From 8174578c5bfc45057be71b99425a9b93decaec98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Sun, 11 May 2025 22:31:00 -0400
Subject: [PATCH 1/2] fix: closes #13405, catch errors in ap.verify
---
 src/activitypub/index.js | 82 ++++++++++++++++++++--------------------
 1 file changed, 41 insertions(+), 41 deletions(-)
diff --git a/src/activitypub/index.js b/src/activitypub/index.js
index e055522d81..c87a0654f3 100644
--- a/src/activitypub/index.js
+++ b/src/activitypub/index.js
@@ -232,49 +232,49 @@ ActivityPub.verify = async (req) => { return false; } - // Break the signature apart - let { keyId, headers, signature, algorithm, created, expires } = req.headers.signature.split(',').reduce((memo, cur) => { - const split = cur.split('="'); - const key = split.shift(); - const value = split.join('="'); - memo[key] = value.slice(0, -1); - return memo; - }, {}); - - const acceptableHashes = getHashes(); - if (algorithm === 'hs2019' || !acceptableHashes.includes(algorithm)) { - algorithm = 'sha256'; - } - - // Re-construct signature string - const signed_string = headers.split(' ').reduce((memo, cur) => { - switch (cur) { - case '(request-target)': { - memo.push(`${cur}: ${String(req.method).toLowerCase()} ${req.baseUrl}${req.path}`); - break; - } - - case '(created)': { - memo.push(`${cur}: ${created}`); - break; - } - - case '(expires)': { - memo.push(`${cur}: ${expires}`); - break; - } - - default: { - memo.push(`${cur}: ${req.headers[cur]}`); - break; - } - } - - return memo; - }, []).join('\n'); - // Verify the signature string via public key try { + // Break the signature apart + let { keyId, headers, signature, algorithm, created, expires } = req.headers.signature.split(',').reduce((memo, cur) => { + const split = cur.split('="'); + const key = split.shift(); + const value = split.join('="'); + memo[key] = value.slice(0, -1); + return memo; + }, {}); + + const acceptableHashes = getHashes(); + if (algorithm === 'hs2019' || !acceptableHashes.includes(algorithm)) { + algorithm = 'sha256'; + } + + // Re-construct signature string + const signed_string = headers.split(' ').reduce((memo, cur) => { + switch (cur) { + case '(request-target)': { + memo.push(`${cur}: ${String(req.method).toLowerCase()} ${req.baseUrl}${req.path}`); + break; + } + + case '(created)': { + memo.push(`${cur}: ${created}`); + break; + } + + case '(expires)': { + memo.push(`${cur}: ${expires}`); + break; + } + + default: { + memo.push(`${cur}: ${req.headers[cur]}`); + 
break; + } + } + + return memo; + }, []).join('\n'); + // Retrieve public key from remote instance ActivityPub.helpers.log(`[activitypub/verify] Retrieving pubkey for ${keyId}`); const { publicKeyPem } = await ActivityPub.fetchPublicKey(keyId); From fcf9e8b796d81db1c7e50561f25b78e5ebfe3bf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?= Date: Mon, 12 May 2025 09:01:32 -0400 Subject: [PATCH 2/2] chore: up mentions --- install/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/package.json b/install/package.json index 9b6429f93e..eca4d69ed8 100644 --- a/install/package.json +++ b/install/package.json @@ -103,7 +103,7 @@ "nodebb-plugin-emoji": "6.0.2", "nodebb-plugin-emoji-android": "4.1.1", "nodebb-plugin-markdown": "13.1.2", - "nodebb-plugin-mentions": "4.7.4", + "nodebb-plugin-mentions": "4.7.5", "nodebb-plugin-spam-be-gone": "2.3.2", "nodebb-plugin-web-push": "0.7.4", "nodebb-rewards-essentials": "1.0.2",
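Review bot: The signing string built in the `headers.split(' ').reduce(...)` block still covers only the header names the sender lists, and nothing visible in the hunk requires that list to include `(request-target)`, `host`, `date` or, for requests with a body, `digest`. Unless a check outside the hunk already rejects it, a signature over a narrower set would verify while leaving the path or body unauthenticated. With the parsing now inside the `try`, a missing `headers` parameter is rejected only through the TypeError thrown by `headers.split`. An explicit guard right after the destructuring would state the intent and give the minimum-set check a home, e.g. `if (!keyId || !headers || !signature || !headers.split(' ').includes('(request-target)')) { return false; }`. The `default` branch also interpolates the literal text `undefined` when `req.headers[cur]` is absent from the request, so returning false there would be stricter; the `catch` and the rest of `ActivityPub.verify` lie outside the hunk, so how a caught error is reported cannot be confirmed from here.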