mi.moris.day/packages/backend/test/unit/ap-request.ts

/*
 * SPDX-FileCopyrightText: syuilo and misskey-project
 * SPDX-License-Identifier: AGPL-3.0-only
 */

import * as assert from 'assert';
import httpSignature from '@peertube/http-signature';

import { genRsaKeyPair } from '@/misc/gen-key-pair.js';
import { ApRequestCreator } from '@/core/activitypub/ApRequestService.js';
import { assertActivityMatchesUrls, FetchAllowSoftFailMask } from '@/core/activitypub/misc/check-against-url.js';
import { IObject } from '@/core/activitypub/type.js';

export const buildParsedSignature = (signingString: string, signature: string, algorithm: string) => {
	return {
		scheme: 'Signature',
		params: {
			keyId: 'KeyID',	// dummy, not used for verify
			algorithm: algorithm,
			headers: ['(request-target)', 'date', 'host', 'digest'],	// dummy, not used for verify
			signature: signature,
		},
		signingString: signingString,
		algorithm: algorithm.toUpperCase(),
		keyId: 'KeyID',	// dummy, not used for verify
	};
};

function cartesianProduct<T, U>(a: T[], b: U[]): [T, U][] {
	return a.flatMap(a => b.map(b => [a, b] as [T, U]));
}

describe('ap-request', () => {
	test('createSignedPost with verify', async () => {
		const keypair = await genRsaKeyPair();
		const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey };
		const url = 'https://example.com/inbox';
		const activity = { a: 1 };
		const body = JSON.stringify(activity);
		const headers = {
			'User-Agent': 'UA',
		};

		const req = ApRequestCreator.createSignedPost({ key, url, body, additionalHeaders: headers });

		const parsed = buildParsedSignature(req.signingString, req.signature, 'rsa-sha256');

		const result = httpSignature.verifySignature(parsed, keypair.publicKey);
		assert.deepStrictEqual(result, true);
	});

	test('createSignedGet with verify', async () => {
		const keypair = await genRsaKeyPair();
		const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey };
		const url = 'https://example.com/outbox';
		const headers = {
			'User-Agent': 'UA',
		};

		const req = ApRequestCreator.createSignedGet({ key, url, additionalHeaders: headers });

		const parsed = buildParsedSignature(req.signingString, req.signature, 'rsa-sha256');

		const result = httpSignature.verifySignature(parsed, keypair.publicKey);
		assert.deepStrictEqual(result, true);
	});

	test('rejects non matching domain', () => {
		assert.doesNotThrow(() => assertActivityMatchesUrls(
			'https://alice.example.com/abc',
			{ id: 'https://alice.example.com/abc' } as IObject,
			[
				'https://alice.example.com/abc',
			],
			FetchAllowSoftFailMask.Strict,
		), 'validation should pass base case');
		assert.throws(() => assertActivityMatchesUrls(
			'https://alice.example.com/abc',
			{ id: 'https://bob.example.com/abc' } as IObject,
			[
				'https://alice.example.com/abc',
			],
			FetchAllowSoftFailMask.Any,
		), 'validation should fail no matter what if the response URL is inconsistent with the object ID');
		
		// fix issues like threads
		// https://github.com/misskey-dev/misskey/issues/15039
		const withOrWithoutWWW = [
			'https://alice.example.com/abc',
			'https://www.alice.example.com/abc',
		];

		cartesianProduct(
			cartesianProduct(
				withOrWithoutWWW,
				withOrWithoutWWW,
			),
			withOrWithoutWWW,
		).forEach(([[a, b], c]) => {
			assert.doesNotThrow(() => assertActivityMatchesUrls(
				a,
				{ id: b } as IObject,
				[
					c,
				],
				FetchAllowSoftFailMask.Strict,
			), 'validation should pass with or without www. subdomain');
		});
	});

