I have added Mastodon-style (FEP-044f) quote post compatibility to my @DailyRucks bot.
Technical Discussion
7
Posts
2
Posters
0
Views
-
RE: https://fietkau.software/daily_rucks/ap/activity/2025-11-08
I have added Mastodon-style (FEP-044f) quote post compatibility to my @DailyRucks bot. You can now quote post the daily voice lines as much as you want! 🥳
This would be noteworthy on its own if there weren't already a bunch of non-Mastodon implementations, but I'm actually late to the party. WordPress, Bonfire, micro.blog, dotmakeup, and ActivityBot all got there before I did.
However, I think my approach is novel for being *stateless*. Thread incoming.
🧵 1/6
-
RE: https://fietkau.software/daily_rucks/ap/activity/2025-11-08
I have added Mastodon-style (FEP-044f) quote post compatibility to my @DailyRucks bot. You can now quote post the daily voice lines as much as you want! 🥳
This would be noteworthy on its own if there weren't already a bunch of non-Mastodon implementations, but I'm actually late to the party. WordPress, Bonfire, micro.blog, dotmakeup, and ActivityBot all got there before I did.
However, I think my approach is novel for being *stateless*. Thread incoming.
🧵 1/6
You may have read that Mastodon quote posts are technically opt-in. To give you the options to opt out of being quoted or to revoke a prior quote permission, each post that tries to quote you applies for an individualized “permission slip” behind the scenes.
This permission slip actually points back to your own server, allowing you to revoke a quote post permission without needing the cooperation of the server where you're being quoted.
Full technical details: https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md
🧵 2/6
-
You may have read that Mastodon quote posts are technically opt-in. To give you the options to opt out of being quoted or to revoke a prior quote permission, each post that tries to quote you applies for an individualized “permission slip” behind the scenes.
This permission slip actually points back to your own server, allowing you to revoke a quote post permission without needing the cooperation of the server where you're being quoted.
Full technical details: https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md
🧵 2/6
This bureaucracy is necessary for verification of consent, but it is a bit of a pain for software implementers who want to give blanket quoting permissions, like bot authors.
Making your account quotable by Mastodon takes more than a simple declaration: it has to have the ability to respond affirmatively to quote requests, and to confirm or deny the legitimacy of existing quotes.
Generally this means having to at least keep track of everyone who has quoted you.
🧵 3/6
-
This bureaucracy is necessary for verification of consent, but it is a bit of a pain for software implementers who want to give blanket quoting permissions, like bot authors.
Making your account quotable by Mastodon takes more than a simple declaration: it has to have the ability to respond affirmatively to quote requests, and to confirm or deny the legitimacy of existing quotes.
Generally this means having to at least keep track of everyone who has quoted you.
🧵 3/6
While reading FEP-044f, I had an idea for getting around that requirement. It's difficult to explain without getting extremely technical, but I think it could be interesting for platform implementers who want to offer blanket quotability to Mastodon users, but who have shied away from FEP-044f for its state management requirements.
Basically, a quote authorization stamp payload (see https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md#example-of-quoteauthorization) has to contain the IDs of the quoting post and the quoted post.
🧵 4/6
-
While reading FEP-044f, I had an idea for getting around that requirement. It's difficult to explain without getting extremely technical, but I think it could be interesting for platform implementers who want to offer blanket quotability to Mastodon users, but who have shied away from FEP-044f for its state management requirements.
Basically, a quote authorization stamp payload (see https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md#example-of-quoteauthorization) has to contain the IDs of the quoting post and the quoted post.
🧵 4/6
That's why it's not possible to simply reply “ya sure” to every quote verification request. The response has to affirmatively state which quote it is for.
So I thought, instead of keeping a list of prior quotes in a local database, why not embed them in the ID (URI) of the verification stamp? That way the code could simply echo them back out for any future request.
