superseriousbusiness / gotosocial

Fast, fun, small ActivityPub server.
https://docs.gotosocial.org
GNU Affero General Public License v3.0

[bug] userGET seems to require valid signature #1096

Closed daenney closed 1 year ago

daenney commented 1 year ago

Describe the bug with a clear and concise description of what the bug is.

I'm filing this one as a bug because the behaviour is different from what I can observe from other implementations. Things do seem to work though.

It seems the returned URL from webfinger for rel=self when pointing at a gotosocial instance cannot be retrieved without applying an HTTP signature to the request. Other implementations do not require it and it strikes me as odd that this endpoint would require HTTP signatures since it's not involved in exchanging an activity.

What's your GoToSocial Version?

0.5.2

GoToSocial Arch

amd64 binary

Browser version

Firefox 107.0 (64-bit)

What happened?

$ curl -L 'https://dny.social/.well-known/webfinger?resource=acct:ohno@dny.social'
{
  "subject": "acct:ohno@dny.social",
  "aliases": [
    "https://ap.dny.social/users/ohno",
    "https://ap.dny.social/@ohno"
  ],
  "links": [
    {
      "rel": "http://webfinger.net/rel/profile-page",
      "type": "text/html",
      "href": "https://ap.dny.social/@ohno"
    },
    {
      "rel": "self",
      "type": "application/activity+json",
      "href": "https://ap.dny.social/users/ohno"
    }
  ]
}
$ curl -X GET -H 'Accept: application/activity+json' 'https://ap.dny.social/users/ohno'
{
  "error": "Unauthorized: http request wasn't signed or http signature was invalid"
}

What you expected to happen?

I expected a document showing the inbox, outbox etc.

How to reproduce it?

Use curl against a gotosocial instance to retrieve user info and compare the results to doing the same query against a Pleroma, Mastodon or Honk instance.

Anything else we need to know?

Mastodon, Pleroma and Honk do not require any form of HTTP signature to be applied.

$ curl -X GET -H 'Accept: application/activity+json' 'https://mastodon.social/users/gargron' | jq .
{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
    "https://w3id.org/security/v1",
    {
...
}
daenney commented 1 year ago

I just spotted the comment in the handler for why. I suppose I can see that, though I wonder if some client apps expect to be able to fetch the info and might run into trouble when they can't.
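The thread shows the two-step lookup (WebFinger, then the rel=self actor document) and that GoToSocial answers the second step with "http request wasn't signed or http signature was invalid" when the GET carries no HTTP Signature. The following Go program is an added example, not GoToSocial's code or the reporter's: it extracts the actor URL from the JRD posted above, signs the GET with a draft-cavage style HTTP Signature over `(request-target) host date` (the header set fediverse servers commonly expect on signed fetches), and runs a verifier over the request to show the unsigned request rejected and the signed one accepted. The keyId URL is hypothetical, and the RSA key pair is generated on the spot; a real fetching server would use its actor's stored key and publish the public half at the keyId so the remote side can fetch it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// sampleJRD is the WebFinger response quoted in the issue (constructed sample input).
const sampleJRD = `{"subject":"acct:ohno@dny.social",
 "aliases":["https://ap.dny.social/users/ohno","https://ap.dny.social/@ohno"],
 "links":[{"rel":"http://webfinger.net/rel/profile-page","type":"text/html","href":"https://ap.dny.social/@ohno"},
          {"rel":"self","type":"application/activity+json","href":"https://ap.dny.social/users/ohno"}]}`

type jrd struct {
	Links []struct{ Rel, Type, Href string } `json:"links"`
}

// actorURLFromJRD picks the rel=self ActivityPub link out of a WebFinger document.
func actorURLFromJRD(doc []byte) (string, error) {
	var j jrd
	if err := json.Unmarshal(doc, &j); err != nil {
		return "", err
	}
	for _, l := range j.Links {
		if l.Rel == "self" && l.Type == "application/activity+json" {
			return l.Href, nil
		}
	}
	return "", errors.New("no rel=self application/activity+json link in JRD")
}

const signedHeaders = "(request-target) host date"

// signingString is the draft-cavage string covered by the signature for a GET.
func signingString(req *http.Request) string {
	return fmt.Sprintf("(request-target): %s %s\nhost: %s\ndate: %s",
		strings.ToLower(req.Method), req.URL.RequestURI(), req.Host, req.Header.Get("Date"))
}

// signRequest sets Date (if absent) and a Signature header using rsa-sha256.
// keyID is hypothetical here; it should resolve to the signer's published public key.
func signRequest(req *http.Request, keyID string, key *rsa.PrivateKey) error {
	if req.Header.Get("Date") == "" {
		req.Header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
	}
	sum := sha256.Sum256([]byte(signingString(req)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return err
	}
	req.Header.Set("Signature", fmt.Sprintf(`keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"`,
		keyID, signedHeaders, base64.StdEncoding.EncodeToString(sig)))
	return nil
}

// parseSignatureHeader splits `k="v",k2="v2"` into a map (values contain no commas).
func parseSignatureHeader(h string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(h, ",") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			out[strings.TrimSpace(k)] = strings.Trim(v, `"`)
		}
	}
	return out
}

// verifyRequest is the server-side check: missing or bad signature -> error.
// A real server would first fetch the public key named by keyId and check Date freshness.
func verifyRequest(req *http.Request, pub *rsa.PublicKey) error {
	p := parseSignatureHeader(req.Header.Get("Signature"))
	if p["signature"] == "" {
		return errors.New("http request wasn't signed")
	}
	if p["headers"] != signedHeaders {
		return errors.New("signature does not cover (request-target) host date")
	}
	sig, err := base64.StdEncoding.DecodeString(p["signature"])
	if err != nil {
		return err
	}
	sum := sha256.Sum256([]byte(signingString(req)))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return errors.New("http signature was invalid")
	}
	return nil
}

func main() {
	href, err := actorURLFromJRD([]byte(sampleJRD))
	if err != nil {
		panic(err)
	}
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	req, _ := http.NewRequest(http.MethodGet, href, nil)
	req.Header.Set("Accept", "application/activity+json")
	fmt.Println("unsigned GET:", verifyRequest(req, &key.PublicKey)) // rejected, like the curl in the issue
	if err := signRequest(req, "https://example.org/users/fetcher#main-key", key); err != nil {
		panic(err)
	}
	fmt.Println("signed GET:  ", verifyRequest(req, &key.PublicKey)) // <nil>: accepted
}
```

Because the Date header is part of the signed string, the same Signature cannot be replayed later once the receiving server enforces a clock-skew window on Date, and tampering with any covered header breaks verification; the keyId lookup and skew check are the two pieces a real server adds on top of what is shown here.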