Limited federation mode is broken due to instance api restrict

mastodon / mastodon

Your self-hosted, globally interconnected microblogging community

https://joinmastodon.org

GNU Affero General Public License v3.0

47.26k stars 7k forks source link

Limited federation mode is broken due to instance api restrict #23434

Open tribela opened 1 year ago

tribela commented 1 year ago

Steps to reproduce the problem

Enable limited federation mode
View website in anonymous mode
...

Expected behaviour

Should work fine

Actual behaviour

Some functions are broken

Detailed description

Cannot login via Official Mastodon app - Because /api/v2/instance is forbidden and it causes "it doesn't seems to be mastodon server"
/about page is broken - Also /api/v2/instance
Banner and admin profile is not loaded on main page - Also because /api/v2/instance is forbidden
Explore function is not working when logged out - /api/v1/trends/*

It sometimes work because if queried by user, it returns 200 OK with cache-control: public It is also a security hole if 401 was intended behaviour

Specifications

v4.1.0rc3

ClearlyClaire commented 1 year ago

Although this is not a design decision I agree with, limited federation mode is designed to not have anonymous viewing possible, and that was the case before 4.0 too. However, before 4.0, you used to have a 401 page or a log-in page, not the Web UI with most of it not working.

It sometimes work because if queried by user, it returns 200 OK with cache-control: public It is also a security hole if 401 was intended behaviour

That's indeed an oversight! That being said, I'm in favor of having the decision to hide the about page on LIMITED_FEDERATION_MODE be revisited.

tribela commented 1 year ago

But cannot login/signup via official app is a real problem.

ClearlyClaire commented 1 year ago

Indeed! Does that occur because the request to /api/v2/instance fails or something else?

tribela commented 1 year ago

Yes, /api/v2/instance is the main problem. But I didn't check oauth and other apis

cole-miller commented 1 year ago

Edit: I walked some existing users of my LIMITED_FEDERATION_MODE instance through setting up the official mobile app recently, and they didn't run into problems -- so I guess I misremembered the existence of a problem here, or something has changed since I encountered it. In any case, thanks!

~~Chiming in as another admin who would appreciate a way to~~

~~control federation and prevent unauthenticated users from viewing posts on my instance, but also~~
~~allow existing users of the instance to e.g. sign in when they're setting up a new mobile app~~

sopoforic commented 4 months ago

The login issue (mastodon/mastodon-android#637) is still a problem for app users. It's necessary to disable limited federation mode when adding a new user, so they can log into the app, then re-enable it afterward.

Tobstr02 commented 2 months ago

Same problem here, when limited_federation is turned on, the app is not able to login into the mastodon instance. Even when using an invite-link or some other schemas of server addresses.