Problem fetching users from a re-created instance #1986

Closed
Kradyz opened this issue Dec 10, 2021 · 9 comments
Labels
bug Something isn't working


@Kradyz
Contributor

Kradyz commented Dec 10, 2021

Issue Summary

If an instance is deleted and re-created at the same domain, and a username is used again at the re-created instance, the user's information can't be fetched from other instances.

Steps to Reproduce

Attempting to access these two users from instances that went down and then back up will fail:

https://lemmy.ml/u/Sal@mander.xyz
https://lemmy.ml/u/QuentinCallaghan@sopuli.xyz

The error is either:
Code: FetchError: invalid json response body at http://lemmy:8536/api/v3/user?sort=New

Or:
504 Gateway Time-out.

New users with different usernames can be fetched:
https://lemmy.ml/u/new_name@mander.xyz

It could also be an issue related specifically with admin accounts.

Technical details

The log was generated by restarting the docker images, and then trying to access both https://lemmy.ml/u/new_name@mander.xyz and https://lemmy.ml/u/Sal@mander.xyz through a Firefox browser.

lemmy_log.LOG

@Kradyz Kradyz added the bug Something isn't working label Dec 10, 2021
@Kradyz Kradyz changed the title Problem loading users from a re-created instance Problem fetching users from a re-created instance Dec 10, 2021
@dessalines
Member

dessalines commented Dec 10, 2021

> a username is used again at the re-created instance

This breaks activitypub. An activitypub actor id must be unique, and you recreated one with new public and private keys. No instance that has your old one will work with it, because it properly treats the new one as trying to impersonate or as a fake.

@asonix
Collaborator

asonix commented Dec 10, 2021

fwiw mastodon, pleroma, and others implement "blind key rotation" which generates new public & private keys for actors every time they delete a post (or something along those lines)

@Nutomic
Member

Nutomic commented Dec 11, 2021

> This breaks activitypub. An activitypub actor id must be unique, and you recreated one with new public and private keys. No instance that has your old one will work with it, because it properly treats the new one as trying to impersonate or as a fake.

I don't think this is correct. Lemmy only uses signatures to verify incoming activities, but not when fetching remote users/communities. In that case, it is simply updated after some basic validity checks, but without any signature verification.

@Mander-git Your problem is with webfinger (which is used to resolve @Sal@mander.xyz to the actual user profile url). The following request throws an error, maybe server logs will tell you why.

curl "https://mander.xyz/.well-known/webfinger?resource=acct:Sal@mander.xyz"

@Nutomic Nutomic reopened this Dec 11, 2021
@Kradyz
Contributor Author

Kradyz commented Dec 11, 2021

Thank you to the three of you. I have run the curl command and I have attached the immediate output:

curl_log.LOG

I am not able to understand what this means.

@dessalines
Member

Lowercase seemed to work fine:

curl "https://mander.xyz/.well-known/webfinger?resource=acct:sal@mander.xyz"

{"subject":"acct:sal@mander.xyz","links":[]}

I see we do have a lowercase unique index on the table: "idx_person_lower_actor_id" UNIQUE, btree (lower(actor_id::text))

but haven't actually done a migration to convert the existing names and actor_ids to lower case, or enforced it on the back end.

@Kradyz
Contributor Author

Kradyz commented Dec 13, 2021

Going through the issues, I noticed that this issue is a duplicate of #1955

dessalines pushed a commit that referenced this issue Dec 20, 2021
* Make webfinger case insensitive

* Make webfinger case insensitive

* Case insensitive domain name

* Case-insensitive webfinger

* formatting

Co-authored-by: Kradyz <k@radiz.nl>
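
The case-insensitive webfinger resolution named in the commit above, as an added Rust example that is not Lemmy's code and not part of the thread. The `Directory` type, its methods, the username character rule and the actor id URL layout are assumptions made for the illustration; the sample domain and name are the ones quoted in the issue.

```rust
use std::collections::HashMap;

/// Parse a webfinger `resource` ("acct:name@domain") into a lower-cased
/// (name, domain) pair; None if malformed. Name charset is an assumption.
fn parse_acct(resource: &str) -> Option<(String, String)> {
    let (name, domain) = resource.strip_prefix("acct:")?.rsplit_once('@')?;
    let name_ok = name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_');
    if name.is_empty() || domain.is_empty() || !name_ok {
        return None;
    }
    Some((name.to_ascii_lowercase(), domain.to_ascii_lowercase()))
}

/// Hypothetical local user table, keyed by lower-cased name.
struct Directory {
    domain: String,
    actors: HashMap<String, String>, // lower(name) -> actor id as created
}

impl Directory {
    fn new(domain: &str) -> Self {
        Directory { domain: domain.to_ascii_lowercase(), actors: HashMap::new() }
    }

    /// Mirrors a unique index on lower(actor_id): two names that differ
    /// only by case cannot coexist. Actor id layout is constructed.
    fn register(&mut self, name: &str) -> bool {
        let key = name.to_ascii_lowercase();
        if self.actors.contains_key(&key) {
            return false;
        }
        self.actors.insert(key, format!("https://{}/u/{}", self.domain, name));
        true
    }

    /// Resolve a webfinger resource to an actor id, ignoring case in both
    /// the name and the domain; foreign domains and bad input yield None.
    fn resolve(&self, resource: &str) -> Option<&str> {
        let (name, _) = parse_acct(resource).filter(|(_, d)| *d == self.domain)?;
        self.actors.get(&name).map(String::as_str)
    }
}

fn main() {
    let mut dir = Directory::new("mander.xyz"); // domain quoted in the issue
    dir.register("Sal");
    println!("{:?}", dir.resolve("acct:sal@MANDER.XYZ"));
}
```

Normalizing on both the write path (`register`) and the read path (`resolve`) is what keeps the lower-case unique index and the lookup in agreement.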
@Nutomic Nutomic closed this as completed Mar 15, 2022
@SnipeAT

SnipeAT commented Aug 8, 2023

> a username is used again at the re-created instance
>
> This breaks activitypub. An activitypub actor id must be unique, and you recreated one with new public and private keys. No instance that has your old one will work with it, because it properly treats the new one as trying to impersonate or as a fake.

Does this mean if I delete and rebuild my instance, I'm doomed to never recover my username? It seems I'm running into this issue now that I've rebuilt and recreated my account using the same name. Or will my keys eventually expire and I'll be able to post again?

@Nutomic
Member

Nutomic commented Aug 9, 2023

Lemmy refetches users and their public keys every 24 hours, so after that time the federation will work fine.

@SnipeAT

SnipeAT commented Aug 9, 2023

Thank you kind sir!
