fix: suppress fedify inbox HTTP Signature verify errors to fatal

Both ["fedify","federation","inbox"] and ["fedify","runtime","docloader"]
are now suppressed to lowestLevel:"fatal". The inbox errors ("Failed to
verify the request's HTTP Signatures") are expected noise from deleted/
migrated actors and are not actionable.

Updates marker from ap-inbox-delivery-debug-A to ap-inbox-delivery-debug-A-fatal.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sven
2026-04-12 20:54:14 +02:00
parent 50002ffc72
commit 015438839b
2 changed files with 11 additions and 11 deletions
+1 -1
@@ -183,7 +183,7 @@ npm install git+https://gitea.giersig.eu/svemagie/indiekit-endpoint-activitypub
| Liked posts show as not-liked in thread context (ancestors/descendants) | Context endpoint used empty interaction Sets — fixed by `patch-ap-interactions-context-state` | | Liked posts show as not-liked in thread context (ancestors/descendants) | Context endpoint used empty interaction Sets — fixed by `patch-ap-interactions-context-state` |
| "Empty reply from server" on webmention poller | Poller routing through nginx (returns 444 for wrong Host) — must use `INDIEKIT_DIRECT_URL` | | "Empty reply from server" on webmention poller | Poller routing through nginx (returns 444 for wrong Host) — must use `INDIEKIT_DIRECT_URL` |
| HTTP Signature 401 errors on all inbound activities | nginx forwarding wrong `Host` header — fixed by `patch-ap-signature-host-header` (overrides to `blog.giersig.eu`) | | HTTP Signature 401 errors on all inbound activities | nginx forwarding wrong `Host` header — fixed by `patch-ap-signature-host-header` (overrides to `blog.giersig.eu`) |
| HTTP Signature verify errors flooding logs for deleted/migrated actors | Expected noise — `patch-ap-inbox-delivery-debug` suppresses to `fatal`; real errors surface at `error` level | | HTTP Signature verify errors flooding logs for deleted/migrated actors | Expected noise — `patch-ap-inbox-delivery-debug` (in `patch-ap-federation-infra.mjs`) suppresses both `["fedify","federation","inbox"]` and `["fedify","runtime","docloader"]` to `lowestLevel: "fatal"`. Current marker: `ap-inbox-delivery-debug-A-fatal` |
| Mastodon client (Phanpy, etc.) gets 401 on all authenticated endpoints ~10 min after login | OAuth access token inherited the auth code's 10-min `expiresAt` — fixed by `patch-ap-oauth-token-expiry-fix` (`$unset: { expiresAt }` during code exchange) | | Mastodon client (Phanpy, etc.) gets 401 on all authenticated endpoints ~10 min after login | OAuth access token inherited the auth code's 10-min `expiresAt` — fixed by `patch-ap-oauth-token-expiry-fix` (`$unset: { expiresAt }` during code exchange) |
| Mastodon client gets 401 on all requests immediately (not just after 10 min) | "Autorisiertes Abrufen erfordern" (authorized fetch / secure mode) is enabled — unsigned GET requests to actor/collections are rejected. Error message "access token is invalid" is misleading; it comes from the authorized-fetch layer, not OAuth. Fix: disable authorized fetch in AP admin settings. Trade-off: blocked servers can still fetch public posts, but this is acceptable for a public blog. | | Mastodon client gets 401 on all requests immediately (not just after 10 min) | "Autorisiertes Abrufen erfordern" (authorized fetch / secure mode) is enabled — unsigned GET requests to actor/collections are rejected. Error message "access token is invalid" is misleading; it comes from the authorized-fetch layer, not OAuth. Fix: disable authorized fetch in AP admin settings. Trade-off: blocked servers can still fetch public posts, but this is acceptable for a public blog. |
| "OAuth callback failed. Missing parameters." | `state` parameter not echoed — fixed in fork (`b54146c`) | | "OAuth callback failed. Missing parameters." | `state` parameter not echoed — fixed in fork (`b54146c`) |
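Review bot: The rewritten row for "HTTP Signature verify errors flooding logs" drops the statement "real errors surface at `error` level" and does not say where real verification failures show up now. The row just above it (nginx forwarding the wrong `Host` header, 401 on all inbound activities) describes a fault that produces the same class of error, so someone following this table would find nothing in the logs. Suggest adding one sentence on how to diagnose that case while the inbox category is at `fatal`, for example by temporarily setting `lowestLevel` back to `"error"`. The hard-coded `Current marker: ap-inbox-delivery-debug-A-fatal` will also need editing on every marker bump; consider pointing at the `marker` field in `patch-ap-federation-infra.mjs` instead.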
+10 -10
@@ -125,17 +125,8 @@ const PATCHES = [
{ {
name: "inbox-delivery-debug/inbox-logger-level", name: "inbox-delivery-debug/inbox-logger-level",
files: apPath("lib/federation-setup.js"), files: apPath("lib/federation-setup.js"),
marker: "// [patch] ap-inbox-delivery-debug-A", marker: "// [patch] ap-inbox-delivery-debug-A-fatal",
oldSnippet: ` { oldSnippet: ` {
// Noise guard: HTTP Signature verification failures are expected for
// incoming activities from servers with expired/gone keys (e.g. deleted
// actors, migrated servers). These produce high log volume with no
// actionable signal — suppress everything below fatal.
category: ["fedify", "federation", "inbox"],
sinks: ["console"],
lowestLevel: "fatal",
},`,
newSnippet: ` {
// Surfacing real verification failures (wrong key, clock skew, digest // Surfacing real verification failures (wrong key, clock skew, digest
// mismatch) at "error" level while keeping high-volume key-fetch // mismatch) at "error" level while keeping high-volume key-fetch
// 404/410 warnings from deleted actors silent. // [patch] ap-inbox-delivery-debug-A // 404/410 warnings from deleted actors silent. // [patch] ap-inbox-delivery-debug-A
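Review bot: On the `marker` line, the new value `// [patch] ap-inbox-delivery-debug-A-fatal` contains the old marker `// [patch] ap-inbox-delivery-debug-A` as a prefix, so any check that looks for the old marker by substring still matches a file in the new state; a marker that does not extend the old one would avoid that ambiguity. Separately, `oldSnippet` is now the previously patched `lowestLevel: "error"` block, including its `// [patch] ap-inbox-delivery-debug-A` comment, so this entry only matches a file that the earlier version of the patch has already rewritten. If `lib/federation-setup.js` can also be in the unpatched state (the block that used to be `oldSnippet`), add a comment saying what happens then, or handle that state as well.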
@@ -143,6 +134,15 @@ const PATCHES = [
sinks: ["console"], sinks: ["console"],
lowestLevel: "error", lowestLevel: "error",
},`, },`,
newSnippet: ` {
// Noise guard: HTTP Signature verification failures are expected for
// incoming activities from servers with expired/gone keys (e.g. deleted
// actors, migrated servers). These produce high log volume with no
// actionable signal — suppress everything below fatal. // [patch] ap-inbox-delivery-debug-A-fatal
category: ["fedify", "federation", "inbox"],
sinks: ["console"],
lowestLevel: "fatal",
},`,
}, },
// ── inbox-delivery-debug Fix B: federation-bridge.js — request-level logging ─ // ── inbox-delivery-debug Fix B: federation-bridge.js — request-level logging ─
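Review bot: The `newSnippet` sets `lowestLevel: "fatal"` for the whole `["fedify", "federation", "inbox"]` category, which also silences the cases the replaced comment calls real verification failures (wrong key, clock skew, digest mismatch), not only the 404/410 key-fetch noise from deleted actors. The comment's "no actionable signal" should either name that trade-off, or the suppression should be narrowed to the key-fetch case. The commit message also says `["fedify","runtime","docloader"]` is set to `fatal`, but the hunks shown for this file change only the inbox entry; please confirm the docloader entry is covered elsewhere.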