From cad9829cd73472362113fe515ac75694cc539f18 Mon Sep 17 00:00:00 2001 From: Ricardo Date: Sat, 21 Mar 2026 18:06:14 +0100 Subject: [PATCH] fix: fallback to unsigned lookup when authenticated fetch fails in followActor Some servers (e.g., tags.pub relay) reject or mishandle HTTP-signed GET requests during actor resolution. The authenticated document loader is tried first (required by Authorized Fetch servers like hachyderm.io), then falls back to unsigned fetch if it returns null. Same pattern should apply to unfollowActor. --- index.js | 10 ++++++++-- package.json | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/index.js b/index.js index b53cdb7..9f2d331 100644 --- a/index.js +++ b/index.js @@ -721,13 +721,19 @@ export default class ActivityPubEndpoint { ); // Resolve the remote actor to get their inbox - // Use authenticated document loader for servers requiring Authorized Fetch + // Try authenticated document loader first (for Authorized Fetch servers), + // fall back to unsigned if that fails (some servers reject signed GETs) const documentLoader = await ctx.getDocumentLoader({ identifier: handle, }); - const remoteActor = await lookupWithSecurity(ctx,actorUrl, { + let remoteActor = await lookupWithSecurity(ctx, actorUrl, { documentLoader, }); + if (!remoteActor) { + // Retry without authentication — some servers (e.g., tags.pub) + // may reject or mishandle signed GET requests + remoteActor = await lookupWithSecurity(ctx, actorUrl); + } if (!remoteActor) { return { ok: false, error: "Could not resolve remote actor" }; } diff --git a/package.json b/package.json index f9408b5..7f719e7 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@rmdes/indiekit-endpoint-activitypub", - "version": "3.7.1", + "version": "3.7.2", "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.", "keywords": [ "indiekit",