#dev 2023-06-23

2023-06-23 UTC
saptaks and oxtyped joined the channel
#
[snarfed] [timothy_chambe]++
#
Loqi [timothy_chambe] has 1 karma in this channel over the last year (22 in all channels)
#
[snarfed] interesting, Mastodon now shows verified rel-me links in search results: https://snarfed.org/mastodon-search.png
#
[snarfed] and notably that's cross-instance
#
[snarfed] did we ever figure out how to do verified links in AP so Mastodon will recognize them?
#
aaronpk i tried a few things and gave up
neatnik joined the channel
#
[snarfed] I searched https://socialhub.activitypub.rocks/ and https://github.com/mastodon/mastodon/issues just now, didn't find anything obvious
#
[snarfed] closest was https://github.com/mastodon/mastodon/issues/20159#issuecomment-1307861787 , which says that each instance does its own verification of remote users' profile links. which still begs the question of how we trigger that verification from non-Mastodon AP
#
Loqi [preview] [afontenot] > When interacting with a different instance, it could try to redo the verification This already exists, instances do their own verification. You only have to trust your instance owner / admin, not the instance of the user that's claiming verifica...
#
aaronpk i tried sending an update activity to trigger the verification but it didn't seem to work
#
aaronpk but also i wasn't diving into the code base, I was just looking at it from the outside
[jacky] joined the channel
#
[jacky] that _is_ a neat function to add for a microsub-enabled client tho
#
[jacky] especially if it's able to peek into your /contacts
#
[snarfed] aaronpk any chance you have notes anywhere on what you tried?
#
aaronpk no, it was pretty scatter shot
#
aaronpk it's hard to debug when there's no way to know what's going on at the other end
#
[snarfed] np
#
[snarfed] right
#
[snarfed] you can run a local Mastodon to test against, but then you have two problems
#
aaronpk i did actually try that, but i don't even know enough about how it's built to do any debugging
#
[jacky] MiTM monitor? hehe
#
[snarfed] [jacky] the verification logic is internal to Mastodon, and happens in the Sidekiq task queue, so there's not much/any network traffic to look at
#
[jacky] hmm
#
[jacky] that's so weird it's not documented
#
aaronpk I do remember trying to find the code that does the verification too, but it was so buried in many layers of class hierarchy that I couldn't find anything useful
btrem and willnorris_ joined the channel
#
vladimyr aaronpk: https://github.com/mastodon/mastodon/blob/v4.1.2/app/services/verify_link_service.rb
#
vladimyr It is very simple service and only thing you really need to know is that Nokogiri is DOM implementation in ruby enabling you to query selectors and xpaths on provided html string
#
vladimyr This gets triggered each time you update your mastodon profile and is completely independent from activitypub side of things
#
vladimyr This is mastodon specific
strugee joined the channel
#
vladimyr I mean when you go and add or change links at your mastodon profile which is not something you can do by activitypub message/call
#
vladimyr Oh you were talking about remote profile verification, well haven't looked into the code but I'd assume it just calles same sidekiq service with account info exchanged with remote instance
#
[snarfed] "account info exchanged with remote instance" is the key question. we're not aware of a Mastodon-specific server to server API, only ActivityPub, which implies that that's doable from outside Mastodon
#
vladimyr It probably gets triggered each time you do the search with some cache involved cause I know for a fact that your own profile links are also periodically re-verified simply due to volatile nature of urls
#
[snarfed] sure, the key question is how to do it for a non-Mastodon account. we don't yet know that anyone's done that, but we also don't know what would prevent it
tei_ joined the channel
#
[snarfed] you'd hope that the link check for remote profiles works the same way as for local profiles: you fetch each link, and if it has a rel-me link back to the actor's AS2 `url` field, it's verified
#
vladimyr That's relatively easy to check, just host somewhere fake actpub actor
#
vladimyr Only json blob describing the user
#
vladimyr Search for that url
#
vladimyr And put inside urls you want to verify
#
[snarfed] right. aaronpk evidently tried it a few different ways, sounds like including the obvious ways like that, but never got it to work
#
vladimyr He tried sending update activity
#
vladimyr If I understood correctly
#
vladimyr What I'm saying is do the foo.example.com/actor.json and put inside that json reference to bar.example.com
#
vladimyr Host index.html on bar.example.com pointing back to foo.example.com/actor.json
#
vladimyr And search on your masto instance for foo.example.com/actor.json
#
vladimyr That should be enough to force mastodon to take that actpub blob, extract profile link and start verificafion dance?
