Skip to content

Piero Bosio Social Web Site Personale Logo Fediverso

Social Forum federato con il resto del mondo. Non contano le istanze, contano le persone
  1. Home
  2. Categories
  3. Technical Discussion
  4. Using the ActivityPub API for cross-server interactions

Using the ActivityPub API for cross-server interactions

Technical Discussion
3 3 0
Log in to reply

Feed RSS
Using the ActivityPub API for cross-server interactions

Gli ultimi otto messaggi ricevuti dalla Federazione
  • thisismissem@activitypub.spaceundefined
    thisismissem@activitypub.space

    Client reputation isn't really something you can track and share in a decentralized network without introducing some centralisation. You could try to do web of trust style things, but that would mean writing a record that publicly says "good client is good", but then a malicious app could just write that record on sign-in: how many iOS apps nag you for a positive review? Particularly with somewhat dark patterns of "are you enjoying ? Yes / no" where "no" pushes you to the app's feedback and yes pushes to write a review, trying to deliberately avoid negative reviews.

    The other downside of publicly disclosing which clients you use is that it tells attackers where to look for security exploits, because now you can pick a set of targets and try to attack the software they use.

    Raw usage numbers also doesn't help because a bad client can quite easily become viral, see for example Cambridge analytica, who iirc used games to gain access to sensitive data.

    You'd also need moderation tools that can moderate clients in some sort of meaningful way — that's near impossible for dynamic client registration. That's why we wrote the CIMD spec. A large Mastodon server usually has 10-20x the number of registered clients as number of accounts.

    Things that can add up to trust are things like:

    privacy policies & terms of service client_uri (website) matching the client metadata (requires some crawling) client authentication mechanism (public client vs private_key_jwt auth) scopes/authorization requested being fine grain enough, instead of asking for full unrestricted access.

    But OAuth security and trust models are complex and generally proprietary

    read more
  • brunogirin@mastodon.me.ukundefined
    brunogirin@mastodon.me.uk

    @evan
    Sounds good!

    I suppose it would be useful to be able to specify the version too so that you may ban a known buggy version of a client or any version prior to a known CVE fix.

    It could also be useful to make those lists shareable so that a new Fedi instance can start with something if they wish to.

    read more
  • evan@activitypub.spaceundefined
    evan@activitypub.space

    @brunogirin@mastodon.me.uk

    I'd suggest that there are two parties that should get to decide what is a good or bad client:

    The ActivityPub user who uses the client. The administrator of the server that the ActivityPub user uses.

    I think there's a third group, which is other admins, developers, and users, who share similar values with the user and the admin. They may have information to share with the user and/or admin.

    I don't think these values are universal, so I don't think we need a universal reputation. But I can give what I think are bad things for an API client to do.

    Generating activities on behalf of the user that don't match the user's express or implied intentions. For example, if the user logs into a client app, and it posts a public message, "I think this client app is the best and everyone should try it!" Extracting the user's data for reasons that the user wasn't informed of. For example, a client app that copies all your private messages to cloud backup controlled by the app developer. Abusing public or private resources, even if the user intends to abuse. For example, a client app for spamming, or a client app for brigading.

    I think there are a few signals that could identify what I would call "bad" clients:

    User complaints would be the biggest Complaints from other users about the user's behaviour when using the app Security researcher reports
    read more
  • toddsundsted@epiktistes.comundefined
    toddsundsted@epiktistes.com

    brilliant!

    read more
  • brunogirin@mastodon.me.ukundefined
    brunogirin@mastodon.me.uk

    @evan what factors would impact the reputation and who decides what is a good or bad client?

    read more
  • evan@cosocial.caundefined
    evan@cosocial.ca

    @evan@activitypub.space I want to take a moment to note how nice the NodeBB content looks in Mastodon.

    read more
  • evan@activitypub.spaceundefined
    evan@activitypub.space

    For the ActivityPub API Task Force, I started an issue to discuss OAuth client reputation systems.

    A reputation system tracks which OAuth clients are known good, known bad, or unknown. Servers could use this information to limit what clients can do. For example, a server could prevent users from logging in with a known bad client.

    The reputation could be based on human curation and review, or on automated collection of evidence from historical behaviour of the client.

    I'm trying to find examples in the OAuth ecosystem of this kind of reputation systems -- either local or distributed.

    App store approval (and user reviews) are a good example for native apps. OpenBanking keeps a client directory that needs human curation and review.

    I don't have examples from OAuth -- especially with dynamic registration or CIMD.

    Any ideas?

    read more
  • julian@activitypub.spaceundefined
    julian@activitypub.space

    @evan sorry I missed the meeting! Sounds like something right up my alley on what to work on next.

    Thanks for sharing the link.

    read more
@pierobosio@soc.bosio.info
Post suggeriti
  • eyeinthesky@mastodon.socialundefined

    "Critical concept: IRIs are opaque identifiers.

