Post B0lhExlkCVInNButFo by django@social.coop
 (DIR) Post #B0lhEw6EPMVAC9UDuS by django@social.coop
       2025-11-30T04:42:58Z
       
       0 likes, 0 repeats
       
      ActivityPub client development is coming along!
      AP platform developers be warned, I be opening issues in your repo soon.
      #ActivityPub #c2s
       
 (DIR) Post #B0lhExlkCVInNButFo by django@social.coop
       2025-11-30T04:49:08Z
       
       0 likes, 0 repeats
       
      sorry Pleroma devs, I just opened up a 2nd #c2s issue in barely a week, and I have no idea what the project capacity is.
      #ActivityPub #Pleroma
       
 (DIR) Post #B0lhEyq2E2KQgmvpa4 by mkljczk@pl.fediverse.pl
       2025-11-30T10:28:49.172823Z
       
       0 likes, 0 repeats
       
       @django i’ll take a look, never played around with c2s
       
 (DIR) Post #B0mOuP1g3p7FoLNLXM by silverpill@mitra.social
       2025-11-30T18:37:26.769331Z
       
       0 likes, 0 repeats
       
      @django Have you tried Oni? https://git.sr.ht/~mariusor/oni
      It supports ActivityPub client API and is actively developed
       
 (DIR) Post #B0mQyYe0RTYUhxPdp2 by django@social.coop
       2025-11-30T18:50:28Z
       
       0 likes, 0 repeats
       
       @silverpill I did try back in september, I need to try it again! thx
       
 (DIR) Post #B0mQyZv3hYn2f8Om2a by silverpill@mitra.social
       2025-11-30T19:00:45.218304Z
       
       0 likes, 0 repeats
       
       @djangocc @mariusor
       
 (DIR) Post #B0mSXPntP2WtNZDpR2 by phnt@fluffytail.org
       2025-11-30T19:18:55.724855Z
       
       0 likes, 1 repeats
       
      @django
      >c2s
      But why though? Basically nothing uses that besides an android app that probably hasn't been updated in 5+ years.
       
 (DIR) Post #B0mSwtIesELy6ElC6q by phnt@fluffytail.org
       2025-11-30T19:23:33.181744Z
       
       0 likes, 1 repeats
       
       @django Apparently AndStatus is still developed, so it is still used by something. That said the c2s interface in Pleroma was to be turned off by default due to lack of maintenance and recent security issues discovered in it.
       
 (DIR) Post #B0mfClm1p4yMqApsfo by django@social.coop
       2025-11-30T20:09:39Z
       
       0 likes, 0 repeats
       
       @phnt I saw the issue. Do you know if it has been confirmed? (The timing is unfortunate)
       
 (DIR) Post #B0mfCn9og7ax8EyOOG by phnt@fluffytail.org
       2025-11-30T21:40:50.458042Z
       
       0 likes, 1 repeats
       
      @django There has been some talk about it around the 2.9.1 release months ago iirc, but nothing since. One of the Akkoma maintainers also disclosed recently some information disclosure issues that might affect c2s, so the subject might come up again. But if someone is willing to maintain it and fix issues, it will probably likely stay.
      Not sure if Akkoma still has support for it enabled since they have a habit of removing features and options from BE.
       
 (DIR) Post #B0mp4gMd3ELTHtjnpw by django@social.coop
       2025-11-30T21:50:50Z
       
       0 likes, 0 repeats
       
       @phnt I asked about C2S support in their issue queue, and they said they had more or less ripped everything C2S out of the codebase. The vulnerability was reported to Pleroma a few days later 🫤
       
 (DIR) Post #B0mp4hv3GjTU6wqo88 by phnt@fluffytail.org
       2025-11-30T23:31:26.787575Z
       
       0 likes, 1 repeats
       
       @django Apparently the vulnerability is exactly what I found months ago and never investigated until two days ago :D
       
 (DIR) Post #B0nzhar4f0ZMCB8CBs by mint@ryona.agency
       2025-12-01T13:05:14.436929Z
       
       1 likes, 1 repeats
       
       @phnt @django The only true vulnerability I remember was being able to either post as other local users or update their statuses which was later fixed with a check. The last publicly disclosed "vulnerability" was being able to read public activities from outbox without signed fetches which says a lot about ackoma users.
       
 (DIR) Post #B0o1Z5QPpfBaJCjWKm by phnt@fluffytail.org
       2025-12-01T13:26:06.311312Z
       
       1 likes, 1 repeats
       
      @mint @django
      >The last publicly disclosed "vulnerability" was being able to read public activities from outbox without signed fetches which says a lot about ackoma users.
      Now Oneric called the ability to fav/reblog/react on posts that aren't visible to the user via MastoAPI a low severity data leak. Only issue is that you _had_ to know the FlakeID of the post for your local instance to pull this off, which is almost impossible without DB access. But he completely left out the issue that you can reblog your own locked posts and DMs via the same API which leaks the existence of objects to other instances in case of DMs (Announce enters federation queue) and is a deviation from MastoAPI which is undocumented, but apparently deliberate according to some Pleroma tests.
      Nevertheless, I've ported the fixes to Pleroma already and only some tests are failing, because Akkoma switched the order of arguments to fav and likely reblog/react ActivityDraft functions for whatever reason.
       
 (DIR) Post #B0o1nrpEg5JKTROHC4 by mint@ryona.agency
       2025-12-01T13:28:46.768911Z
       
       0 likes, 1 repeats
       
      @phnt @django
      >because Akkoma switched the order of arguments to fav and likely reblog/react ActivityDraft functions for whatever reason
      If you're talking about CommonAPI function, I think it was feld who changed them in Pleroma instead. Either way some versions already leak the presence of DMs/lockposts by incrementing reply count on a non-locked post.
       
 (DIR) Post #B0o1uL4gqIwKvUhmSG by phnt@fluffytail.org
       2025-12-01T13:29:56.995506Z
       
       1 likes, 1 repeats
       
       @mint @django And there's no way to fix that since the reference count is stored in the DB I think :D
       
 (DIR) Post #B0o2KFf3amHrfM4V6m by mint@ryona.agency
       2025-12-01T13:34:38.053675Z
       
       0 likes, 1 repeats
       
       @phnt @django Doable but tedious, grab all inReplyTos with public scope for each post, count them and update the count in parents.
       
 (DIR) Post #B0o2dzO1oJweyzWBV2 by phnt@fluffytail.org
       2025-12-01T13:38:11.977793Z
       
       1 likes, 1 repeats
       
       @mint @django Not really, because then the count would be inaccurate for those that can see the DM/lockpost. Essentially you have to count it on every request for every user to get it right. Special casing can be done with noLocked/noDms flags, but that's about it I think.
       
 (DIR) Post #B0o4cb4Mw3C9BQmpHM by mint@ryona.agency
       2025-12-01T14:00:21.963408Z
       
       0 likes, 1 repeats
       
      @phnt @django Actually it looks like it was done by nuroma devs.
      RT: https://ryona.agency/objects/3f7dd035-c3d1-4b82-b488-448d4f0e3e30
       
 (DIR) Post #B0oCynrUqyO6rWriL2 by phnt@fluffytail.org
       2025-12-01T15:34:01.943566Z
       
       1 likes, 1 repeats
       
      @mint @django
      >I think it was feld who changed them in Pleroma instead.
      >>Normalize functions so they share the same order of args
      You are right, Akkoma just never backported it so they are stuck with this very nice and readable mess
      [attachment: image.png]
       
 (DIR) Post #B0oumvoFsG801IUy48 by phnt@fluffytail.org
       2025-12-01T23:44:53.488283Z
       
       0 likes, 1 repeats
       
      @django AP C2S has been disabled in Pleroma since 2.9.0, commit: https://git.pleroma.social/pleroma/pleroma/-/commit/d6a136f823c6e749e6d2c4a0f80202f0d7c5a960
      Also I've noticed that it doesn't like Content-Type: activity/activity+json and can be quirky with cc/to so I'm not really a fan. I couldn't make a reply to a thread that would properly show up in FE. The parent was always not visible in the thread view, but visible when hovering over the "Replying to <user>" UI element. Probably something weird with addressing I'm missing.
       
 (DIR) Post #B0owFKj4vdNdMMBTfM by phnt@fluffytail.org
       2025-12-02T00:01:13.595943Z
       
       0 likes, 1 repeats
       
      @julian @django
      >use the C2S API as a transport layer in a server to server context. Performing actions on behalf of another user.
      Incredibly cursed and another case of "I can doesn't mean I should". I don't think that pretending to be a user should ever be done unless necessary (such as the case of automatic follow acceptance). Especially when it requires external authentication like OAuth2. At least with S2S you can use actor keys, but such concept does not exist in C2S. Not to mention that now none of the big ActivityPub server implementations support C2S (Mastodon, Pleroma, Misskey), so you are stuck in a bubble you are creating yourself.
      Honestly, I would appreciate if the work that is being done to create toys around AP was instead focused on fixing the complete mess of a specification and making a v2 spec that isn't ambiguous and open-ended as a typical corporate privacy policy.
       
 (DIR) Post #B0pOkgA259ULX2Wj0C by feld@friedcheese.us
       2025-12-02T05:20:36.666617Z
       
       2 likes, 0 repeats
       
      @mint @phnt @django that was me! Because the order was inconsistent on a few of those but the vast majority were opposite which made it REALLY annoying to work with sometimes and it made no sense why they'd be reversed in the first place.
      I knew that was gonna be painful with future merges though
       
 (DIR) Post #B0pkkQSydDxdqdfkI4 by silverpill@mitra.social
       2025-12-02T09:26:11.185635Z
       
       1 likes, 0 repeats
       
      @phnt C2S API has always been a solution looking for a problem, but it is similar enough to FEP-ae97 API, so I have no issue with people devoting their time to fixing C2S.
      However, almost nobody actually works on it. There is a lot of cheap talk, but anyone who actually tries to implement C2S quickly realizes how broken it is and gives up. Most progress so far has been made by a single developer (btw: I began to document some aspects of his implementation in FEP-9f9f: Collections).
      >fixing the complete mess of a specification and making a v2 spec that isn't ambiguous and open-ended as a typical corporate privacy policy
      The working group is too busy renaming https://www.w3.org/ns/activitystreams#Public to as:Public
      @julian @django
       
 (DIR) Post #B0po9d7p0GrID7UFrE by django@social.coop
       2025-12-02T00:38:14Z
       
       1 likes, 0 repeats
       
       @phnt no me gusta, but it explains why it didn’t work on one instance I tested.
       
 (DIR) Post #B0uOQGSetVmtpCIvMu by mkljczk@pl.fediverse.pl
       2025-12-04T15:10:21.576169Z
       
       0 likes, 0 repeats
       
       @phnt @django there's announce validator that makes sure you don't elevate the scope, does it not work as intended?
       
 (DIR) Post #B0uPT05kJQVZsWSIwC by phnt@fluffytail.org
       2025-12-04T15:22:10.919053Z
       
       0 likes, 1 repeats
       
      @mkljczk @django Only the reblog validation worked. You could report posts you can't see, you could favorite posts you can't see, you could EmojiReact posts you can't see which shouldn't happen. And in the case of favs, it would leak the whole MastoAPI response including the post content. There were basically zero checks around that, which Oneric mostly fixed (except the reports) in MastoAPI (CommonAPI) with a check in the favorite function and the private in_reply_to function in ActivityDraft. There's also an internal object representation leak for some Activity types like EmojiReact and Listen and probably more which was fixed by using the Transmogrifier in ObjectView.
      Both are fixed in Akkoma in PRs 1014 and 1018 (except the reports). I've ported both PRs to Pleroma a few days ago and there's an MR for it already (Gitlab seems to be down). I've also partially fixed the CommonAPI reports issues and the same issues that got fixed in C2S (no validation there either). The reports and C2S issues aren't on Gitlab yet as they are half-done and break some tests currently.
      If you want to check what I've made public, here are the changes on my Gitea instance: https://git.fluffytail.org/phnt/pleroma/src/branch/akkoma-fixes-1014-1018/
      Also if you are wondering why I'm not secretive about it, the cat has been out of the bag for over a week.
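
The two defects the thread circles around (interactions such as favourite, react and report accepted on objects the acting user cannot see, and a stored reply counter that reveals the existence of DMs and locked posts) both come down to one missing visibility predicate applied at the right place. The block below is an added illustration written for this thread; it is not Pleroma, Akkoma or any participant's code, and it uses Python rather than Elixir only so it can be run stand-alone. The addressing rules, actor and note shapes, the `NotVisible`/`ScopeError` names and the sample actors and objects are all constructed for the example; the conservative rule that an Announce is allowed only for objects already addressed to as:Public is an assumption of this example, not a description of either project's validator.

```python
"""Visibility-gated interactions and per-viewer reply counts (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"


@dataclass
class Actor:
    id: str
    followers: str                                        # URI of this actor's followers collection
    following: Set[str] = field(default_factory=set)      # actor ids this actor follows


@dataclass
class Note:
    id: str
    actor: str
    to: List[str]
    cc: List[str]
    in_reply_to: Optional[str] = None
    content: str = ""


class NotVisible(LookupError):
    """Raised for both 'does not exist' and 'not visible' so callers get no existence oracle."""


class ScopeError(ValueError):
    """Raised when an Announce would widen the audience of the original object."""


def visible_to(note: Note, viewer: Optional[Actor], actors: Dict[str, Actor]) -> bool:
    """Can `viewer` (None = anonymous) see `note`? A simplified reading of AP to/cc addressing."""
    if viewer is not None and viewer.id == note.actor:
        return True                                       # authors always see their own objects
    audience = set(note.to) | set(note.cc)
    if PUBLIC in audience:
        return True                                       # public or unlisted
    if viewer is None:
        return False
    if viewer.id in audience:
        return True                                       # direct message or explicit mention
    author = actors[note.actor]
    return author.followers in audience and author.id in viewer.following   # followers-only


def interact(kind: str, viewer: Actor, note_id: str,
             notes: Dict[str, Note], actors: Dict[str, Actor]) -> dict:
    """Build a Like / EmojiReact / Flag activity only after the visibility check passes."""
    note = notes.get(note_id)
    if note is None or not visible_to(note, viewer, actors):
        raise NotVisible("object not found")              # same error either way
    return {"type": kind, "actor": viewer.id, "object": note.id}


def announce(viewer: Actor, note_id: str,
             notes: Dict[str, Note], actors: Dict[str, Actor]) -> dict:
    """Announce only objects already addressed to as:Public. Anything narrower is refused even
    for the author, because the Announce leaves the server and reveals that the object exists."""
    note = notes.get(note_id)
    if note is None or not visible_to(note, viewer, actors):
        raise NotVisible("object not found")
    if PUBLIC not in set(note.to) | set(note.cc):
        raise ScopeError("cannot widen audience of a non-public object")
    return {"type": "Announce", "actor": viewer.id, "object": note.id,
            "to": [PUBLIC], "cc": [viewer.followers, note.actor]}


def reply_count(parent_id: str, viewer: Optional[Actor],
                notes: Dict[str, Note], actors: Dict[str, Actor]) -> int:
    """Count only the replies this viewer may see, computed per request instead of read
    from a denormalised counter that would be incremented by hidden replies too."""
    return sum(1 for n in notes.values()
               if n.in_reply_to == parent_id and visible_to(n, viewer, actors))


# --- constructed sample data (not real instances, actors or objects) ---
ALICE = Actor("https://a.example/users/alice", "https://a.example/users/alice/followers")
BOB = Actor("https://a.example/users/bob", "https://a.example/users/bob/followers",
            {"https://a.example/users/dave"})              # bob follows dave
CAROL = Actor("https://a.example/users/carol", "https://a.example/users/carol/followers")
DAVE = Actor("https://a.example/users/dave", "https://a.example/users/dave/followers")
EVE = Actor("https://a.example/users/eve", "https://a.example/users/eve/followers")
ACTORS = {a.id: a for a in (ALICE, BOB, CAROL, DAVE, EVE)}

NOTES = {n.id: n for n in (
    Note("https://a.example/objects/1", ALICE.id, [PUBLIC], [ALICE.followers], content="hello"),
    Note("https://a.example/objects/2", BOB.id, [PUBLIC], [ALICE.id],
         in_reply_to="https://a.example/objects/1", content="public reply"),
    Note("https://a.example/objects/3", CAROL.id, [ALICE.id], [],
         in_reply_to="https://a.example/objects/1", content="private reply (DM)"),
    Note("https://a.example/objects/4", DAVE.id, [DAVE.followers], [], content="locked post"),
)}
STORED_REPLY_COUNT = 2          # what a naive counter column on object 1 would hold

if __name__ == "__main__":
    print("eve sees", reply_count("https://a.example/objects/1", EVE, NOTES, ACTORS),
          "replies; stored counter says", STORED_REPLY_COUNT)
    for who, obj in ((EVE, "https://a.example/objects/3"), (BOB, "https://a.example/objects/4")):
        try:
            print(interact("Like", who, obj, NOTES, ACTORS))
        except NotVisible as exc:
            print(who.id, "->", exc)
```

The per-viewer count is what the thread means by "count it on every request for every user": the stored counter (2) overstates what eve may see (1) and thereby betrays the DM. The uniform `NotVisible` error matters as much as the check itself; a distinct "exists but forbidden" response would still confirm that a guessed object id is real.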
       
 (DIR) Post #B0uPcDjAz2KKmAIMAi by phnt@fluffytail.org
       2025-12-04T15:23:53.219567Z
       
       0 likes, 1 repeats
       
       @mkljczk @django Also the fixes are applied to CommonAPI/CommonAPI.ActivityDraft/C2S instead of being in Object validators. My only guess why Oneric chose that is because you don't have to then handle incoming federation. The checks are inserted right before the "Common Pipeline", same as I did with C2S in the controller instead.