#
vladimyr Also this "validation" logic is blissfully naive and not to be really trusted
#
vladimyr Cause it works by
#
vladimyr 1. find all rel=me links and anchors
#
vladimyr 2. If it matches canonical actor url it is verified
#
vladimyr 3. If not take only first of them, do the head request and check if it redirects to cannonical actor url
#
[snarfed] right, I understand what you're proposing. and aaronpk didn't describe what he tried: https://chat.indieweb.org/dev/2023-06-23#t1687483479551500
#
vladimyr (not sure why only the first one is checked)
#
Loqi [preview] [aaronpk] no, it was pretty scatter shot
#
[snarfed] why is that not to be trusted? assuming https, if the external page points to the Mastodon profile URL with rel=me, it is asserting that it's the Mastodon user
#
[snarfed] in any case, I agree, this hopefully should work in theory. want to try it and see if it works?
#
vladimyr Because bad people can be creative in such manner that they serve different responses for head and get requests
#
[snarfed] sure, but that's on them
#
[snarfed] in any case, please do let us know if you get this working, that'd be great progress!
#
[snarfed] oh and more importantly the link verification is _bidirectional_, ie you need add a link to your Mastodon profile _and_ have that URL serve a rel-me link back to your profile. if a bad actor points a rel-me link at your profile, that alone isn't enough
strugee joined the channel
#
vladimyr Um, let's see, I need two domains/locations, one responding with actpub actor json and another with html and instance from which I need to trigger search
#
vladimyr I can try on any public instance
#
vladimyr And for quick and diry test I could use replit.com or val.town or anything like that
#
vladimyr Shouldn't require too much code
#
vladimyr And I have example from screenshot to guide me
#
vladimyr (also you are right, it is on user if they mess up verification I'm just saying I'm not a fan of switching http method cause it makes it harder to debug)
#
[snarfed] I set it up just now too. my Bridgy Fed account @snarfed.org@snarfed.org has a profile link to https://snarfed.org/, which now has rel-me links back to both the AS2 actor id https://fed.brid.gy/snarfed.org and its url https://fed.brid.gy/r/https://snarfed.org/ . we'll see if it gets a green check anywhere
#
vladimyr (and it is not entirely up to /standard/ cause it misses http link headers which should be interchangeable with link elements)
strugee_ joined the channel
#
vladimyr Did I miss something?
#
Loqi misses something too
#
vladimyr Lol
#
vladimyr We all miss something Loqi :D
#
vladimyr [snarfed]: great! (Side note: matrix bridge is flaky so if sometimes seems I ignore what you are saying that's because I literally didn't get those messages :/)
#
[snarfed] np. and oof that's unfortunate, the bridge has one job
#
vladimyr Exactly but I'll manage by switching between matrix and chat archive
alecjonathon_, angelo, eitilt, jan6, jeremycherfas, omz13, sknebel, pharalia, chenghiz_, vikanezrimaya, ancarda, darylsun, eb_, alecjonathon, capjamesg, vikanezrimaya_, srushe, eb, Xe, strugee_, Ruxton, benji, superkuh, jjuran, ben_thatmustbeme and moose333 joined the channel
#
vladimyr Um [snarfed] I'm doing some debugging and according to my very scientific tests your account is /webfingerable/ only from acct: uri?
#
[snarfed] Bridgy Fed webfinger should be pretty loose, it doesn't require acct:
aaronpk, Seirdy, jonnybarnes, ludovicchabant, Kaja and gnoo joined the channel
#
[snarfed] https://snarfed.org/.well-known/webfinger?resource=acct:snarfed.org@snarfed.org and https://snarfed.org/.well-known/webfinger?resource=snarfed.org@snarfed.org both work
#
vladimyr Scratch that, I can webfinger snarfed.org but it serves redirect
gnoo, superkuh, ludovicchabant, Kaja, ben_thatmustbeme, jjuran, Seirdy, jonnybarnes, aaronpk, moose333, benji, sknebel, chenghiz_, omz13, jeremycherfas, eitilt, Ruxton, angelo, IWDiscord, Saphire, laker, sebsel, vilhalmer, Seirdy_, [0x3b0b], vladimyr, bkil, olaf[m], klez, voxpelli, mretka, joshproehl, sebbu, epoch_, gwg_, sivoais, Zegnat, trwnh, petermolnar, IWSlackGateway, [Ana_R], [schmarty], [tantek], [tw2113_Slack_], [timothy_chambe], [snarfed], [KevinMarks], wagle, saptaks, [jacky], willnorris_, Guest4437, Xe, capjamesg, ancarda, strugee_, pharalia, rubenwardy, BinarySavior, prologic, oenone, Gorro_Rojo[theyi, Aidhan, JaeItIts[m], shreyanjain[m], oodani, jbrr[m], Soni, kushal, lockywolf, lanodan, nsh, bret, gxt__, rhiaro, holiday_1, oxtyped, neatnik, eb, alecjonathon, srushe, vikanezrimaya and jan6 joined the channel
#
[snarfed] I don't have any reason to believe this is a webfinger issue. plus link verification doesn't use webfinger afaik
#
vladimyr Right, right
#
vladimyr This is super weird... I'm using mastodon.social that is definitely aware of your existence and searching for
#
vladimyr a) snarfed.com - gives nothing
#
[snarfed] http://snarfed.org
#
vladimyr Sorry s/com/org
#
vladimyr Did correct search, just typed wrong domain here inside chat
#
[snarfed] yeah Mastodon interop in search is flaky like that sometimes 🤷
#
vladimyr b) your fed bridgy actor id - nothing
#
[snarfed] searching for the handle @snarfed.org@snarfed.org works
#
vladimyr c) your @snarfed.org@snarfed.org - finally fetches your profile but shows link as unverified
