Live testing of remote categories

scott@loves.tech

@julian @Mario Vavti That is one thing that I wish Hubzilla did, and that is identify the author of the original note (top level post in a forum), both internally in the database and in a variable available to themes, and externally via Zot protocol and ActivityPub.

mario@hub.somaton.com

@julian in Hubzilla the group actor will fork the original post with a quote reshare. Hence attributedTo is set to the group actor. IIRC the author of the original post is being stored for refernce but we currently do not use this info.

@Scott M. Stolz

julian@community.nodebb.org

@mario@hub.somaton.com since Hubzilla posts (incl. yours) are making it in fine I’m assuming this is only for the “forum” feature?

mario@hub.somaton.com

@julian right.

scott@loves.tech

@Mario Vavti If we exposed the original author to the Hubzilla UI as a variable and via Zot and ActivityPub, it would allow the UI to display the author of the first post instead of or in addition to the name of the forum.

I understand that on the backend it may be desirable to have the first post in a forum owned by the forum for backwards compatibility with platforms that don't support groups, but the UI does not have to display the first post with the forum as the author. We have the information about the author of the first post, so might as well display it.

scott@loves.tech

@Mario Vavti @julian Another compatibility issue that we may need to look at is permissions to post. Hubzilla can restrict posts and comments to only being from people following the forum, for example. It also has a moderated mode, which will accept posts from unknown actors, but will place it in a moderation queue. So it may be desirable to turn off the ability to comment if the permissions to comment are not permitted for a particular actor.

mario@hub.somaton.com

@Scott M. Stolz i think this would be very misleading. But this discussion does not belong here.

scott@loves.tech

@Mario Vavti Okay. Deleting the post.

mario@hub.somaton.com

@julian we have recently rewritten the addressing logic and it seems mapping the mentions to to for public toplevel posts has fallen short. After fixing this it seems to work fine now: #^https://community.nodebb.org/topic/cbbf1640-2295-4fc5-b86f-5b1fd259cccb/test2

@Scott M. Stolz

julian@community.nodebb.org

@mario@hub.somaton.com that’s wonderful to hear! Thank you so much.

? Offline

Some of the remote categories appear to be broken now.

These are the Flipboard magazines NodeBB is currently aware of when searching “flipboard” in the search page:

[Tech News by @theverge@flipboard.com](https://community.nodebb.org/category/tech-news-theverge@flipboard.com)
[Musik News by @musikexpressde@flipboard.com](https://community.nodebb.org/category/musik-news-musikexpressde@flipboard.com)
[Gear by @engadget@flipboard.com](https://community.nodebb.org/category/gear-engadget@flipboard.com)

However, that very first one (tech news by The Verge) does not work; going to it gives a 404 page instead.

Something else appears to have happened to the Vivaldi Blog remote category (a WordPress blog). A week ago it was working fine, but now, searching for it lists it twice in the search page. Each listing indicates a completely different number of posts and topics for the remote category.

Even weirder though most of the topics that are correctly slotted into it, they are not actually in the category page, e.g. https://community.nodebb.org/topic/a85b0eff-5219-46ba-9ad4-a5d417a7bec5/minor-update-2-for-vivaldi-desktop-browser-7.3

? Offline

Actually, I think I know what’s going on with the Vivaldi blog group actor - it’s not necessarily NodeBB’s fault.

Inspecting the AP objects coming from vivaldi.com/blog, all the English-written blog posts have their as:audience field set to https://vivaldi.com/?author=0.

Meanwhile, every other blog post that is written in a different language instead have it set to https://vivaldi.com//?author=0, so for Japanese blog posts, for example, it is https://vivaldi.com/ja/?author=0.

And all these URLs link to different group actors, but all of them have the same value on the preferredUsername and webfinger properties: blog, and blog@vivaldi.com.

julian@community.nodebb.org

@AltCode okay! Thanks for reporting, it sounds like there are two issues going on:

Categories losing their handle-to-id association
- Frustratingly, this read very similarly to #13283, and both remote users and categories share similar logic. I have so far not been able to reproduce it at all on local development.
Separate users (different IDs) sharing the same preferredUsername.
- This is an interesting one, and I am not entirely sure where the fault lies. I wonder how other software handles it?

julian@community.nodebb.org

@AltCode I forked this out to a new topic. I think it’s time to loop @pfefferle@mastodon.social into the conversation (at the very least so this could be potentially escalated).

Mattias, it seems that when the WPML and ActivityPub plugins are enabled together, notes federated out by the blog user in another language have different ids but the same preferredUsername.

e.g. ruari@vivaldi.com: https://vivaldi.com/?author=46 and https://vivaldi.com/ja/?author=46

NodeBB interprets this as two different users. Curiously, Mastodon does not, the second ID explicitly does not resolve.

So there can be two solutions here:

The underlying issue can be fixed by WordPress, the solution of which is out of scope (for me at least)
NodeBB can adopt whatever mechanism Mastodon is using… which is most likely that Mastodon does a two-way when asserting an ID, and ensures that the webfinger resource points to the ID.

julian@community.nodebb.org

The remaining questions here are:

whether preferredUsername is meant to be unique to the instance (in which case having multiple ids point to an identical preferredUsername would be a violation), and
what exactly AP software should do when it encounters this situation… store a list of “known alias” IDs? There are potential security issues to doing so.

julian@community.nodebb.org

@AltCode all three flipboard remote categories seem to be working now

? Offline

This is getting out of hand! Now, there are six of them!

julian@community.nodebb.org

@AltCode This should be fixed in the upcoming v4.3.0.

https://github.com/NodeBB/NodeBB/issues/13352

It won’t proactively remove the duplicates, but they’ll be pruned out within ~7 days.

julian@community.nodebb.org

Bit of a thought experiment here as to how to handle these duplicate accounts.

(tl;dr two federated accounts with different IDs report the same webfinger handle, what do?)

Let’s say @ruario@social.vivaldi.net posts an English article under his account (and then is federated), and posts a translated Japanese one that is also federated, but under the Japanese ID.

What should NodeBB do when encountering the latter? Currently, it will try to assert the actor, fail the webfinger backreference check, and probably drop the post. Not so good.

One could adjust the actor to the former (canonical ID), but that’s not technically right either.

That also opens up potential account impersonation possibilities, so that is something that would need addressing as well.

julian@community.nodebb.org

@pfefferle@mastodon.social just wanted to poke you about this issue again.

The latest updates to NodeBB now do a webfinger backcheck to ensure that the actor has a valid webfinger entry for their purported handle. If it does not, then the user is not properly created. Mastodon also does this. This check is probably for security as well as for preventing handle collisions.

The multilingual plugin in conjunction with the ActivityPub plugin creates users that share the same handle, and that causes issues with federated content.

For example, this article by @jonvt@vivaldi.com will load up just fine in Mastodon, but this japanese article by @akira@vivaldi.com will not, because that second article’s attributedTo is https://vivaldi.com/ja/?author=176, which fails that check (the author’s ID is actually https://vivaldi.com?author=176 as per the handle backcheck)

cc @AltCode