Liked by

@hongminhee@hollo.social

While working on #Fedify, I noticed something about how #Misskey handles #ActivityPub object access. When a remote server requests a followers-only post or DM with a valid HTTP Signatures (draft-cavage) from an authorized actor, Misskey still returns 404 instead of the content. It seems Misskey only checks the visibility field (public/home) without verifying the signature at all.

#Mastodon takes a different approach—when #authorized_fetch is enabled, it validates the HTTP Signatures and returns the content if the requesting actor has permission. I think it would be beneficial if Misskey could adopt a similar mechanism, since it would better respect the access control semantics that ActivityPub intends. Has anyone else run into this, or are there specific reasons Misskey handles it this way?

#fedidev

6 likes

Doctor M. Popular
@docpop@mastodon.social
"Jack-of-all-trades musician, artist, dramatic yo-yoist, and video game designer-wizard" - From the San Francisco Bay Guardian's "Best Of The Bay" issue.
he/him
San Francisco, CA
Ikkle Gemz Universe+
@ikklegemzuniverseplus@ohai.social
Additional account of @IkkleGemzUniverse.
I boost a lot on this account but not on my main one.
silverpill
@silverpill@mitra.social
Developer of ActivityPub-based micro-blogging and content subscription platform Mitra. I help maintain the FEP repository and write my own FEPs too. Currently working on ActivityPub Next.
Jun (준)
@JunOfficial@jeju.social
🛡️ 시스템 아키텍트 @jeju.social
🔐 보안과 프라이버시를 중시하는 오픈소스 사용자
☕️ 콜드브루 커피 & 캠핑을 사랑하는 사람
🗣️ 영어를 쓰지만 한국어를 배우고 있습니다
📅 제 타임라인은 7 일마다 초기화됩니다 (개인 취향)
Evan Prodromou
@evan@cosocial.ca
He/him. Board member at CoSocial.ca.
Research Director, Social Web Foundation.
Author of "ActivityPub: Programming for the Social Web" from O'Reilly Media.
Founder of Wikitravel, StatusNet, identi.ca, Fuzzy.ai.
Creator of pump.io. Co-creator of GNU social.
Former co-chair of the Social Web Working Group at W3C. Co-author of Activity Streams 2.0. Co-author of ActivityPub. Co-author of OStatus.
Grad student in CS at Georgia Tech.
Greek, Arab, Palestinian, American, Canadian, Montréalais.
Radomír Žemlička
@Razemix@mamutovo.cz
JS/TS dev, tech enthusiast, FOSS lover, singer, fan of good music, movies, and literature.