fediverse-devnet / feditest-tests-fediverse

The tests for the fediverse testsuite
MIT License

Investigate Threads' requirement to sign most requests and impact on testing #37

Closed jernst closed 1 month ago

jernst commented 2 months ago

Threads does not publish Actor files to the world, instead requiring some kind of authentication. This may impact what and how we can test. We need to understand this better. Questions such as:

Example impact: we want to test that @b@b can follow @a@a. A test would reasonably:

  1. check that @b@b is not in @a@a's following collection, and @a@a is not in @b@b's followers collection.
  2. take action so that @b@b now follows @a@a.
  3. check that @b@b is in @a@a's following collection, and @a@a is in @b@b's followers collection.

Which party can perform step 1 and 3? Does it have to be @a@a and @b@b checking each other, or can it be a @c@c (such as the test framework)?

Also, it would be useful to compare Threads' behavior with that of other Fediverse software that also requires signed fetches for (some) resources.

steve-bate commented 2 months ago

FWIW, this is the actor document for Barack Obama.

{
    "@context": [
        "https://www.w3.org/ns/activitystreams",
        "https://w3id.org/security/v1"
    ],
    "id": "https://threads.net/ap/users/17841400921600159/",
    "type": "Person",
    "name": "Barack Obama",
    "preferredUsername": "barackobama",
    "summary": "<p>Dad, husband, President, citizen.</p>",
    "url": "https://threads.net/@barackobama/",
    "inbox": "https://threads.net/ap/users/17841400921600159/inbox/",
    "outbox": "https://threads.net/ap/users/17841400921600159/outbox/",
    "followers": "https://threads.net/ap/users/17841400921600159/followers/",
    "following": "https://threads.net/ap/users/17841400921600159/following/",
    "endpoints": {
        "sharedInbox": "https://threads.net/ap/inbox/"
    },
    "publicKey": {
        "id": "https://threads.net/ap/users/17841400921600159/#main-key",
        "owner": "https://threads.net/ap/users/17841400921600159/",
        "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8jneCvDC1FyLQhN/2e9\nMqm4/cUPwJy2fKOdO0AA6H5XBzVxCleUYFoYcw3AWaAa2+xulxLWR8IJTAb/aKuU\nOgMeOfoViEK6VYtVrWHbSjfu/7eB1uu0iWe48mWyJCp9T1ITzRd26EJPBjzei1FV\no8Mn9B7wQ7PD+5Te7Zryt2cihTVhqBVH948M7NCylkvUTfZgFA3dFeYAQwMqSATm\n4btdYce7mmu6PzCFi+oepcb4BAq0cV1i+Mm294f4h+A/b1SIVj+CoLd49MR30uGl\nOiz/mjEjL1+2pMCY7Vxra0j4Kyehg59RdQuYdGZ1HTRZSx5/+00U+Lqo6XcWw73A\nNwIDAQAB\n-----END PUBLIC KEY-----\n"
    },
    "icon": {
        "type": "Image",
        "url": "https://scontent-mrs2-2.cdninstagram.com/v/t51.2885-19/361742448_804303214579253_9097669498418482911_n.jpg?stp=dst-jpg_s400x400&_nc_cat=1&ccb=1-7&_nc_sid=3fd06f&_nc_ohc=Dkr1V0SwShAAb5alCU3&_nc_ht=scontent-mrs2-2.cdninstagram.com&oh=00_AfBgX0jqcUS8wQOG9sMVBUl6IuKF_FqGhQ8wMQnG7lkcdQ&oe=661C433B"
    }
}

I used a signed request by a fake actor hosted on a domain with a temporary server that lived just long enough to serve the webfinger and signing actor info requests for the authorized fetch.

The followers collection looks like:

{
    "@context": [
        "https://www.w3.org/ns/activitystreams"
    ],
    "id": "https://threads.net/ap/users/17841400921600159/followers/",
    "type": "OrderedCollection",
    "totalItems": 4417203
}

There's no link to any collection pages. Some servers will link to the first page with an empty items array. My guess is that no one can see the followers.

jernst commented 2 months ago

Did you by any chance log what requests threads performed on the temporary server?

steve-bate commented 2 months ago

> Did you by any chance log what requests threads performed on the temporary server?

The only request I saw from Threads was the signed actor fetch from:

{
  "@context": [
     "https://www.w3.org/ns/activitystreams",
     "https://w3id.org/security/v1"
  ],
  "id": "https://threads.net/ap/users/threads.sys/",
  "type": "Person",
  "name": "Threads System",
  "preferredUsername": "threads.sys",
  "url": "https://threads.net/@threads.sys/",
  "inbox": "https://threads.net/ap/users/threads.sys/inbox/",
  "outbox": "https://threads.net/ap/users/threads.sys/outbox/",
  "followers": "https://threads.net/ap/users/threads.sys/followers/",
  "following": "https://threads.net/ap/users/threads.sys/following/",
  "endpoints": {
    "sharedInbox": "https://threads.net/ap/inbox/"
  },
  "publicKey": {
    "id": "https://threads.net/ap/users/threads.sys/#main-key",
    "owner": "https://threads.net/ap/users/threads.sys/",
    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyLjz/cObcOdKwsClpbu0\nkz1LVhe0ZnAxm+RXeCLl7gWYtGVlU6AdwShorAmJp/3H2YfIhDJs5OwMnktKPYo3\n2dZHyq1cvJrgahRSM3oiCEkNCz6bsaOXp37MypmQuL69jI1hIzIf0G/uoMeezFG+\n5+Us4SGiFsHeUlWtPJKUXPazmoeygHF6TefYCbp996jfSjsyu1I0YnQbtHBPmqRg\n66JS8zhhpIfprO1FG9JyFNQmKNtMjeR7KtqX2hHSupIsvwl5sAEceYa7IFBhp/Sp\nnbg6RDztuspw7w3fJ7tJ5tvgcbLLXcNyCdmc2KmDbvI1YcLr2jSldB100Wc2KTVZ\n8QIDAQAB\n-----END PUBLIC KEY-----\n"
  }
}
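
The authorized-fetch exchange Steve describes, as an added example that is not code from this repository, from feditest or from Threads: a Go program that signs a GET of the Obama actor URL quoted above with a draft-cavage HTTP Signature over `(request-target) host date`, then verifies it the way a receiving server would. The verifier resolves `keyId` to a public key through a callback that stands in for fetching the signer's actor document and parsing its `publicKeyPem` field, which is why the only request Threads made to the temporary server was a signed fetch of the signing actor. The key id `https://example.test/ap/users/tester/#main-key` and the 2048-bit key generated at run time are constructed for the example; the Date window check is the replay caveat a verifier should carry, and the last lines show that re-targeting a signed request at the followers collection without re-signing is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Hypothetical key id; in a real exchange it is the publicKey.id of the signer's actor document.
const testKeyID = "https://example.test/ap/users/tester/#main-key"

// Components a signed GET must cover: request path, host and a timestamp.
const signedHeaders = "(request-target) host date"

// signingString assembles the draft-cavage signing string for signedHeaders.
func signingString(r *http.Request) string {
	return "(request-target): " + strings.ToLower(r.Method) + " " + r.URL.RequestURI() +
		"\nhost: " + r.Host + "\ndate: " + r.Header.Get("Date")
}

// SignRequest sets Date (if absent) and an RSA-SHA256 Signature header over signedHeaders.
func SignRequest(r *http.Request, key *rsa.PrivateKey, keyID string) error {
	if r.Header.Get("Date") == "" {
		r.Header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
	}
	sum := sha256.Sum256([]byte(signingString(r)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return err
	}
	r.Header.Set("Signature", fmt.Sprintf(`keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"`,
		keyID, signedHeaders, base64.StdEncoding.EncodeToString(sig)))
	return nil
}

// parseSignatureHeader splits k="v" pairs; keyIds and base64 values contain no commas.
func parseSignatureHeader(v string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(v, ",") {
		k, val, _ := strings.Cut(strings.TrimSpace(part), "=")
		out[k] = strings.Trim(val, `"`)
	}
	return out
}

// VerifyRequest checks component coverage, Date freshness (a replay window) and the signature.
// resolve stands in for fetching the signer's actor document by keyId and reading publicKeyPem.
func VerifyRequest(r *http.Request, resolve func(string) (*rsa.PublicKey, error), maxSkew time.Duration) error {
	p := parseSignatureHeader(r.Header.Get("Signature"))
	if p["headers"] != signedHeaders {
		return fmt.Errorf("signature must cover exactly %q", signedHeaders)
	}
	d, err := http.ParseTime(r.Header.Get("Date"))
	if skew := time.Since(d); err != nil || skew > maxSkew || skew < -maxSkew {
		return fmt.Errorf("missing, malformed or stale Date header")
	}
	pub, err := resolve(p["keyId"])
	if err != nil {
		return err
	}
	sig, _ := base64.StdEncoding.DecodeString(p["signature"]) // a malformed value fails verification below
	sum := sha256.Sum256([]byte(signingString(r)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

// NewSignedFetch signs a GET of target with a throwaway key and returns the request plus a
// resolver that recovers the key from its publicKeyPem form, as a verifier would from the actor document.
func NewSignedFetch(target string) (*http.Request, func(string) (*rsa.PublicKey, error), error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway test key, constructed at run time
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	pemStr := string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	resolve := func(id string) (*rsa.PublicKey, error) {
		if id != testKeyID {
			return nil, fmt.Errorf("unknown keyId %q", id)
		}
		block, _ := pem.Decode([]byte(pemStr)) // as if read from the fetched actor's publicKeyPem
		k, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		return k.(*rsa.PublicKey), nil
	}
	req, _ := http.NewRequest("GET", target, nil)
	return req, resolve, SignRequest(req, key, testKeyID)
}

func main() {
	req, resolve, _ := NewSignedFetch("https://threads.net/ap/users/17841400921600159/")
	fmt.Println("genuine:", VerifyRequest(req, resolve, 5*time.Minute))
	req.URL.Path += "followers/" // re-target the signed request without re-signing
	fmt.Println("tampered:", VerifyRequest(req, resolve, 5*time.Minute))
}
```

Run it with `go run`; the first verification prints `<nil>` and the second an error. The verifier accepts only signatures covering exactly `(request-target) host date`, the minimal set for a GET; a production implementation would additionally accept extra covered headers, require a `digest` on POSTs, and cache resolved keys so that the signed fetch of the signer's actor document is not repeated on every request.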

jernst commented 1 month ago

I think we have enough answers for now.