diff --git a/CLAUDE.md b/CLAUDE.md index 4e30e220..5714f274 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -183,7 +183,7 @@ npm install git+https://gitea.giersig.eu/svemagie/indiekit-endpoint-activitypub | Liked posts show as not-liked in thread context (ancestors/descendants) | Context endpoint used empty interaction Sets — fixed by `patch-ap-interactions-context-state` | | "Empty reply from server" on webmention poller | Poller routing through nginx (returns 444 for wrong Host) — must use `INDIEKIT_DIRECT_URL` | | HTTP Signature 401 errors on all inbound activities | nginx forwarding wrong `Host` header — fixed by `patch-ap-signature-host-header` (overrides to `blog.giersig.eu`) | -| HTTP Signature verify errors flooding logs for deleted/migrated actors | Expected noise — `patch-ap-inbox-delivery-debug` suppresses to `fatal`; real errors surface at `error` level | +| HTTP Signature verify errors flooding logs for deleted/migrated actors | Expected noise — `patch-ap-inbox-delivery-debug` (in `patch-ap-federation-infra.mjs`) suppresses both `["fedify","federation","inbox"]` and `["fedify","runtime","docloader"]` to `lowestLevel: "fatal"`. Current marker: `ap-inbox-delivery-debug-A-fatal` | | Mastodon client (Phanpy, etc.) gets 401 on all authenticated endpoints ~10 min after login | OAuth access token inherited the auth code's 10-min `expiresAt` — fixed by `patch-ap-oauth-token-expiry-fix` (`$unset: { expiresAt }` during code exchange) | | Mastodon client gets 401 on all requests immediately (not just after 10 min) | "Autorisiertes Abrufen erfordern" (authorized fetch / secure mode) is enabled — unsigned GET requests to actor/collections are rejected. Error message "access token is invalid" is misleading; it comes from the authorized-fetch layer, not OAuth. Fix: disable authorized fetch in AP admin settings. Trade-off: blocked servers can still fetch public posts, but this is acceptable for a public blog. | | "OAuth callback failed. Missing parameters." | `state` parameter not echoed — fixed in fork (`b54146c`) | 
diff --git a/scripts/patch-ap-federation-infra.mjs b/scripts/patch-ap-federation-infra.mjs index b3462a2f..3b2e180d 100644 --- a/scripts/patch-ap-federation-infra.mjs +++ b/scripts/patch-ap-federation-infra.mjs @@ -125,17 +125,8 @@ const PATCHES = [ { name: "inbox-delivery-debug/inbox-logger-level", files: apPath("lib/federation-setup.js"), - marker: "// [patch] ap-inbox-delivery-debug-A", + marker: "// [patch] ap-inbox-delivery-debug-A-fatal", oldSnippet: ` { - // Noise guard: HTTP Signature verification failures are expected for - // incoming activities from servers with expired/gone keys (e.g. deleted - // actors, migrated servers). These produce high log volume with no - // actionable signal — suppress everything below fatal. - category: ["fedify", "federation", "inbox"], - sinks: ["console"], - lowestLevel: "fatal", - },`, - newSnippet: ` { // Surfacing real verification failures (wrong key, clock skew, digest // mismatch) at "error" level while keeping high-volume key-fetch // 404/410 warnings from deleted actors silent. // [patch] ap-inbox-delivery-debug-A @@ -143,6 +134,15 @@ const PATCHES = [ sinks: ["console"], lowestLevel: "error", },`, + newSnippet: ` { + // Noise guard: HTTP Signature verification failures are expected for + // incoming activities from servers with expired/gone keys (e.g. deleted + // actors, migrated servers). These produce high log volume with no + // actionable signal — suppress everything below fatal. // [patch] ap-inbox-delivery-debug-A-fatal + category: ["fedify", "federation", "inbox"], + sinks: ["console"], + lowestLevel: "fatal", + },`, }, // ── inbox-delivery-debug Fix B: federation-bridge.js — request-level logging ─
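Review bot: In the CLAUDE.md troubleshooting-table hunk, the rewritten "HTTP Signature verify errors flooding logs" row drops the earlier statement that real errors surface at `error` level and does not say what replaces it. With `lowestLevel: "fatal"` on the inbox category, the failures the script's previous comment listed (wrong key, clock skew, digest mismatch) are silenced as well. The row should state that trade-off and say how to lower the level temporarily when debugging signature problems, such as the 401 row directly above it. The row also says `["fedify","runtime","docloader"]` is set to `fatal`, while the script hunks in this diff only touch the `["fedify", "federation", "inbox"]` block; please confirm the docloader claim against the patch file or reword it.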
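Review bot: In the first hunk of scripts/patch-ap-federation-infra.mjs (@@ -125,17 +125,8 @@), `oldSnippet` now begins with the "Surfacing real verification failures" block, which is the output of the previous version of this patch and carries the `// [patch] ap-inbox-delivery-debug-A` comment. A tree where that earlier version never ran will contain neither this `oldSnippet` nor the new `-A-fatal` marker. Judging by the removed lines, the block there is already at `fatal`, so the logging outcome is the same, but the marker that CLAUDE.md calls the current one will be absent. Please check how the patch runner treats an unmatched snippet (silent skip, warning or failure) and either document that this is expected on such a tree or add a second entry that matches the unpatched block.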
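Review bot: In the second hunk of scripts/patch-ap-federation-infra.mjs (@@ -143,6 +134,15 @@), the added `newSnippet` comment says these failures carry "no actionable signal", but the block it replaces names wrong key, clock skew and digest mismatch as real verification failures worth logging at `error`. Setting `lowestLevel: "fatal"` for the whole `["fedify", "federation", "inbox"]` category removes those from the console sink too, so inbound activities rejected for a bad signature leave no log trail. Consider keeping `error` and filtering only the key-fetch 404/410 noise, or reading the level from an environment variable so it can be changed without re-patching. At minimum, update the comment to say that real verification failures are suppressed along with the noise.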