Conversation

Notices

Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 04:37:45 JST Alex Gleason

Welp, here’s the Deno library for signing Fetch API Request objects with HTTP Signatures. Tested against Mastodon, Pleroma, and Misskey and it all works: https://gitlab.com/soapbox-pub/fedisign
In conversation Sunday, 19-Feb-2023 04:37:45 JST from gleasonator.com permalink
Attachments
1. Domain not in remote thumbnail source whitelist: gitlab.com
  
  Soapbox / Fedisign · GitLab
  
  A batteries-included library for dealing with actor keys on the Fediverse. Generate keys, import/export into PEM format, sign requests and verify requests with HTTP signatures.
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 04:38:01 JST Alex Gleason
  in reply to
  
  Most of this code was pulled from Cloudflare’s Wildebeest project.
  
  In conversation Sunday, 19-Feb-2023 04:38:01 JST permalink
- Embed this notice
  Sexy Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 04:45:33 JST Sexy Moon
  in reply to
  
  @alex I think I am gonna pivot the 10grans tipbot 2.0 code to Deno so this is critical functionality.
  
  In conversation Sunday, 19-Feb-2023 04:45:33 JST permalink
  
  Alex Gleason likes this.
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 04:45:41 JST Alex Gleason
  in reply to
  - Sexy Moon
  @Moon You should. Finally got the basics sorted out, so we can share code.
  
  In conversation Sunday, 19-Feb-2023 04:45:41 JST permalink
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 05:02:36 JST Alex Gleason
  in reply to
  - Tassoman
  @tassoman Anyone can POST /inbox from anywhere. TLS only helps verify servers, not clients.
  Public activities don’t have to be signed, because if we get an unsigned activity we can just refetch it from the origin server. In that case TLS helps.
  Private activities can’t be fetched, so the only way to verify it is by a key. We fetch the actor and compare their RSA public key with the HTTP Signature.
  What if key-pair is lost/stolen? ?
  Yes, we have to plan for that. This is what Pleroma does:
  1. Accounts are refetched every 24 hours. A last_refreshed_at is stored on the user. So if keys are stolen, re-roll them.
  2. Upon getting an invalid signature, refetch the actor and try one more time before giving up.
  In conversation Sunday, 19-Feb-2023 05:02:36 JST permalink
- Embed this notice
  Tassoman (tassoman@orwell.fun)'s status on Sunday, 19-Feb-2023 05:02:38 JST Tassoman
  in reply to
  
  I can't get how it works ? it's a server-to-server signed request? There's already TLS between them, what's the plus?
  Can be signed also client-server requests?
  It means can work as certified mail, who can prove the message got inside the inbox of one user and got out from the outbox of another?
  What if key-pair is lost/stolen? ?
  
  In conversation Sunday, 19-Feb-2023 05:02:38 JST permalink
- Embed this notice
  flappypaddle (flappypaddle@shitpost.racing)'s status on Sunday, 19-Feb-2023 05:27:56 JST flappypaddle
  in reply to
  - Tassoman
  What a fucking mess.
  
  In conversation Sunday, 19-Feb-2023 05:27:56 JST permalink
  
  Alex Gleason likes this.

Public

Conversation

Notices

Feeds