A couple days ago, I got a DM from a #Bonfire user.
Fediverso
6
Posts
3
Posters
4
Views
-
A couple days ago, I got a DM from a #Bonfire user. I happily replied and sent
a follow request—but theAcceptnever came back, even though they hadn't
enabledmanuallyApprovesFollowers. My DM reply probably never arrived either. Classic interop bug.I checked out the Bonfire source and dug in. Turns out Bonfire hasn't implemented RFC 9421 yet, so it was silently discarding any activity signed with it. That alone would be workable, except for one more issue: Bonfire was responding
200 OKeven when signature verification failed, instead of401 Unauthorized.This matters because Fedify implements a double-knocking mechanism—if a request signed with RFC 9421 fails, it retries with the older draft cavage signature. But since Bonfire returned
200 OKon the failed first knock, #Fedify had no reason to send a second one.I filed two issues on the Bonfire #ActivityPub repo—one requesting RFC 9421 support, and one about returning
401on invalid signatures. For the latter, I also sent a PR, which got merged pretty quickly: bonfire-networks/activity_pub#9.That said, individual Bonfire instances won't pick up the fix until they actually deploy it. So in the meantime, I patched Hollo and Hackers' Pub to use
draft-cavage-http-signatures-12as thefirstKnock, so Bonfire instances can at least understand the first request.One last thing: Fedify caches whether a given server supports RFC 9421, and the Bonfire servers I'd already talked to were cached as “supports RFC 9421”—because they'd been returning
200 OK. I had to manually clear that cache on both hollo.social and hackers.pub before everything finally worked.After all that, the mutual follow went through and my DM reply landed. Worth it.
#fedidev #fediverse #Hollo #HackersPub
-
@hongminhee not all heroes wear capes... thank you for your phenomenal work!!!
-
@hongminhee not all heroes wear capes... thank you for your phenomenal work!!!
-
@hongminhee@hollo.social interesting... but if you send cavage-12 as the first knock, and it is accepted, then how will you know if the server supports the 9421?
-
@julian@activitypub.space That's a fair point; honestly, right now there's no reliable way to know. If a server supports both RFC 9421 and draft cavage, and you lead with cavage, you can't infer anything about its RFC 9421 support from a successful response.
The workaround I applied is intentionally temporary, just to keep things working while Bonfire instances catch up with the fix. Once they do, I'll revert
firstKnockback to RFC 9421.The longer-term answer to your question might be FEP-844e, which proposes a capability discovery mechanism—servers could explicitly advertise which specifications they implement (including RFC 9421) via an
Applicationobject. That would make the guesswork unnecessary. It's still a draft, but worth keeping an eye on. -
@hongminhee@hollo.social ah yes,
implementswould be a good thing to support. It would allow you to cache the value temporarily (maybe a quick recheck every 7 days or so) so as to avoid needing a double knock at all.Caching based on first knock success also works.
I wonder if sending HTTP 426 is doable too... 🤔
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/426
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@tommi questo potrebbe interessarti...
-
La European Civil Society Week 2026 è un evento molto interessante, si può partecipare anche online.
La sessione intitolata "Media and digital resilience as safeguards of democracy" sembra di particolare interesse e rilevanza per gli abitanti del #fediverso
Ci sono anche sessioni su come organizzare petizioni europee (European Citizens' Initiative) per contribuire a scrivere l'agenda delle istituzioni europee.
Prendete e strimmatene tutti.
https://www.eesc.europa.eu/en/agenda/our-events/events/civil-society-week-2026
-
@hongminhee@hollo.social ah yes, implements would be a good thing to support. It would allow you to cache the value temporarily (maybe a quick recheck every 7 days or so) so as to avoid needing a double knock at all.
Caching based on first knock success also works.
I wonder if sending HTTP 426 is doable too... 🤔
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/426
-
@julian@activitypub.space That's a fair point; honestly, right now there's no reliable way to know. If a server supports both RFC 9421 and draft cavage, and you lead with cavage, you can't infer anything about its RFC 9421 support from a successful response.
The workaround I applied is intentionally temporary, just to keep things working while Bonfire instances catch up with the fix. Once they do, I'll revert firstKnock back to RFC 9421.
The longer-term answer to your question might be FEP-844e, which proposes a capability discovery mechanism—servers could explicitly advertise which specifications they implement (including RFC 9421) via an Application object. That would make the guesswork unnecessary. It's still a draft, but worth keeping an eye on.
-
@hongminhee@hollo.social interesting... but if you send cavage-12 as the first knock, and it is accepted, then how will you know if the server supports the 9421?
-
@elena@aseachange.com Thanks! 🥰
-
@stefano buongiorno Stefano! Spero che tutti i problemi si risolvano presto
-
@hongminhee not all heroes wear capes... thank you for your phenomenal work!!!
