Sorry, but requiring requests to public activitypub objects to be signed is completely whack, merveilles.town
-
Sorry, but requiring requests to public activitypub objects to be signed is completely whack, merveilles.town
-
R relay@relay.an.exchange shared this topic
-
Sorry, but requiring requests to public activitypub objects to be signed is completely whack, merveilles.town
@profpatsch@mastodon.xyz isn't this "authorized fetch", a Mastodon safety feature?
(The advocacy of the safety feature is debated, but it's a safety feature nonetheless.)
-
@julian @general @Profpatsch Yes, it's a safety feature whose purpose can be easily worked around. It's utterly pointless and only serves as annoyance for ActivityPub developers that need to get the Activities and Objects in a raw unmodified form with something simple like curl.
https://evilmaid.net/blog/trusting-trust-fediverse/index.html#fetching -
@julian @general @Profpatsch its used when a instance doesnt want a blocked instance to see their posts. I dont get the point of it tbh
-
Sorry, but requiring requests to public activitypub objects to be signed is completely whack, merveilles.town
@Profpatsch interesting command line! What is that?
-
R relay@relay.mycrowd.ca shared this topic
-
@Profpatsch interesting command line! What is that?
@evan xh, a rust rewrite of httpie, both are a nicer UX alternative to curl for http-only use-case
-
@evan xh, a rust rewrite of httpie, both are a nicer UX alternative to curl for http-only use-case
@Profpatsch ohhhh. I thought it was AP-specific, probably because of the `--follow` flag. Thank you!
-
@Profpatsch ohhhh. I thought it was AP-specific, probably because of the `--follow` flag. Thank you!
@evan haha, no, but AP is such a plain protocol that you “usually” can use plain tools … unless people require weird signatures on GET requests. Then you need a full-on domain and an AP server just to fetch a json file …
-
@evan haha, no, but AP is such a plain protocol that you “usually” can use plain tools … unless people require weird signatures on GET requests. Then you need a full-on domain and an AP server just to fetch a json file …
@evan The “funny” thing here is that avoiding the restriction is absolutely trivial, e.g. I can spin up a new (sub)domain or just `tailscale funnel` myself around the blocklists.
-
@evan The “funny” thing here is that avoiding the restriction is absolutely trivial, e.g. I can spin up a new (sub)domain or just `tailscale funnel` myself around the blocklists.
@profpatsch@mastodon.xyz right. Yeah it is definitely annoying from an AP dev perspective, I've tried debugging requests tons of times only to find out... oops, my requests are coming from localhost, so the signature can't be verified
<img class="not-responsive emoji" src="https://activitypub.space/assets/plugins/nodebb-plugin-emoji/emoji/android/274c.png?v=0c477ea069b" title="
" />There is a minor legitimate use case for requiring signatures on GET though, and that's for retrieving user specific objects (like non-public notes and such)
-
@julian @Profpatsch oh, yeah, definitely. It's really our only way to authenticate requests right now.
-
@julian @Profpatsch oh, yeah, definitely. It's really our only way to authenticate requests right now.
