fix: fallback to unsigned lookup when authenticated fetch fails in followActor

Some servers (e.g., tags.pub relay) reject or mishandle HTTP-signed GET requests during actor resolution. The authenticated document loader is tried first (required by Authorized Fetch servers like hachyderm.io), then falls back to unsigned fetch if it returns null. Same pattern should apply to unfollowActor.
2026-03-21 18:06:14 +01:00
parent ccb9cc99a2
commit cad9829cd7
2 changed files with 9 additions and 3 deletions
@@ -721,13 +721,19 @@ export default class ActivityPubEndpoint {
      );

      // Resolve the remote actor to get their inbox
-      // Use authenticated document loader for servers requiring Authorized Fetch
+      // Try authenticated document loader first (for Authorized Fetch servers),
+      // fall back to unsigned if that fails (some servers reject signed GETs)
      const documentLoader = await ctx.getDocumentLoader({
        identifier: handle,
      });
-      const remoteActor = await lookupWithSecurity(ctx,actorUrl, {
+      let remoteActor = await lookupWithSecurity(ctx, actorUrl, {
        documentLoader,
      });
+      if (!remoteActor) {
+        // Retry without authentication — some servers (e.g., tags.pub)
+        // may reject or mishandle signed GET requests
+        remoteActor = await lookupWithSecurity(ctx, actorUrl);
+      }
      if (!remoteActor) {
        return { ok: false, error: "Could not resolve remote actor" };
      }
@@ -1,6 +1,6 @@
 {
  "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.7.1",
+  "version": "3.7.2",
  "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
  "keywords": [
    "indiekit",