#
[snarfed] right
#
[snarfed] I don't think I've ever seen a non-Mastodon profile with a verified link
#
vladimyr What's interesting tho is if I refresh mastodon page after it shows your profile fetched by acct uri
#
vladimyr Aka I'm looking at https://mastodon.social/@snarfed.org@snarfed.org
#
vladimyr Hit refresh
#
[snarfed] right, it redirects to my site
#
vladimyr Because of actor url I suppose
#
[snarfed] since that's what's in my actor `url` field
#
[snarfed] right. same if you "Open original page" on one of my posts inside Mastodon, it opens the post on my web site. both deliberate, since the account is my web site, federated into the fediverse
#
vladimyr That's pretty weird handing of url from mastodon end, depending how you land on it you'll get different result 🙃
#
[snarfed] maybe surprising though, you're right
#
[snarfed] yup. that behavior is also different if you're logged into the Mastodon instance vs logged out
#
[snarfed] 🤷
#
vladimyr imagines folks coming from Twitter experiencing Heisen-urls for the first time :D
#
[snarfed] just one of the many sources of confusion
#
vladimyr This gets better and better...
#
vladimyr So I went and checked two akkoma servers social.kernel.org and nixnet.social
#
vladimyr And from those you are totally unreachable
#
vladimyr No matter what I input in that search field (homepage, actor id or acct uri) it gives nothing
#
[snarfed] interop, whee
#
vladimyr Then I thought maybe that's because those instances don't know about you but they should still be able to pull your profile using webfinger
#
[snarfed] yup!
#
[snarfed] thank you for all the testing. feel free to add details to https://github.com/snarfed/bridgy-fed/issues/374 and other issues, I have issues filed for a handful of implementations that don't have full interop yet
#
Loqi [preview] [snarfed] #374 support Akkoma
#
vladimyr Now I need to find someones X Y personal mastodon instance that never heard about you that's still able at least find you through acct uri before I simply conclude that this whole thing is broken beyond repair 🙃
#
[tantek] [Simon_Willison] has his own Masto instance I believe
#
vladimyr Tried that one
#
vladimyr But our friend [snarfed] is fedi celebrity so posts reached that one too :D
#
[snarfed] I tested this all before I had any fedi followers, and it's also working for new people who sign up for Bridgy Fed, so I'm not too worried about the webfinger interop w/Mastodon and at least some other fediverse servers
#
vladimyr I never thought I said this but now I actually need some of those defederated dumpster fires cause they shouldn't receive your posts
#
[tantek] what are there be dragons?
#
Loqi 🗺🐉 Here be dragons is in general a warning of potential dangers or dangerous areas, originally on physical maps, on the IndieWeb it refers to particularly problematic silos that usually formed in response to entire sets of abusive behaviors and accounts being banned from Twitter https://indieweb.org/there_be_dragons
#
[tantek] ^ might some dumpster fires there
#
vladimyr scores first victory today!
#
vladimyr https://fedi.aeracode.org/@snarfed.org@snarfed.org
#
vladimyr Could find you here but server doesn't know about any of your prior activity!
#
Loqi [preview] Ryan Barrett
#
[snarfed] 🎉
#
vladimyr Bonus points for proving the theory without stepping in shittiest corners of fediverse
#
vladimyr This is private instance of takahe (I hope I spelled that right) author https://fedi.aeracode.org/@andrew
#
Loqi [preview] Andrew Godwin
#
vladimyr Django powered multiuser masto alternative
#
vladimyr This is just great /s https://ttm.sh/BZH.jpeg
IWSlackGateway and [snarfed] joined the channel
#
[snarfed] Calckey, hmm, ok. https://github.com/snarfed/bridgy-fed/issues/531
#
[snarfed] interop is hard 🤷
#
Loqi [preview] [snarfed] #531 support Calckey
#
shreyanjain[m] Kinda sad that Mastodon's implementation of AP is sorta the de facto now
#
[snarfed] yup
#
vladimyr This is baffling, this should end up being simple webfinger request
[tantek] joined the channel
#
[tantek] shreyanjain[m] it's what happens with /monoculture especially in the absence of a test suite
#
[tantek] [snarfed] that issue on like/repost detection problems is wild. been reading the progress comments you've made. wow
#
vladimyr More visibility/searchability tales
#
vladimyr So tchncs calckey instance procial.tchncs.de is unable to locate (obv previously unknown) https://fedi.aeracode.org/@andrew
#
Loqi [preview] Andrew Godwin
#
vladimyr But akkoma running on social.kernel.org returns search result for https://fedi.aeracode.org/@andrew
#
Loqi [preview] Andrew Godwin
#
vladimyr And doesn't show any posts meaning it wasn't previously aware of their existance
#
vladimyr Now this is interesting
#
vladimyr What makes akkoma able to pull Andrew's profile from their personal instance
#
vladimyr And not [snarfed]'s from bridgy fed
#
vladimyr And why calckey can't do both
#
vladimyr Mind you akkoma was able to find profile both by actor id and acct: uri
#
vladimyr This matrix of interop inconsistencies happily grows -.-
#
[tantek] what is Calckey
#
Loqi It looks like we don't have a page for "Calckey" yet. Would you like to create it? (Or just say "Calckey is ____", a sentence describing the term)
#
[tantek] ^ vladimyr could you provide a short dfn for calckey and perhaps a GitHub repo link?
