fedify

Released on September 15, 2024.

• Fixed a bug where even if the ActorCallbackSetters.mapHandle() method was called, a WebFinger username was used as an actor's handle. [#136]

Released on September 11, 2024.

• Actors, collections, and objects now can have their URIs that do not consist of a WebFinger username, which means actors can change their fediverse handles.

  • Added ActorCallbackSetters.mapHandle() method.
  • Added ActorHandleMapper type.

• Added quoteUrl property to Article, ChatMessage, Note, and Question classes in Activity Vocabulary API.

  • Added Article.quoteUrl property.
  • new Article() constructor now accepts quoteUrl option.
  • Article.clone() method now accepts quoteUrl option.
  • Added ChatMessage.quoteUrl property.
  • new ChatMessage() constructor now accepts quoteUrl option.
  • ChatMessage.clone() method now accepts quoteUrl option.
  • Added Note.quoteUrl property.
  • new Note() constructor now accepts quoteUrl option.
  • Note.clone() method now accepts quoteUrl option.
  • Added Question.quoteUrl property.
  • new Question() constructor now accepts quoteUrl option.
  • Question.clone() method now accepts quoteUrl option.

• The element type of the liked collection is now Object or URL instead of Like.

  • Changed the type of Federation.setLikedDispatcher() method's second parameter to CollectionDispatcher<Object | URL, RequestContext<TContextData>, TContextData, void> (was CollectionDispatcher<Like, RequestContext<TContextData>, TContextData, void>).

• Removed expand option of Object.toJsonLd() method, which was deprecated in version 0.14.0. Use format: "expand" option instead.

• Added Context.lookupObject() method.

• Default document loaders now recognize ActivityStream objects in more ways:

  • Loaders now recognize alternate ActivityStreams objects in the Link header.
  • Loaders now recognize alternate ActivityStreams objects in the <link>/<a> HTML elements.

• Added allowPrivateAddress option to CreateFederationOptions interface.

• Fixed a bug where the WebFinger response had had a subject property with an unmatched URI to the requested resource when a non-acct: URI was given.

• Renamed the short option -c for --compact of fedify lookup command to -C to avoid conflict with the short option -c for --cache-dir.

• Added -r/--raw option to fedify lookup command to output the raw JSON object.

Released on September 6, 2024.

• Fixed a bug of Object.fromJsonLd() method where it had thrown a TypeError when the given JSON-LD object had an @id property with an empty string.

Released on September 6, 2024.

• Fixed a bug of Object.fromJsonLd() method where it had thrown a TypeError when the given JSON-LD object had an @id property with an empty string.

Released on September 1, 2024.

• Fixed fedify inbox command where it had ignored -a/--accept-follow options when no -f/--follow option was provided. [#132]

Released on September 1, 2024.

• Fixed fedify inbox command where it had ignored -a/--accept-follow options when no -f/--follow option was provided. [#132]

Released on August 30, 2024.

• Fixed an incompatibility with Meta's Threads where sent activities had not been verified by their inbox. [#125]

Released on August 30, 2024.

• Fixed an incompatibility with Meta's Threads where sent activities had not been verified by their inbox. [#125]

Released on August 29, 2024.

• Fixed fedify inbox command that had not been able to parse activities even if they are valid JSON-LD. [#126]

• Fixed a bug where the Compact Activity tab of fedify inbox command's web interface had shown an expanded JSON-LD object instead of a compacted one.

Released on August 29, 2024.

• Fixed fedify inbox command that had not been able to parse activities even if they are valid JSON-LD. [#126]

Released on August 27, 2024.

• Removed the limitation that the sendActivity({ handle: string }, "followers", Activity) overload is only available for RequestContext but not for Context. Now it is available for both. [#115]

  • Added Context.sendActivity({ handle: string }, "followers", Activity) overload.
  • Added type parameter TContext to CollectionsDispatcher type's first parameter to distinguish between RequestContext and Context.
  • The first parameter of CollectionDispatcher type became TContext (was RequestContext).
  • Added type parameter TContext to CollectionsCursor type's first parameter to distinguish between RequestContext and Context.
  • The first parameter of CollectionCursor type became TContext (was RequestContext).
  • Added type parameter TContext to CollectionsCallbackSetters type's first parameter to distinguish between RequestContext and Context.

• Added source property to Object class in Activity Vocabulary API. [#114]

  • Added Object.source property.
  • new Object() constructor now accepts source option.
  • Object.clone() method now accepts source option.

• Added Source class to Activity Vocabulary API. [#114]

• Added aliases property to Actor type in Activity Vocabulary API.

