swicg / activitypub-http-signature

Repository for a SocialCG report on how HTTP Signature is used with ActivityPub
https://swicg.github.io/activitypub-http-signature/
11 stars 1 forks source link

Deadlock issues #11

Closed evanp closed 7 months ago

evanp commented 10 months ago

If I have to use HTTP Signature to fetch the key defined in the key ID, there's a regression issue.

The key resource, actor resource, and/or server actor resources have to be available with unsigned GET requests.

nightpool commented 10 months ago

I'm not aware of any implementation in practice that has the "deadlock" issue, even Authorized Fetch Mastodon makes the actor's key resource available with an unsigned GET request.

snarfed commented 9 months ago

Yeah this is generally handled with instance/server actors (#12): https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization#Instance_actors , https://seb.jambor.dev/posts/understanding-activitypub-part-4-threads/#the-instance-actor

@nightpool I'm curious, do you have an example of how to get an authorized fetch Mastodon to serve an actor or its key unsigned? Testing on mastodon.art, I couldn't get it to serve me either an actor or its #main-key (granted, how to even request that is unclear, viz https://github.com/w3c/activitypub/issues/367) with unsigned requests:

$ curl -vL -H 'Accept: application/activity+json' 'https://mastodon.art/users/snarfed'
...
< HTTP/1.1 401 Unauthorized
...
{"error":"Request not signed"}

$ openssl s_client -connect mastodon.art:443
...
GET /users/snarfed#main-key HTTP/1.1
Host: mastodon.art
Accept: application/activity+json
...
HTTP/1.1 401 Unauthorized
...
{"error":"Request not signed"}
nightpool commented 9 months ago

I learned recently that this was a change made between the original release of Authorized Fetch (which I reviewed) and a subsequent release which locked user actors down further. This change was made for compatibility reasons (so that instances not supporting authorized fetch didn't show incomplete profiles)

evanp commented 9 months ago

If I remember correctly, Threads actors require signed requests, which caused a deadlock unless the requestor allowed unsigned requests for keys.

snarfed commented 9 months ago

Huh, I could have sworn they stopped requiring sigs, and said it was a bug that the originally did require them, but I checked just now and they still are required.

Regardless, the instance actor solution works against servers like Threads too, even if they don't have their own instance actor.

evanp commented 9 months ago

@snarfed yes, they fixed it. It doesn't mean we shouldn't tell the next implementer to avoid that same bug!

snarfed commented 9 months ago

First pass at text here is in https://github.com/swicg/activitypub-http-signature/issues/12#issuecomment-1965494431