Make Kitsune to sign outgoing GET requests #267
Comments
Definitely a good addition. Something I also want to mention is that GoToSocial's default mode is "authorized fetch" mode, so to federate with any GoToSocial instance, we have to sign our fetches.
So... here is my abstract idea to choose the key to sign the request: If the fetch request is initiated by a user with a valid session: Use the user key to sign the request.
I think the use of users' keys has some privacy implications (which I've elaborated on at mastodon/mastodon#34 (comment)) and believe that the system actor's key should be used instead whenever the user's key isn't necessary (e.g. when fetching the outbox of a remote actor whom the requesting user isn't following). However, I'm not aware of a feature of Kitsune as it stands that fetches remote objects by users' request and doesn't require the user's key. The closest one is
Currently, Kitsune is not signing profile GET requests and is able to federate with instances which do not require signed GET requests.
However, some Mastodon instances require signed requests to fetch profile and (public / unlisted) toots.
Proposal
Implement signed GET requests to enhance interoperability between some Mastodon instances.
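A sketch of what signing a fetch involves, added here as an example and not taken from Kitsune's code base: it picks the signing key along the lines discussed in the comments (system actor unless the user's key is necessary) and builds the signing string and `Signature` header for a bodiless GET. It assumes the draft-cavage HTTP Signatures header format with `rsa-sha256`; the function names, key ids, host and path are constructed, and the RSA signing itself is a caller-supplied closure because it needs a crypto library.

```rust
// Added example (not Kitsune's code). Key ids, host and path are constructed.

/// Pick the keyId that signs a fetch. Follows the suggestion in the thread:
/// the instance (system) actor signs unless the user's key is necessary.
fn choose_key_id<'a>(user_key: Option<&'a str>, user_key_needed: bool, instance_key: &'a str) -> &'a str {
    match user_key {
        Some(k) if user_key_needed => k,
        _ => instance_key,
    }
}

/// Signing string for a GET. A GET has no body, so no digest line is covered.
/// Rejects CR/LF so a crafted path cannot add lines to the signed text.
fn signing_string(path: &str, host: &str, date: &str) -> Result<String, String> {
    for part in [path, host, date] {
        if part.contains('\r') || part.contains('\n') {
            return Err(format!("line break in component: {:?}", part));
        }
    }
    Ok(format!("(request-target): get {}\nhost: {}\ndate: {}", path, host, date))
}

/// Build the Signature header value. `sign` is a caller-supplied function
/// (assumption) returning the base64 RSA-SHA256 signature of its input.
fn signature_header<F>(key_id: &str, path: &str, host: &str, date: &str, sign: F) -> Result<String, String>
where
    F: Fn(&[u8]) -> String,
{
    let to_sign = signing_string(path, host, date)?;
    Ok(format!(
        "keyId=\"{}\",algorithm=\"rsa-sha256\",headers=\"(request-target) host date\",signature=\"{}\"",
        key_id,
        sign(to_sign.as_bytes())
    ))
}

fn main() {
    // Constructed inputs; the closure stands in for a real RSA signer.
    let instance_key = "https://kitsune.example/actor#main-key";
    let user_key = Some("https://kitsune.example/users/alice#main-key");
    let key_id = choose_key_id(user_key, false, instance_key);
    let header = signature_header(key_id, "/users/bob", "remote.example",
        "Tue, 07 Jan 2025 12:00:00 GMT", |_| "BASE64_SIGNATURE_PLACEHOLDER".to_string());
    println!("Signature: {}", header.unwrap());
}
```

The receiving server rebuilds the same signing string from the request it sees, so the `Host` and `Date` headers actually sent must match the values signed here byte for byte.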