Add HTTP signatures to all outgoing ActivityPub GET requests#11284
Add HTTP signatures to all outgoing ActivityPub GET requests#11284
Conversation
|
Picking a random account to sign the requests with is poor metadata hygeine. It would be desirable to ensure that |
|
Instance actor is in the works, but this will do for now. It's only a random account when the "contact account" is not configured. But in either case it's the same account every time. The only risk/downside to this approach vs dedicated instance actor account is that personal accounts may be suspended on the remote end for personal reasons--or, in the case of reports, the remote admin may misinterpret the actions as personal rather than automated. |
Gargron
force-pushed
the
feature-sign-all-requests
branch
2 times, most recently
from
099b8c2 to
4a4ca1f
Compare
Gargron
force-pushed
the
feature-sign-all-requests
branch
from
4a4ca1f to
878cdd6
Compare
ClearlyClaire
left a comment
ClearlyClaire
left a comment
There was a problem hiding this comment.
Looks ok to me. Even though I agree an instance actor would be way cleaner, for this particular use case it seems like a good interim solution.
3 participants
This was a lot simpler than I thought it would be. All ActivityPub fetches are using
fetch_resourceso that's the only place where we need to add a signing account, besidesFetchResourceServicewhich works with HTML pages as well.I'm removing the code for attempting to fetch without signature if fetch with signature fails because if #11269 will be enabled in the long-term it will be a waste of time.
Change default
keyIdformat fromaccttouri