#social 2018-07-30

2018-07-30 UTC
cdchapman, fr33domlover and cwebber2 joined the channel
#
puckipedia
so ehm one reason to be /against/ static signatures... you can easily use "is posted to someone's inbox" as proof that they can see the post
cwebber2 joined the channel
#
aaronpk
That doesn't sound like it proves much
#
aaronpk
I've got a lot of stuff in my inbox that I haven't looked at
#
dansup
Hey, having some issues with the GS AP plugin when sending to a mastodon instance
#
dansup
Client error: `POST https://mastodon.social/users/dansup/inbox` resulted in a `401 Unauthorized` response: Public key not found for key https://www.hackthis.space/social/index.php/user/1
#
dansup
any idea Gargron or nightpool ?
#
dansup
I wonder if it's the lack of pretty urls in GS
#
dansup
nope, hmm
#
dansup
kaniini: any idea? ^^
KevinMarks, ben_thatmustbeme, xmpp-social and vasilakisfil joined the channel
#
kaniini
dansup what does the http signature look like
#
puckipedia
dansup: lemme see
#
puckipedia
dansup: your key ID should be "[..]#public-key" also ehm your @context is really really borked
#
puckipedia
"manuallyApprovesFollowers": "as=>manuallyApprovesFollowers",
#
puckipedia
"sensitive": "as=>sensitive",
#
puckipedia
also following/followers should be a proper collection I think
#
JasonRobinson[m]
do all platforms generally export a "following/followers" collection, to the public? personally I find it a bit of a privacy issue to show who follows who - I guess it's common in the microblogging world at least twitter. in socialhome you can only see counts. in diaspora you can't even see that. I was thinking of adding a setting at some point to export following, but followers is a bit of a no no since the follower won't have possibility to
#
JasonRobinson[m]
approve it.
#
puckipedia
I do
#
puckipedia
Mastodon does it too, if you block follower/following viewing the pages are inaccessible but you still have the basic collection
#
JasonRobinson[m]
hmm not sure I understood that. yeah mastodon I checked already. they have the really nice "add .json to anything" to get the AS2 object, so easy to check :)
#
puckipedia
basically, you still have "followers" and it's still a collection
#
puckipedia
but, there's no content basically
#
JasonRobinson[m]
yes, that is what I will do
Guest84 joined the channel
#
aaronpk
dansup: lol welcome to http signature debugging :-D
#
aaronpk
Try sending something to my server, I return some more info in the debug message that should point you the right direction
#
csarven
I have such a backlog of stuff to do.. should probably get my site on the https bus for starters.
cdchapman joined the channel
#
up201705417
aaronpk: what is your server?
#
aaronpk
aaronpk@aaronparecki.com
#
dansup
up201705417: the Date header is missing 'GMT'
#
up201705417
I added it
#
up201705417
and also changed some stuff based on what was said here
#
up201705417
aaronpk: the plugin is unable to validate your profile
#
up201705417
I tried to manually grab it but it doesn't give me a JSON representation
#
aaronpk
send the appropriate Accept header
#
up201705417
attempted this URL: https://aaronparecki.com/aaronpk
#
Loqi
Aaron Parecki
#
up201705417
accept header used: application/activity+json
#
up201705417
it works just fine with dansup's mastodon profile
#
aaronpk
ah crap something changed, it only sends back json for "application/json" now
#
aaronpk
one sec
#
aaronpk
wait no, it does work
#
aaronpk
curl -H "Accept: application/activity+json" https://aaronparecki.com/aaronpk
#
donpdonp
i get json no matter what the mime type
#
up201705417
let me try again here
#
aaronpk
whoa I think something is caching
#
donpdonp
yeah the behavior keeps changing
#
aaronpk
I didn't think I had a cache on my server
#
aaronpk
whoops sure enough, I have a microcache that I forgot about, and it's not using the content type as a key
KevinMarks joined the channel
#
aaronpk
up201705417: i'm including the accept header in the cache key now, try again
#
aaronpk
not ideal, but it's better than being completely broken
#
aaronpk
if anyone has tips for nginx fastcgi caching that supports content negotiation i'm all ears
cwebber2 joined the channel
#
up201705417
aaronpk: I've just tried again and it failed as before...
#
up201705417
dansup: can you try aaronpk too?
#
aaronpk
what the heck kind of accept header is this? application/ld+json; profile=\x22https://www.w3.org/ns/activitystreams\x22
#
up201705417
oh, that's what it is sending?
#
up201705417
let me check
cwebber2 joined the channel
#
aaronpk
I don't know *who* is sending that but I got a bunch of requests like that
#
aaronpk
should still return json for that tho
#
up201705417
ah yeah, that's the plugin accept header on discovery
#
up201705417
I think I read in the spec that that was the header to be used
#
up201705417
let me see
#
up201705417
The client MUST specify an Accept header with the application/ld+json; profile="https://www.w3.org/ns/activitystreams" media type in order to retrieve the activity.
