Merge tag '1.2.5'

Fedify 1.2.5
dahlia · Nov 14, 2024 · 82935bd · 82935bd
2 parents 450a693 + 3177d0b
commit 82935bd
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 0 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -33,6 +33,25 @@ To be released.
 [#162]: https://github.com/dahlia/fedify/issues/162
 
 
+Version 1.2.5
+-------------
+
+Released on December 14, 2024.
+
+ -  Suppressed a `TypeError` with a message <q>unusable</q> due to Node.js's
+    mysterious behavior.  [[#159]]
+
+     -  The `verifyRequest()` function no longer throws a `TypeError`
+        when a given `Request` object's body is already consumed or locked.
+        Instead, it logs an error message to the `["fedify", "sig", "http"]`
+        logger category and returns `null`.
+     -  The `Federation.fetch()` method no longer throws a `TypeError`
+        when a given `Request` object's body is already consumed or locked.
+        Instead, it logs an error message to the `["fedify", "federation",
+        "inbox"]` logger category and responds with a `500 Internal Server
+        Error`.
+
+
 Version 1.2.4
 -------------
 
@@ -138,6 +157,25 @@ Released on October 31, 2024.
 [#118]: https://github.com/dahlia/fedify/issues/118
 
 
+Version 1.1.5
+-------------
+
+Released on December 14, 2024.
+
+ -  Suppressed a `TypeError` with a message <q>unusable</q> due to Node.js's
+    mysterious behavior.  [[#159]]
+
+     -  The `verifyRequest()` function no longer throws a `TypeError`
+        when a given `Request` object's body is already consumed or locked.
+        Instead, it logs an error message to the `["fedify", "sig", "http"]`
+        logger category and returns `null`.
+     -  The `Federation.fetch()` method no longer throws a `TypeError`
+        when a given `Request` object's body is already consumed or locked.
+        Instead, it logs an error message to the `["fedify", "federation",
+        "inbox"]` logger category and responds with a `500 Internal Server
+        Error`.
+
+
 Version 1.1.4
 -------------
 
@@ -284,6 +322,25 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
 
 
+Version 1.0.9
+-------------
+
+Released on December 14, 2024.
+
+ -  Suppressed a `TypeError` with a message <q>unusable</q> due to Node.js's
+    mysterious behavior.  [[#159]]
+
+     -  The `verifyRequest()` function no longer throws a `TypeError`
+        when a given `Request` object's body is already consumed or locked.
+        Instead, it logs an error message to the `["fedify", "sig", "http"]`
+        logger category and returns `null`.
+     -  The `Federation.fetch()` method no longer throws a `TypeError`
+        when a given `Request` object's body is already consumed or locked.
+        Instead, it logs an error message to the `["fedify", "federation",
+        "inbox"]` logger category and responds with a `500 Internal Server
+        Error`.
+
+
 Version 1.0.8
 -------------
 
@@ -549,6 +606,27 @@ Released on September 26, 2024.
 [#137]: https://github.com/dahlia/fedify/issues/137
 
 
+Version 0.15.7
+--------------
+
+Released on November 14, 2024.
+
+ -  Suppressed a `TypeError` with a message <q>unusable</q> due to Node.js's
+    mysterious behavior.  [[#159]]
+
+     -  The `verifyRequest()` function no longer throws a `TypeError`
+        when a given `Request` object's body is already consumed or locked.
+        Instead, it logs an error message to the `["fedify", "sig", "http"]`
+        logger category and returns `null`.
+     -  The `Federation.fetch()` method no longer throws a `TypeError`
+        when a given `Request` object's body is already consumed or locked.
+        Instead, it logs an error message to the `["fedify", "federation",
+        "inbox"]` logger category and responds with a `500 Internal Server
+        Error`.
+
+[#159]: https://github.com/dahlia/fedify/issues/159
+
+
 Version 0.15.6
 --------------
 

diff --git a/src/federation/handler.ts b/src/federation/handler.ts
@@ -389,6 +389,19 @@ export async function handleInbox<TContextData>(
       return await onNotFound(request);
     }
   }
+  if (request.bodyUsed) {
+    logger.error("Request body has already been read.", { identifier });
+    return new Response("Internal server error.", {
+      status: 500,
+      headers: { "Content-Type": "text/plain; charset=utf-8" },
+    });
+  } else if (request.body?.locked) {
+    logger.error("Request body is locked.", { identifier });
+    return new Response("Internal server error.", {
+      status: 500,
+      headers: { "Content-Type": "text/plain; charset=utf-8" },
+    });
+  }
   let json: unknown;
   try {
     json = await request.clone().json();

diff --git a/src/sig/http.ts b/src/sig/http.ts
@@ -123,6 +123,19 @@ export async function verifyRequest(
     VerifyRequestOptions = {},
 ): Promise<CryptographicKey | null> {
   const logger = getLogger(["fedify", "sig", "http"]);
+  if (request.bodyUsed) {
+    logger.error(
+      "Failed to verify; the request body is already consumed.",
+      { url: request.url },
+    );
+    return null;
+  } else if (request.body?.locked) {
+    logger.error(
+      "Failed to verify; the request body is locked.",
+      { url: request.url },
+    );
+    return null;
+  }
   const originalRequest = request;
   request = request.clone();
   const dateHeader = request.headers.get("Date");