#
[tantek] what is Akkoma
#
Loqi It looks like we don't have a page for "Akkoma" yet. Would you like to create it? (Or just say "Akkoma is ____", a sentence describing the term)
#
[tantek] ^ same for that?
#
[tantek] I just created a stub Lemmy page if that helps as a brief example: https://indieweb.org/Lemmy
#
vladimyr (sure, once I grab proper keyboard 🙃)
#
vladimyr Now I went to some random pleroma (what akkoma forked from) instance (stereophonic.space) and searched for Andrew and got this :O https://ttm.sh/BZa.jpeg
#
vladimyr Pardon my French but what the flying duck is this, I gave it exact url!
#
vladimyr Same thing with acct uri -.-
#
vladimyr I believe it is safe to conclude that search in fediverse is beyond broken
#
vladimyr Idea for fed.itoo.ls No2 - make working profile search
#
vladimyr And to make things even worse who knows do all those described behaviours totally flip once you log into that instance...
#
vladimyr And I'm really not into the mood of making dozens dummy fedi accounts...
#
[tantek] Working profile search, across fediverse and indieweb h-cards (cc capjamesg) would be amazing!
#
vladimyr goes outside to touch some grass
#
[tantek] Like a distributed social web address book!
#
[tantek] touchgrass++
#
Loqi touchgrass has 1 karma over the last year
gRegor joined the channel
#
[snarfed] thanks for the kind words [tantek]!
#
[snarfed] and vladimyr please do post any updates to the Bridgy Fed interop issues based on your experiments!
#
[snarfed] accomplishment for the night, got verified links working in Mastodon! search for @snarfed.org@snarfed.org on https://indieweb.social/
Ludo joined the channel
#
vladimyr Really, how? :O
#
vladimyr What did you do?
#
vladimyr Ok, tried from Simon Willison's instance and doesn't show as verified, tried from mastodon.social and still doesn't show as verified but indieweb.social works!
#
vladimyr What kind of weird sorcery is this 😕
#
vladimyr fosstodon.org - not verified
#
vladimyr front-end.social - not verified
#
vladimyr toot.cafe - not verified
#
vladimyr m.webtoo.ls - not verified
#
vladimyr Maybe it rechecks links on receiving new actpub activity 🤔
#
vladimyr m.webtoo.ls - haven't seen you in a week
#
vladimyr toot.cafe - boost from Jun 14
#
vladimyr front-end.social - post from Jun 9
#
vladimyr fosstodon.org - same as toot.cafe
#
vladimyr mastodon.social - same as ^
#
vladimyr indieweb.social - same as ^
#
vladimyr So it's not activity based unless you sent some ap activity in the background 🤔
#
vladimyr (also m.webtoo.ls - post from Jun 13)
#
vladimyr Doesn't make any sense
#
vladimyr Just taking indieweb.social and toot.cafe in comparison - shows same [snarfed]'s timeline, same mastodon version, only difference I can spot is one less follower reported on toot.cafe
sebsel joined the channel
#
vladimyr Ok, more ways in which mastodon search is broken https://blog.maartenballiauw.be/post/2022/11/05/mastodon-own-donain-without-hosting-server.html#d57ed121
#
vladimyr They simply copied webfinger jrd from their masto instance and statically hosted it under their domain
#
vladimyr Which makes in turn results in:
#
vladimyr > this approach works much like a catch-all e-mail address. @anything@yourdomain.com will match, unless you add a bit more scripting to only show a result for resources you want to be discoverable
#
vladimyr But it works only if search is made by logged in user ⚠️
pharalia joined the channel
#
vladimyr And then on top of that there is interesting case of Simon Willison who is searchable (even though I'm not logged in) https://ttm.sh/BLF.jpeg
#
vladimyr (screenshot taken from mastodon.social instance
#
vladimyr They host their own personal mastodon instance on fedi.simonwillison.net
#
vladimyr So naturally when you search for @simon@simonwillison.net webfinger should ask simonwillison.net about their account and not fedi.simonwillison.net
#
vladimyr But they proxied webfinger (together with nodeinfo and host-meta) back to their fedi.simonwillison.net instance: https://github.com/simonw/simonwillisonblog/commit/f112e57f8619852985f15a71c00309f5046b8f1a
#
vladimyr This is their actor fetched from their mastodon instance https://ttm.sh/BLu.json
#
Loqi [preview] Simon Willison
#
vladimyr So they should be referenced either by @simon@simonwillison.net or https://fedi.simonwillison.net/@simon or https://fedi.simonwillison.net/users/simon
#
Loqi [preview] Simon Willison
#
vladimyr Where former is web url, and latter is actor id and hosts actpub doc describing it
