Closed umonaca closed 4 years ago
The following is a Delete Actor request intercepted with ngrok on a local development machine. It is sent from localhost:3000 to 6e7c3bdc9e25.ngrok.io (which is the same machine but port-forwarded to Activity-Relay running at port 8080):
POST /inbox HTTP/1.1
User-Agent: http.rb/4.4.1 (Mastodon/3.2.0rc1; +http://localhost:3000/)
Host: 6e7c3bdc9e25.ngrok.io
Date: Tue, 28 Jul 2020 04:52:30 GMT
Accept-Encoding: gzip
Digest: SHA-256=4ZBxPxe36w+eVZjrytHt1w1Y4bCxVmFDfZt0/UUmum0=
Content-Type: application/activity+json
Signature: keyId="http://localhost:3000/users/admin#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="5QV/TtofOGXzQk278kiocm7fuq99Zc7ZPY+M/zk/cengf1hAE/jCRJoYk5xmjQAneKCML0jVKQRRQiY/3paLE1KXd7tkeY5T/uBw9gSAAGW1QuxrXDqerQCVeqHpyDbQw2B3TEFRIuwoI+8gYZlf/cMxZYjDGmcmEVNCAx/ICD8zFmxypUJfFv5ILaauMnzw0atxirRczFw/DCb3FUUvFDiNKK13QPoQ/LorRioMpaLXdM6R0Ru0HUsTSvDUcIY4uQi0IVQ3LtRbNMR4aXJ72Kl33zrK6KAZalWD/7XiHxONgCdcXOqabqBD1JEFehZoi/y0uX0ndATPJSYAJce7Eg=="
Content-Length: 751
X-Forwarded-Proto: https
X-Forwarded-For: 67.241.7.98

{"@context":"https://www.w3.org/ns/activitystreams","id":"http://localhost:3000/users/admin#delete","type":"Delete","actor":"http://localhost:3000/users/admin","to":["https://www.w3.org/ns/activitystreams#Public"],"object":"http://localhost:3000/users/admin","signature":{"type":"RsaSignature2017","creator":"http://localhost:3000/users/admin#main-key","created":"2020-07-28T04:52:29Z","signatureValue":"Kmj02PAcA/KbicmRLCj/NRiBO22fcfiIT6ZeOu74c6378bOGSdEaw2hZTckJ3Z0Dau9VWMVC4ZjEAnhGTWaHv3TBHRuyZuYeG3R5YfOe/2a67YaOWlGiGZhSj/kEgGtrHt16Nr2uTAD+eTA7t9tS1uixrhbilGbYXYVIAJsyGslQDTwzWUCr2kD2rb+7tat/hjQIzKM5cc3Go0tugbKKV6YEoI/wvPoj9SEHc/KfCJZLpY/s32a0LTWo6xc6dTxIzKi/ncrpbSzlkkLGzF57Zh4eRGXNdQu0K2Y7C3OFdksbN4tUgAGhxvVGkiTnLe9RFoJo81JBm5mmm1w2ku0pDw=="}}
Note: tootctl self-destruct does not destroy local data; it only marks local accounts as "suspended", which can easily be reverted with an SQL or Rails console command. Just set suspended_at to nil in the accounts table.
I confirmed why self-destruct is not relayed successfully.
The user who sent the Delete Activity is already gone.
The relay has no public key information for the user, so it needs to confirm it per activity (of course, it has a small cache mechanism).
But the user is gone and the relay can't retrieve the public key, so it can't confirm the authenticity of the object.
This is the specification.
Mastodon's self-destruct presupposes that the receiver has a way to confirm the authenticity of the object on its own. The relay's priority is to prevent the spread of spam, so I can't solve this problem.
If the actor's information is reachable from the relay, Delete Actor is supported by the current implementation.
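The check described in the comment above, as an added example (not Activity-Relay's own code): a receiver rebuilds the signing string from the headers named in the Signature header, then needs the public key behind keyId, which is the step that fails once the actor is gone. The names VerifyInbox and resolve and the host relay.example are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

var sigParam = regexp.MustCompile(`(\w+)="([^"]*)"`)

// VerifyInbox checks Digest and HTTP Signature; resolve (hypothetical) fetches the key behind keyId.
func VerifyInbox(r *http.Request, body []byte, resolve func(keyID string) (*rsa.PublicKey, error)) error {
	p := map[string]string{} // parameters of the Signature header
	for _, m := range sigParam.FindAllStringSubmatch(r.Header.Get("Signature"), -1) {
		p[m[1]] = m[2]
	}
	sum := sha256.Sum256(body)
	if r.Header.Get("Digest") != "SHA-256="+base64.StdEncoding.EncodeToString(sum[:]) {
		return fmt.Errorf("digest does not match body")
	}
	special := map[string]string{"(request-target)": strings.ToLower(r.Method) + " " + r.URL.RequestURI(), "host": r.Host}
	var lines []string // signing string: one "name: value" line per signed header
	for _, h := range strings.Fields(p["headers"]) {
		v, ok := special[h]
		if !ok {
			v = r.Header.Get(h)
		}
		lines = append(lines, h+": "+v)
	}
	// After a Delete Actor the account behind keyId may already be gone, so this lookup can fail.
	pub, err := resolve(p["keyId"])
	if err != nil {
		return fmt.Errorf("signer key unavailable: %w", err)
	}
	sig, _ := base64.StdEncoding.DecodeString(p["signature"]) // bad base64 fails verification below
	hashed := sha256.Sum256([]byte(strings.Join(lines, "\n")))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashed[:], sig)
}

func main() {
	gone := func(string) (*rsa.PublicKey, error) { return nil, fmt.Errorf("410 Gone") }
	r, _ := http.NewRequest("POST", "http://relay.example/inbox", nil) // constructed request, empty body
	r.Header.Set("Digest", "SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=")
	fmt.Println(VerifyInbox(r, nil, gone))
}
```

A production verifier would additionally require that (request-target), date and digest appear in the signed headers list and would reject stale Date values.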
On Mastodon, when a user deletes their account, or when a developer executes tootctl self-destruct, the server sends out a Delete Actor activity. Currently it's unsupported by the relay, returning 400.