immers-space / guppe

Federated social groups with ActivityPub, NodeJS, Express, and Mongodb
https://a.gup.pe
GNU Affero General Public License v3.0

guppe doesn't work with Mastodon 3.2.1 #28

Closed yingziwu closed 3 years ago

yingziwu commented 3 years ago

If a Mastodon instance enables secure mode (https://docs.joinmastodon.org/admin/config/#authorized_fetch), this instance can't follow the accounts of guppe, can't post status to guppe, and can't receive status from guppe.

Mastodon version: v3.2.0 master 4130aef29cb913cc33a1abaf997955fbbfdeb3b4

Error log:

Receive status

Caddy.service

{
  "level": "error",
  "ts": 1603374123.2155101,
  "logger": "http.log.access.log0",
  "msg": "handled request",
  "request": {
    "remote_addr": "162.249.4.153:44200",
    "proto": "HTTP/1.1",
    "method": "POST",
    "host": "bgme.me",
    "uri": "/users/orz/inbox",
    "headers": {
      "Signature": [
        "keyId=\"https://gup.pe/u/board\",algorithm=\"rsa-sha256\",headers=\"(request-target) host date\",signature=\"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\""
      ],
      "Accept": [
        "application/json"
      ],
      "Content-Length": [
        "431"
      ],
      "Connection": [
        "close"
      ],
      "Content-Type": [
        "application/activity+json"
      ],
      "Date": [
        "Thu, 22 Oct 2020 13:41:58 GMT"
      ]
    },
    "tls": {
      "resumed": false,
      "version": 771,
      "cipher_suite": 49196,
      "proto": "",
      "proto_mutual": true,
      "server_name": "bgme.me"
    }
  },
  "common_log": "162.249.4.153 - - [22/Oct/2020:13:42:03 +0000] \"POST /users/orz/inbox HTTP/1.1\" 401 74",
  "duration": 0.015769757,
  "size": 74,
  "status": 401,
  "resp_headers": {
    "Server": [
      "Caddy"
    ],
    "Vary": [
      "Signature,Accept-Encoding"
    ],
    "X-Frame-Options": [
      "DENY"
    ],
    "Cache-Control": [
      "no-cache"
    ],
    "X-Runtime": [
      "0.014633"
    ],
    "X-Content-Type-Options": [
      "nosniff"
    ],
    "X-Xss-Protection": [
      "1; mode=block"
    ],
    "Content-Type": [
      "text/plain; charset=utf-8"
    ],
    "X-Request-Id": [
      "5ae5c1c8-2f65-4411-bb26-9d6074b4c324"
    ],
    "Strict-Transport-Security": [
      "max-age=31536000;"
    ]
  }
}

mastodon-web.service

Oct 22 13:42:03 bgme.me bundle[5069]: [5ae5c1c8-2f65-4411-bb26-9d6074b4c324] method=POST path=/users/orz/inbox format=json controller=ActivityPub::InboxesController action=create status=401 duration=12.41 view=0.27 db=1.59 key=https://gup.pe/u/board
wmurphyrd commented 3 years ago

Thanks for reporting. Are you familiar with the technical details of this mastodon feature? The docs aren't very clear - do they want us to start signing our GET requests?


umonaca commented 3 years ago


  1. Fetching public status through API without a credential won't work if the Mastodon instance has set AUTHORIZED_FETCH=true.
  2. The payload sent from the "safe mode" instances does not contain the JSON-LD linked data signature, but guppe currently must verify the signature to accept a message. https://github.com/wmurphyrd/guppe/blob/6db9dcaf4188bbdfb90112e946142f5c52e64acc/routes/inbox.js#L7
wmurphyrd commented 3 years ago

@umonaca

  1. I'm not using Mastodon API; only ActivityPub endpoints
  2. I'm not checking JSON-LD signatures; only HTTP signatures

So neither of those changes should affect gup.pe function

yingziwu commented 3 years ago

@wmurphyrd @board@gup.pe

I notice that guppe worked well before Sep 6 for my instance, bgme.me. After Sep 6, guppe couldn't relay status to my instance.

wmurphyrd commented 3 years ago

@yingziwu I don't doubt this secure mode has impacted your usage; I just cannot decipher why from the mastodon documentation. I've submitted an issue to their docs repo.

yingziwu commented 3 years ago

@wmurphyrd @board@gup.pe

I notice that guppe worked well before Sep 6 for my instance, bgme.me. After Sep 6, guppe couldn't relay status to my instance.

Possibly related commits: https://github.com/yingziwu/mastodon/compare/3843d6fe55fadbb4433b71e47663b84b170d6943...790c0364c43cdf8a8b6f8f495369696c06030035

yingziwu commented 3 years ago

@wmurphyrd @board@gup.pe

I notice that guppe worked well before Sep 6 for my instance, bgme.me. After Sep 6, guppe couldn't relay status to my instance.

Possibly related commits: https://github.com/yingziwu/mastodon/compare/4dcc600448bdf076c10c4b704d6da20c621d4d1e...790c0364c43cdf8a8b6f8f495369696c06030035

yingziwu commented 3 years ago

After viewing the commits list above, I found this commit: https://github.com/tootsuite/mastodon/commit/b241f20bd2387244c14fa5de70bd7c928b599a8b

yingziwu commented 3 years ago

Besides, after upgrading to v3.2.1, slashine.onl reported that they met the same problem even if slashine.onl doesn't enable secure mode.

https://slashine.onl/@slashine/105079011698940129

I can't find any log errors for follow of @gup.pe or , meaning Mastodon doesn't return an error at least not in normal mode.

Still, if the error happened after the upgrade yesterday to v3.2.1 of Mastodon there are two changes that I would say could be causing some problems: https://github.com/tootsuite/mastodon/pull/14919 https://github.com/tootsuite/mastodon/pull/14556

Looking at guppe's github I only find one issue https://github.com/wmurphyrd/guppe/issues/26 I am guessing this is an old problem and not related to these changes.

wmurphyrd commented 3 years ago

@yingziwu thanks for digging in - yeah the change in http-signature implementation looks like a likely culprit. I'll look into it

wmurphyrd commented 3 years ago

Ok, found it is returning this message to my server: "Mastodon requires the Digest header to be signed when doing a POST request" - Mastodon has changed their requirements for HTTP signature construction. Hoping they'll clarify all requirements in https://github.com/tootsuite/documentation/issues/822, but I should be able to work on this soon

wmurphyrd commented 3 years ago

Looks like I've resolved this via 5208b67df5f8ed6851c0d65e512880792794f9a6 - please file another issue if you still have problems
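
The requirement quoted in the thread above (the Digest header must be signed on a POST), as an added Node.js example that is not guppe's or Mastodon's code: a sender that signs `(request-target) host date` with or without `digest`, and a receiver check that rejects the older header set seen in the log. The key pair, request body, helper names (`sign`, `verify`, `makeReq`, `demo`) and the verifier's return strings are constructed for illustration.

```javascript
const crypto = require('crypto');
// Constructed key pair standing in for the actor key published at keyId.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const sha256Digest = (body) => 'SHA-256=' + crypto.createHash('sha256').update(body).digest('base64');

// Signing string: one "name: value" line per signed header, in the listed order.
function signingString(req, names) {
  return names.map((n) => (n === '(request-target)'
    ? `(request-target): ${req.method.toLowerCase()} ${req.path}`
    : `${n}: ${req.headers[n]}`)).join('\n');
}

// Sender: add Digest when it is to be signed, then attach the Signature header.
function sign(req, keyId, names) {
  if (names.includes('digest')) req.headers.digest = sha256Digest(req.body);
  const sig = crypto.sign('sha256', Buffer.from(signingString(req, names)), privateKey);
  req.headers.signature = `keyId="${keyId}",algorithm="rsa-sha256",` +
    `headers="${names.join(' ')}",signature="${sig.toString('base64')}"`;
  return req;
}

// Receiver: require a signed digest on POST, bind it to the body, then check the RSA signature.
function verify(req, key) {
  const p = Object.fromEntries(
    [...req.headers.signature.matchAll(/(\w+)="([^"]*)"/g)].map((m) => [m[1], m[2]]));
  const names = p.headers.split(' ');
  if (req.method === 'POST' && !names.includes('digest')) return 'digest not signed';
  if (names.includes('digest') && req.headers.digest !== sha256Digest(req.body)) return 'digest mismatch';
  const ok = crypto.verify('sha256', Buffer.from(signingString(req, names)), key,
    Buffer.from(p.signature, 'base64'));
  return ok ? 'ok' : 'bad signature';
}

// Constructed request modelled on the inbox delivery in the log above.
const makeReq = () => ({
  method: 'POST', path: '/users/orz/inbox', body: '{"type":"Announce"}',
  headers: { host: 'bgme.me', date: new Date().toUTCString() },
});

function demo() {
  const keyId = 'https://gup.pe/u/board';
  const old = verify(sign(makeReq(), keyId, ['(request-target)', 'host', 'date']), publicKey);
  const fixed = sign(makeReq(), keyId, ['(request-target)', 'host', 'date', 'digest']);
  const good = verify(fixed, publicKey);
  fixed.body = '{"type":"Delete"}'; // body swapped after signing
  return { old, good, tampered: verify(fixed, publicKey) };
}
console.log(demo());
```

Without `digest` in the signed header list the signature covers only the target, host and date, so it says nothing about the body; signing the digest is what ties the payload to the key.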