#
Loqi
[Amy Guy] ActivityStreams 2.0 Terms
#
aaronpk
what happened to application/activity+json?
#
up201705417
yeah... locally I used the other (smaller one) for pure laziness
#
up201705417
the plugin is accepting three headers but always sending the big one
cwebber2 joined the channel
#
donpdonp
i saw that mimetype;profile=blah in the spec somewhere and just laughed.
#
aaronpk
huh well in any case, the +json is enough to trigger my site to send a JSON response, and i'm seeing the right response for the full profile and ld+json one too
#
aaronpk
it's replying with Content-Type: application/activity+json tho, is that tripping up your code?
#
up201705417
hm, well, in that case I will add some debug routines here
#
up201705417
nah, the plugin handles the content types properly too
#
up201705417
(well, at least I expect him to xD)
cwebber2 joined the channel
#
up201705417
you don't have a "summary" on your profile
#
aaronpk
do I need one?
#
up201705417
and I told the plugin that everyone without summary was invalid
#
up201705417
sorry
#
up201705417
no, you don't, it was my mistake
cwebber2 joined the channel
#
aaronpk
it's hard to tell what's required
#
up201705417
you don't have a name either
#
up201705417
which is another thing I set as necessary
#
aaronpk
oh hm, I only have "preferredUsername"
#
up201705417
yes
#
up201705417
okay
#
up201705417
updated the validate function
#
up201705417
let me see if this affects anything else
#
up201705417
and will test again
cwebber2 joined the channel
#
up201705417
all right, this should do it
#
up201705417
will test now
#
up201705417
now this is "better":
#
up201705417
Client error: `POST https://aaronparecki.com/activitypub/inbox` resulted in a `400 Bad Request` response: {"error":"Invalid signature","headers":"(request-target): post \/activitypub\/inbox\ndate: Mon, 30 Jul 2018 07:17:39 GMT (truncated...)
#
Loqi
Aaron Parecki
#
aaronpk
progress!
#
up201705417
yeah, got some bugs fixed! :)
#
up201705417
hm, any idea of what could be wrong?
#
aaronpk
http signatures are a pita to do the first time
#
aaronpk
make sure you're canonicalizing the header names that you're sending when you're computing the signature, etc
fr33domlover joined the channel
#
donpdonp
up201705417: can you paste the string you're signing?
#
donpdonp
errors are usually easy to spot
#
aaronpk
I made my server return a bunch of details so you can see what showed up on the other end
#
up201705417
GS truncates the return, will add a debug log on the return so that I can see it, give me a sec
#
aaronpk
it looks like the signature string you sent got truncated
#
donpdonp
does aaronpk's http verifier actually read the headers list? you've got headers beyond the bare minimum in the signing list
#
aaronpk
I got MQ==
#
aaronpk
here's the complete signature header I got:
#
aaronpk
keyId="https://www.hackthis.space/social/index.php/user/1#public-key",algorithm="rsa-sha256",headers="(request-target) date content-type accept user-agent",signature="MQ=="
#
aaronpk
looks like MQ== is "1"
#
aaronpk
um, if you're using that guzzle http signature library it won't work unless you know something I don't
#
Loqi
[aaronpk] #34 Support RSA signing
cwebber2 joined the channel
#
up201705417
I'm using a custom version by dansup that adds rsa-sha256
#
aaronpk
ah okay
#
up201705417
just added another debug info
#
aaronpk
found the problem
#
aaronpk
openssl_sign returns a boolean
#
aaronpk
which is ending up as "1" when converted to a string
#
aaronpk
so instead of returning $res there you need to return the signed string
#
aaronpk
it puts the signed string in $signature
#
dansup
ok
#
aaronpk
once this works you should send them a PR!
#
up201705417
aaronpk: dansup pushed an update
#
up201705417
and it seems to have worked
#
up201705417
did you receive a notice there?
#
aaronpk
yep I see it!
#
up201705417
for mastodon I got this though: Client error: `POST https://mastodon.social/users/dansup/inbox` resulted in a `401 Unauthorized` response: Public key not found for key https://www.hackthis.space/social/index.php/user/1#public-key
#
aaronpk
hm I can't remember what accept header mastodon sends, but it looks like I get back HTML from that URL when I send Accept: application/json
#
up201705417
from hackthis URL?
#
up201705417
I've set the header to:
#
up201705417
header('Content-Type: application/activity+json');
#
aaronpk
sends back a 303
#
up201705417
oh great :/
#
up201705417
working on that
#
up201705417
okay, that's fixed
#
up201705417
it isn't in the spec afaik
#
aaronpk
like I said, I don't know what mastodon is sending, but it still seems weird to return HTML when requesting application/json
#
up201705417
mastodon keeps throwing the error
#
up201705417
so that isn't the issue
vasilakisfil joined the channel
#
puckipedia
up201705417: oh hmm, idea
#
up201705417
*-* say it!