    Technical Discussion activitypub
    1
    0 Votes
    1 Posts
    1 Views
    eyeinthesky@mastodon.socialundefined
    "Critical concept: IRIs are opaque identifiers. You cannot infer meaning from the string pattern — only by dereferencing and inspecting the data." [1] This applies to URIs too. Sadly, almost no #ActivityPub implementations use this principle. Multi-tenant servers and simple account portability (with personal domains) would be relatively easy if they did.🙄 It is what it is.../cc @melvincarvalho [1] https://socialdocs.org/docs/concepts/uris-iris-linked-data/
  • bsky.brid.gy@bsky.brid.gyundefined

    Happy New Year!

    Technical Discussion
    1
    1
    0 Votes
    1 Posts
    0 Views
    bsky.brid.gy@bsky.brid.gyundefined
    Happy New Year! Hope you all had a good holiday. It’s shaping up to be a great year on the open social web! We’ve been busy working on new features, internal improvements, bug fixes, and exploring new networks over the last couple months. Here are the noticeable changes on the bridge since our last update: DM notifications for interactions from non-bridged users (more) Mastodon to Bluesky support in Bounce (more) Expand blocking to Bluesky blocklists, multiple at once, web UI, and more… Support setting Bluesky handle back to the default *.ap.brid.gy (more) More support for fediverse => Bluesky pinned posts Make images/videos on Bluesky more reliable: Refresh them periodically Handle the same file at multiple URLs Upgraded to a paid CloudImage account for proxying Threads images/videos Customize Bluesky labels based on keywords in fediverse content warning (thanks @KDederichs!) Improve GoToSocial compatibility Bridge Web Monetization wallet addresses For Bluesky profiles bridged to the fediverse, make the link back to Bluesky “verified” (green check) in Mastodon Add support for new (invisible) website field in Bluesky profiles Web UI: improve handling of IDNs (domain names with emoji) and punycode RSS feeds: support application/rdf+xml Web UI: reload profile on login Bug fixes: …for race condition on writing to Bluesky repos …for bridging Bluesky handle changes to fediverse Webfinger address …for bridging web posts, replies, etc after we’ve already seen them …for deleting bridged fediverse profiles on some servers …for bridging Bluesky profile pictures to the fediverse …for links in post text When there’s an unbridged dependency, only skip that one protocol, not all Add missing PropertyValue in AS2 @context …for duplicated images in posts bridged to Bluesky Internal: Bluesky: Reliability improvements for firehose server/client Scale past ~10qps bottleneck in allocating sequence numbers (more) implement listBlobs Expand continuous deploy flags Various cost optimizations added up to savings of 40-50%: As usual, feel free to ping us with feedback, questions, and bug reports, and please support us on Patreon! You can follow the now label on GitHub to see what we’re currently focusing on. See you on the bridge!
  • julian@activitypub.spaceundefined

    WP replies not federating back out?

    Technical Discussion
    11
    1 Votes
    11 Posts
    0 Views
    evan@cosocial.caundefined
    @pfefferle in the admin panel!
  • fedify@hollo.socialundefined