#
vladimyr And that disparity between acct uri domain and https actor url is possible due to some Mastodon configuration magic described here https://til.simonwillison.net/mastodon/custom-domain-mastodon#user-content-getting-a-vanity-address
#
vladimyr Also when I said proxied that doesn't mean http redirect but internal s2s request and serving that back to the user
#
vladimyr Which is essentially the same trick like https://blog.maartenballiauw.be/post/2022/11/05/mastodon-own-donain-without-hosting-server.html utilized
#
vladimyr And Scott Hanselman also described in his post https://www.hanselman.com/blog/use-your-own-user-domain-for-mastodon-discoverability-with-the-webfinger-protocol-without-hosting-a-server
#
vladimyr But as commenter SjoredV stated this seems to limited only to people who are logged in
gRegor, Guest4437, oenone, darylsun, tei_ and holiday_1 joined the channel
#
vladimyr As usual I wasted great amount of time trying to reverse engineer things instead of reading the docs 🤦
#
vladimyr Anyway, I finally figured out how Mastodon/Pleroma search works
#
vladimyr Each time you do a search ajax request gets sent to /api/v2/search route of famous Mastodon client api
#
vladimyr Pleroma/Akkoma copied Mastodon's so they do the exact same thing
#
vladimyr But there is a catch
#
vladimyr That route has 2 important params
#
vladimyr 1) q=<what you typed into search box>
#
vladimyr 2. resolve which is boolean defaulting to false if you are not logged into that instance
tei_ joined the channel
#
vladimyr Resolve basically means use webfinger to fetch account data in case instance never encountered it before
#
vladimyr And that param is only available if you are logged in
#
vladimyr As documented here on Mastodon side https://docs.joinmastodon.org/methods/search/#v2
#
vladimyr And here on Pleroma/Akkoma https://api.pleroma.social/#operation/SearchController.search2
#
vladimyr i.e. if you search anonymously you are searching only that instance and whether it became aware of that account some time in the history
#
vladimyr And if you are logged in your search extends to previously unknown frontiers via magic of webfinger
#
vladimyr I'm not sure who thought that making search conditional based on logged in state is good idea but that's how it works
#
vladimyr And that's probably how Misskey/Calckey does it too (didn't check it yet)
#
vladimyr Also on topic of verified links
[KevinMarks] joined the channel
#
[KevinMarks] I remember at some point there were complaints about how much overhead each webfinger call was taking so they put it behind login to reduce them
#
vladimyr Essentially splitting search into two views limited local - anonymous and unlimited global - for logged in users
#
vladimyr Which is sooo confusing for newcomers
#
aaronpk !! https://github.com/snarfed/bridgy-fed/issues/560#issuecomment-1603715947
#
vladimyr Anyway back to original problem of link verification, here is what my anon search returned on mastodon.social for [snarfed]'s acct uri https://ttm.sh/BL_.jpeg
#
vladimyr And now the same search made on indieweb.social https://ttm.sh/BLj.jpeg
#
vladimyr So whatever you did in 5:50 UTC triggered verification services but only on that instance
#
vladimyr What the hell, commit link gives me 404 :(
#
vladimyr Ok this is commit https://github.com/snarfed/granary/commit/8b61d3b
#
vladimyr ^ fixed link: https://github.com/snarfed/granary/commit/a037ba5
#
vladimyr I still fail to understand what exactly prompted indie.social to refetch actor and redo link verification compared to mastodon.social for instance 🤔
#
vladimyr Oh, I should've spotted this sooner https://github.com/mastodon/mastodon/blob/v4.1.2/app/models/account/field.rb#L77-L88
#
vladimyr This is how mastodon side extracts url from actor field
#
vladimyr And why [snarfed] had to change that html snippet
#
vladimyr Specifically this genial (read it in French) condition on line 85 dictating that href prop must equal anchor's innerText 🤦
#
[KevinMarks] WTF? So that will break lots of prefectly valid rel=me links
#
[snarfed] morning all! [KevinMarks] it's not a req't of the web side rel-me link, it's a reqt of the link HTML in the AP actor's profile link
#
[snarfed] still unfortunate, but I kind of get it. they're trying to make sure the human-visible profile link text is where the actual link goes, so that you can't mislead viewers by making it something different, eg <a href="https://bad.com/">http://google.com</a>
#
[snarfed] and nice sleuthing vladimyr!
