-
-
Notifications
You must be signed in to change notification settings - Fork 310
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bug] unable to follow lemmy communities #2697
Comments
Possibly related: #1468 |
Also possibly related: LemmyNet/lemmy#4451 |
I'm reasonably certain it's an authorised fetch issue. You should be able to see it if you look at the logs when you do a request. Lemmy should be trying to deliver an "accept" of the follow request (you should see an incoming request with a Lemmy user agent) but it'll lack a signature/fail validation. In which case we drop it on the floor. |
Mm, POST requests to an inbox should be authorized. It's just GET requests that Lemmy doesn't (by default) sign. |
The other issue linked above implies that following should work, just that replies doesn't. I'll try to pull logs in a moment. |
|
Mmmhmm, those logs confirm what I was thinking. If Lemmy doesn't sign their GET requests then they won't be able to fetch your Actor to see who's making the Follow request. So they won't be able to send anything back to you either, because they don't know what your Inbox address is, or who you even are. This means that Lemmy also probably doesn't work with mastodon instances that have secure mode switched on. |
Lemmy has an admin setting for authorized fetch which Ive enabled on our test server. It would be good if you can follow one of the communities and tell me what is wrong with the signature. In principle there should be no problem as its using the same signing logic as for inbox activities. |
@Nutomic I tried but got an error that |
Sorry my bad, use ds9.lemmy.ml which has open federation and also has signed fetch enabled. |
Alrighty, here's what happens:
So GtS makes the POST to Lemmy. Looks like while the POST request is still pending, Lemmy tries to fetch the Actor who did the POST. Signature authentication fails for whatever reason (you sure that GET request is signed?), so GtS returns 401 to Lemmy. And then Lemmy returns Bad Request to GoToSocial, thereby terminating the POST. |
Yes those steps sound normal. I was hoping you could tell me what exactly is wrong with the signature of the GET request. From what I can see it should definitely be signed in the same was as POST requests to the inbox. |
As far as I can tell, it's just not signed. Or not signed in a way that GtS even recognizes as a signature. Could you link me to your HTTP signature logic? |
Okay I found a problem where the private key wasnt passed in properly. This is fixed now on ds9, can you give it another try? I did try to fetch from a gotosocial instance myself, but it just returns |
GtS has a similar complaint to mastodon:
It oughtn't return Internal Server Error but nevermind.
while preferredUsername is an optional property according to AP afaik most implementations (including GtS and Mastodon) use that username for quite a lot of things internally the "canonical" way to do instance actor usernames is to just use the hostname of the instance, so in this case something like |
Thats odd considering you can easily extract the domain from the url. Anyway Ive added that field and deployed it. But now Mastodon is throwing |
Bear in mind that Mastodon etc don't necessarily know it's the instance actor. Also bear in mind that "instance actor" isn't even a concept in ActivityPub full stop, it's just a convention that many implementations have adopted (in my opinion, wrongly, but that's another story...). So Mastodon is treating the instance actor just like any other actor and trying to resolve it through webfinger. I believe GoToSocial will fail on the same hurdle, but I don't have time to check right now. Generally speaking, webfinger is a good way of checking "does this account really exist on this server, according to the server itself". This avoids issues where a user on an instance just uploads some JSON that looks like an actor, and points people to it. If remote servers can't resolve the supposed actor using webfinger, they know it's not legit (just one example). |
Webfinger works for the instance actor on GtS. For example, the GtS instance: https://gts.superseriousbusiness.org/.well-known/webfinger?resource=acct:gts.superseriousbusiness.org@superseriousbusiness.org As long as its a local account, which the instance actor is, webfinger will work. But yeah, if GtS sees an account by Lemmy's instance actor, it'll try and resolve it using Webfinger, in order to amongst other things determine where to retrieve the signing key from. Same for Pleroma/Akkoma and the Misskeys I believe. |
Alright I added those changes and again deployed them to ds9.lemmy.ml. It seems to be working now, I can fetch a Mastodon user which requires authorized fetch. |
@Nutomic i just attempted a follow of one of your test users on ds9.lemmy.ml and am getting the following error:
any idea why you're hitting the root level path in response to the AP request flow? |
Lemmy has the instance actor at |
Can we conclude this is fixed now? It doesn't sound like there's anything left to do. |
I guess if someone on GtS can follow a lemmy actor and get posts delivered then it should be OK. @Nutomic can you confirm whether that's the case now? |
You can try following https://ds9.lemmy.ml/u/nutomic |
I haven't upgraded GtS to 0.15 yet, but I was able to follow the "nutomic" user account from my instance as well as the "ZZZ Test Community 1" community. |
Nothing changed on the GtS side related to this, so no need to upgrade (though do upgrade, it's a good release 😄). Sounds like the implementation changes in Lemmy have resolved the issue and everything's working correctly now with instances that enforce authorized fetch. I'll close this for now, but if you notice there's still problems feel free to reopen it. |
Describe the bug with a clear and concise description of what the bug is.
I’ve tried on a few different occasions to follow various lemmy communities, however my requests always get stuck in “Requested”. I’m able to follow many Mastodon instances without issue, so I think my federation setup is working generally. When I search for the community in my instance, the profile data and icon are fetched without issue.
What's your GoToSocial Version?
V0.13.3
GoToSocial Arch
amd64 binary
What happened?
No response
What you expected to happen?
No response
How to reproduce it?
Anything else we need to know?
No response
The text was updated successfully, but these errors were encountered: