It is my understanding that authorized fetch mode enables a number of guarantees which are not otherwise possible, and which are useful to Mastodon development. Any Mastodon server which is not horrifically out‐of‐date should support authorized fetch, so there is no reason not to enforce it in all cases.
(Currently it is behind an environment variable, AUTHORIZED_FETCH=true.)
The main complication to implementing this (aside from understanding all of the areas of the code that the authorized fetch toggle affects) is that it introduces uncertainties when migrating an older Mastodon server which previously did not require it. We will need to investigate the potential edgecases and ramifications of such a migration, and provide appropriate measures to handle them.
It is my understanding that authorized fetch mode enables a number of guarantees which are not otherwise possible, and which are useful to Mastodon development. Any Mastodon server which is not horrifically out‐of‐date should support authorized fetch, so there is no reason not to enforce it in all cases.
(Currently it is behind an environment variable,
AUTHORIZED_FETCH=true.)The main complication to implementing this (aside from understanding all of the areas of the code that the authorized fetch toggle affects) is that it introduces uncertainties when migrating an older Mastodon server which previously did not require it. We will need to investigate the potential edgecases and ramifications of such a migration, and provide appropriate measures to handle them.