  • Added Application.getAliases() method.
  • Added Application.getAlias() method.
  • new Application() constructor now accepts alias option.
  • new Application() constructor now accepts aliases option.
  • Application.clone() method now accepts alias option.
  • Application.clone() method now accepts aliases option.
  • Added Group.getAliases() method.
  • Added Group.getAlias() method.
  • new Group() constructor now accepts alias option.
  • new Group() constructor now accepts aliases option.
  • Group.clone() method now accepts alias option.
  • Group.clone() method now accepts aliases option.
  • Added Organization.getAliases() method.
  • Added Organization.getAlias() method.
  • new Organization() constructor now accepts alias option.
  • new Organization() constructor now accepts aliases option.
  • Organization.clone() method now accepts alias option.
  • Organization.clone() method now accepts aliases option.
  • Added Person.getAliases() method.
  • Added Person.getAlias() method.
  • new Person() constructor now accepts alias option.
  • new Person() constructor now accepts aliases option.
  • Person.clone() method now accepts alias option.
  • Person.clone() method now accepts aliases option.
  • Added Service.getAliases() method.
  • Added Service.getAlias() method.
  • new Service() constructor now accepts alias option.
  • new Service() constructor now accepts aliases option.
  • Service.clone() method now accepts alias option.
  • Service.clone() method now accepts aliases option.

• Improved the performance of Object.toJsonLd() method.

  • Object.toJsonLd() method no longer guarantees that the returned JSON-LD object is compacted unless the format: "compact" option is provided.
  • Added format option to Object.toJsonLd() method.
  • Deprecated expand option of Object.toJsonLd() method. Use format: "expand" option instead.
  • The context option of Object.toJsonLd() method is now only applicable to format: "compact". Otherwise, it throws a TypeError.

• The getActorHandle() function now supports cross-origin WebFinger resources.

• The lookupWebFinger() and getActorHandle() functions no more throw an error when they fail to reach the WebFinger resource.

• Collection dispatchers now set the id property of the OrderedCollection/OrderedCollectionPage objects that they return to the their canonical URI.

• Now fedify init generates a default tsconfig.json file on Node.js and Bun, and fills the deno.json file with the default compilerOptions on Deno.

Released on August 18, 2024.

• Fixed a vulnerability where the getActorHandle() function had trusted the hostname of WebFinger aliases that had not matched the hostname of the actor ID (URI).

Released on August 18, 2024.

• Fixed a vulnerability where the getActorHandle() function had trusted the hostname of WebFinger aliases that had not matched the hostname of the actor ID (URI).

Released on August 7, 2024.

• Added closed property to Question class in Activity Vocabulary API.

  • Added Question.closed property.
  • new Question() constructor now accepts closed option.
  • Question.clone() method now accepts closed option.

• Added voters property to Question class in Activity Vocabulary API.

  • Added Question.voters property.
  • new Question() constructor now accepts voters option.
  • Question.clone() method now accepts voters option.

• HTTP Signatures verficiation now can be optionally skipped for the sake of testing. [#110]

  • The type of CreateFederationOptions.signatureTimeWindow property became Temporal.DurationLike | false (was Temporal.DurationLike).
  • The type of VerifyRequestOptions.timeWindow property became Temporal.DurationLike | false (was Temporal.DurationLike).
  • Added CreateFederationOptions.skipSignatureVerification property.

• Removed the singular actor key pair dispatcher APIs which were deprecated in version 0.10.0.

  • Removed the last parameter of the ActorDispatcher callback type. Use Context.getActorKeyPairs() method instead.
  • Removed ActorKeyPairDispatcher type. Use ActorKeyPairsDispatcher type instead.
  • Removed ActorCallbackSetters.setKeyPairDispatcher() method. Use ActorCallbackSetters.setKeyPairsDispatcher() method instead.
  • Removed Context.getActorKey() method. Use Context.getActorKeyPairs() method instead.

• The Federation is no more a class, but an interface, which has been planned since version 0.10.0. [#69]

  • new Federation() constructor is removed. Use createFederation() function instead.
  • Removed Federation.sendActivity() method. Use Context.sendActivity() method instead.
  • Removed Federation class.
  • Added Federation interface.
  • Removed FederationParameters interface.

• Added fedify tunnel command to expose a local HTTP server to the public internet.

• A scaffold project generated by the fedify init command has several changes:

  • Added support for Express framework.
  • Added support for Nitro framework.
  • Now a scaffold project uses a x-forwarded-fetch middleware to support X-Forwarded-Proto and X-Forwarded-Host headers.
  • Now a scaffold project has hot reloading by default.
  • Now a scaffold project has logging configuration using the LogTape library.