	test('cross origin lookup', () => {
		assert.doesNotThrow(() => assertActivityMatchesUrls(
			'https://alice.example.com/abc',
			{ id: 'https://bob.example.com/abc' } as IObject,
			[
				'https://bob.example.com/abc',
			],
			FetchAllowSoftFailMask.CrossOrigin | FetchAllowSoftFailMask.NonCanonicalId,
		), 'validation should pass if the response is otherwise consistent and cross-origin is allowed');
		assert.throws(() => assertActivityMatchesUrls(
			'https://alice.example.com/abc',
			{ id: 'https://bob.example.com/abc' } as IObject,
			[
				'https://bob.example.com/abc',
			],
			FetchAllowSoftFailMask.Strict,
		), 'validation should fail if the response is otherwise consistent and cross-origin is not allowed');
	});

	test('rejects non-canonical ID', () => {
		assert.throws(() => assertActivityMatchesUrls(
			'https://alice.example.com/@alice',
			{ id: 'https://alice.example.com/users/alice' } as IObject,
			[
				'https://alice.example.com/users/alice'
			],
			FetchAllowSoftFailMask.Strict,
		), 'throws if the response ID did not exactly match the expected ID');
		assert.doesNotThrow(() => assertActivityMatchesUrls(
			'https://alice.example.com/@alice',
			{ id: 'https://alice.example.com/users/alice' } as IObject,
			[
				'https://alice.example.com/users/alice',
			],
			FetchAllowSoftFailMask.NonCanonicalId,
		), 'does not throw if non-canonical ID is allowed');
	});

	test('origin relaxed alignment', () => {
		assert.doesNotThrow(() => assertActivityMatchesUrls(
			'https://alice.example.com/abc',
			{ id: 'https://ap.alice.example.com/abc' } as IObject,
			[
				'https://ap.alice.example.com/abc',
			],
			FetchAllowSoftFailMask.MisalignedOrigin | FetchAllowSoftFailMask.NonCanonicalId,
		), 'validation should pass if response is a subdomain of the expected origin');
		assert.throws(() => assertActivityMatchesUrls(
			'https://alice.multi-tenant.example.com/abc',
			{ id: 'https://alice.multi-tenant.example.com/abc' } as IObject,
			[
				'https://bob.multi-tenant.example.com/abc',
			],
			FetchAllowSoftFailMask.MisalignedOrigin | FetchAllowSoftFailMask.NonCanonicalId,
		), 'validation should fail if response is a disjoint domain of the expected origin');
		assert.throws(() => assertActivityMatchesUrls(
			'https://alice.example.com/abc',
			{ id: 'https://ap.alice.example.com/abc' } as IObject,
			[
				'https://ap.alice.example.com/abc',
			],
			FetchAllowSoftFailMask.Strict,
		), 'throws if relaxed origin is forbidden');
	});

	test('resist HTTP downgrade', () => {
		assert.throws(() => assertActivityMatchesUrls(
			'https://alice.example.com/abc',
			{ id: 'https://alice.example.com/abc' } as IObject,
			[
				'http://alice.example.com/abc',
			],
			FetchAllowSoftFailMask.Strict,
		), 'throws if HTTP downgrade is detected');
	});
});
chore: 著作権とライセンスについての情報を各ファイルに追加する (#11348) * chore: Add the SPDX information to each file Add copyright and licensing information as defined in version 3.0 of the REUSE Specification. * tweak format --------- Co-authored-by: syuilo <Syuilotan@yahoo.co.jp> 2023-07-27 14:31:52 +09:00			`/*`
(re) update SPDX-FileCopyrightText Fix #13290 2024-02-14 00:59:27 +09:00			`* SPDX-FileCopyrightText: syuilo and misskey-project`
chore: 著作権とライセンスについての情報を各ファイルに追加する (#11348) * chore: Add the SPDX information to each file Add copyright and licensing information as defined in version 3.0 of the REUSE Specification. * tweak format --------- Co-authored-by: syuilo <Syuilotan@yahoo.co.jp> 2023-07-27 14:31:52 +09:00			`* SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00			`import * as assert from 'assert';`
revert 5f88d56d96 バグがある(かつすぐに修正できそうにない) & まだレビュー途中で意図せずマージされたため 2024-07-20 21:33:20 +09:00			`import httpSignature from '@peertube/http-signature';`

