
MentionToActor validation doesn't support aliases

Open fauno opened this issue 1 year ago • 4 comments

I'm getting a follow request from GoToSocial rejected by the Social Inbox because the webfingered account @[email protected] resolves to @[email protected] and doesn't pass validations. The accounts @[email protected] and @[email protected] are the same and should be considered as such.

I think we're also not supporting cases where people set a webfinger for their main domain to point to their fediverse account. I've seen a blog post about this somewhere.

What's the reason for this verification? At least it should support subdomains.

{
  "level": 30,
  "time": 1736010311357,
  "pid": 883966,
  "hostname": "srv2",
  "reqId": "req-h7ix",
  "res": {
    "statusCode": 404
  },
  "err": {
    "type": "NotFoundError",
    "message": "Webmention endpoint returned invalid subject for https://fedi.doma.in/.well-known/webfinger?resource=acct:[email protected]",
    "stack": "NotFoundError: Webmention endpoint returned invalid subject for https://fedi.doma.in/.well-known/webfinger?resource=acct:[email protected]\n    at ActivityPubSystem.mentionToActor (file://src/server/apsystem.ts:482:13)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async Object.<anonymous> (file://src/server/api/inbox.ts:97:31)",
    "status": 404,
    "statusCode": 404,
    "expose": true
  },
  "msg": "Webmention endpoint returned invalid subject for https://fedi.doma.in/.well-known/webfinger?resource=acct:[email protected]"
}

fauno avatar Jan 04 '25 17:01 fauno

Nice catch!

Could you post the webfinger records being returned? I'm unable to resolve that URL.

We just verify that the webfinger is returning the same account as what we requested in case there's a static site or something where entering a different resource returns the static (different) address.

https://github.com/hyphacoop/social.distributed.press/blob/main/src/server/apsystem.ts#L481

Are there other examples of aliased sites or docs on how this aliasing is supposed to work?

RangerMauve avatar Jan 06 '25 22:01 RangerMauve

Here's some info I found on aliases.

https://agha.dev/blog/creating-a-mastodon-alias/

RangerMauve avatar Jan 14 '25 16:01 RangerMauve

Sorry, I missed the notification for your request!

You can see here that the person used the original subject from fosstodon, so the Social Inbox wouldn't validate it either: https://agha.dev/.well-known/webfinger

This is the webfinger result for the GtS account for https://fedi.doma.in/.well-known/webfinger?resource=acct:[email protected] (I'm anonymizing the domain). This instance is under a subdomain but configured to serve accounts from the main domain, so setting the acct param to either domain or subdomain will serve the same subject. I believe this is because the Social Inbox is rebuilding the subject using the domain from the signing key, but didn't dig further. I think other instances would do the same.

I did a quick check on Mastodon's code and didn't find it doing this type of validation currently.

{
  "subject": "acct:[email protected]",
  "aliases": [
    "https://fedi.doma.in/users/fauno",
    "https://fedi.doma.in/@fauno"
  ],
  "links": [
    {
      "rel": "http://webfinger.net/rel/profile-page",
      "type": "text/html",
      "href": "https://fedi.doma.in/@fauno"
    },
    {
      "rel": "self",
      "type": "application/activity+json",
      "href": "https://fedi.doma.in/users/fauno"
    }
  ]
}

fauno avatar Jan 14 '25 16:01 fauno
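As an added illustration of the check discussed in this thread (this is not code from social.distributed.press; the function names, the `Policy` type and the constructed sample response below are assumptions), the following TypeScript compares a WebFinger response against the `acct:` resource that was requested. The strict mode mirrors the behaviour the thread describes: the subject has to equal the requested resource, which is what rejects the GoToSocial subdomain case. The relaxed mode additionally accepts the response when the requested `acct:` URI is listed under `aliases`, or when the subject lives on a parent or child domain of the requested one and the `rel="self"` actor is served by the very host that answered the WebFinger query. It still rejects a static site that returns one fixed subject for every resource, and it still rejects the agha.dev-style alias whose subject lives on an unrelated host, because the answering host cannot vouch for an account it does not serve.

```typescript
// Added example, not code from social.distributed.press. Names, the Policy
// type and the sample response are assumptions made for this illustration.

interface WebfingerLink { rel: string; type?: string; href?: string }
interface WebfingerResponse { subject: string; aliases?: string[]; links?: WebfingerLink[] }

type Policy = 'strict' | 'relaxed'
interface CheckResult { ok: boolean; reason: string }

// Parse "acct:user@host" (a leading "@" instead of "acct:" is tolerated) into its parts.
function parseAcct(acct: string): { user: string; host: string } | null {
  const m = /^(?:acct:)?@?([^@\s]+)@([^@\s]+)$/i.exec(acct.trim())
  return m ? { user: m[1], host: m[2].toLowerCase() } : null
}

// True when `child` equals `parent` or is a subdomain of it (fedi.doma.in under doma.in).
function isSameOrSubdomain(child: string, parent: string): boolean {
  return child === parent || child.endsWith('.' + parent)
}

// Host part of an absolute URL, or null when the value is not a valid URL.
function hostOf(href: string | undefined): string | null {
  if (!href) return null
  try { return new URL(href).host.toLowerCase() } catch (_e) { return null }
}

function checkWebfingerSubject(
  requested: string,          // the acct: resource we asked for
  queriedHost: string,        // host whose /.well-known/webfinger produced the response
  res: WebfingerResponse,
  policy: Policy = 'strict'
): CheckResult {
  const want = parseAcct(requested)
  const got = parseAcct(res.subject)
  if (!want || !got) return { ok: false, reason: 'unparseable acct resource or subject' }

  // Case 1: exact match, the only outcome the strict policy accepts.
  if (want.user === got.user && want.host === got.host) {
    return { ok: true, reason: 'subject matches requested resource' }
  }
  if (policy === 'strict') {
    return { ok: false, reason: `subject ${res.subject} differs from requested ${requested}` }
  }

  // Relaxed mode never accepts a different username, so a static site that
  // returns one fixed subject for every resource is still rejected.
  if (want.user !== got.user) return { ok: false, reason: 'username differs' }

  // Case 2: the server explicitly lists the requested acct: URI as an alias.
  const acctUri = `acct:${want.user}@${want.host}`
  if ((res.aliases ?? []).some(a => a.toLowerCase() === acctUri)) {
    return { ok: true, reason: 'requested resource listed in aliases' }
  }

  // Case 3: parent/child domain relation, accepted only if the rel=self actor
  // is served by the host we queried, so that host vouches for its own account.
  const self = (res.links ?? []).find(l => l.rel === 'self')
  const related = isSameOrSubdomain(want.host, got.host) || isSameOrSubdomain(got.host, want.host)
  if (related && hostOf(self?.href) === queriedHost.toLowerCase()) {
    return { ok: true, reason: 'subject on related domain, actor served by queried host' }
  }

  return { ok: false, reason: `subject ${res.subject} is neither an alias nor a related domain for ${requested}` }
}

// Constructed sample modelled on the anonymized GoToSocial response above:
// the instance runs on the fedi.doma.in subdomain but serves accounts at doma.in.
const sampleGtsResponse: WebfingerResponse = {
  subject: 'acct:fauno@doma.in',
  aliases: ['https://fedi.doma.in/users/fauno', 'https://fedi.doma.in/@fauno'],
  links: [
    { rel: 'http://webfinger.net/rel/profile-page', type: 'text/html', href: 'https://fedi.doma.in/@fauno' },
    { rel: 'self', type: 'application/activity+json', href: 'https://fedi.doma.in/users/fauno' }
  ]
}

console.log(checkWebfingerSubject('acct:fauno@fedi.doma.in', 'fedi.doma.in', sampleGtsResponse, 'strict'))
console.log(checkWebfingerSubject('acct:fauno@fedi.doma.in', 'fedi.doma.in', sampleGtsResponse, 'relaxed'))
```

The relaxed policy's subdomain rule assumes that whoever controls a domain also controls its subdomains, which holds for the single-operator instance in this thread but not for shared hosting where unrelated parties hold sibling subdomains. A cross-host alias of the agha.dev kind, where the subject points at a different provider, would need a second WebFinger lookup at the subject's own host to confirm that it points back, and this example deliberately does not accept it without that.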

Please note I edited the previous comment!

fauno avatar Jan 14 '25 16:01 fauno