ether+nick

@evan I think missing fields should also signify an unauthorized request... I'm not an expert on what a "bad request" means, but I would interpret it as "the request does not have all necessary components for the server to be able to compose a valid response".

An authorization header is not part of that in my opinion, but I'm willing to entertain the idea. :)

(Also I'm pretty sure I'm appending the created timestamp... but maybe I missed testing for that... I'll get back to you if it's my problem)

@mariusor I think what I try to do is:

401 - no authentication provided
403 - authentication is present and valid, but not authorized
400 - authentication is present but not valid, like missing fields

Does that seem right to you?

Also, I think the `created` timestamp is necessary for preventing replay attacks. It's pretty important!

Well this is concerning.

I just suspended 14 Russian LLM-generated bot accounts that were created around April 17 on my Mastodon instance, twit.social. Somehow they circumvented manual registration approval. I've turned on Captchas (much as I hate them) for new member requests in the hopes that will stop the bots. They must have discovered a registration bypass bug.

Thanks to IFTAS SW-ISAC for noting and reporting the bots.

Hey @evan, sorry to bother you here and not on the GitHub repo, but I have a question regarding tags.pub.

Do you by any chance only return response code 400 on fetches with an invalid HTTP-Signature?

Full error looks like this (when loading: "tags.pub/user/activitypub"):

> status received : {"type":"about:blank","title":"Bad Request","status":400,"detail":"No created timestamp provided"}

@evan

I know it's not an option, but I'm guessing "none of them", because what would be the point for them? They are all too focused on replicating their closed counterparts

@mlinksva You can definitely use those, but I think it would be good to have dedicated sites for that functionality.

@evan gracious of you and Misskey developers, thank you. (Use of word gracious because I thought your cosocial.ca/@evan/116503475632 was crying for a version involving more wordplay but I couldn't come up with anything I was fully satisfied with; this is a remainder.)

Sparking writing down idle question: what's the nearest to wpt.fyi and caniuse.com for AP? Naively searched and found socialweb.coop/activitypub-tes feditest.org/ and...

Ah, guess socialhub.activitypub.rocks/c/ is where I should read more

@evan @lzg Thanks, I find his points interesting. Not because AIs have a soul or something but because by now it is reasonable to conclude that our own free will and consciousness are much less than we love to believe.