Setting up various ActivityPub implementations lately (small, single user stuff and one larger one). The incoming requests are rivers of DELETEs, most of which have never actually interacted my instance before. I understand the reasoning, but wish there w...
-
Setting up various ActivityPub implementations lately (small, single user stuff and one larger one). The incoming requests are rivers of DELETEs, most of which have never actually interacted my instance before.
I understand the reasoning, but wish there was a layer above my instance directing irrelevant AP traffic away from my little single user server.
Recommendation: Don't federate with large instances if you're just tinkering around with stuff.
-
@[email protected] I'm surprised that servers just spray Deletes to every known instance, but I can see the reasoning: if every received instance shares the delete to every known server, it propagates more thoroughly.
It may be worth maintaining a lookup table for object ids purely to handle this scenario, eh...
-
J julian moved this topic from Uncategorized on
-
I think I just put together why this is happening, thank you for helping connect those dots. This is inbox forwarding, which is actually feasible at scale in this case because there's no longer any actor to host a verification key, meaning the messages have to go out unsigned. Right?
-
Jeff Sikesreplied to Jenniferplusplus on last edited by
@jenniferplusplus Hmmm I'm not going to even pretend to be on y'all's level here but with Terence Eden's little single file PHP server I can see DELETEs coming in and there are signatures in the message received. When I visit the actor's page on the instance, I got a 403 on a mastodon instance.
-
@[email protected] @[email protected] are they signatures from the now-deleted user? I'd assume they'd not resolve if you tried to verify them.
However deletes you could sign using the instance signature, if your instance has one.
-
Jeff Sikesreplied to Guest on last edited by [email protected]
@julian @jenniferplusplus In this example, the request body contains an activity type of Delete with an RsaSignature2017 included for the deleted user (actor and creator are both pointing to deleted user) with a #main-key fragment identifier.
The header has the same actor URL (keyId) with a #main-key fragment, but with an rsa-sha256 signature.
This is coming from a Mastodon instance.
-
Jenniferplusplusreplied to Jeff Sikes on last edited by
