Shared Notes from the session
AndStatus has implemented some C2S with Pleroma.
- pump io
Pleroma can:
- Create Notes
- Likes
- But not really keen on opening it up due to large surface area
Validation…
- Used to be that messages would pass through Transmogrifier
- Also has standard Mastodon API
- These were 2 ways of validating
- Now has per-type(?) fine grained validators
- Still missing 1 big validator: Notes
Current status/future:
- Interested in using OAuth
- Uploads are similar to Mastodon API (1 parameter to make an object)
- Pleroma piggybacks on the Mastodon flow
- Pleroma does update the object with ‘id’ and ‘published’ and other fields before federating
Friendica:
- Has a challenge with LD-Signatures. For example: C creates an object and signs it, which makes it hard for S to add the ‘id’ and ‘published’
- Friendica could do LD-Sig on the Server side in the C2S communication
- Key management challenge
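The LD-Signatures problem noted above, as an added example that is not from the session or from any of the projects named. It uses stand-ins so it runs with the standard library only: sorted-key JSON in place of RDF canonicalization and HMAC-SHA256 in place of the actor's RSA signature. Keys, URLs and timestamps are constructed.

```python
import hashlib
import hmac
import json

# Stand-ins (assumptions, not the LD-Signatures suite): sorted-key JSON replaces
# RDF canonicalization and HMAC-SHA256 replaces the actor's RSA signature.
def canonical(obj):
    body = {k: v for k, v in obj.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(obj, key):
    signed = dict(obj)
    signed["signature"] = hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()
    return signed

def verify(obj, key):
    expected = hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, obj.get("signature", ""))

def server_assign_fields(obj):
    """What S does with a C2S post before federating: add 'id' and 'published'."""
    out = dict(obj)
    out["id"] = "https://s.example/objects/1"      # constructed value
    out["published"] = "2020-01-01T00:00:00Z"      # constructed value
    return out

CLIENT_KEY = b"constructed-client-key"
SERVER_KEY = b"constructed-server-held-key"
NOTE = {"type": "Note", "attributedTo": "https://s.example/users/c", "content": "hello"}

def client_signs_then_server_mutates():
    # C signs first; S then adds fields, so the signed bytes no longer match.
    signed = sign(NOTE, CLIENT_KEY)
    federated = server_assign_fields(signed)
    return verify(signed, CLIENT_KEY), verify(federated, CLIENT_KEY)

def server_signs_after_assigning():
    # Server-side signing in the C2S flow: S completes the object, then signs.
    # The signature holds, but S must now hold the signing key.
    federated = sign(server_assign_fields(NOTE), SERVER_KEY)
    return verify(federated, SERVER_KEY)

if __name__ == "__main__":
    print("client-signed, before/after server edit:", client_signs_then_server_mutates())
    print("server-signed after edit:", server_signs_after_assigning())
```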
On Media upload…
- pictures are always cached today
- How to handle media upload when sharing the AS payload?
- How to properly proxy media (remote URLs) when client views federated message.
Q: What motivating examples need additional endpoints and/or auth?
- Uploads may require an additional endpoint.
- End to end encryption is exposing ActivityPub objects to the client.
- Key management? (maybe not)
- How to do search properly (messages, hashtags), so that the client can properly “view” the data it cares about
- How to properly search inbox/outbox to properly build state and filter.
- …
Q: What about auth? OAuth 2.1?
- OAuth has no well-known scopes defined. (what about https://oauth.net/2/rich-authorization-requests/ ?)
- …
Q: How about storing the /me aka my AP-handle in the browser?
- registerProtocolHandler FAILED - website could have browser ask user to save handle information
- C2S allows interacting with different instances with the same software
- In indieweb they have indieauth to remember common handles
- …
How the term “C2S” makes you think of your own client:
- Services can be C2S of one another
- Does not need to be a UI
- Really a conceptual
- Is this related to ‘micropub’? How does Hubzilla do this use case?
- Instead of OAuth, capabilities (OCAP) may fit really well, allowing posting on behalf
- Quote from @erincandescent:
  “What the C2S API gives you is delegation. It lets some other agent - which might be a mobile app, or might be a web app - act on your behalf. And, importantly, it gives those agents effectively equal power to the server itself has […] AP C2S allows an additional degree of federation and decentralisation.”
C2S has a chicken-and-egg problem. Hackathon opportunity! cj “volunteered” lain to track.
“C2S is still a heck of a discovery process”: https://github.com/andstatus/andstatus/issues/499
Q: How to do search with AP C2S?
- Doesn’t fit well into REST (maybe GraphQL)
- “How to get all X messages” in the inbox/outbox
- How to provide state to the user from a stream?
- Referenced data could make it easier by providing some more stateful information about the actor.
- Could have implicit collections, or dynamically-generated collections
Q: How does C2S following another contact work? Problem: when client sends “Accept” message, must include id on client?
Next steps:
- Hackathon
- Really want feedback from AP authors on C2S and how it should work (particularly with filtering the inbox/outbox to build a “meaningful” view)