http_signatures: tweak order of route aliases

We expect most requests to be made for the actual canonical ID,
so check this one first (starting without query headers matching the
predominant albeit spec-breaking version).

Also avoid unnecessary rerewrites of the digest header on each route
alias by just setting it once before iterating through aliases.

lib/pleroma/web/plugs/http_signature_plug.ex

@@ -77,10 +77,6 @@ defp assign_valid_signature_on_route_aliases(conn, [path | rest]) do
       |> put_req_header("(request-target)", request_target)
       |> maybe_put_created_psudoheader()
       |> maybe_put_expires_psudoheader()
-      |> case do
-        %{assigns: %{digest: digest}} = conn -> put_req_header(conn, "digest", digest)
-        conn -> conn
-      end
 
     conn
     |> assign(:valid_signature, HTTPSignatures.validate_conn(conn))
@@ -93,7 +89,13 @@ defp maybe_assign_valid_signature(conn) do
       # set (request-target) header to the appropriate value
       # we also replace the digest header with the one we computed
       possible_paths =
-        route_aliases(conn) ++ [conn.request_path, conn.request_path <> "?#{conn.query_string}"]
+        [conn.request_path, conn.request_path <> "?#{conn.query_string}" | route_aliases(conn)]
+
+      conn =
+        case conn do
+          %{assigns: %{digest: digest}} = conn -> put_req_header(conn, "digest", digest)
+          conn -> conn
+        end
 
       assign_valid_signature_on_route_aliases(conn, possible_paths)
     else