#social 2019-09-15

2019-09-15 UTC
tantek joined the channel
# 04:23 
tantek Is anybody here at #tpac this week? (besides me)
# 04:23 
tantek I mean besides me and bigbluehat who I saw on the plane :)
# 04:28 
tantek There is currently no proposed breakout sessions on Wednesday for anything indieweb "social" "federated" "distributed" or "decentralized web" and I'm considering posting one, even for a small group, but I wanted to check here on interest first: https://www.w3.org/wiki/TPAC/2019/SessionIdeas
xmpp-social, tantek, hadleybeeman and jesopo- joined the channel
# 11:01 
jesopo- is an Accept to be in the body response to a Follow POST?
# 11:01 
jesopo- or rather, can it be?
# 11:35 
fr33domlover jesopo-, iirc it can be, but you still need to send it in a separate POST to be compatible
# 11:36 
fr33domlover (You can do both if you like, but an Accept in the response doesn't replace a separately delivered Accept activity)
# 11:47 
jesopo- hm
# 11:50 
nightpool[m] jesopo-: just to clarify a little—activitypub doesn't say anything about the response body of posting something to the inbox
# 11:51 
jesopo- understood. somewhat of a shame
# 11:51 
nightpool[m] generally, most implementations process activities asynchronously (since they may require further http requests) so there's no information available by the time the response is complete.
# 11:51 
jesopo- tru
# 13:10 
fr33domlover I'm having a new idea
# 13:10 
fr33domlover Wondering if anyone else is feeling the same
# 13:11 
fr33domlover I've been working on a federated web app for a while now, and I noticed how the code structure can get kind of weird when the actor model thinking differs a lot from the way things are actually implemented
# 13:12 
fr33domlover So I'm feeling this wish in me, to create some kind of data layer that handles inbox and outbox and storing activities in per-actor folders/collections/trees
# 13:13 
fr33domlover And write the actual app logic on top of that, instead of just the current plain way of DB queries etc.
# 13:13 
fr33domlover My app is ActivityPub-from-the-start so I have a lot of freedom to change the architecture to match the AP actor model stuff
# 13:14 
fr33domlover has some refactoring to do either way; he's excited about it because all this experience we're all gaining is paving the way for the future of federated web
# 13:17 
jaywink[m] > <@irc_fr33domlover:cybre.space> So I'm feeling this wish in me, to create some kind of data layer that handles inbox and outbox and storing activities in per-actor folders/collections/trees
# 13:17 
jaywink[m] I think there are many libraries designed in this way, some python ones at least, which you provide storage hooks for and they will then handle the storage logic.
# 13:17 
jaywink[m] Or they have a dedicated storage requirement
# 13:17 
jaywink[m] It's something I want to do in my federation library as well to push as much of the federation layer out of the app code
# 13:29 
fr33domlover jaywink[m], in the Haskell ecosystem (the language I'm using) there's distributed computing stuff and actor model stuff, I think mostly imitating what Erlang does, but it's not AP specific; it would still be useful I think if I could somehow put an AP delivery and storage layer on top ^_^
# 13:30 
fr33domlover Even without the actor model though, my app logic code structure is already changing and perhaps I could make some reusable parts there
# 13:31 
fr33domlover Kind of like to have federation-ready components for the web framework
jesopo joined the channel
# 13:58 
jesopo again, sorry for all the questions! getting there slowly but surely :P how do i even begin figuring out which part of my Accept (and Follow for that matter) is creating a 400 response? are there any server softwares with good debug logging to tell me what exactly is wrong?
# 14:00 
fr33domlover jesopo, tbh idk but one idea is to run e.g. pleroma with logging in your terminal, maybe that gives useful info? dansup, what have you used for this?
