snarfed / bridgy-fed

🌉 A bridge between decentralized social network protocols
https://fed.brid.gy
Creative Commons Zero v1.0 Universal

Incorrect instructions for verifying profile links #1531

Closed chungyc closed 2 days ago

chungyc commented 4 days ago

I believe the instructions on https://fed.brid.gy/docs#mastodon-link-verification for verifying profile links are wrong. Using my own blog as an example, the instructions say that I should include a "me" link to https://web.brid.gy/r/https://blog.chungyc.org/ on my blog. However, the Mastodon server I am a member of does not verify the account being associated with blog.chungyc.org.

On a hunch, I looked at what WebFinger would say:

$ wget --header="Accept: application/activity+json" -O - https://web.brid.gy/.well-known/webfinger?resource=acct:@blog.chungyc.org@web.brid.gy | jq
...
{
  "aliases": [
    "https://blog.chungyc.org/"
  ],
  "links": [
    ...
    {
      "href": "https://web.brid.gy/blog.chungyc.org",
      "rel": "self",
      "type": "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\""
    },
    {
      "href": "https://web.brid.gy/blog.chungyc.org",
      "rel": "self",
      "type": "application/activity+json"
    },
    ...
  ],
  "subject": "acct:blog.chungyc.org@web.brid.gy"
}

Is the verification code in the Mastodon server resolving @blog.chungyc.org@web.brid.gy to https://web.brid.gy/blog.chungyc.org using WebFinger, and this is what it bases its verification decision on? At least on my server, this seems to be the case, since the profile link was verified once I switched the "me" link on blog.chungyc.org to https://web.brid.gy/blog.chungyc.org.

Should the instructions be changed to use https://web.brid.gy/[ACCOUNT NAME]? Or perhaps add https://web.brid.gy/r/https://[DOMAIN]/ as an additional "self" link in the WebFinger results so that the instructions will work without breaking anyone who already uses https://web.brid.gy/[ACCOUNT NAME] as the "me" link (although I have no idea if Mastodon server verification code handles multiple "self" links).
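For readers following the WebFinger part of this report, here is an added example (not code from bridgy-fed or from the issue) of how an ActivityPub client turns an `acct:` handle into an actor URL: build the `.well-known/webfinger` request, then pick the JRD link with `rel="self"` and an ActivityPub media type. The JRD below is constructed to mirror the response quoted above; the profile-page link and the subject check are assumptions of this example, and nothing here claims to describe what Mastodon's link-verification code does.

```python
"""Added example: resolving an acct: handle to an ActivityPub actor URL via
WebFinger. Constructed input; not bridgy-fed or Mastodon code."""
import json
from urllib.parse import quote

# Media types that identify an ActivityPub actor document (as seen in the
# "type" fields of the JRD quoted in the issue).
AP_TYPES = {
    "application/activity+json",
    'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
}

# Constructed JRD shaped like the WebFinger result in the issue. The
# profile-page entry stands in for the "..." the issue elided (assumption).
SAMPLE_JRD = json.dumps({
    "subject": "acct:blog.chungyc.org@web.brid.gy",
    "aliases": ["https://blog.chungyc.org/"],
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html",
         "href": "https://web.brid.gy/r/https://blog.chungyc.org/"},
        {"rel": "self",
         "type": 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
         "href": "https://web.brid.gy/blog.chungyc.org"},
        {"rel": "self", "type": "application/activity+json",
         "href": "https://web.brid.gy/blog.chungyc.org"},
    ],
})


def webfinger_url(handle: str) -> str:
    """Turn '@user@host' (or 'user@host') into the WebFinger request URL.

    The resource value is percent-encoded in full so ':' and '@' cannot be
    misread as URL structure by the receiving server.
    """
    handle = handle.lstrip("@")
    user, _, host = handle.rpartition("@")
    if not user or not host:
        raise ValueError(f"not a user@host handle: {handle!r}")
    resource = quote(f"acct:{user}@{host}", safe="")
    return f"https://{host}/.well-known/webfinger?resource={resource}"


def parse_jrd(raw: str, expected_subject: str) -> dict:
    """Parse a JRD and return its subject, aliases and ActivityPub actor URLs.

    Rejects a document whose subject is not the one that was requested, so a
    misconfigured host cannot quietly answer for a different account.
    """
    jrd = json.loads(raw)
    subject = jrd.get("subject", "")
    if subject.lower() != expected_subject.lower():
        raise ValueError(f"subject mismatch: asked {expected_subject}, got {subject}")
    actor_urls: list[str] = []
    for link in jrd.get("links", []):
        if (link.get("rel") == "self" and link.get("type") in AP_TYPES
                and link.get("href") and link["href"] not in actor_urls):
            actor_urls.append(link["href"])
    return {"subject": subject,
            "aliases": list(jrd.get("aliases", [])),
            "actor_urls": actor_urls}


if __name__ == "__main__":
    print(webfinger_url("@blog.chungyc.org@web.brid.gy"))
    print(parse_jrd(SAMPLE_JRD, "acct:blog.chungyc.org@web.brid.gy"))
```

Both `self` entries in the sample point at the same actor, so the resolver collapses them to one URL; a JRD that lists different `self` hrefs per media type would surface both, which is the situation the question about "multiple self links" is asking about.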

snarfed commented 3 days ago

Hey, sorry for the trouble!

Let's see. Mastodon link verification is unrelated to Webfinger; it's based on your profile links, i.e., attachments in your AP actor with type: PropertyValue. The links are extracted from the HTML value in those attachments.

Your AP actor https://web.brid.gy/blog.chungyc.org has this in it:

  "url": "https://web.brid.gy/r/https://blog.chungyc.org/",
  "attachment": [{
      "name": "Web site",
      "type": "PropertyValue",
      "value": "<a rel=\"me\" href=\"https://blog.chungyc.org\"><span class=\"invisible\">https://</span>blog.chungyc.org</a>"
    }],

Note that url is https://web.brid.gy/r/https://blog.chungyc.org/ and the profile link points to https://blog.chungyc.org .

I don't know why your Mastodon instance didn't verify your link at first - Mastodon link verification can be finicky - or why it did when you switched to https://web.brid.gy/blog.chungyc.org . Both URLs will redirect to https://blog.chungyc.org/ in browsers; https://web.brid.gy/blog.chungyc.org only serves your AP actor with the AP Accept header.

chungyc commented 3 days ago

Mastodon link verification remains a mystery to me, but it's possible that the verification only looks at the string value of the "me" link and does not actually resolve anything from the URL. There would then be the question of what it is being compared against, which is where I suspect WebFinger comes in. It could be used to retrieve URLs representing the fediverse account, and then strings are compared without resolving any URLs. I.e., it uses WebFinger to find out that @blog.chungyc.org@web.brid.gy is identified by https://web.brid.gy/blog.chungyc.org, and it doesn't know that https://web.brid.gy/blog.chungyc.org and https://web.brid.gy/blog.chungyc.org point at the same thing because it's only doing string comparisons, not actually resolving URLs.

I don't actually know if this is what is happening, and I don't feel like diving into Mastodon code to find out, but it would explain why https://web.brid.gy/r/https://blog.chungyc.org/ never worked for verifying a profile link.

snarfed commented 3 days ago

Looking at #560, someone else there had a similar problem and fixed it by removing the trailing slash. I wonder if that's your problem too, and https://web.brid.gy/r/https://blog.chungyc.org (no trailing slash) would work?

(We spent a decent amount of time on this in #560 and beyond, and got lots of people working with the existing instructions. There are definitely a few moving parts, but after all that research and experimentation - and based on Mastodon's own docs - I'm pretty confident Webfinger is not involved.)
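To make the mechanism described in the two comments above concrete, here is an added example (not bridgy-fed or Mastodon code) of a rel="me" profile-link check: it takes an ActivityPub actor, extracts the link from each PropertyValue attachment's HTML value, and checks whether the page at that link carries a rel="me" link back to one of the actor's own URLs. It also shows why a trailing slash can decide the outcome under exact string comparison. The actor and the HTML pages are constructed from the snippets quoted in this issue; treating both the actor's `url` and `id` as acceptable link-back targets, and the strict-versus-normalized comparison modes, are assumptions of this example and not a description of Mastodon's actual rules or of why one form worked for the reporter and another did not.

```python
"""Added example: a rel="me" profile-link check with exact and
slash-insensitive comparison. Constructed inputs; not bridgy-fed code."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class RelMeExtractor(HTMLParser):
    """Collect href values of <a>/<link> elements whose rel list contains 'me'."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if "me" in rels and a.get("href"):
            self.hrefs.append(a["href"])


def rel_me_links(html: str) -> list[str]:
    p = RelMeExtractor()
    p.feed(html)
    return p.hrefs


def profile_field_links(actor: dict) -> list[str]:
    """URLs in the actor's PropertyValue attachments (its 'profile fields')."""
    out: list[str] = []
    for att in actor.get("attachment", []):
        if att.get("type") == "PropertyValue":
            out.extend(rel_me_links(att.get("value", "")))
    return out


def normalize(url: str) -> str:
    """Lower-case scheme and host, drop fragment and any trailing slash."""
    s = urlsplit(url)
    return urlunsplit((s.scheme.lower(), s.netloc.lower(),
                       s.path.rstrip("/"), s.query, ""))


def verify_profile_links(actor: dict, fetched_pages: dict[str, str],
                         strict: bool = True) -> dict[str, bool]:
    """For each profile-field link, report whether the linked page links back.

    fetched_pages maps a URL to the HTML a GET of it returned (a stand-in for
    real fetching, so this runs offline). The link-back must be rel="me" and
    must name the actor's url or id (assumption); with strict=True the match
    is an exact string comparison, otherwise it ignores a trailing slash.
    """
    candidates = [u for u in (actor.get("url"), actor.get("id")) if u]
    results: dict[str, bool] = {}
    for field_url in profile_field_links(actor):
        page = fetched_pages.get(field_url)
        if page is None:  # unreachable page: cannot verify
            results[field_url] = False
            continue
        back = rel_me_links(page)
        if strict:
            results[field_url] = any(b in candidates for b in back)
        else:
            norm = {normalize(c) for c in candidates}
            results[field_url] = any(normalize(b) in norm for b in back)
    return results


# Constructed actor, shaped like the excerpt quoted in the issue.
ACTOR = {
    "id": "https://web.brid.gy/blog.chungyc.org",
    "url": "https://web.brid.gy/r/https://blog.chungyc.org/",
    "attachment": [{
        "name": "Web site",
        "type": "PropertyValue",
        "value": '<a rel="me" href="https://blog.chungyc.org">'
                 '<span class="invisible">https://</span>blog.chungyc.org</a>',
    }],
}

# Constructed blog pages, each carrying one of the rel="me" forms discussed.
PAGE_DOCS_FORM = '<html><head><link rel="me" href="https://web.brid.gy/r/https://blog.chungyc.org/"></head></html>'
PAGE_NO_SLASH = '<html><head><link rel="me" href="https://web.brid.gy/r/https://blog.chungyc.org"></head></html>'
PAGE_ACTOR_ID = '<html><head><a rel="me nofollow" href="https://web.brid.gy/blog.chungyc.org">fedi</a></head></html>'


if __name__ == "__main__":
    for name, page in [("docs form", PAGE_DOCS_FORM), ("no slash", PAGE_NO_SLASH),
                       ("actor id", PAGE_ACTOR_ID)]:
        pages = {"https://blog.chungyc.org": page}
        print(name, "strict:", verify_profile_links(ACTOR, pages),
              "normalized:", verify_profile_links(ACTOR, pages, strict=False))
```

The check only passes when the page the profile field points at links back to the actor, which is what stops an account from claiming any site it likes; the strict mode makes `.../blog.chungyc.org` and `.../blog.chungyc.org/` different strings, so whichever way a verifier compares, putting the exact `url` value from the actor on the page is the safest choice. A real implementation fetching pages over HTTP should also apply a timeout, a response-size cap and a limit on redirects.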

chungyc commented 3 days ago

Let's ignore WebFinger: it was something that helped me find a URL that worked as a "me" link for profile link verification, but I have nothing except guesses as to what the verification actually does. The suggestion regarding changing WebFinger was suggested as one possible way to make the instructions reliably correct, but it sounds like it would not actually do anything for profile link verification. The instructions still need correction or improvement, though.

Here are the "me" links I tried but didn't work. I actually tried them out twice, the second time making sure to wait at least 10 minutes before checking the verification status after a profile refresh:

The following was the only "me" link which made profile link verification work. Also done twice, just to make sure it was not one of the other URLs used for a successful verification before the server actually retrieved the page with this "me" link. The first time it took a couple of minutes for the verification to succeed, the second time it took less than 15 seconds.

Perhaps the instructions could suggest alternate URLs to try out if the first one suggested does not work out? There may be a number of unexpected factors which could make certain URLs work or not work; for example, I tried these "me" links as the last "me" link on the page I tested this with.[^1] Having alternate URL schemes to try out has got to be better than the lengths I had to go to get profile link verification working.

[^1]: I would expect ordering to not matter at all, but it actually can! I tried both https://mastodon.social/@chungyc and https://mastodon.social/users/chungyc for a Mastodon account based on what WebFinger told me, and they both work. Except the latter only works if it is the first "me" link!

snarfed commented 2 days ago

You're right. I don't know exactly what's going on here, but Mastodon link verification is well-known to be finicky and inconsistent, and if the normal format didn't work for you but the alternate format did, that's worth documenting. I've added this to the docs, it should be deployed soon:

Mastodon link verification can sometimes be finicky and unreliable. If this doesn't work for you, and you've waited a while, try changing your rel=me link to https://web.brid.gy/[DOMAIN] instead, eg https://web.brid.gy/snarfed.org, and then try the rest of the steps above again.

Thank you for the nudges here!