#
[snarfed] you and [KevinMarks] are right, when I'm logged into a Mastodon instance and I search for @snarfed.org@snarfed.org , that triggers the verification, but not when I'm logged out and I search
#
vladimyr mornin o/ digs through akkoma code just in case...
gRegor joined the channel
#
vladimyr https://akkoma.dev/AkkomaGang/akkoma/pulls/405
#
[snarfed] ^ if any BF users here (cc [tantek]) want to try, all you need to do is add a rel-me link to your site that points to https://fed.brid.gy/r/[HOMEPAGE] , eg https://fed.brid.gy/r/https://snarfed.org/
#
aaronpk [snarfed]: is the `<span class="invisible">` CSS something mastodon supports?
#
[snarfed] ^ [aaronpk] looks like you already have that rel-me link to your actor's url https://aaronparecki.com/aaronpk . you just need to change the HTML in your actor's attachment[0].value to have the full URL inside the anchor text, eg <a href=\"https://aaronparecki.com\" rel=\"me\">https://aaronparecki.com</a>
#
[snarfed] aaronpk yup
#
Loqi [preview] Aaron Parecki
#
[snarfed] I have a todo to see how it handles eg `<a href="https://google.my-site.com">https://google.<span class="invisible">my-site.</span>com</a>` 😈
#
aaronpk heh
#
aaronpk [snarfed]++ that worked!!
#
Loqi [snarfed] has 99 karma in this channel over the last year (155 in all channels)
#
[snarfed] woo congrats!
#
aaronpk fyi https://media.aaronpk.com/2023/06/23070308-7035.png
#
[snarfed] lol
#
aaronpk apparently the profile is also cached so you can't repeatedly test this stuff
holiday_medley joined the channel
#
vladimyr https://ttm.sh/BLL.jpeg
#
vladimyr [snarfed]: there is your evil answer ^
#
vladimyr aaronpk: lol 💯
#
[snarfed] yup thx
#
[snarfed] I've been talking with people about this on the fediverse matrix channel to. we've reported it
#
vladimyr Um where can I place my bet on the possibility of unicode homographic attacks also :P
#
[snarfed] they handle that. https://docs.joinmastodon.org/user/profile/#validation-criteria-for-verified-links
#
[snarfed] they're oddly sophisticated in some ways, like that, but then oddly naive in other ways, like class="invisible"
#
shreyanjain[m] [snarfed]: Oh, there's a fediverse matrix channel?
#
[snarfed] yup https://matrix.to/#/%23fediverse-devs:matrix.org
#
vladimyr Since akkoma is obviously new to the verified links game (that PR I linked is 6mo olds) I had to do some proper digging to find profile with links attached but here it is https://ttm.sh/BL5.jpeg
#
vladimyr And now view from the search side https://ttm.sh/BLG.jpeg
#
vladimyr https://social.projectsegfau.lt/users/midou
#
vladimyr Nothing is verified but that's how akkoma formats links
#
vladimyr I have no idea what's rel=ugc tho
#
vladimyr Apparently stands for user generated content
#
vladimyr https://developers.google.com/search/docs/crawling-indexing/qualify-outbound-links#ugc
#
vladimyr Calckey has jsonfeed support! https://procial.tchncs.de/@benoegen.json
#
vladimyr Just append dot json at the end
#
vladimyr Calckey's link format https://ttm.sh/BLK.jpeg
#
[tantek] [snarfed] interesting! (re: bridgy fed rel-me link) — I'm curious what the best presentation is for that sort of thing, presumably it has to be in page content right?
#
[tantek] or does it work with <link rel=me> ?
[schmarty] joined the channel
#
[schmarty] vladimyr++ wow lots of good interop research, here! may i offer a nudge that there is plenty here to add to the wiki and/or pull together into some posts for posterity? indieweb-dev is searchable but not a great archive.
#
Loqi vladimyr has 5 karma over the last year
#
[tantek] what is Calckey
#
Loqi It looks like we don't have a page for "Calckey" yet. Would you like to create it? (Or just say "Calckey is ____", a sentence describing the term)
#
[tantek] is Calckey a fork of Miskey or vice versa?
#
[tantek] let's get some stub pages created so we can document all the great research done by vladimyr++
#
Loqi vladimyr has 6 karma over the last year
#
[tantek] happy to help get those started
#
vladimyr And finally how Calckey presents links through account search https://ttm.sh/BLz.jpeg
#
vladimyr [schmarty]: Yeah I'm planning on documenting all this stuff
#
vladimyr [tantek]: Calckey is new cool kid, fork of Misskey
#
[snarfed] [tantek] I believe link rel=me works. empty <a> tags definitely work too
#
[tantek] Calckey is a fork of [[Misskey]], an [[ActivityPub]] server implementation that also supports [[JSON feed]].
