Closed jernst closed 1 month ago
FWIW, this is the actor document for Barack Obama.
{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
    "https://w3id.org/security/v1"
  ],
  "id": "https://threads.net/ap/users/17841400921600159/",
  "type": "Person",
  "name": "Barack Obama",
  "preferredUsername": "barackobama",
  "summary": "<p>Dad, husband, President, citizen.</p>",
  "url": "https://threads.net/@barackobama/",
  "inbox": "https://threads.net/ap/users/17841400921600159/inbox/",
  "outbox": "https://threads.net/ap/users/17841400921600159/outbox/",
  "followers": "https://threads.net/ap/users/17841400921600159/followers/",
  "following": "https://threads.net/ap/users/17841400921600159/following/",
  "endpoints": {
    "sharedInbox": "https://threads.net/ap/inbox/"
  },
  "publicKey": {
    "id": "https://threads.net/ap/users/17841400921600159/#main-key",
    "owner": "https://threads.net/ap/users/17841400921600159/",
    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8jneCvDC1FyLQhN/2e9\nMqm4/cUPwJy2fKOdO0AA6H5XBzVxCleUYFoYcw3AWaAa2+xulxLWR8IJTAb/aKuU\nOgMeOfoViEK6VYtVrWHbSjfu/7eB1uu0iWe48mWyJCp9T1ITzRd26EJPBjzei1FV\no8Mn9B7wQ7PD+5Te7Zryt2cihTVhqBVH948M7NCylkvUTfZgFA3dFeYAQwMqSATm\n4btdYce7mmu6PzCFi+oepcb4BAq0cV1i+Mm294f4h+A/b1SIVj+CoLd49MR30uGl\nOiz/mjEjL1+2pMCY7Vxra0j4Kyehg59RdQuYdGZ1HTRZSx5/+00U+Lqo6XcWw73A\nNwIDAQAB\n-----END PUBLIC KEY-----\n"
  },
  "icon": {
    "type": "Image",
    "url": "https://scontent-mrs2-2.cdninstagram.com/v/t51.2885-19/361742448_804303214579253_9097669498418482911_n.jpg?stp=dst-jpg_s400x400&_nc_cat=1&ccb=1-7&_nc_sid=3fd06f&_nc_ohc=Dkr1V0SwShAAb5alCU3&_nc_ht=scontent-mrs2-2.cdninstagram.com&oh=00_AfBgX0jqcUS8wQOG9sMVBUl6IuKF_FqGhQ8wMQnG7lkcdQ&oe=661C433B"
  }
}
I used a signed request by a fake actor hosted on a domain with a temporary server that lived just long enough to serve the webfinger and signing actor info requests for the authorized fetch.
The followers collection looks like:
{
  "@context": [
    "https://www.w3.org/ns/activitystreams"
  ],
  "id": "https://threads.net/ap/users/17841400921600159/followers/",
  "type": "OrderedCollection",
  "totalItems": 4417203
}
There's no link to any collection pages. Some servers will link to the first page with an empty items array. My guess is that no one can see the followers.
Did you by any chance log what requests threads performed on the temporary server?
> Did you by any chance log what requests threads performed on the temporary server?
The only request I saw from Threads was the signed actor fetch from:
{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
    "https://w3id.org/security/v1"
  ],
  "id": "https://threads.net/ap/users/threads.sys/",
  "type": "Person",
  "name": "Threads System",
  "preferredUsername": "threads.sys",
  "url": "https://threads.net/@threads.sys/",
  "inbox": "https://threads.net/ap/users/threads.sys/inbox/",
  "outbox": "https://threads.net/ap/users/threads.sys/outbox/",
  "followers": "https://threads.net/ap/users/threads.sys/followers/",
  "following": "https://threads.net/ap/users/threads.sys/following/",
  "endpoints": {
    "sharedInbox": "https://threads.net/ap/inbox/"
  },
  "publicKey": {
    "id": "https://threads.net/ap/users/threads.sys/#main-key",
    "owner": "https://threads.net/ap/users/threads.sys/",
    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyLjz/cObcOdKwsClpbu0\nkz1LVhe0ZnAxm+RXeCLl7gWYtGVlU6AdwShorAmJp/3H2YfIhDJs5OwMnktKPYo3\n2dZHyq1cvJrgahRSM3oiCEkNCz6bsaOXp37MypmQuL69jI1hIzIf0G/uoMeezFG+\n5+Us4SGiFsHeUlWtPJKUXPazmoeygHF6TefYCbp996jfSjsyu1I0YnQbtHBPmqRg\n66JS8zhhpIfprO1FG9JyFNQmKNtMjeR7KtqX2hHSupIsvwl5sAEceYa7IFBhp/Sp\nnbg6RDztuspw7w3fJ7tJ5tvgcbLLXcNyCdmc2KmDbvI1YcLr2jSldB100Wc2KTVZ\n8QIDAQAB\n-----END PUBLIC KEY-----\n"
  }
}
I think we have enough answers for now.
Threads does not publish Actor files to the world, instead requiring some kind of authentication. This may impact what and how we can test. We need to understand this better. Questions such as:
Example impact: we want to test that @b@b can follow @a@a. A test would reasonably:
1. @b@b is not in @a@a's following collection, and @a@a is not in @b@b's followers collection.
2. @b@b now follows @a@a.
3. @b@b is in @a@a's following collection, and @a@a is in @b@b's followers collection.
Which party can perform step 1 and 3? Does it have to be @a@a and @b@b checking each other, or can it be a @c@c (such as the test framework)?
Also would be useful to compare Threads' behavior with that of other Fediverse software that also requires signed fetches for (some) resources.
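
An added example, not part of this issue or of any project's code: a membership check for steps 1 and 3 that reports "not observable" instead of "not a member" when a collection publishes only totalItems (as the followers collection quoted above does) or lists fewer entries than it counts (the empty first page mentioned in the thread). The `fetch` callable and the example.* URLs are assumptions, and the sample documents are constructed.

```python
# Added example. `fetch` is a hypothetical caller-supplied callable that performs the
# (signed) GET and returns parsed JSON; all sample documents below are constructed.

def _ids(value):
    """Normalise an items value (one entry or a list; IRIs or embedded objects) to ids."""
    if value is None:
        return []
    entries = value if isinstance(value, list) else [value]
    return [e["id"] if isinstance(e, dict) else e for e in entries]

def members(collection, fetch, max_pages=50):
    """Return the set of member ids, or None if the collection cannot be enumerated."""
    inline = collection.get("orderedItems", collection.get("items"))
    page = collection.get("first")
    if inline is None and page is None:
        return None  # only totalItems is published, as in the collection quoted above
    found, seen = set(_ids(inline)), set()
    while page is not None:
        if isinstance(page, str):  # page given by IRI: dereference it once
            if page in seen or len(seen) >= max_pages:
                return None  # paging loop or budget exhausted: result would be partial
            seen.add(page)
            page = fetch(page)
        if not isinstance(page, dict):
            return None  # fetch failed or returned something that is not a page
        found.update(_ids(page.get("orderedItems", page.get("items"))))
        page = page.get("next")
    return found

def is_member(actor_id, collection, fetch):
    """True or False when membership is observable, None when it is not."""
    found = members(collection, fetch)
    if found is None:
        return None
    if actor_id in found:
        return True
    total = collection.get("totalItems")
    if isinstance(total, int) and total > len(found):
        return None  # server lists fewer members than it counts: absence proves nothing
    return False

# Constructed documents: opaque (Threads-style), empty first page, and fully listed.
OPAQUE = {"type": "OrderedCollection", "totalItems": 4417203}
HIDDEN = {"type": "OrderedCollection", "totalItems": 3, "first": "https://a.example/f?page=1"}
LISTED = {"type": "OrderedCollection", "totalItems": 1, "first": "https://b.example/f?page=1"}
PAGES = {
    "https://a.example/f?page=1": {"type": "OrderedCollectionPage", "orderedItems": []},
    "https://b.example/f?page=1": {"orderedItems": ["https://a.example/users/a"]},
}
```

Passing `PAGES.get` as `fetch` runs the check offline; a test framework would pass its own fetch function, signed or unsigned, to compare what each party can observe.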