[Technically not us] Redirecting /notice to /objects causes http signatures to be invalid #146

Closed
opened 2022-08-04 22:52:37 +00:00 by floatingghost · 0 comments

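When we get an AP request on `/notice/:id`, we [redirect to the /object endpoint](https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/lib/pleroma/web/o_status/o_status_controller.ex#L79)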

this causes most HTTP clients to seamlessly move from one URL to the next, but this then causes the HTTP signature to be incorrect since the server software won't regenerate the signature

this is only an issue in the case that

  • your instance is in secure mode
  • someone tries to fetch a post from the /notice endpoint

it only got unearthed due to the secure mode being made more accessible and people turning it on, but this will affect all *roma instances

there's a few possible ways about this, the ugliest would be just to check against the note URL on validate (ew)

given that http is stateless that might be the only way to do this reliably

anyhow something to thunk about
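
Added example, not part of the original issue and not Akkoma's code: a minimal sketch of why a signature made for the `/notice` URL fails once the client follows the redirect, and of the "check against the note URL" workaround the issue mentions. It assumes a draft-cavage style signing string over `(request-target)`, `host` and `date`, uses HMAC-SHA256 with a constructed key as a stand-in for the actor's RSA key, and all paths, hosts and function names are hypothetical.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for the actor's RSA key pair
SIGNED = ("(request-target)", "host", "date")

def signing_string(method, path, headers):
    """Build the string that is signed; the request path is part of it."""
    lines = []
    for name in SIGNED:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines).encode()

def sign(method, path, headers):
    mac = hmac.new(KEY, signing_string(method, path, headers), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify(method, path, headers, signature, aliases=()):
    """Accept the signature if it matches the requested path or an alias.

    Assumption: aliases are derived by the server from the object it is
    about to serve (its own /notice URL), never taken from the request.
    """
    for candidate in (path, *aliases):
        if hmac.compare_digest(sign(method, candidate, headers), signature):
            return True
    return False

# Constructed request data for the demonstration.
HEADERS = {"host": "example.social", "date": "Thu, 04 Aug 2022 22:52:37 GMT"}
NOTICE = "/notice/AAAA"
OBJECT = "/objects/00000000-0000-0000-0000-000000000000"

def demo():
    sig = sign("GET", NOTICE, HEADERS)  # client signs the first request only
    return {
        "notice": verify("GET", NOTICE, HEADERS, sig),
        # client follows the redirect and replays the same Signature header
        "object_after_redirect": verify("GET", OBJECT, HEADERS, sig),
        "object_with_notice_alias": verify("GET", OBJECT, HEADERS, sig, aliases=(NOTICE,)),
    }

if __name__ == "__main__":
    print(demo())
```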

Reference: AkkomaGang/akkoma#146