#
Loqi ok
#
[tantek] well that's a start!
#
[snarfed] I'll document in BF docs
#
[tantek] [snarfed] I'm going to try this which I believe should work and be accessibility friendly (i.e. not create any noise for screenreaders) <a rel="me" href="https://fed.brid.gy/r/https://tantek.com/" aria-hidden="true"></a>
#
Loqi [preview] Tantek Çelik
#
vladimyr You can use link instead?
#
[tantek] vladimyr, today's a very good day to document this stuff, because all the updates go out in the weekly IndieWeb newsletter
#
[tantek] so if you've got a list of notes of things you've discovered, now's the time to braindump them onto the appropriate page(s) on the wiki, and folks will be more than happy to help with editing, wiki markup etc.
#
[tantek] [snarfed] done, http://tantek.com updated
#
[tantek] what do I do now?
#
[tantek] send BF a WM from my homepage?
#
[tantek] sent. let's see what happens
#
vladimyr Someone logged into the mastodon instance should search for your profile to retrigger link verification on that instance
#
[KevinMarks] mastodon now uses link headers itself, since it js;dr'd all it's html
jonnybarnes, boag, btrem, gRegor and gRegorLove_ joined the channel
#
gRegor I updated my homepage with a <link> rel-me to BF, will see how that goes
#
gRegor Trying the update profile button on BF
#
gRegor no change yet, but I'm also not logged in on Mastodon
#
[snarfed] hmm yeah, gRegor I searched for you and [tantek] on indieweb.social, logged in, but neither https://indieweb.social/@tantek.com@tantek.com nor https://indieweb.social/@gregorlove.com@gregorlove.com have green checks yet
#
Loqi [preview] Tantek Çelik
#
[snarfed] https://indieweb.social/@aaronpk@aaronparecki.com doesn't either
#
[snarfed] I started to think the rel-me link needs to point to AS2 actor id instead of url, but aaronpk's id and url are the same, and it's not working for him, so 🤷
[jacky] joined the channel
#
[jacky] random question regarding IndieAuth and progressive enhancement: does it make more sense to use a refresh token to ask for more permissions versus asking for a whole new token (like invoking the flow all over)? I ask because I noticed that you can add extra parameters (like scopes) to the request according to the spec
#
[jacky] an explicit case would be 'upgrading' a token from just `read` to something like `read create:note` for a reader
#
[snarfed] https://indieweb.social/@aaronpk@aaronparecki.com has the green checks now! no clue what changed
#
[snarfed] the green check http://google.com on his profile is so good too
#
sknebel [jacky]: I might be misunderstanding, but wouldnt the user need to have pre-approved that?
#
sknebel (that=granting extra scopes)
Xe joined the channel
#
sknebel to me that feels like a niche case not necessarily applicable to usual IndieAuth scenarios
#
sknebel (or I'm missing something, also entirely possible :))
#
[jacky] No you're right and I think I might be thinking out of band then
#
[jacky] I notice it in the spec (for OAuth2 refresh tokens)
#
[jacky] I figure if it did require user intervention, it'd redirect to such a page but then it wouldn't be clear where to redirect _back_ to
#
sknebel right, my guess would be that this is for apps where the approval is somehow defined externally. client can use minimal permissions and upgrade if it needs to
#
sknebel I guess you could try and fall back to full new flow if it doesnt succeed, but I'm not sure if anyone would bother implement it server-side?
#
[snarfed] ok [tantek] gRegorLove, it seems like your rel-me links might need to point a different BF URL, https://fed.brid.gy/[DOMAIN] , eg https://fed.brid.gy/snarfed.org . feel free to update and try again. sorry for the runaround!
#
Zegnat [jacky]: if you send scopes when using a refresh token to gain a new access token, the "requested scope MUST NOT include any scope not originally granted". So you can only go to fewer scopes, not add scopes. https://datatracker.ietf.org/doc/html/rfc6749#section-6
#
[schmarty] This might make sense if an app wanted to _shrink_ its scopes. Not sure of an example case tho'.
gRegor joined the channel
#
[snarfed] removes a feature, doesn't need the corresponding scope any more
#
gRegor [snarfed], I don't mind being a guinea pig. Updated.
#
Zegnat Except it would not remove the scope from the refresh token itself. So it could always get an access token with the scope again in the future?
#
Zegnat But maybe if you are getting an access token for some sort of external app / usage and want to minimise the leak potential from there? But really you should just ask for a new token from scratch then, IMO
#
[snarfed] gRegor no luck yet. interestingly though https://indieweb.social/@gregorlove.com@gregorlove.com now at least shows BF's updated profile link, with the full URL in anchor text. but https://indieweb.social/@tantek.com@tantek.com doesn't. I've searched for you both logged in, not sure what's going on, whee
#
Loqi [preview] gRegor Morrill
#
gRegor Ooh, indieweb.social has a newer design than I remember
#
gRegor I usually check on xoxo.zone. Interesting indieweb.social is getting my about page too since it also has a u-url in my h-card, haven't seen that on other instances.