			`import { genRsaKeyPair } from '@/misc/gen-key-pair.js';`
			`import { ApRequestCreator } from '@/core/activitypub/ApRequestService.js';`
Merge commit from fork * fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. [GHSA-6w2c-vf6f-xf26](https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26) Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * Enhance: Add configuration option to disable all external redirects when responding to an ActivityPub lookup (config.disallowExternalApRedirect) Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * fixup! fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. * docs & one edge case Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * apply suggestions Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * remove stale frontend reference to _responseInvalidIdHostNotMatch Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * apply suggestions Signed-off-by: eternal-flame-AD <yume@yumechi.jp> --------- Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 19:21:34 +09:00			`import { assertActivityMatchesUrls, FetchAllowSoftFailMask } from '@/core/activitypub/misc/check-against-url.js';`
			`import { IObject } from '@/core/activitypub/type.js';`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00
			`export const buildParsedSignature = (signingString: string, signature: string, algorithm: string) => {`
			`return {`
			`scheme: 'Signature',`
			`params: {`
			`keyId: 'KeyID', // dummy, not used for verify`
			`algorithm: algorithm,`
test(backend): restore ap-request tests (#9997) Co-authored-by: tamaina <tamaina@hotmail.co.jp> 2023-02-24 16:10:48 +09:00			`headers: ['(request-target)', 'date', 'host', 'digest'], // dummy, not used for verify`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00			`signature: signature,`
			`},`
			`signingString: signingString,`
lint 2022-05-21 22:21:41 +09:00			`algorithm: algorithm.toUpperCase(),`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00			`keyId: 'KeyID', // dummy, not used for verify`
			`};`
			`};`

Merge commit from fork * fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. [GHSA-6w2c-vf6f-xf26](https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26) Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * Enhance: Add configuration option to disable all external redirects when responding to an ActivityPub lookup (config.disallowExternalApRedirect) Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * fixup! fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. * docs & one edge case Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * apply suggestions Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * remove stale frontend reference to _responseInvalidIdHostNotMatch Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * apply suggestions Signed-off-by: eternal-flame-AD <yume@yumechi.jp> --------- Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 19:21:34 +09:00			`function cartesianProduct<T, U>(a: T[], b: U[]): [T, U][] {`
			`return a.flatMap(a => b.map(b => [a, b] as [T, U]));`
			`}`

