
Authorized Fetch: Difference between revisions

1,832 bytes added, 22:20, 20 December 2023
no edit summary
 
Up To: [[Part Of::Features]], [[Part Of::Config]]


Defederation, by default, doesn't completely prevent blocked accounts or instances from accessing our instance's content. Authorized fetch is an additional step to prevent scraping or other automated collection of instance data.
 
== Effects ==
 
=== Access ===
 
* The primary effect is to require that the underlying JSON-LD (ActivityPub) representation of server content be requested by a valid ActivityPub actor that isn't blocked or suspended. Normally this data doesn't require authentication, so even a blocked/defederated instance can still fetch instance data with an unauthenticated, anonymous request.
* Statuses and accounts are '''still visible''' to logged-out people browsing the website over plain HTTP/HTML; only the JSON-LD representation is affected.
 
=== Caching ===
 
* A secondary effect is that our instance and others can't cache our data as effectively, which requires modestly more networking/compute resources.
 
== Implementation ==
 
* Many actions invoke <code>require_account_signature</code> ([https://github.com/NeuromatchAcademy/mastodon/blob/cf9b7e9c62ca94a1f766d76480d4f40a285094a6/app/controllers/concerns/signature_verification.rb#L48 source]), which checks that the request comes from an account and carries a valid signature
** Fetching account details like followers/following
** Fetching statuses
** Fetching hashtags
** Fetching replies
* Causes many items not to be cached (re-served on demand)
* Turns off <code>public_fetch_mode</code> in the ApplicationController ([https://github.com/NeuromatchAcademy/mastodon/blob/cf9b7e9c62ca94a1f766d76480d4f40a285094a6/app/controllers/application_controller.rb#L57 source])
** Causes the "public" setting to be turned into <code>private</code> in HTTP cache-control flags, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
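As an added example (not the wiki's or Mastodon's own code), a self-contained Ruby sketch of the kind of check <code>require_account_signature</code> performs on a fetch under authorized fetch: parse the HTTP Signature header, refuse blocked or unknown actors, reject stale Date headers, and verify the signature over the request target. The actor key, the key lookup table, the block list and the freshness window are all constructed assumptions.

```ruby
require 'openssl'
require 'base64'
require 'time'
require 'uri'

# Constructed fixtures, not real data: one remote actor's key, a key lookup
# table standing in for fetching the actor document, and a local block list.
REMOTE_KEY = OpenSSL::PKey::RSA.new(2048)
KEYS = { 'https://remote.example/actor#main-key' => REMOTE_KEY.public_key }
BLOCKED_DOMAINS = ['spammy.example']
MAX_AGE = 3600 # seconds a signed Date header stays valid (window chosen here)

# Draft-cavage signing string: one "name: value" line per covered header, with
# (request-target) built from the method and path so they cannot be swapped.
def signing_string(method, path, headers, names)
  names.map do |n|
    n == '(request-target)' ? "(request-target): #{method.downcase} #{path}" : "#{n}: #{headers[n]}"
  end.join("\n")
end

# Sign a GET the way a remote instance would; used here only to build test input.
def sign_request(key_id, key, method, path, headers)
  names = ['(request-target)', 'host', 'date']
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_string(method, path, headers, names))
  "keyId=\"#{key_id}\",algorithm=\"rsa-sha256\",headers=\"#{names.join(' ')}\"," \
    "signature=\"#{Base64.strict_encode64(sig)}\""
end

# Receiving side under authorized fetch: return the actor's keyId when the
# request is acceptably signed, or nil (respond 401) when it is not.
def verify_request(method, path, headers, now: Time.now)
  params = headers['signature'].to_s.scan(/(\w+)="([^"]*)"/).to_h
  key_id = params['keyId'] or return nil
  return nil if BLOCKED_DOMAINS.include?(URI(key_id).host)  # defederated actor
  pub = KEYS[key_id] or return nil                          # unknown actor
  names = params['headers'].to_s.split(' ')
  return nil unless names.include?('(request-target)') && names.include?('date')
  return nil if (now - Time.httpdate(headers['date'].to_s)).abs > MAX_AGE  # stale/replay
  sig = Base64.strict_decode64(params['signature'].to_s)
  pub.verify(OpenSSL::Digest.new('SHA256'), sig, signing_string(method, path, headers, names)) ? key_id : nil
rescue ArgumentError, URI::Error, OpenSSL::PKey::PKeyError
  nil # malformed keyId, Date or signature encoding
end
```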
 


== Docs ==

== References ==


* https://hub.sunny.garden/2023/06/28/what-does-authorized_fetch-actually-do/