#
gRegor I don't see the BF profile link you're referring to though
#
[snarfed] the scheme is span class="invisible"-d so it's not rendered, but the anchor text is now full URL, that was the (at least one) key piece in getting verification working
#
gRegor Ah
#
gRegor Oh, is Mastodon checking the exact HTML value of the attachments on https://fed.brid.gy/gregorlove.com, including the invisible spans?
#
Loqi [preview] gRegor Morrill
#
gRegor If so that's wild
#
[snarfed] right
#
[snarfed] discussion here earlier this morning
#
gRegor I see different rels on indieweb.social vs that json then: `nofollow noopener noreferrer`
#
gRegor I'll read back
#
[snarfed] right, but I was able to get the green check via BF without those rels
#
gRegor Quantum verification
#
[tantek] Needsdocs
#
[KevinMarks] Also, the verification is asynchronous, so you may trigger it by searching, but the verification runs in a queue later, and I think verification is lower priority than fetches for posts etc
#
gRegor I was hoping updating the profile from BF would trigger it, since that updates the bio and avatar
#
[snarfed] aha, figured it out. gRegor you're right, we needed the profile update, but also we had the rel-me link right the first time, https://fed.brid.gy/r/https://gregorlove.com/
#
[snarfed] https://indieweb.social/@tantek.com@tantek.com now has the green check after both of those
#
Loqi [preview] gRegor Morrill
#
Loqi [preview] Tantek Çelik
btrem joined the channel
#
[snarfed] Bridgy Fed green check docs are up: https://fed.brid.gy/docs#mastodon-link-verification
#
gRegor Hm, will try. I had sent the profile update both times, but maybe didn't wait long enough after the first one
#
gRegor rel-me updated and BF profile update clicked
#
gRegor BR profile shows "gRegor Morrill None gRegor Morrill" to 15 instances, followed shortly by "gRegor Morrill updated gRegor Morrill" to 19 instances
#
[snarfed] yeah your profile got the updated link HTML earlier, updating again probably won't change anything. and your site's rel-me link looks fine. maybe Mastodon requires <a> and doesn't support <link>? 🤷
#
[snarfed] hmm they say they support <link> https://docs.joinmastodon.org/user/profile/#verification
#
[KevinMarks] They publish link now for cross mastodon verification
#
[snarfed] aha I see green checks now on https://mastodon.art/@gregorlove.com@gregorlove.com and https://mas.to/@gregorlove.com@gregorlove.com (logged into both). gRegorLove we may now just be waiting for Mastodon caches to expire
#
gRegor woo!
#
Loqi [preview] gRegor Morrill
#
gRegor [snarfed], does BF have logs we can see webmentions sent to back to us? I don't think I received one for your like
#
[snarfed] yeah on your user page, https://fed.brid.gy/web/gregorlove.com , but they're flaky right now
#
[snarfed] but yes it doesn't look like it sent one. looking now
#
gRegor ah yeah, no log found
#
[snarfed] it sent one and got a 500
#
gRegor aha
#
[snarfed] source https://fed.brid.gy/convert/activitypub/web/https:/indieweb.social/users/snarfed^^likes/941922 , target https://gregorlove.com/2023/06/ooh-new-sigur-ros/
#
gRegor The ^^ in those is interesting
#
gRegor Need to show some love to my webmention plugin
#
[snarfed] yup, trying to work around an open bug in the wordpress webmention plugin 😢 https://github.com/pfefferle/wordpress-webmention/issues/359
#
Loqi [preview] [snarfed] #359 Are source URLs getting incorrectly URL-decoded?
#
gRegor wee!
#
[snarfed] ^ GWG [pfefferle] any news on progress on that bug? I can't wait to get rid of the ^^s in BF's URLs!
#
[snarfed] gRegor https://fed.brid.gy/log?path=%2Finbox&start_time=1687549921&key=https%3A%2F%2Findieweb.social%2Fusers%2Fsnarfed%23likes%2F941922
#
gRegor Ah, interesting. New debugger plugin I'm using, but shouldn't be showing that. Will investigate.
#
gRegor Ok, hopefully that's fixed now
Seirdy_ joined the channel
#
gRegor [snarfed], I'm going to post to BF mentioning someone. I know mentions are still TBD but is there anything I should try in the mf2 as an experiment? person-tag?
[0x3b0b] joined the channel
#
[snarfed] gRegor got me, I felt like I tried a ton of stuff in https://github.com/snarfed/bridgy-fed/issues/493
#
Loqi [preview] [gRegorLove] #493 Add support for publishing mentions
#
[snarfed] feel free to experiment though!