403 returned on comment delivery from streams about nodebb HOT 19 OPEN

It appears julian is not actually following this account, even though it appears that way from my software. Closing.

from nodebb.

One sec, that shouldn't stop it from being accepted.

from nodebb.

We do a check for a pre-existing relationship, and one of those is whether the comment resolves back to an existing topic. In your case, even without a follow from me, the condition should've been satisfied.

This sounds like a bug we need to look into.

from nodebb.

@macgirvin I see the reply actually made it through. Did something change in the interim?

from nodebb.

I still see nothing but 403 returns here. But there was a reply to my comment from silverpill with the same mentions and perhaps that resulted in pulling it in. TBH, I'm not certain exactly what happened.

from nodebb.

But there was a reply to my comment from silverpill

Ah that's a good point, that might be why. I'll take a closer look.

Thank you for reporting!

from nodebb.

After some digging, this appears to be my own bug. We have some quite extensive permissions. The fetch permissions on that comment ended up being my current default - followers only. So even though it was posted to your site and the conversation is public, your site couldn't actually fetch the activity unless it used your credentials. I think this is what happened. The permissions on my activity should be public because it was part of a public conversation, regardless of my personal preference. I'll try and get this sorted.

from nodebb.

For what it's worth I've actually tried to follow you, but I'm not sure why it doesn't complete (might be my follow isn't accepted)

from nodebb.

I show you as following and accepted. So much for a quiet Sunday.... looks like I'm going to be tracking weird bugs. I might try deleting the connection and starting over. Couldn't hurt at this point.

from nodebb.

In that case it may suggest that the accept from you just wasn't properly handled 🤷 likely something for us to address

from nodebb.

Deleted my side of the connection and started over (I've sent a follow). We'll see how that goes. If that works we can try it going the other way. I might give you a less public account to test against since the logs rotate pretty fast on my primary site. You can try following [email protected] ... though I'm about to get called away for chores. I'll approve it when I get a chance and let you know here.

from nodebb.

Sadly did not receive. NodeBB doesn't have a concept of follow approvals so an Accept should've been sent back immediately.

Will check my logs soon. Also have chores to do 😑

It seems like whatever content is being sent my way from fediversity is rejected for whatever reason, but if requested from my end, is ok (e.g. I was able to successfully retrieve your post)

from nodebb.

Yeah, didn't see any Accept here. But I've been called away. Will have to take up at a later time. I might need to give you a test account here so you can check your side on your own schedule.

from nodebb.

Sure, we'll try again another time. Happy to test with a local account on your service if you'd like. I sent a follow from my dev instance (bb.devnull.land) hoping to see something come back but I got nothing, I guess the follow needs to be approved?

from nodebb.

S'rry - approved this around 12-13 hours ago, but Microsoft's SMS 2FA service was borked so I couldn't login here and let you know.

from nodebb.

Just accepted dragonfruit, which I assume is yours (correctly or incorrectly assumed)

from nodebb.

It is, but I didn't realize it was a different account. Now that you've accepted both will subsequent follows automatically bounce an approve back?

Edit: The answer is yes, here's what I see on my end:

24-04-29T01:12:21.457Z [4567/35216] - verbose: [middleware/activitypub] Validating incoming payload...
2024-04-29T01:12:21.458Z [4567/35216] - verbose: [activitypub/verify] Starting signature verification...
2024-04-29T01:12:21.459Z [4567/35216] - verbose: [activitypub/verify] Retrieving pubkey for https://fediversity.site/channel/mikedev?operation=rsakey
2024-04-29T01:12:21.463Z [4567/35216] - verbose: [activitypub/get] https://fediversity.site/channel/mikedev?operation=rsakey
2024-04-29T01:12:21.795Z [4567/35216] - verbose: [activitypub/verify] Attempting signed string verification
2024-04-29T01:12:21.798Z [4567/35216] - verbose: [middleware/activitypub] HTTP signature verification passed.
2024-04-29T01:12:21.798Z [4567/35216] - verbose: [middleware/activitypub] Request body check passed.
2024-04-29T01:12:21.799Z [4567/35216] - verbose: [middleware/activitypub] Origin check failed, stripping object down to id.
2024-04-29T01:12:21.800Z [4567/35216] - verbose: [middleware/activitypub] Origin check passed.
2024-04-29T01:12:21.802Z [4567/35216] - verbose: [middleware/activitypub] Key ownership cross-check failed.

The "key ownership cross-check" ensures that the claimed actor in the received payload actually controls the keyId received in the signature. I'll have to check to see what's up.

from nodebb.

Got it, it was naive logic in how I broke apart the signature string. I wasn't accounting for values that contained equal signs, of which yours uses (?operation=)

from nodebb.

Cool. Thanks. I've been waffling on using fragments for these things like everybody else does, but the webserver never sees fragments on inbound urls - and I kind of think it's important for the webserver to have knowledge of what exactly was requested of it.

from nodebb.