
Timeline: impossible to access Fediverse links from within timeline

Open jeherve opened this issue 9 months ago • 3 comments

I was able to reproduce this in Tusky.

Steps to reproduce

  1. On a site running ActivityPub, Friends, and EMA, start following someone.
  2. In your timeline, you will see their posts.
  3. That person may publish a post with a link to another Fediverse instance.
  4. Click on the link. You will receive a rest_no_route error.

jeherve avatar Mar 03 '25 10:03 jeherve

Thanks for reporting, could you find out the URL it tries to access?

akirk avatar Mar 03 '25 10:03 akirk

I believe it was /api/v1/statuses/60743/context. For reference, 60743 refers to this: https://herve.bzh/api/v1/statuses/60743

(on a different topic, is it expected for this endpoint to return data even when not authenticated?)

jeherve avatar Mar 03 '25 10:03 jeherve

Thanks, I have just done some work on this endpoint, I'll do some more testing.

> (on a different topic, is it expected for this endpoint to return data even when not authenticated?)

Yes, quoting the docs:

> View a single status
>
> GET /api/v1/statuses/:id HTTP/1.1
>
> Obtain information about a status.
>
> Returns: Status
>
> OAuth: Public for public statuses, user token + read:statuses for private statuses

And:

> Get parent and child statuses in context
>
> GET /api/v1/statuses/:id/context HTTP/1.1
>
> View statuses above and below this status in the thread.
>
> Returns: Context
>
> OAuth: Public for public statuses limited to 40 ancestors and 60 descendants with a maximum depth of 20. User token + read:statuses for up to 4,096 ancestors, 4,096 descendants, unlimited depth, and private statuses.

I think we could enforce stronger privacy, I was just following what Mastodon servers do.

akirk avatar Mar 03 '25 10:03 akirk
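
The access rule quoted from the Mastodon docs in the comment above, as an added example that is not part of the thread or of the plugin's code: a Python model of who may read a status and how the context response is capped for anonymous and token-bearing callers. The `Status` class, the function names and the two-level visibility are assumptions made for this sketch.

```python
from dataclasses import dataclass

# Limits quoted in the thread for GET /api/v1/statuses/:id/context.
PUBLIC_LIMITS = {"ancestors": 40, "descendants": 60, "max_depth": 20}
TOKEN_LIMITS = {"ancestors": 4096, "descendants": 4096, "max_depth": None}  # None: unlimited

@dataclass
class Status:
    id: int
    visibility: str  # "public" or "private" (simplified to two levels here)
    depth: int = 1   # reply depth below the requested status (descendants only)

def has_read_scope(scopes):
    """A user token qualifies if it carries read:statuses (or the parent read scope)."""
    return bool(scopes) and bool({"read", "read:statuses"} & set(scopes))

def can_view(status, scopes):
    """Public statuses need no token; private ones need a suitably scoped user token.
    Simplification: the per-user audience check on private statuses is left out."""
    return status.visibility == "public" or has_read_scope(scopes)

def build_context(ancestors, descendants, scopes=None):
    """Filter and cap a thread the way the quoted limits describe.
    Assumptions: ancestors are ordered oldest first; max_depth applies to descendants."""
    limits = TOKEN_LIMITS if has_read_scope(scopes) else PUBLIC_LIMITS
    up = [s for s in ancestors if can_view(s, scopes)]
    down = [s for s in descendants if can_view(s, scopes)
            and (limits["max_depth"] is None or s.depth <= limits["max_depth"])]
    return {
        "ancestors": up[-limits["ancestors"]:],  # keep the ones nearest the status
        "descendants": down[:limits["descendants"]],
    }

if __name__ == "__main__":
    # Constructed sample thread: 50 ancestors, 70 direct replies (one private), one deep reply.
    ancestors = [Status(i, "public") for i in range(50)]
    descendants = [Status(100 + i, "public", depth=1) for i in range(70)]
    descendants[0].visibility = "private"
    descendants.append(Status(999, "public", depth=25))
    for label, scopes in (("anonymous", None), ("token", ["read:statuses"])):
        ctx = build_context(ancestors, descendants, scopes)
        print(label, len(ctx["ancestors"]), len(ctx["descendants"]))
```

The visibility filter runs before the caps, so an anonymous caller never receives a private status even when fewer than 60 descendants remain.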