[wip] use Authorized fetch #723
No reviewers
Labels
No labels
A: API
A: Backend
A: Federation
A: Front-End
A: I18N
A: Meta
A: Security
Build
C: Bug
C: Discussion
C: Enhancement
C: Feature
Compatibility
Dependency
Design
Documentation
Good first issue
Help welcome
Mobile
Rendering
S: Blocked
S: Duplicate
S: Incomplete
S: Instance specific
S: Invalid
S: Needs Voting/Discussion
S: Ready for review
Suggestion
S: Voted on Loomio
S: Wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: Plume/Plume#723
Loading…
Add table
Reference in a new issue
No description provided.
Delete branch "epsilon-phase/authorized-fetch"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Many activitypub servers are starting to enable Mastodon style authorized fetch for security reasons. As plume does not sign the user fetches, this means it is not possible to fetch actor information from these servers
The current solution is rather hacky, but it is the best we can figure out without more input and guidance. The ideal solution is to have a quasi actor that can sign these requests and be transparent to the user. As of now it merely fetches the first local user that comes to hand and signs the request with their information.
Codecov Report
Pull request closed