Skip to content
This repository has been archived by the owner on Jan 31, 2024. It is now read-only.

feat: authorised fetch #217

Open
dakkar opened this issue Dec 8, 2023 · 2 comments
Open

feat: authorised fetch #217

dakkar opened this issue Dec 8, 2023 · 2 comments

Comments

@dakkar
Copy link
Contributor

dakkar commented Dec 8, 2023

Summary

some other fedi software allow enforcing that all GET requests with Accept: application/activity+json be signed, and will refuse to serve both unsigned requests, and signed requests from blocked / silenced / restricted instances.

Purpose

Some writing about this: https://hub.sunny.garden/2023/06/28/what-does-authorized_fetch-actually-do/
and https://docs.joinmastodon.org/admin/config/#authorized_fetch

The main effect is to make it much harder for blocked instances (and random data harversters) to retrieve profiles and notes

(this feature was suggested by mia on Discord)
@Mar0xy
Copy link
Contributor

Mar0xy commented Dec 8, 2023
edited
Loading

misskey-dev/misskey#6731

(prob apply same config to inbox)

@dakkar
Copy link
Contributor Author

dakkar commented Dec 8, 2023

that PR adds code to sign outbound GET requests

I'm talking about validating signatures to inbound GET requests

It's the difference between

$ curl -H 'Accept:application/activity+json' https://social.treehouse.systems/@dysfun
{"error":"Request not signed"}

and

$ curl -H 'Accept:application/activity+json' https://s.thenautilus.net/@dakkar
(my whole profile

PrivateGER referenced this issue in PrivateGER/Sharkey Dec 24, 2023
merge: authorized fetch (#247)
fd57c7e 
Closes #217
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dakkar @Mar0xy