#httpsignatures — Public Fediverse posts

We're excited to announce the release of #Fedify 1.6.1, which marks the beginning of the 1.6 series following the retraction of version 1.6.0. This release introduces significant new capabilities that expand Fedify's deployment options and enhance security compatibility across the #fediverse.

🌐 Cloudflare Workers support

Fedify 1.6 introduces first-class support for Cloudflare Workers, enabling #serverless deployment of #ActivityPub applications at the edge.

New components

• WorkersKvStore: A key–value store implementation using Cloudflare's KV API for persistent storage in Workers environments
• WorkersMessageQueue: A message queue implementation leveraging Cloudflare Queues for reliable message processing

Key features

• Seamless integration with #Cloudflare's serverless runtime
• Automatic handling of queue message processing through Workers' queue() method
• Support for Node.js compatibility flag required for Fedify's cryptographic operations
• Manual queue processing via Federation.processQueuedTask() method

For a complete working example, see the Cloudflare Workers example in the Fedify repository.

🏗️ Federation builder pattern

Fedify 1.6 introduces the FederationBuilder class and createFederationBuilder() function to support deferred federation instantiation. This pattern provides several benefits:

• Deferred instantiation: Set up dispatchers and listeners before creating the federation object
• Better code organization: Avoid circular dependencies and improve project structure
• Cloudflare #Workers compatibility: Accommodates binding-based architectures where resources are passed as arguments rather than globals
• Modular setup: Build complex federations piece by piece before instantiation

The builder pattern is particularly useful for large applications and environments like Cloudflare Workers where configuration data is only available at runtime.

🔐 HTTP Message Signatures (RFC 9421)

Fedify 1.6 implements the official HTTP Message Signatures standard (RFC 9421) specification, the final revision of the HTTP Signatures specification.

Double-knocking mechanism

To ensure maximum compatibility across the fediverse, Fedify 1.6 introduces an intelligent double-knocking mechanism:

1. Primary attempt: RFC 9421 (HTTP Message Signatures) for modern implementations
2. Fallback: Draft cavage version for legacy compatibility
3. Adaptive caching: The system remembers which version each server supports to optimize future requests

This approach ensures seamless communication with both modern and legacy ActivityPub implementations while positioning Fedify at the forefront of security standards.

Interoperability testing

The RFC 9421 implementation has been thoroughly tested for interoperability with existing ActivityPub implementations that support RFC 9421 signature verification:

• Mitra 4.4.0: Successfully verified Fedify-generated RFC 9421 signatures
• Mastodon 4.4.0 development version: Tested RFC 9421 signature verification against Fedify's implementation (refer to Mastodon PR #34814, though Mastodon 4.4.0 has not yet been released)

These tests confirm that other ActivityPub implementations can successfully verify RFC 9421 signatures generated by Fedify, ensuring proper federation as the ecosystem gradually adopts the official specification. While these implementations currently support verification of RFC 9421 signatures, they do not yet generate RFC 9421 signatures themselves—making Fedify one of the first ActivityPub implementations to support both generation and verification of the modern standard.

🔍 WebFinger enhancements

Dedicated WebFinger lookup

The new Context.lookupWebFinger() method provides direct access to WebFinger data, offering developers more granular control over account discovery and resource resolution beyond the higher-level Context.lookupObject() method.

🛠 Context API improvements

Context data replacement

The new Context.clone() method enables dynamic context data replacement, providing greater flexibility in request processing and data flow management. This is particularly useful for middleware implementations and complex request routing scenarios.

🚀 Migration considerations

Backward compatibility

Fedify 1.6 maintains full backward compatibility with existing applications. The new HTTP Message Signatures and double-knocking mechanisms work transparently without requiring any code changes.

Node.js version requirement

Important: Fedify 1.6 requires Node.js 22.0.0 or later for Node.js environments. This change does not affect applications using Deno or Bun runtimes. If you're currently using Node.js, please ensure your environment meets this requirement before upgrading.

New deployment options

For new deployments, consider leveraging Cloudflare Workers support for:

• Global edge deployment with low latency
• Serverless scaling and automatic resource management
• Integration with Cloudflare's ecosystem of services

🎯 Looking forward

Fedify 1.6 represents a significant expansion of deployment possibilities while maintaining the framework's commitment to broad compatibility across the fediverse. The addition of Cloudflare Workers support opens new architectural patterns for federated applications, while the RFC 9421 implementation ensures Fedify stays current with emerging ActivityPub security standards.

For detailed migration guides, API documentation, and examples, please visit the Fedify documentation. Join our community on Matrix or Discord for support and discussions.

#fedidev #RFC9421 #HTTPSignatures #HTTPMessageSignatures #CloudflareWorkers

We're excited to announce the release of #Fedify 1.6.1, which marks the beginning of the 1.6 series following the retraction of version 1.6.0. This release introduces significant new capabilities that expand Fedify's deployment options and enhance security compatibility across the #fediverse.

🌐 Cloudflare Workers support

Fedify 1.6 introduces first-class support for Cloudflare Workers, enabling #serverless deployment of #ActivityPub applications at the edge.

New components

• WorkersKvStore: A key–value store implementation using Cloudflare's KV API for persistent storage in Workers environments
• WorkersMessageQueue: A message queue implementation leveraging Cloudflare Queues for reliable message processing

Key features

• Seamless integration with #Cloudflare's serverless runtime
• Automatic handling of queue message processing through Workers' queue() method
• Support for Node.js compatibility flag required for Fedify's cryptographic operations
• Manual queue processing via Federation.processQueuedTask() method

For a complete working example, see the Cloudflare Workers example in the Fedify repository.

