Open moyitpro opened 5 months ago
pfefferle
commented
5 months ago I think we have to improve the authorized fetch feature first. The current implementation only limits the access to the API endpoints, but it still shows all profile informations and posts.
github-actions[bot]
commented
1 month ago This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days.
mediaformat
commented
1 month ago @pfefferle what would you think about enabling Authorized fetch via a UI setting, with appropriate warning message and affordance?
I could submit a PR for this.
What
Authorized fetch should be enabled by default as more servers enable it to make blocks more effective against Meta Threads. On servers that have Authorized fetch enabled, if a WordPress blog doesn't enable it, that server won't load the post nor the user can follow it.
Why
By enabling authorized fetch enabled, servers that have it enabled can view and interact with the post. It may have performance implications as every request needs to be signed, but probably not.
How
Set the following: \defined( 'ACTIVITYPUB_AUTHORIZED_FETCH' ) || \define( 'ACTIVITYPUB_AUTHORIZED_FETCH', false ); to true.
Post shown on an instance that has Authorized Fetch enabled:
There should be a configurable option from the ActivityPub settings to enable/disable it, and not PHP constants, which I find doesn't work to enable it.