Add signing support to threadcap implementation #592

Open
mitchdowney opened this issue Jan 23, 2023 · 1 comment
Labels
enhancement New feature or request

Comments

@mitchdowney
Member

Ok @mitch, just published a new version 0.1.9 of Threadcap that supports optional http request signing.
So you (or anyone using Threadcap) can fetch comments from Mastodon instances in "secure mode".
The new helper function is called "makeSigningAwareFetcher" - I'll email you the endpoints you need to setup on your side.
https://www.npmjs.com/package/threadcap

https://podcastindex.social/@js/109728782218419529

@mitchdowney mitchdowney added the enhancement New feature or request label Jan 23, 2023
@mitchdowney
Member Author

mitchdowney commented Feb 21, 2023

John Spurlock sent us detailed instructions on how to resolve this...


Hi Mitch, here's how to set up Threadcap support for signing requests, required by a few Mastodon instances configured to use "secure mode". Secure mode in Mastodon means the content is public, but it requires ActivityPub callers to sign their request - identifying who they are - so the server has the option to block in the future.

Everything about the new Threadcap 0.1.9 is the same as before, except for one new helper function called makeSigningAwareFetcher. Like the other fetcher wrappers in Threadcap, this function takes an underlying fetcher, and also two required parameters and one optional parameter:

  • keyId: the url to an ActivityPub actor json file containing your public key. This serves as your calling identity. For Podverse, it could be: https://ap.podverse.fm/actor#main-key (see below for what to return there)
  • privateKeyPemText: your corresponding private key (never make this public) in standard key pem text format (that familiar base64 chunk starting with -----BEGIN PRIVATE KEY-----)
  • mode: 'always', or 'when-needed' (default). This drives how many of your Threadcap fetches use request signing. The default is 'when-needed', which will first try unsigned and only try signed requests when the server responds that it's needed.

One-time setup:

  1. Generate a new public/private keypair.
    Easiest way is to use minipub as I made it a single command (you can probably do this with openssl as well, but then it's up to you to get the security algorithm parameters right).
    To install minipub:

    • Install Deno.
    • Install minipub, a command line tool
      • deno install --name minipub -A https://raw.githubusercontent.com/skymethod/minipub/v0.1.9/src/cli.ts
    • Run: minipub generate-keypair --json
      • Save off the top part as the public key
      • Save off the middle part as the private key
      • Save off the bottom json as the keypair json file (you'll notice these are the same strings, but useful for copy/pasting later if you need the json/javascript string version)
  2. You'll need to host two new public http endpoints. They need to be hosted on the same origin; it can be your main domain, but you can use a subdomain if you want. Let's assume you choose https://ap.podverse.fm/ as the origin.
    • https://ap.podverse.fm/actor
      • static json, take a look at the livewire validator's actor json as a working example: https://validator.livewire.io/actor
      • must use content-type: application/jrd+json; charset=utf-8
      • this is your "system actor" endpoint, the preferredUsername is up to you, but I'd just stick with the typical system.
      • use the public key part in this file, the value of publicPemText string in the keypair json from above might come in handy here
    • https://ap.podverse.fm/.well-known/webfinger?resource=acct:[email protected]
      • technically this should be dynamic, only returning the response for this query, but I think it would work as a static file as well if you only have one actor
      • must use content-type: application/activity+json; charset=utf-8
      • here is the livewire validator's response as a working example: https://validator.livewire.io/.well-known/webfinger?resource=acct:[email protected]
      • the links inside here should point to your system actor endpoint

The livewire validator imports a helper in minipub to implement these two endpoints in case you want to crib something from it: https://github.com/skymethod/minipub/blob/master/src/system_actor.ts. These helper functions will return the response content-type, and the json body to use as the http body

That's it for the one-time setup.

Then, in your comments fetcher, use makeSigningAwareFetcher with your keyId and privateKeyPemText when you're initializing your fetcher to use for Threadcap.

That should be it!

Hope that helps,

  • John