#
puckipedia
curl -H "Accept: application/activity+json, application/ld+json, application/atom+xml, text/html" https://www.hackthis.space/social/index.php/user/1
#
puckipedia
that should be enough info right? :P
#
up201705417
wut?
#
puckipedia
that's the header that Mastodon sends
#
aaronpk
why does it include text/html?
#
up201705417
ah
#
up201705417
yeah, why?
#
aaronpk
that implies that it knows how to do something with HTML
#
aaronpk
does it?
#
puckipedia
aaronpk: fallback. checks link headers and link meta tags
#
aaronpk
orly? does it look for rel=alternate or something?
#
puckipedia
json_link = page.xpath('//link[@rel="alternate"]').find { |link| ['application/activity+json', 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'].include?(link['type']) }
#
nightpool[m]
ya
#
puckipedia
would say yes
#
Loqi
[Amy Guy] ActivityStreams 2.0 Terms
#
nightpool[m]
we mentioned this on your ticket.
#
nightpool[m]
iirc
#
aaronpk
does that work for post permalinks too?
#
puckipedia
this is for both actors and posts iirc
#
aaronpk
ahh found that discussion, forgot about that https://github.com/w3c/activitypub/issues/310
#
Loqi
[riking] #310 Standardize discovery using link rel on user-visible URLs
#
up201705417
hi
#
up201705417
sorry the away
#
up201705417
puckipedia: did what you said
#
up201705417
and it still gives this:
#
up201705417
Client error: `POST https://mastodon.social/users/dansup/inbox` resulted in a `401 Unauthorized` response: Public key not found for key https://www.hackthis.space/social/index.php/user/1#public-key
#
up201705417
but now the curl command you sent works
#
puckipedia
up201705417: whatever you've done it's not really resilient
#
puckipedia
you should properly parse the Accept header
#
Loqi
definitely
#
up201705417
fair enough
#
up201705417
give me a minute
#
up201705417
puckipedia: it was a large minute
#
up201705417
sadly both yesterday and today are being busy IRL days
#
up201705417
so, I think now it is a resilient solution
#
up201705417
yet, mastodon still doesn't like me: Client error: `POST https://mastodon.social/users/dansup/inbox` resulted in a `401 Unauthorized` response: Public key not found for key https://www.hackthis.space/social/index.php/user/1#public-key
#
puckipedia
yeah, I'm slightly unsure now of everything, sorry
#
up201705417
lol
#
up201705417
dansup: do you have any other ideas of what is going wrong?
#
dansup
up201705417: Have you tried a pleroma instance?
#
donpdonp
up201705417: you want to try following don@donpark.org ?
#
dansup
pleroma.site/users/pixeldev
#
up201705417
just sent a notice to pleroma
#
donpdonp
it's my activitypub perl script (not always running but it is now) and it dumps the details of each request to my console.
#
up201705417
may I send a notice there donpdonp?
#
donpdonp
up201705417: oh are you already past the 'following' stage and now are sending Notes?
#
up201705417
(to do a follow request I have to write a bit more)
#
donpdonp
up201705417: you can send whatever you like. it's not very 'real'
#
up201705417
now, we are just testing with the notices first xd
#
donpdonp
just some perl pretending to be an AP site
#
aaronpk
whoa, pleroma returns an atom feed for an individual post?? https://pleroma.site/notice/2684664
#
aaronpk
(Accept: */*)
#
donpdonp
up201705417: hmm that test might have revealed a problem on my side rather than yours. i assume you just did the webfinger lookup. the site sent back the AP profile for my user but the back-and-forth stops there
#
up201705417
yeah, the Explorer failed in grabbing your profile
#
up201705417
let me get you the logs
#
puckipedia
aaronpk: so not actually looking at the result, but yeah, that's what ostatus sends out for updates
#
aaronpk
that's crazypants
#
aaronpk
so i'm making a thing that fetches a URL and finds the best data it can find there. it's a bit of a trick to make this work between content negotiation and my own preferred formats
#
aaronpk
especially when I have no prior knowledge of what's at the URL
#
aaronpk
here's my current accept header, I think this is what I want: application/activity+json, application/mf2+json, text/html, application/json, application/xml, text/xml
#
donpdonp
up201705417: hmm ok i'll look into that thx.
#
up201705417
will try again specifying different routes
#
up201705417
this worked: @donpark.org/don This is a test notice published by a GNU Social instance using ActivityPub.
#
up201705417
what have you got on your side?
#
up201705417
(I think that according to the spec this is the only one you have to support...)
#
up201705417
so... it looks kinda well
#
up201705417
what do you think?
#
donpdonp
i dont see anything wrong off hand. the two different sig headers are dupes. just "Signature: " works for me
#
donpdonp
$ curl -H 'accept: application/json' 'https://www.hackthis.space/social/index.php/user/1#public-key'|jq .publicKey.id => "https://www.hackthis.space/social/index.php/user/1#public-key"
#
donpdonp
keyId="https://www.hackthis.space/social/index.php/user/1#public-key"
#
donpdonp
that looks like a match to me. not sure what mastodon is saying.