[Bookmark] Keep an eye on developments re: API access variables and landing pages

hometown-fork / hometown

A supported fork of Mastodon that provides local posting and a wider range of content types.

GNU Affero General Public License v3.0

743 stars 55 forks source link

[Bookmark] Keep an eye on developments re: API access variables and landing pages #1207

Open dariusk opened 1 year ago

dariusk commented 1 year ago

https://github.com/mastodon/mastodon/pull/19803

Putting this here as basically a bookmark. I expect this will be fixed upstream so that disallowing unauthorized API access no longer breaks landing pages for non-logged-in users and return the old functionality. But if it isn't fixed upstream, this will have to be fixed in Hometown before I do any kind of v4 release.

marrus-sh commented 1 year ago

can you be clearer regarding Hometown’s stance on this? my understanding, without passing judgment, is that prior to 4.0, Mastodon currently allowed:

unauthenticated access to the HTML of public posts (i.e. permalinks)
unauthenticated access to an RSS feed of public posts

considering this, the determination was made that unauthenticated access to the Mastodon API version of public posts (still not ActivityPub and not trivially able to be federated) was not giving scrapers anything they didn’t already have. it’s not clear to me whether Hometown disagrees with this assessment, or agrees but still wants a better fallback in the case that DISALLOW_UNAUTHENTICATED_API_ACCESS is set to true.

dariusk commented 1 year ago

I have to test this but my reading of the issue report linked is that DISALLOW_UNAUTHENTICATED_API_ACCESS when set to true will cause a hyperlink to an individual public post to throw a 401 error when an unauthenticated user tries to view it. I think. If that is the case, then that is bad, but I need to test to make sure the bug reported here is actually a real bug:

https://github.com/mastodon/mastodon/pull/19803#issuecomment-1320886057

lawremipsum commented 1 year ago

This seems to me to be how it is working.

I was going to make a separate feature request for a user toggle to disable RSS access. It is one of the block-evasion methods that I understand has been built into some fediverse servers.

Not sure how feasible that is or if it's in line with the maintenance philosophy, but might be something to consider while keeping an eye on this set of issues.

dariusk commented 1 year ago

@lawremipsum The current behavior is that non-public posts don't appear in the RSS feed. Is your issue that RSS makes accessing public posts easier and you'd rather force a bad actor to use a full-on scraper instead?

lawremipsum commented 1 year ago

I've had more than one user say that their public post availability in RSS discourages them from otherwise posting publicly. Since RSS feed subscription is trivial, avoids expected follow-approval behavior, and is integrated into some fediverse software as a "feature," it would meaningfully impair casual block evasion. It's a leaky default in the current environment, while HTML scraping requires more effort/technical ability.

dariusk commented 1 year ago

Okay, we are on the same page! Feel free to make a feature request here and put that language into it.