    # Fedify 1.10.0: Observability foundations for the future debug dashboard

    Technical Discussion fedify fedidev release fediverse typescript activitypub opentelemetry
    1
    0 Votes
    1 Posts
    1 Views
    fedify@hollo.socialundefined
    Fedify 1.10.0: Observability foundations for the future debug dashboard Fedify is a #TypeScript framework for building #ActivityPub servers that participate in the #fediverse. It reduces the complexity and boilerplate typically required for ActivityPub implementation while providing comprehensive federation capabilities. We're excited to announce #Fedify 1.10.0, a focused release that lays critical groundwork for future debugging and observability features. Released on December 24, 2025, this version introduces infrastructure improvements that will enable the upcoming debug dashboard while maintaining full backward compatibility with existing Fedify applications. This release represents a transitional step toward Fedify 2.0.0, introducing optional capabilities that will become standard in the next major version. The changes focus on enabling richer observability through OpenTelemetry enhancements and adding prefix scanning capabilities to the key–value store interface. Enhanced OpenTelemetry instrumentation Fedify 1.10.0 significantly expands OpenTelemetry instrumentation with span events that capture detailed ActivityPub data. These enhancements enable richer observability and debugging capabilities without relying solely on span attributes, which are limited to primitive values. The new span events provide complete activity payloads and verification status, making it possible to build comprehensive debugging tools that show the full context of federation operations: activitypub.activity.received event on activitypub.inbox span — records the full activity JSON, verification status (activity verified, HTTP signatures verified, Linked Data signatures verified), and actor information activitypub.activity.sent event on activitypub.send_activity span — records the full activity JSON and target inbox URL activitypub.object.fetched event on activitypub.lookup_object span — records the fetched object's type and complete JSON-LD representation Additionally, Fedify now instruments previously uncovered operations: activitypub.fetch_document span for document loader operations, tracking URL fetching, HTTP redirects, and final document URLs activitypub.verify_key_ownership span for cryptographic key ownership verification, recording actor ID, key ID, verification result, and the verification method used These instrumentation improvements emerged from work on issue #234 (Real-time ActivityPub debug dashboard). Rather than introducing a custom observer interface as originally proposed in #323, we leveraged Fedify's existing OpenTelemetry infrastructure to capture rich federation data through span events. This approach provides a standards-based foundation that's composable with existing observability tools like Jaeger, Zipkin, and Grafana Tempo. Distributed trace storage with FedifySpanExporter Building on the enhanced instrumentation, Fedify 1.10.0 introduces FedifySpanExporter, a new OpenTelemetry SpanExporter that persists ActivityPub activity traces to a KvStore. This enables distributed tracing support across multiple nodes in a Fedify deployment, which is essential for building debug dashboards that can show complete request flows across web servers and background workers. The new @fedify/fedify/otel module provides the following types and interfaces: import { MemoryKvStore } from "@fedify/fedify"; import { FedifySpanExporter } from "@fedify/fedify/otel"; import { BasicTracerProvider, SimpleSpanProcessor, } from "@opentelemetry/sdk-trace-base"; const kv = new MemoryKvStore(); const exporter = new FedifySpanExporter(kv, { ttl: Temporal.Duration.from({ hours: 1 }), }); const provider = new BasicTracerProvider(); provider.addSpanProcessor(new SimpleSpanProcessor(exporter)); The stored traces can be queried for display in debugging interfaces: // Get all activities for a specific trace const activities = await exporter.getActivitiesByTraceId(traceId); // Get recent traces with summary information const recentTraces = await exporter.getRecentTraces({ limit: 100 }); The exporter supports two storage strategies depending on the KvStore capabilities. When the list() method is available (preferred), it stores individual records with keys like [prefix, traceId, spanId]. When only cas() is available, it uses compare-and-swap operations to append records to arrays stored per trace. This infrastructure provides the foundation for implementing a comprehensive debug dashboard as a custom SpanExporter, as outlined in the updated implementation plan for issue #234. Optional list() method for KvStore interface Fedify 1.10.0 adds an optional list() method to the KvStore interface for enumerating entries by key prefix. This method enables efficient prefix scanning, which is useful for implementing features like distributed trace storage, cache invalidation by prefix, and listing related entries. interface KvStore { // ... existing methods list?(prefix?: KvKey): AsyncIterable<KvStoreListEntry>; } When the prefix parameter is omitted or empty, list() returns all entries in the store. This is useful for debugging and administrative purposes. All official KvStore implementations have been updated to support this method: MemoryKvStore — filters in-memory keys by prefix SqliteKvStore — uses LIKE query with JSON key pattern PostgresKvStore — uses array slice comparison RedisKvStore — uses SCAN with pattern matching and key deserialization DenoKvStore — delegates to Deno KV's built-in list() API WorkersKvStore — uses Cloudflare Workers KV list() with JSON key prefix pattern While list() is currently optional to give existing custom KvStore implementations time to add support, it will become a required method in Fedify 2.0.0 (tracked in issue #499). This migration path allows implementers to gradually adopt the new capability throughout the 1.x release cycle. The addition of list() support was implemented in pull request #500, which also included the setup of proper testing infrastructure for WorkersKvStore using Vitest with @cloudflare/vitest-pool-workers. NestJS 11 and Express 5 support Thanks to a contribution from Cho Hasang (@crohasang@hackers.pub), the @fedify/nestjs package now supports NestJS 11 environments that use Express 5. The peer dependency range for Express has been widened to ^4.0.0 || ^5.0.0, eliminating peer dependency conflicts in modern NestJS projects while maintaining backward compatibility with Express 4. This change, implemented in pull request #493, keeps the workspace catalog pinned to Express 4 for internal development and test stability while allowing Express 5 in consuming applications. What's next Fedify 1.10.0 serves as a stepping stone toward the upcoming 2.0.0 release. The optional list() method introduced in this version will become required in 2.0.0, simplifying the interface contract and allowing Fedify internals to rely on prefix scanning being universally available. The enhanced #OpenTelemetry instrumentation and FedifySpanExporter provide the foundation for implementing the debug dashboard proposed in issue #234. The next steps include building the web dashboard UI with real-time activity lists, filtering, and JSON inspection capabilities—all as a separate package that leverages the standards-based observability infrastructure introduced in this release. Depending on the development timeline and feature priorities, there may be additional 1.x releases before the 2.0.0 migration. For developers building custom KvStore implementations, now is the time to add list() support to prepare for the eventual 2.0.0 upgrade. The implementation patterns used in the official backends provide clear guidance for various storage strategies. Acknowledgments Special thanks to Cho Hasang (@crohasang@hackers.pub) for the NestJS 11 compatibility improvements, and to all community members who provided feedback and testing for the new observability features. For the complete list of changes, bug fixes, and improvements, please refer to the CHANGES.md file in the repository. #fedidev #release