Enable communication with "authorized_fetch" Mastodon servers #2613
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When mastodon is in authorized fetch mode any request has to be signed or it fails with 401. This adds the needed signature to the requests made to discover the actor when receiving something from mastodon (such as a follow request)
If no digest value is passed to make_signature and Exception was thrown. Since digest is added to the signature headers if it is not None anyway, there is no need to assign the digest value before that check. When signing a request _as the server_ for Mastodon's AUTHORIZED_FETCH there is no need to include a digest.
ERROR HANDLING FIXES - use raise_for_status() to pass through response code - handle exceptions where no response object is passed through INSTANCE ACTOR - models.User.objects.create_user function cannot take an ID - allow instance admins to determine username and email for instance actor in settings.py
Makes exception handling more precise, only raising status for 401s. Also fixes a string pylint was complaining about.
|
Thanks for picking this up 🙏🏼 |
- when using raise_for_status we need to catch an HTTPError, not a ConnectionError - simplify instance actor - use internal email address since it will never be used anyway, and make default username less likely to already be in use.
jaschaurbach
approved these changes
Jan 25, 2023
|
@mouse-reeve if you're happy with @jaschaurbach's review, then this is ready to go. The only change I made since that review was to add a more verbose note in the |
|
Seems to work to me! |
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This builds on the initial work of @renatolond in #427 and resolves a number of bugs preventing that PR moving forward.
In short, this PR should allow communication between Bookwyrm instances and Mastodon instances that use "secure mode" aka
AUTHORIZED_FETCH.I have run tests and also tested this manually against accounts running on both "secure mode" and non "secure mode" Mastodon instances, as well as between 2 Bookwyrm instances, and it appears to work, but I definitely want at least one other person to test it independently in case I missed something.
New settings
There is a new value in
settings.py:INSTANCE_ACTOR_USERNAME- defaults tothe instance domain namebookwyrm.instance.actor, so that the instance actor (required to sign requests to "secure mode" Mastodon servers) will have a username like@[email protected]*INSTANCE_ACTOR_EMAIL- defaults torepresentative@DOMAINso that instance actors will have a registered email like[email protected]The new instance actor will have an email address registered as
bookwyrm@localhost.resolves #1179
closes #427