packages/fedify/src/federation/middleware.test.ts | Integration tests for onUnverifiedActivity |
| packages/fedify/src/federation/handler.ts | Use verifyRequestDetailed, invoke unverified activity handler |
| packages/fedify/src/federation/handler.test.ts | Tests for handler with unverified activity details |
| packages/fedify/src/federation/federation.ts | Added onUnverifiedActivity to InboxListenerSetters interface |
| packages/fedify/src/federation/callback.ts | Added UnverifiedActivityReason and UnverifiedActivityHandler types |
| packages/fedify/src/federation/builder.ts | Builder implementation for onUnverifiedActivity |
| packages/fedify/src/federation/builder.test.ts | Tests for builder copying the handler |
| docs/manual/opentelemetry.md | Documented new OTel attributes |
| docs/manual/inbox.md | Documented onUnverifiedActivity with example |
| CHANGES.md | Changelog entries |
Expose the new detailed HTTP signature and key-fetch APIs from @fedify/fedify/sig so the documented public surface is available to supported consumers instead of only internal source-path imports. fedify-dev#611 (comment) fedify-dev#611 (comment) fedify-dev#611 (comment) Co-Authored-By: OpenAI Codex <codex@openai.com>
Add regression tests for fetchKeyDetailed() so both fetchError variants are exercised: HTTP failures that carry a Response and non-HTTP failures that only expose the thrown Error. fedify-dev#611 (comment) Co-Authored-By: OpenAI Codex <codex@openai.com>
Refactor fetchKeyDetailed() and fetchKeyInternal() to share the cache lookup, remote document fetch, and fetched-document resolution paths so key-fetch behavior is kept in one place. This keeps the detailed fetch-error reporting added in this PR while reducing the risk that later bug fixes or behavior changes would diverge between the detailed and legacy code paths. fedify-dev#611 (comment) Co-Authored-By: OpenAI Codex <codex@openai.com>
|
@codex review |
|
/gemini review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 342e5d0521
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Code Review
This pull request introduces a valuable feature for handling unverified inbound activities by adding the onUnverifiedActivity handler and providing detailed signature verification results. The changes are well-implemented across the signature verification, request handling, and OpenTelemetry exporting layers. The related documentation and tests have been updated thoroughly to reflect these new capabilities.
Note: Security Review did not run due to the size of the PR.
Persist negative key-cache entries and their fetch failure metadata through KvKeyCache so repeated verification attempts can keep reporting keyFetchError details instead of degrading to invalidSignature after the first miss. Also add regression coverage for cached-null persistence, fetch-error metadata round-tripping, and inbox retries that should continue seeing the original 410 result. fedify-dev#611 (comment) Co-Authored-By: OpenAI Codex <codex@openai.com>
|
@codex review |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a robust mechanism for handling unverified inbound activities, a valuable addition for dealing with real-world federation scenarios like deleted actors. The changes are well-structured, introducing onUnverifiedActivity() for custom handling, verifyRequestDetailed() for granular failure reasons, and extending FetchError to include the original HTTP response. The implementation is consistent across the codebase, with corresponding updates to tests, documentation, and OpenTelemetry instrumentation. The refactoring in the signature verification and key fetching logic is clean and effectively isolates the new functionality. Overall, this is a high-quality contribution that enhances Fedify's error handling and observability.
Note: Security Review did not run due to the size of the PR.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 991f18e02a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Give KvKeyCache a short TTL for unavailable keys and persisted fetch-failure metadata so temporary network errors or 5xx responses do not poison signature verification indefinitely. Also add regression coverage for expiring unavailable entries and for round-tripping stored fetch-failure metadata. fedify-dev#611 (comment) Co-Authored-By: OpenAI Codex <codex@openai.com>
Catch exceptions thrown by onUnverifiedActivity(), forward them to inboxErrorHandler, and fall back to the default 401 response instead of letting unverified deliveries escape as uncaught 500s. Add regression coverage to ensure hook failures are reported to the inbox error handler and still produce the default unauthorized response. fedify-dev#611 (comment) Co-Authored-By: OpenAI Codex <codex@openai.com>
|
@codex review |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a valuable feature for handling unverified inbound activities by adding the onUnverifiedActivity hook. This provides applications with more granular control over federation behavior, especially in real-world scenarios like handling deleted actors. The introduction of verifyRequestDetailed and the propagation of detailed failure reasons, including HTTP status codes from key fetches, significantly improve the observability and debugging capabilities of the library. The changes are well-structured, thoroughly tested, and clearly documented.
Note: Security Review did not run due to the size of the PR.
|
Codex Review: Didn't find any major issues. Nice work! ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Summary
Fixes #472
This PR adds
InboxListenerSetters.onUnverifiedActivity()so applications can inspect inbound activities whose signatures could not be verified and optionally return a custom response instead of falling back to the default401 Unauthorizedbehavior.It also introduces detailed HTTP signature verification results so callers can distinguish unsigned requests, invalid signatures, and signing-key fetch failures without weakening the existing guarantee that normal inbox listeners only receive verified activities.
What changed
InboxListenerSetters.onUnverifiedActivity()and the related public typesUnverifiedActivityHandlerandUnverifiedActivityReasonin packages/fedify/src/federation/.verifyRequestDetailed()and the related public typesVerifyRequestDetailedResult,VerifyRequestFailureReason, andFetchKeyErrorResultin packages/fedify/src/sig/.FetchError.responsein packages/vocab-runtime/src/request.ts.activitypub.fetch_keytracing while exposing detailed HTTP-signature failure information.FedifySpanExporterin packages/fedify/src/otel/.