# 14:00 
jesopo yeah i would have thought pleroma does well on verbose logging
# 14:02 
fr33domlover jesopo, possibly it's not even related to the request body, it would be because of missing webfinger or http signature authentication failing. Have you seen the 2 blog posts on the Mastodon blog? They'd be a good starting point to figure out what you need
# 14:02 
jesopo I'm assuming it's the HTTP sig
# 14:02 
jesopo but I'm 99% sure I'm doing that part correctly
# 14:02 
fr33domlover jesopo, I mean, 2 blog posts about making a federating server ^_^
# 14:03 
fr33domlover jesopo, have you tried checking against your own code?
# 14:03 
fr33domlover I guess that's a good way too, because you control the debug output
# 14:03 
jesopo so i wrote this sig stuff from 2 things
# 14:03 
fr33domlover Make sure your implementation sucessfully authenticates its own requests etc. and if that works, try against Mastodon etc.
# 14:03 
jesopo the masto post about writing an AP server and the sourcecode for the pleroma standalone litepub relay
# 14:04 
jesopo currently doing automatic followback (tried against mastodon) and it fails
# 14:18 
fr33domlover jesopo, does other stuff work for you against Mastodon?
# 14:22 
jesopo not as far as i know
# 14:23 
jesopo the signature does look very large compared to masto's
# 14:24 
jesopo and we're both apparently using rsa-sha256
# 14:50 
fr33domlover jesopo, which language are you using? are you sure you did the signature right? are you able to verify it with your own code? iirc the sig should be the same typical size? maybe unless they key size is different, but i'm not sure tbh
# 14:51 
jesopo it's python and verifying it is a little eeh. if my signature code is broken then my verify will be too
# 14:51 
jesopo i can link the code!
# 14:51 
fr33domlover (the signature's input data though is constant size AFAIK, it's the SHA-256 of the input
# 14:52 
jaywink[m] The way I verify stuff is to save payloads from another platform as test fixtures and then write unit tests to pass those fixtures.
# 14:52 
fr33domlover jaywink[m], ^ is writing in python too, perhaps he knows more? :)
# 14:52 
jesopo https://github.com/jesopo/bitbot/blob/433e3cdcfb31be74636b96bd0d0aa894d2e85594/modules/fediverse/ap_security.py#L20
# 14:52 
jaywink[m] Generally got quite far with only minor tweaks in live testing
# 14:53 
jaywink[m] I'm on mobile but can link to my similar part of the code
# 14:53 
jesopo https://github.com/jesopo/bitbot/blob/433e3cdcfb31be74636b96bd0d0aa894d2e85594/modules/fediverse/ap_actor.py#L51
# 14:53 
jesopo oki
# 14:53 
jesopo thatd be great ^^
# 14:53 
fr33domlover jesopo, if you can, use an existing http signature library
# 14:54 
fr33domlover it's very easy to miss something such as the (request-target) special header etc.
# 14:54 
fr33domlover of the lowercasing of header names
# 14:54 
jesopo hm
# 14:54 
fr33domlover *or
# 14:54 
jesopo i thought they're meant to be lowercase
# 14:55 
jesopo host: /users/jesstest/inbox
# 14:55 
jesopo is part of what's being generated atm
# 14:55 
fr33domlover jesopo, there's also Funkwhale which is written in Python, you can always check how they do stuff
# 14:55 
jesopo i did look at pleroma's standalone litepub relay and it looks like mine should be working
# 14:55 
jaywink[m] jesopo https://git.feneas.org/jaywink/federation/blob/master/federation/protocols/activitypub/signing.py
# 14:55 
jesopo but again, the signature is huge on my side
# 14:55 
jesopo ty jaywink
# 14:56 
jaywink[m] Funkwhale code is quality, I recommend reading their code
# 14:56 
fr33domlover jesopo, not sure you need that PSS part
# 14:57 
fr33domlover (iirc RSA PSS is a different scheme?)