Turns out this works! You can see an example here: https://fietkau.software/daily_rucks/ap/quoteAuth?stamp=2025-11-08;https%3A%2F%2Fexample.com%2Fsome-post
🧵 5/6
-
That's why it's not possible to simply reply “ya sure” to every quote verification request. The response has to affirmatively state which quote it is for.
So I thought, instead of keeping a list of prior quotes in a local database, why not embed them in the ID (URI) of the verification stamp? That way the code could simply echo them back out for any future request.
Turns out this works! You can see an example here: https://fietkau.software/daily_rucks/ap/quoteAuth?stamp=2025-11-08;https%3A%2F%2Fexample.com%2Fsome-post
🧵 5/6
This way, @DailyRucks gives out permission slips which are “shaped” in a way that is instantly verifiable, no database and no internal state required.
The only problem is that the ID of the quoting post is an arbitrary URI, and passing full URIs as query string parameters is brittle. It seems to work for Mastodon post IDs, but other platforms might have more complex URI schemas.
I guess we'll see what happens! 😀
Project website with link to the git repository: https://fietkau.software/daily_rucks
🧵 6/6
-
This way, @DailyRucks gives out permission slips which are “shaped” in a way that is instantly verifiable, no database and no internal state required.
The only problem is that the ID of the quoting post is an arbitrary URI, and passing full URIs as query string parameters is brittle. It seems to work for Mastodon post IDs, but other platforms might have more complex URI schemas.
I guess we'll see what happens! 😀
Project website with link to the git repository: https://fietkau.software/daily_rucks
🧵 6/6
@julian Nice workaround. They should describe it in the FEP
Gli ultimi otto messaggi ricevuti dalla Federazione
-
Token revocation and userinfo endpoint are also implemented. iss indication on redirects is also recommended, but not planned yet
-
I believe CIMD is planned, and at some point expiring access tokens & refresh tokens will also land, and maybe in a distant future DPoP too.
DCR has a client registration proliferation problem, which is why Mastodon want CIMD.
-
So, as far as I can tell, Mastodon supports:
Authorization code flow PKCE Authorization server metadataIt doesn't seem to support:
OAuth Dynamic Client Registration Client ID Metadata DocumentsIt instead uses a proprietary endpoint.
thisismissem is that about right? Is there work underway to support CIMD (preferred) or dynamic registration (less good but a more established standard)?
-
@julian Nice workaround. They should describe it in the FEP
-
This way, @DailyRucks gives out permission slips which are “shaped” in a way that is instantly verifiable, no database and no internal state required.
The only problem is that the ID of the quoting post is an arbitrary URI, and passing full URIs as query string parameters is brittle. It seems to work for Mastodon post IDs, but other platforms might have more complex URI schemas.
I guess we'll see what happens! 😀
Project website with link to the git repository: https://fietkau.software/daily_rucks
🧵 6/6
-
That's why it's not possible to simply reply “ya sure” to every quote verification request. The response has to affirmatively state which quote it is for.
So I thought, instead of keeping a list of prior quotes in a local database, why not embed them in the ID (URI) of the verification stamp? That way the code could simply echo them back out for any future request.
Turns out this works! You can see an example here: https://fietkau.software/daily_rucks/ap/quoteAuth?stamp=2025-11-08;https%3A%2F%2Fexample.com%2Fsome-post
🧵 5/6
-
While reading FEP-044f, I had an idea for getting around that requirement. It's difficult to explain without getting extremely technical, but I think it could be interesting for platform implementers who want to offer blanket quotability to Mastodon users, but who have shied away from FEP-044f for its state management requirements.
Basically, a quote authorization stamp payload (see https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md#example-of-quoteauthorization) has to contain the IDs of the quoting post and the quoted post.
🧵 4/6
-
This bureaucracy is necessary for verification of consent, but it is a bit of a pain for software implementers who want to give blanket quoting permissions, like bot authors.
Making your account quotable by Mastodon takes more than a simple declaration: it has to have the ability to respond affirmatively to quote requests, and to confirm or deny the legitimacy of existing quotes.
Generally this means having to at least keep track of everyone who has quoted you.
🧵 3/6