revert 5f88d56d96 バグがある(かつすぐに修正できそうにない) & まだレビュー途中で意図せずマージされたため 2024-07-20 21:33:20 +09:00			`describe('ap-request', () => {`
			`test('createSignedPost with verify', async () => {`
			`const keypair = await genRsaKeyPair();`
			`const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey };`
			`const url = 'https://example.com/inbox';`
			`const activity = { a: 1 };`
			`const body = JSON.stringify(activity);`
			`const headers = {`
			`'User-Agent': 'UA',`
			`};`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00
revert 5f88d56d96 バグがある(かつすぐに修正できそうにない) & まだレビュー途中で意図せずマージされたため 2024-07-20 21:33:20 +09:00			`const req = ApRequestCreator.createSignedPost({ key, url, body, additionalHeaders: headers });`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00
revert 5f88d56d96 バグがある(かつすぐに修正できそうにない) & まだレビュー途中で意図せずマージされたため 2024-07-20 21:33:20 +09:00			`const parsed = buildParsedSignature(req.signingString, req.signature, 'rsa-sha256');`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00
revert 5f88d56d96 バグがある(かつすぐに修正できそうにない) & まだレビュー途中で意図せずマージされたため 2024-07-20 21:33:20 +09:00			`const result = httpSignature.verifySignature(parsed, keypair.publicKey);`
			`assert.deepStrictEqual(result, true);`
perf(federation): Ed25519署名に対応する (#13464) * 1. ed25519キーペアを発行・Personとして公開鍵を送受信 * validate additionalPublicKeys * getAuthUserFromApIdはmainを選ぶ * :v: * fix * signatureAlgorithm * set publicKeyCache lifetime * refresh * httpMessageSignatureAcceptable * ED25519_SIGNED_ALGORITHM * ED25519_PUBLIC_KEY_SIGNATURE_ALGORITHM * remove sign additionalPublicKeys signature requirements * httpMessageSignaturesSupported * httpMessageSignaturesImplementationLevel * httpMessageSignaturesImplementationLevel: '01' * perf(federation): Use hint for getAuthUserFromApId (#13470) * Hint for getAuthUserFromApId * とどのつまりこれでいいのか？ * use @misskey-dev/node-http-message-signatures * fix * signedPost, signedGet * ap-request.tsを復活させる * remove digest prerender * fix test? * fix test * add httpMessageSignaturesImplementationLevel to FederationInstance * ManyToOne * fetchPersonWithRenewal * exactKey * :v: * use const * use gen-key-pair fn. from '@misskey-dev/node-http-message-signatures' * update node-http-message-signatures * fix * @misskey-dev/node-http-message-signatures@0.0.0-alpha.11 * getAuthUserFromApIdでupdatePersonの頻度を増やす * cacheRaw.date * use requiredInputs https://github.com/misskey-dev/misskey/pull/13464#discussion_r1509964359 * update @misskey-dev/node-http-message-signatures * clean up * err msg * fix(backend): fetchInstanceMetadataのLockが永遠に解除されない問題を修正 Co-authored-by: まっちゃとーにゅ <17376330+u1-liquid@users.noreply.github.com> * fix httpMessageSignaturesImplementationLevel validation * fix test * fix * comment * comment * improve test * fix * use Promise.all in genRSAAndEd25519KeyPair * refreshAndprepareEd25519KeyPair * refreshAndfindKey * commetn * refactor public keys add * digestプリレンダを復活させる RFC実装時にどうするか考える * fix, async * fix * !== true * use save * Deliver update person when new key generated (not tested) https://github.com/misskey-dev/misskey/pull/13464#issuecomment-1977049061 * 循環参照で落ちるのを解消？ * fix? * Revert "fix?" This reverts commit 0082f6f8e8c5d5febd14933ba9a1ac643f70ca92. * a * logger * log * change logger * 秘密鍵の変更は、フラグではなく鍵を引き回すようにする * addAllKnowingSharedInboxRecipe * nanka meccha kaeta * delivre * キャッシュ有効チェックはロック取得前に行う * @misskey-dev/node-http-message-signatures@0.0.3 * PrivateKeyPem * getLocalUserPrivateKey * fix test * if * fix ap-request * update node-http-message-signatures * fix type error * update package * fix type * update package * retry no key * @misskey-dev/node-http-message-signatures@0.0.8 * fix type error * log keyid * logger * db-resolver * JSON.stringify * HTTP Signatureがなかったり使えなかったりしそうな場合にLD Signatureを活用するように * inbox-delayed use actor if no signature * ユーザーとキーの同一性チェックはhostの一致にする * log signature parse err * save array * とりあえずtryで囲っておく * fetchPersonWithRenewalでエラーが起きたら古いデータを返す * use transactionalEntityManager * fix spdx * @misskey-dev/node-http-message-signatures@0.0.10 * add comment * fix * publicKeyに配列が入ってもいいようにする https://github.com/misskey-dev/misskey/pull/13950 * define additionalPublicKeys * fix * merge fix * refreshAndprepareEd25519KeyPair → refreshAndPrepareEd25519KeyPair * remove gen-key-pair.ts * defaultMaxListeners = 512 * Revert "defaultMaxListeners = 512" This reverts commit f2c412c18057a9300540794ccbe4dfbf6d259ed6. * genRSAAndEd25519KeyPairではキーを直列に生成する? * maxConcurrency: 8 * maxConcurrency: 16 * maxConcurrency: 8 * Revert "genRSAAndEd25519KeyPairではキーを直列に生成する?" This reverts commit d0aada55c1ed5aa98f18731ec82f3ac5eb5a6c16. * maxWorkers: '90%' * Revert "maxWorkers: '90%'" This reverts commit 9e0a93f110456320d6485a871f014f7cdab29b33. * e2e/timelines.tsで個々のテストに対するtimeoutを削除, maxConcurrency: 32 * better error handling of this.userPublickeysRepository.delete * better comment * set result to keypairEntityCache * deliverJobConcurrency: 16, deliverJobPerSec: 1024, inboxJobConcurrency: 4 * inboxJobPerSec: 64 * delete request.headers['host']; * fix * // node-fetch will generate this for us. if we keep 'Host', it won't change with redirects! * move delete host * modify comment * modify comment * fix correct → collect * refreshAndfindKey → refreshAndFindKey * modify comment * modify attachLdSignature * getApId, InboxProcessorService * TODO * [skip ci] add CHANGELOG --------- Co-authored-by: MeiMei <30769358+mei23@users.noreply.github.com> Co-authored-by: まっちゃとーにゅ <17376330+u1-liquid@users.noreply.github.com> 2024-07-18 01:28:17 +09:00			`});`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00
revert 5f88d56d96 バグがある(かつすぐに修正できそうにない) & まだレビュー途中で意図せずマージされたため 2024-07-20 21:33:20 +09:00			`test('createSignedGet with verify', async () => {`
			`const keypair = await genRsaKeyPair();`
			`const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey };`
			`const url = 'https://example.com/outbox';`
			`const headers = {`
			`'User-Agent': 'UA',`
			`};`