# 14:57 
fr33domlover (i mean, different from the plain RSA-SHA256)
# 14:57 
fr33domlover jesopo, also do you HTTP serve the key? Beause Mastodon will try to GET the key, to use it in sig verification
# 14:58 
jesopo i serve the key on my Actor
# 14:58 
fr33domlover Ah yes good
# 14:58 
jesopo can't really serve the key out of the httpd if the key id is url#frag
# 14:59 
fr33domlover jesopo, yeah serving inside actor document is the standard
# 15:00 
fr33domlover jesopo, idk if it helps, but you're welcome to try POSTing stuff against my code and see what it says, I have some debug output right in the HTML
# 15:01 
fr33domlover My code isn't guaranteed to be bug free though, and its RSA key usage hasn't beed tested yet, but, at least it's easy to use ^_^ there's an actor at https://forge.angeley.es/s/fr33 that you can send activities to, and see result at https://forge.angeley.es/inbox
# 15:02 
fr33domlover (easy to use as in you can just POST and see what happens)
# 15:04 
jesopo thnx, will look shortly
# 15:04 
cjslep[m] If the signature is huge it sounds like a signing algorithm or base64 encoding issue?
# 15:05 
jesopo could be either. are there any gotches for the b64?
# 15:05 
jesopo i saw gargron's example used something called b64 "strict"
# 15:05 
cjslep[m] There's big and little endian encoding I believe
# 15:06 
cjslep[m] (shameless plug) I use https://github.com/go-fed/httpsig for my HTTP sigs for my federated blog
# 15:09 
cjslep[m] Sorry, I was wrong, not endian-ness, but "standard" vs "url" encoding for base64 (use standard)
# 15:11 
fr33domlover If it's much longer, it sounds like something bigger though
# 15:11 
fr33domlover jesopo, maybe that PSS padding thing
# 15:11 
fr33domlover From wikipedia: "RSA-PSS is an adaptation of their work and is standardized as part of PKCS#1 v2.1. In general, RSA-PSS should be used as a replacement for RSA-PKCS#1 v1.5. "
# 15:12 
fr33domlover So these are 2 different things
# 15:12 
fr33domlover And you need the latter
# 15:13 
fr33domlover (The older original one; it was chosen because it's commonly available, I guess)
# 15:14 
fr33domlover has been using ed25519 instead in his code, but supports receving stuff signed with RSA keys too
# 15:15 
jesopo i tried the latter and it didnt help
# 15:16 
jesopo sig still came out huge
# 15:20 
fr33domlover jesopo, run it though something that gives debug messages (your own code, or some existing server)
# 15:20 
cjslep[m] Sha512 would be much larger than sha256, any way to test with the known hashes in the HTTP signature spec appendix?
# 15:21 
fr33domlover The code snippet sugests SHA 256 is being used, that part seems ok
# 15:23 
jesopo does key size cause a difference in signature size
# 15:23 
fr33domlover jesopo, hmm maybe this line does something that isn't needed? signature = base64.b64encode(signature).decode("ascii")
# 15:23 
jesopo oh
# 15:23 
jesopo maybe
# 15:23 
jesopo which part?
# 15:23 
jesopo the decode is needed. b64encode returns a byte string and i need string object for the headers
# 15:23 
fr33domlover jesopo, idk I don't code in python so just unsure how base64 encoding the signature would normally be done :)
# 15:24 
fr33domlover jesopo, which key size are you using
# 15:25 
fr33domlover If you're using 4096, try a smaller size and see if signature looks the same size as mastodon's signatures (if you have examples of them)
# 15:25 
jesopo uhhhh how do i check :l
# 15:25 
jesopo yeah i'm certain this key is 4096
# 15:30 
jesopo yet looks exactly the same length as masto's
# 15:30 
jesopo so nought wrong there.
# 15:34 
jesopo if you follow @test5@bitbot.dev
# 15:34 
jesopo he'll attempt to Accept and Follow back
# 16:33 
jesopo faceplalm!
# 16:33 
jesopo plalm?
# 16:33 
jesopo ok
# 16:33 
jesopo seems i wasn't jsonifying the dict i was sending. http lib assumed form encoding
# 16:34 
jesopo that said, my connections are now timing out
# 16:46 
jesopo yeah, my inbox posts are now hanging
# 16:46 
jesopo :thumbsup
# 16:46 
jesopo :
BitBot joined the channel
# 22:05 
xkr47 9%lx