Live testing of remote categories
-
Actually, I think I know what’s going on with the Vivaldi blog group actor - it’s not necessarily NodeBB’s fault.
Inspecting the AP objects coming from vivaldi.com/blog, all the English-written blog posts have their
as:audiencefield set tohttps://vivaldi.com/?author=0.Meanwhile, every other blog post that is written in a different language instead have it set to
https://vivaldi.com//?author=0, so for Japanese blog posts, for example, it ishttps://vivaldi.com/ja/?author=0.And all these URLs link to different group actors, but all of them have the same value on the
preferredUsernameandwebfingerproperties:blog, andblog@vivaldi.com. -
@AltCode okay! Thanks for reporting, it sounds like there are two issues going on:
- Categories losing their handle-to-id association
- Frustratingly, this read very similarly to #13283, and both remote users and categories share similar logic. I have so far not been able to reproduce it at all on local development.
- Separate users (different IDs) sharing the same
preferredUsername.- This is an interesting one, and I am not entirely sure where the fault lies. I wonder how other software handles it?
- Categories losing their handle-to-id association
-
@AltCode I forked this out to a new topic. I think it’s time to loop @pfefferle@mastodon.social into the conversation (at the very least so this could be potentially escalated).
Mattias, it seems that when the WPML and ActivityPub plugins are enabled together, notes federated out by the blog user in another language have different
ids but the samepreferredUsername.e.g.
ruari@vivaldi.com: https://vivaldi.com/?author=46andhttps://vivaldi.com/ja/?author=46NodeBB interprets this as two different users. Curiously, Mastodon does not, the second ID explicitly does not resolve.
So there can be two solutions here:
- The underlying issue can be fixed by WordPress, the solution of which is out of scope (for me at least)
- NodeBB can adopt whatever mechanism Mastodon is using… which is most likely that Mastodon does a two-way when asserting an ID, and ensures that the webfinger resource points to the ID.
-
The remaining questions here are:
- whether
preferredUsernameis meant to be unique to the instance (in which case having multipleids point to an identicalpreferredUsernamewould be a violation), and - what exactly AP software should do when it encounters this situation… store a list of “known alias” IDs? There are potential security issues to doing so.
- whether
-
@AltCode all three flipboard remote categories seem to be working now
-
This is getting out of hand! Now, there are six of them!
-
@AltCode This should be fixed in the upcoming v4.3.0.
https://github.com/NodeBB/NodeBB/issues/13352
It won’t proactively remove the duplicates, but they’ll be pruned out within ~7 days.
-
Bit of a thought experiment here as to how to handle these duplicate accounts.
(tl;dr two federated accounts with different IDs report the same webfinger handle, what do?)
Let’s say @ruario@social.vivaldi.net posts an English article under his account (and then is federated), and posts a translated Japanese one that is also federated, but under the Japanese ID.
What should NodeBB do when encountering the latter? Currently, it will try to assert the actor, fail the webfinger backreference check, and probably drop the post. Not so good.
One could adjust the actor to the former (canonical ID), but that’s not technically right either.
That also opens up potential account impersonation possibilities, so that is something that would need addressing as well.
-
@pfefferle@mastodon.social just wanted to poke you about this issue again.
The latest updates to NodeBB now do a webfinger backcheck to ensure that the actor has a valid webfinger entry for their purported handle. If it does not, then the user is not properly created. Mastodon also does this. This check is probably for security as well as for preventing handle collisions.
The multilingual plugin in conjunction with the ActivityPub plugin creates users that share the same handle, and that causes issues with federated content.
For example, this article by @jonvt@vivaldi.com will load up just fine in Mastodon, but this japanese article by @akira@vivaldi.com will not, because that second article’s
attributedToishttps://vivaldi.com/ja/?author=176, which fails that check (the author’s ID is actually https://vivaldi.com?author=176 as per the handle backcheck)cc @AltCode