			`const req = ApRequestCreator.createSignedGet({ key, url, additionalHeaders: headers });`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00
revert 5f88d56d96 バグがある(かつすぐに修正できそうにない) & まだレビュー途中で意図せずマージされたため 2024-07-20 21:33:20 +09:00			`const parsed = buildParsedSignature(req.signingString, req.signature, 'rsa-sha256');`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00
revert 5f88d56d96 バグがある(かつすぐに修正できそうにない) & まだレビュー途中で意図せずマージされたため 2024-07-20 21:33:20 +09:00			`const result = httpSignature.verifySignature(parsed, keypair.publicKey);`
			`assert.deepStrictEqual(result, true);`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00			`});`
Merge commit from fork * fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. [GHSA-6w2c-vf6f-xf26](https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26) Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * Enhance: Add configuration option to disable all external redirects when responding to an ActivityPub lookup (config.disallowExternalApRedirect) Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * fixup! fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. * docs & one edge case Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * apply suggestions Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * remove stale frontend reference to _responseInvalidIdHostNotMatch Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * apply suggestions Signed-off-by: eternal-flame-AD <yume@yumechi.jp> --------- Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 19:21:34 +09:00
			`test('rejects non matching domain', () => {`
			`assert.doesNotThrow(() => assertActivityMatchesUrls(`
			`'https://alice.example.com/abc',`
			`{ id: 'https://alice.example.com/abc' } as IObject,`
			`[`
			`'https://alice.example.com/abc',`
			`],`
			`FetchAllowSoftFailMask.Strict,`
			`), 'validation should pass base case');`
			`assert.throws(() => assertActivityMatchesUrls(`
			`'https://alice.example.com/abc',`
			`{ id: 'https://bob.example.com/abc' } as IObject,`
			`[`
			`'https://alice.example.com/abc',`
			`],`
			`FetchAllowSoftFailMask.Any,`
			`), 'validation should fail no matter what if the response URL is inconsistent with the object ID');`

			`// fix issues like threads`
			`// https://github.com/misskey-dev/misskey/issues/15039`
			`const withOrWithoutWWW = [`
			`'https://alice.example.com/abc',`
			`'https://www.alice.example.com/abc',`
			`];`

			`cartesianProduct(`
			`cartesianProduct(`
			`withOrWithoutWWW,`
			`withOrWithoutWWW,`
			`),`
			`withOrWithoutWWW,`
			`).forEach(([[a, b], c]) => {`
			`assert.doesNotThrow(() => assertActivityMatchesUrls(`
			`a,`
			`{ id: b } as IObject,`
			`[`
			`c,`
			`],`
			`FetchAllowSoftFailMask.Strict,`
			`), 'validation should pass with or without www. subdomain');`
			`});`
			`});`

