Post Am4TOqWf8L1FViFAPY by JsonCulverhouse@flipboard.social
Post #Am0WSEkJ3xW2j75tzs by MatejLach@social.matej-lach.me
       2024-09-14T22:07:11Z
       
       0 likes, 0 repeats
       
       I wrote a small, easy-to-use #golang lib for signing HTTP requests so that #Mastodon would accept them and also to verify requests originating from Mastodon and other #ActivityPub servers, useful if you're implementing your own. Check it out at https://github.com/MatejLach/httpsigver-ap
       
Post #Am1CyYyLap46ncl5hw by mariusor@metalhead.club
       2024-09-15T06:03:39Z
       
       0 likes, 0 repeats
       
       @MatejLach my hero!!! 😻
       
Post #Am2NplrDbvH0oEOV8q by robey@messydesk.social
       2024-09-15T19:40:02Z
       
       0 likes, 1 repeats
       
       @MatejLach congrats! this seems to be the worst-documented part of AP :)
       i can't read golang, but here's my working ts impl if you want to compare notes! https://code.lag.net/robey/squidcity/src/branch/main/src/signatures.ts#L15
       
Post #Am2RrGtY6BXxB1SHuS by MatejLach@social.matej-lach.me
       2024-09-15T20:25:10Z
       
       0 likes, 0 repeats
       
       @robey I really like your explanatory comments, something I need to get better at myself.
       
Post #Am2SR0WSRrmgp7h8Zk by MatejLach@social.matej-lach.me
       2024-09-15T20:31:36Z
       
       0 likes, 0 repeats
       
       @robey One diff I see is https://code.lag.net/robey/squidcity/src/branch/main/src/signatures.ts#L12 vs https://github.com/MatejLach/httpsigver-ap/blob/main/signature.go#L141
       I've got the 12 hours off of https://docs.joinmastodon.org/spec/security/#http-verify to be Mastodon compatible to start with, but am going to make it configurable in the next release as 12hrs seems quite a long time.
       
Post #Am4Re2sjHEJcGcgXE8 by robey@messydesk.social
       2024-09-16T19:32:11Z
       
       0 likes, 0 repeats
       
       @MatejLach i'm pretty sure i made up the 1 hour number, so 12 is just as valid... my thinking was: when sending, we'll retry for up to a few days, to handle servers that have fallen offline for a day or two. so, we're going to have to sign every post *as we send it* -- it can't be queued pre-signed.
       so the signature time is really a measure of clock skew between two servers. and at some point it's not clock skew, it's some kind of hanky-panky.
       
Post #Am4TOqWf8L1FViFAPY by JsonCulverhouse@flipboard.social
       2024-09-16T19:51:46Z
       
       0 likes, 0 repeats
       
       @MatejLach GET requests can and often are signed with a digest header that is just the sha-256 of the empty string.
       You will also find that `hs2019` is used by some servers as an alias to `sha256`.
       Header can be either `SHA-256=` or `sha-256=`.
       Always require a Date header or (created) pseudo-header as part of the signature.
       Always require Host header to be part of the signature on a GET request.
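The verifier-side checks the post above and the clock-skew discussion earlier in the thread call for, written here as an added Go example (not code from httpsigver-ap or squidcity): the signed-header policy (date or (created), plus host on GET), a Digest check that accepts both prefix spellings and still expects the empty-string digest on a bodiless GET, and a Date check that reads the signing time as clock skew against the 12-hour window the thread cites from the Mastodon docs. Function names and the assumption that the Signature `headers` parameter is passed as its raw space-separated value are mine.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// MaxSkew is the 12-hour window the thread cites from the Mastodon docs; a stricter deployment would lower it.
const MaxSkew = 12 * time.Hour
// checkSignedHeaders: the Signature `headers` list must name date or (created), and on a GET also host (policy from the thread).
func checkSignedHeaders(method, headersParam string) error {
	list := " " + strings.ToLower(headersParam) + " "
	if !strings.Contains(list, " date ") && !strings.Contains(list, " (created) ") {
		return fmt.Errorf("signature covers neither date nor (created)")
	}
	if method == http.MethodGet && !strings.Contains(list, " host ") {
		return fmt.Errorf("GET signature does not cover host")
	}
	return nil
}

// checkDigest accepts both "SHA-256=" and "sha-256=" prefixes; a bodiless GET still has to carry the digest of the empty string.
func checkDigest(header string, body []byte) error {
	i := strings.IndexByte(header, '=')
	if i < 0 || !strings.EqualFold(header[:i], "sha-256") {
		return fmt.Errorf("unsupported or malformed Digest header: %q", header)
	}
	sum := sha256.Sum256(body) // sha256 of nil/empty body is the well-known empty-string digest
	if header[i+1:] != base64.StdEncoding.EncodeToString(sum[:]) {
		return fmt.Errorf("Digest does not match body")
	}
	return nil
}

// checkDate reads the signing time as a clock-skew measure: Date must lie within MaxSkew of now in either direction.
func checkDate(date string, now time.Time) error {
	t, err := http.ParseTime(date)
	if err != nil {
		return fmt.Errorf("bad Date header: %w", err)
	}
	if d := now.Sub(t); d > MaxSkew || d < -MaxSkew {
		return fmt.Errorf("Date %s is outside the %s window", t.UTC(), MaxSkew)
	}
	return nil
}
```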