Merge tag '1.7.5'

dahlia · dahlia · commit 777674dd855c · 2025-07-15T17:09:31.000+09:00
Fedify 1.7.5
diff --git a/CHANGES.md b/CHANGES.md
@@ -30,7 +30,7 @@ To be released.
      -  Added optional `KvStore.cas()` method.
      -  Added `MemoryKvStore.cas()` method.
      -  Added `DenoKvStore.cas()` method.
-  
+
  -  Added options to customize the temporary actor information when running
     `fedify inbox` command.  [[#262], [#285] by Hasang Cho]
 
@@ -77,6 +77,16 @@ To be released.
 [#285]: https://github.com/fedify-dev/fedify/pull/285
 
 
+Version 1.7.5
+-------------
+
+Released on July 15, 2025.
+
+ -  Fixed `TypeError: unusable` error that occurred when `doubleKnock()`
+    encountered redirects during HTTP signature retry attempts.
+    [[#294], [#295]]
+
+
 Version 1.7.4
 -------------
 
@@ -150,6 +160,19 @@ Released on June 25, 2025.
 [#252]: https://github.com/fedify-dev/fedify/pull/252
 
 
+Version 1.6.6
+-------------
+
+Released on July 15, 2025.
+
+ -  Fixed `TypeError: unusable` error that occurred when `doubleKnock()`
+    encountered redirects during HTTP signature retry attempts.
+    [[#294], [#295]]
+
+[#294]: https://github.com/fedify-dev/fedify/issues/294
+[#295]: https://github.com/fedify-dev/fedify/pull/295
+
+
 Version 1.6.5
 -------------
 
diff --git a/docs/README.md b/docs/README.md
@@ -4,17 +4,18 @@ Fedify docs
 This directory contains the source files of the Fedify docs.  The docs are
 written in Markdown format and are built with [VitePress].
 
-In order to build the docs locally, you need to install [Bun]
-first.  Then you can run the following commands (assuming you are in
+In order to build the docs locally, you need to install [Node.js] and [pnpm]
+first. Then you can run the following commands (assuming you are in
 the *docs/* directory):
 
 ~~~~ bash
-bun install
-bun run dev
+pnpm install
+pnpm dev
 ~~~~
 
 Once the development server is running, you can open your browser and navigate
 to *http://localhost:5173/* to view the docs.
 
 [VitePress]: https://vitepress.dev/
-[Bun]: https://bun.sh/
+[Node.js]: https://nodejs.org/
+[pnpm]: https://pnpm.io/
diff --git a/fedify/sig/http.test.ts b/fedify/sig/http.test.ts
@@ -1877,3 +1877,61 @@ test("verifyRequest() [rfc9421] error handling for invalid signature base creati
     "Verification should fail gracefully for malformed signature inputs",
   );
 });
+
+test("doubleKnock() regression test for TypeError: unusable bug #294", async () => {
+  // This test reproduces the bug where request.clone().body in the second redirect
+  // handling path causes "TypeError: unusable" when the body is consumed before
+  // subsequent clone() calls in signRequest functions.
+
+  fetchMock.spyGlobal();
+
+  let requestCount = 0;
+
+  // Mock server that:
+  // 1. Returns 401 for first spec (triggers retry with different spec)
+  // 2. Returns 302 redirect for second spec (triggers redirect handling)
+  // 3. Returns 200 for final destination
+  fetchMock.post("https://example.com/inbox-retry-redirect", (_cl) => {
+    requestCount++;
+
+    if (requestCount === 1) {
+      // First request: reject to trigger retry with different spec
+      return new Response("Unauthorized", { status: 401 });
+    } else if (requestCount === 2) {
+      // Second request: redirect to trigger the problematic redirect handling
+      return Response.redirect("https://example.com/final-destination", 302);
+    }
+
+    return new Response("Should not reach here", { status: 500 });
+  });
+
+  // Mock final destination
+  fetchMock.post("https://example.com/final-destination", () => {
+    return new Response("Success", { status: 200 });
+  });
+
+  const request = new Request("https://example.com/inbox-retry-redirect", {
+    method: "POST",
+    body: "Test activity content",
+    headers: {
+      "Content-Type": "application/activity+json",
+    },
+  });
+
+  // This should trigger the bug: 401 -> retry -> 302 -> TypeError: unusable
+  // because the second redirect path uses request.clone().body instead of
+  // await request.clone().arrayBuffer()
+  const response = await doubleKnock(
+    request,
+    {
+      keyId: rsaPublicKey2.id!,
+      privateKey: rsaPrivateKey2,
+    },
+  );
+
+  // The test should pass after the fix
+  assertEquals(response.status, 200);
+  assertEquals(requestCount, 2, "Should make 2 requests before redirect");
+
+  fetchMock.hardReset();
+});
diff --git a/fedify/sig/http.ts b/fedify/sig/http.ts
@@ -1221,6 +1221,34 @@ export interface DoubleKnockOptions {
   tracerProvider?: TracerProvider;
 }
 
+/**
+ * Helper function to create a new Request for redirect handling.
+ * @param request The original request.
+ * @param location The redirect location.
+ * @param body The request body as ArrayBuffer or undefined.
+ * @returns A new Request object for the redirect.
+ */
+function createRedirectRequest(
+  request: Request,
+  location: string,
+  body: ArrayBuffer | undefined,
+): Request {
+  return new Request(location, {
+    method: request.method,
+    headers: request.headers,
+    body,
+    redirect: "manual",
+    signal: request.signal,
+    mode: request.mode,
+    credentials: request.credentials,
+    referrer: request.referrer,
+    referrerPolicy: request.referrerPolicy,
+    integrity: request.integrity,
+    keepalive: request.keepalive,
+    cache: request.cache,
+  });
+}
+
 /**
  * Performs a double-knock request to the given URL.  For the details of
  * double-knocking, see
@@ -1264,19 +1292,7 @@ export async function doubleKnock(
       ? await request.clone().arrayBuffer()
       : undefined;
     return doubleKnock(
-      new Request(location, {
-        method: request.method,
-        headers: request.headers,
-        body,
-        redirect: "manual",
-        signal: request.signal,
-        mode: request.mode,
-        credentials: request.credentials,
-        referrer: request.referrer,
-        referrerPolicy: request.referrerPolicy,
-        integrity: request.integrity,
-        keepalive: request.keepalive,
-      }),
+      createRedirectRequest(request, location, body),
       identity,
       options,
     );
@@ -1322,11 +1338,15 @@ export async function doubleKnock(
       response.headers.has("Location")
     ) {
       const location = response.headers.get("Location")!;
+      // IMPORTANT: Use arrayBuffer() instead of .body to prevent "TypeError: unusable"
+      // When using .body (ReadableStream), subsequent clone() calls in signRequest functions
+      // will fail because the stream has already been consumed. Using arrayBuffer() ensures
+      // the body can be safely cloned for HTTP signature generation.
       const body = request.method !== "GET" && request.method !== "HEAD"
-        ? request.clone().body
-        : null;
+        ? await request.clone().arrayBuffer()
+        : undefined;
       return doubleKnock(
-        new Request(location, { ...request, body }),
+        createRedirectRequest(request, location, body),
         identity,
         options,
       );
