activitypub/import.go

@@ -415,29 +415,14 @@ func ImportRemoteAccountByAPUrl(apUrl string) (*models.User, error) {
 		return nil, other.Error("activitypub", "failed to get server actor", err)
 	}
 	var response *http.Response
-	// Try a rfc9421 based signature first for the request, if it fails, fall back to cavage
-	// Reason: Implementations should be switching over from cavage to the final implementation
-	// (rfc9421) slowly, but might not support the latter. Double-knocking will work
-	// around this
-	response, err = webshared.RequestSignedRFC9421("GET", apUrl, nil, linstromActor)
+	response, err = webshared.RequestSignedCavage("GET", apUrl, nil, linstromActor)
 	if err != nil {
-		return nil, other.Error("activitypub", "failed to complete rfc9421 signed request", err)
+		return nil, other.Error("activitypub", "failed to complete cavage signed request", err)
 	}
+	defer response.Body.Close()
 	body, _ := io.ReadAll(response.Body)
-	response.Body.Close()
 	if response.StatusCode != 200 {
-		log.Debug().
-			Int("status-code", response.StatusCode).
-			Msg("RFC9421 signed request failed, trying cavage signature")
-		response, err = webshared.RequestSignedCavage("GET", apUrl, nil, linstromActor)
-		if err != nil {
-			return nil, other.Error("activitypub", "failed to complete cavage signed request", err)
-		}
-		body, _ = io.ReadAll(response.Body)
-		response.Body.Close()
-		if response.StatusCode != 200 {
-			return nil, fmt.Errorf("activitypub: invalid status code: %v", response.StatusCode)
-		}
+		return nil, fmt.Errorf("activitypub: invalid status code: %v", response.StatusCode)
 	}
 	var data inboundImportUser
 	err = json.Unmarshal(body, &data)

web/public/middleware/authFetchCheck.go

@@ -76,7 +76,6 @@ func BuildAuthorizedFetchCheck(forNonGet bool, forGet bool) webutils.HandlerBuil
 				h.ServeHTTP(w, r)
 				return
 			}
-			// TODO: Implement RFC9421 checks next to cabage check
 			rawDate := r.Header.Get("Date")
 			date, err := http.ParseTime(rawDate)
 			if err != nil {

web/shared/clientRfc9421.go

@@ -33,7 +33,9 @@ Links for home:
 func RequestSignedRFC9421(
 	method, target string,
 	body []byte,
-	actor *models.User,
+	keyId string,
+	privateKeyBytes []byte,
+	useEd bool,
 ) (*http.Response, error) {
 	req, err := http.NewRequest(method, target, bytes.NewBuffer(slices.Clone(body)))
 	if err != nil {
@@ -44,7 +46,7 @@ func RequestSignedRFC9421(
 	signerFields := httpsign.Headers("@request-target", "content-digest")
 	if config.GlobalConfig.Experimental.UseEd25519Keys {
 		signer, err = httpsign.NewEd25519Signer(
-			actor.PrivateKeyEd,
+			privateKeyBytes,
 			httpsign.NewSignConfig(),
 			signerFields,
 		)
@@ -52,7 +54,7 @@ func RequestSignedRFC9421(
 			return nil, err
 		}
 	} else {
-		key, err := x509.ParsePKCS1PrivateKey(actor.PrivateKeyRsa)
+		key, err := x509.ParsePKCS1PrivateKey(privateKeyBytes)
 		if err != nil {
 			return nil, err
 		}
@@ -61,15 +63,9 @@ func RequestSignedRFC9421(
 			return nil, err
 		}
 	}
-	clientConfig := httpsign.NewClientConfig().SetSigner(signer)
-	if config.GlobalConfig.Experimental.UseEd25519Keys {
-		clientConfig = clientConfig.SetSignatureName("sig-ed")
-	} else {
-		clientConfig = clientConfig.SetSignatureName("sig-rsa")
-	}
 	client := httpsign.NewClient(
 		RequestClient,
-		clientConfig,
+		httpsign.NewClientConfig().SetSigner(signer).SetSignatureName("sig1"),
 	)
 	res, err := client.Do(req)
 	return res, err
@@ -120,6 +116,7 @@ func applyDefaultHeaders(r *http.Request) {
 		"Linstrom "+shared.Version+" ("+config.GlobalConfig.General.GetFullDomain()+")",
 	)
 	r.Header.Add("Date", time.Now().UTC().Format(http.TimeFormat))
+	r.Header.Add("Host", config.GlobalConfig.General.GetFullDomain())
 	r.Header.Add("Accept", "application/activity+json")
 }