			`test('cross origin lookup', () => {`
			`assert.doesNotThrow(() => assertActivityMatchesUrls(`
			`'https://alice.example.com/abc',`
			`{ id: 'https://bob.example.com/abc' } as IObject,`
			`[`
			`'https://bob.example.com/abc',`
			`],`
			`FetchAllowSoftFailMask.CrossOrigin \| FetchAllowSoftFailMask.NonCanonicalId,`
			`), 'validation should pass if the response is otherwise consistent and cross-origin is allowed');`
			`assert.throws(() => assertActivityMatchesUrls(`
			`'https://alice.example.com/abc',`
			`{ id: 'https://bob.example.com/abc' } as IObject,`
			`[`
			`'https://bob.example.com/abc',`
			`],`
			`FetchAllowSoftFailMask.Strict,`
			`), 'validation should fail if the response is otherwise consistent and cross-origin is not allowed');`
			`});`

			`test('rejects non-canonical ID', () => {`
			`assert.throws(() => assertActivityMatchesUrls(`
			`'https://alice.example.com/@alice',`
			`{ id: 'https://alice.example.com/users/alice' } as IObject,`
			`[`
			`'https://alice.example.com/users/alice'`
			`],`
			`FetchAllowSoftFailMask.Strict,`
			`), 'throws if the response ID did not exactly match the expected ID');`
			`assert.doesNotThrow(() => assertActivityMatchesUrls(`
			`'https://alice.example.com/@alice',`
			`{ id: 'https://alice.example.com/users/alice' } as IObject,`
			`[`
			`'https://alice.example.com/users/alice',`
			`],`
			`FetchAllowSoftFailMask.NonCanonicalId,`
			`), 'does not throw if non-canonical ID is allowed');`
			`});`

			`test('origin relaxed alignment', () => {`
			`assert.doesNotThrow(() => assertActivityMatchesUrls(`
			`'https://alice.example.com/abc',`
			`{ id: 'https://ap.alice.example.com/abc' } as IObject,`
			`[`
			`'https://ap.alice.example.com/abc',`
			`],`
			`FetchAllowSoftFailMask.MisalignedOrigin \| FetchAllowSoftFailMask.NonCanonicalId,`
			`), 'validation should pass if response is a subdomain of the expected origin');`
			`assert.throws(() => assertActivityMatchesUrls(`
			`'https://alice.multi-tenant.example.com/abc',`
			`{ id: 'https://alice.multi-tenant.example.com/abc' } as IObject,`
			`[`
			`'https://bob.multi-tenant.example.com/abc',`
			`],`
			`FetchAllowSoftFailMask.MisalignedOrigin \| FetchAllowSoftFailMask.NonCanonicalId,`
			`), 'validation should fail if response is a disjoint domain of the expected origin');`
			`assert.throws(() => assertActivityMatchesUrls(`
			`'https://alice.example.com/abc',`
			`{ id: 'https://ap.alice.example.com/abc' } as IObject,`
			`[`
			`'https://ap.alice.example.com/abc',`
			`],`
			`FetchAllowSoftFailMask.Strict,`
			`), 'throws if relaxed origin is forbidden');`
			`});`

			`test('resist HTTP downgrade', () => {`
			`assert.throws(() => assertActivityMatchesUrls(`
			`'https://alice.example.com/abc',`
			`{ id: 'https://alice.example.com/abc' } as IObject,`
			`[`
			`'http://alice.example.com/abc',`
			`],`
			`FetchAllowSoftFailMask.Strict,`
			`), 'throws if HTTP downgrade is detected');`
			`});`
Refactor request (#7814) * status code * Test ap-request.ts https://github.com/mei23/crytest/blob/4397fc5e70536e4175fe56e974ca83b8047bef3a/test/ap-request.ts * tune 2021-10-16 17:16:24 +09:00			`});`