• Added more log messages using the LogTape library. Currently the below logger categories are used:

  • ["fedify", "webfinger", "server"]

Released on July 31, 2024.

• Fixed a bug where incoming activities had not been enqueued even if the queue option was provided to the createFederation() function.

Released on July 27, 2024.

• Fixed a bug where fedify init -w hono had generated scaffold files without Fedify integration.
• Fixed a bug where fedify init -r bun -w hono had generated scaffold files with a wrong port number (was 3000).

Released on July 24, 2024.

• The fedify command is now available on npm. [#104]

• Incoming activities are now queued before being dispatched to the inbox listener if the queue option is provided to the createFederation() function. [#70]

  • The type of InboxListener callback type's first parameter became Context (was RequestContext).
  • The type of InboxErrorHandler callback type's first parameter became Context (was RequestContext).
  • The type of SharedInboxKeyDispatcher callback type's first parameter became Context (was RequestContext).

• Implemented fully customizable retry policy for failed tasks in the task queue. By default, the task queue retries the failed tasks with an exponential backoff policy with decorrelated jitter.

  • Added outboxRetryPolicy option to CreateFederationOptions interface.
  • Added inboxRetryPolicy option to CreateFederationOptions interface. [#70]
  • Added RetryPolicy callback type.
  • Added RetryContext interface.
  • Added createExponentialBackoffPolicy() function.
  • Added CreateExponentialBackoffPolicyOptions interface.

• Federation object now allows its task queue to be started manually. [#53]

  • Added manuallyStartQueue option to CreateFederationOptions interface.
  • Added Federation.startQueue() method.

• Made the router able to be insensitive to trailing slashes in the URL paths. [#81]

  • Added trailingSlashInsensitive option to CreateFederationOptions interface.
  • Added RouterOptions interface.
  • Added an optional parameter to new Router() constructor.

• Added ChatMessage class to Activity Vocabulary API. [#85]

• Added Move class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Added Read class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Added Travel class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Added View class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Added TentativeAccept class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Added TentativeReject class to Activity Vocabulary API. [#65, #92 by Lee Dogeon]

• Improved multitenancy (virtual hosting) support. [#66]

  • Added Context.hostname property.
  • Added Context.host property.
  • Added Context.origin property.
  • The type of ActorKeyPairsDispatcher<TContextData>'s first parameter became Context (was TContextData).

• During verifying HTTP Signatures and Object Integrity Proofs, once fetched public keys are now cached. [#107]

  • The verifyRequest() function now caches the fetched public keys when the keyCache option is provided.
  • The verifyProof() function now caches the fetched public keys when the keyCache option is provided.
  • The verifyObject() function now caches the fetched public keys when the keyCache option is provided.
  • Added KeyCache interface.
  • Added VerifyRequestOptions.keyCache property.
  • Added VerifyProofOptions.keyCache property.
  • Added VerifyObjectOptions.keyCache property.
  • Added FederationKvPrefixes.publicKey property.

• The built-in document loaders now recognize JSON-LD context provided in an HTTP Link header. [#6]

  • The fetchDocumentLoader() function now recognizes the Link header with the http://www.w3.org/ns/json-ld#context link relation.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that recognizes the Link header with the http://www.w3.org/ns/json-ld#context link relation.

• Deprecated Federation.sendActivity() method. Use Context.sendActivity() method instead.

• The last parameter of Federation.sendActivity() method is no longer optional. Also, it now takes the required contextData option.

• Removed Context.getHandleFromActorUri() method which was deprecated in version 0.9.0. Use Context.parseUri() method instead.

• Removed @fedify/fedify/httpsig module which was deprecated in version 0.9.0. Use @fedify/fedify/sig module instead.

  • Removed sign() function.
  • Removed verify() function.
  • Removed VerifyOptions interface.

• Fixed a bug where the lookupWebFinger() function had incorrectly queried if the given resource was a URL starts with http: or had a non-default port number.

• Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

  • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
  • Added an optional second parameter to the fetchDocumentLoader() function, which can be used to allow fetching private network addresses.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
  • Added an optional second parameter to the getAuthenticatedDocumentLoader() function, which can be used to allow fetching private network addresses.

• Added fedify init subcommand. [#105]

• Added more log messages using the LogTape library. Currently the below logger categories are used:

  • ["fedify", "federation", "queue"]

Released on July 15, 2024.

• Fixed a bug where use of Federation.setInboxDispatcher() after Federation.setInboxListeners() had caused a RouterError to be thrown even if the paths match. [#101 by Fabien O'Carroll]

Released on July 9, 2024.

• Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

  • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Released on July 9, 2024.

• Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

  • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
  • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.