🏗️ Federation builder pattern

Fedify 1.6 introduces the FederationBuilder class and createFederationBuilder() function to support deferred federation instantiation. This pattern provides several benefits:

• Deferred instantiation: Set up dispatchers and listeners before creating the federation object
• Better code organization: Avoid circular dependencies and improve project structure
• Cloudflare #Workers compatibility: Accommodates binding-based architectures where resources are passed as arguments rather than globals
• Modular setup: Build complex federations piece by piece before instantiation

The builder pattern is particularly useful for large applications and environments like Cloudflare Workers where configuration data is only available at runtime.

🔐 HTTP Message Signatures (RFC 9421)

Fedify 1.6 implements the official HTTP Message Signatures standard (RFC 9421) specification, the final revision of the HTTP Signatures specification.

Double-knocking mechanism

To ensure maximum compatibility across the fediverse, Fedify 1.6 introduces an intelligent double-knocking mechanism:

1. Primary attempt: RFC 9421 (HTTP Message Signatures) for modern implementations
2. Fallback: Draft cavage version for legacy compatibility
3. Adaptive caching: The system remembers which version each server supports to optimize future requests

This approach ensures seamless communication with both modern and legacy ActivityPub implementations while positioning Fedify at the forefront of security standards.

Interoperability testing

The RFC 9421 implementation has been thoroughly tested for interoperability with existing ActivityPub implementations that support RFC 9421 signature verification:

• Mitra 4.4.0: Successfully verified Fedify-generated RFC 9421 signatures
• Mastodon 4.4.0 development version: Tested RFC 9421 signature verification against Fedify's implementation (refer to Mastodon PR #34814, though Mastodon 4.4.0 has not yet been released)

These tests confirm that other ActivityPub implementations can successfully verify RFC 9421 signatures generated by Fedify, ensuring proper federation as the ecosystem gradually adopts the official specification. While these implementations currently support verification of RFC 9421 signatures, they do not yet generate RFC 9421 signatures themselves—making Fedify one of the first ActivityPub implementations to support both generation and verification of the modern standard.

🔍 WebFinger enhancements

Dedicated WebFinger lookup

The new Context.lookupWebFinger() method provides direct access to WebFinger data, offering developers more granular control over account discovery and resource resolution beyond the higher-level Context.lookupObject() method.

🛠 Context API improvements

Context data replacement

The new Context.clone() method enables dynamic context data replacement, providing greater flexibility in request processing and data flow management. This is particularly useful for middleware implementations and complex request routing scenarios.

🚀 Migration considerations

Backward compatibility

Fedify 1.6 maintains full backward compatibility with existing applications. The new HTTP Message Signatures and double-knocking mechanisms work transparently without requiring any code changes.

Node.js version requirement

Important: Fedify 1.6 requires Node.js 22.0.0 or later for Node.js environments. This change does not affect applications using Deno or Bun runtimes. If you're currently using Node.js, please ensure your environment meets this requirement before upgrading.

New deployment options

For new deployments, consider leveraging Cloudflare Workers support for:

• Global edge deployment with low latency
• Serverless scaling and automatic resource management
• Integration with Cloudflare's ecosystem of services

🎯 Looking forward

Fedify 1.6 represents a significant expansion of deployment possibilities while maintaining the framework's commitment to broad compatibility across the fediverse. The addition of Cloudflare Workers support opens new architectural patterns for federated applications, while the RFC 9421 implementation ensures Fedify stays current with emerging ActivityPub security standards.

For detailed migration guides, API documentation, and examples, please visit the Fedify documentation. Join our community on Matrix or Discord for support and discussions.

#fedidev #RFC9421 #HTTPSignatures #HTTPMessageSignatures #CloudflareWorkers

My #SolidProject client and server are now ready for efficient access control demos on #BigData using the HTTP WG's 's "Signing HTTP Messages".

I can demo with a server publishing N resources (in this case, #LinkedData Event Stream (#LDES) data.
The client is implemented in #Scala using #http4s, and the server uses #Akka.
The libraries can be compiled to JS for use on #nodeJS frameworks too. Native is not far off, either.
The client need make no more than N+2 requests:

1. Request 1 on a resource R returning a "401 Unauthorised"
2. a max of 2 requests to get the access control rules
3. from there on, N signed requests using #HttpSignatures (when those all fall in the same container space)

Solid clients are essentially like Search Engine crawlers fetching data on the web, so they need to jump around from website to website. Having approx 2 requests extra per website for auth is very interesting in that scenario.

Note: those 2 requests can be cached, so those may be only needed once over a long period of time. The connection efficiency is possible by combining the following pieces:

• using the IETF's HTTPSig (a version from the beginning of the year)
• using default rules (part of the spec)
• caching of ACLs on the client
• the use of a "defaultAccessContainer" link header to reduce the number of requests.

I am trying to work out who may be interested in such a technical demo, what a good time for it may be, ...
so please just comment here or send me a mail at [email protected]

Notes so far on #Mastodon's #ActivityPub implementation, covering basics on #WebFinger, #HTTPSignatures, #JSONLD signatures, and #ActivityStream vocab. Pretty much a loosely-organized collection of links to useful specs and implementations for understanding how Mastodon specifically does things.

https://raphaelluckom.com/posts/Things%20I%27ve%20learned%20about%20ActivityPub%20so%20far.html