As far as I can tell, this happens when a server sends Create activity directly to SocialHub, and also to NodeBB, which wraps it in Announce and also sends to SocialHub. I suspect that Create and Announce arrive roughly at the same time and some conflict occurs during the processing.
Note that one comment appears as federated but its copy is always local.
the mention led to the other server posting to this server; and
the actor doing the mentioning was being followed by an actor on this server.
The plugin doesnât (currently) allow topic creation from actors that arenât followed by the actor the Create activity (or equivalent) is sent to. I know that may seem restrictive compared with stream-based implementations, however forums are inherently more slow paced and controlled than stream-based stuff. That restriction may be modifiable by settings at some point.
The next time this happens Iâll be ready to properly debug it, as Iâll have the raw JSON received (with timestamps). Iâll recreate the case like I did to debug the context issue.
Apparently client_credentials grant type is something new, I donât remember seeing it before in Mastodon docs.
Other Mastodon API clients use authorization_code grant type.
Is there a clear path from authorization_code to client_credentials? Does the former replace the latter? Was this something created within @mastodon or discussed with the larger community?
grant_type. Set equal to authorization_code if code is provided in order to gain user-level access. Otherwise, set equal to client_credentials to obtain app-level access only.
What I understand from Logging in with an account - Mastodon documentation is that the first time you authorize an app, youâre using client_credentials (AKA username and password), and then you can retrieve an OAuth authorization_code.
meaning "actor from oisaur.com created object on socialhub.activitypub.rocks", which generally shouldn't be allowed (unless this actor is explicitly authorized to do so).
I think Discourse should show the original ActivityPub ID of the remote comment when user clicks on the "ActivityPub" button. This probably affects federated activities as well.
this is generally not an issue with the way the facts are being claimed. the issue is with identity and identity equivalence.
in other words, âobject on socialhub.activitypub.rocksâ is a re-serialization of âobject on oisaur.comâ. this is a link relation waiting to be captured. possibly you could claim an equivalence relation of some kind, or some concept of syndication could help.
authorization is a separate axis entirely and depends on the authorization scheme being devised. at minimum, you can use signatures as proof, or you can signal which prefixes you âownâ. authorization also depends on the identity scheme being used.
Understandably, I could be confused by Discourse's UI, but @renchap@oisaur.com didn't compose that post, the local account on SocialHub did, because it's got a green AP logo.
Discourse seems to have combined the two accounts and is sending out the reply with the incorrect attributedTo. NodeBB would likely parse that note and see that attributedTo does not match the signed actor, and drop it for security reasons. Let me confirm that... NodeBB actually pulled that Note in perfectly fine.
This may be my âfaultâ, I had a @renchap account here that was created from ActivityPub (using @renchap@oisaur.com), then I created an account on Discourse and asked the admins if I could grab the @renchap username.
I think they merged the 2 accounts, and probably it created some bug in Discourse where I now have a ârealâ @renchap SocialHub account, but tied to my external @renchap@oisaur.com AP account?
Yes, staged ActivityPub users have an invalid email address, so I had to change it and activate the account to perform the user merge. So I guess I might have hit a bug as a result. The other account was a regular one.
The reason only Mastodon and Discourse Actors are supported currently is because you have to authenticate with remote platform hosting the Actor to claim it so each type of platform needs to be added individually (as each type uses different auth systems).