Implementing ActivityPub Client-to-Server

Shared Notes from the session

AndStatus has implemented some C2S with Pleroma.

  • pump.io

Pleroma can:

  • Create Notes

  • Likes

  • But not really keen on opening it up due to large surface area

Validation…

  • Used to be that messages would pass through Transmogrifier

  • Also has standard Mastodon API

  • These were 2 ways of validating

  • Now has per-type(?) fine-grained validators

  • Still missing 1 big validator: Notes

Current status/future:

  • Interested in using OAuth

  • Uploads are similar to Mastodon API (1 parameter to make an object)

  • Pleroma piggybacks on the Mastodon flow

  • Pleroma does update the object with ‘id’ and ‘published’ and other fields before federating

Friendica:

  • has a challenge with LD-Signatures. For example: C creates an object and signs it, which makes it hard for S to add the ‘id’ and ‘published’

  • Friendica could do LD-Sig on the Server side in the C2S communication

  • Key management challenge

On Media upload…

  • pictures are always cached today

  • How to handle media upload when sharing the AS payload?

  • How to properly proxy media (remote URLs) when client views federated message.

Q: What motivating examples need additional endpoints and/or auth?

  • Uploads may require an additional endpoint.

  • End to end encryption is exposing ActivityPub objects to the client.

  • Key management? (maybe not)

  • How to do search properly (messages, hashtags), so that the client can properly “view” the data it cares about

  • How to properly search inbox/outbox to properly build state and filter.

Q: What about auth? OAuth 2.1?

Q: How about storing the /me aka my AP-handle in the browser?

  • registerProtocolHandler FAILED - website could have browser ask user to save handle information

  • C2S allows interacting with different instances with the same software

  • In indieweb they have indieauth to remember common handles

  • https://git.pleroma.social/pleroma/pleroma-meta/-/issues/1

How the term “C2S” makes you think of your own client:

  • Services can be C2S of one another

  • Does not need to be a UI

  • Really a conceptual

  • Is this related to ‘micropub’? How does Hubzilla do this use case?

  • Instead of OAuth, capabilities (OCAP) may fit really well, allowing posting on behalf

  • Quote from @erincandescent:

“What the C2S API gives you is delegation. It lets some other agent - which might be a mobile app, or might be a web app - act on your behalf. And, importantly, it gives those agents effectively equal power to the server itself has […] AP C2S allows an additional degree of federation and decentralisation.”

C2S has a chicken-and-egg problem. Hackathon opportunity! cj “volunteered” lain to track.

“C2S is still a heck of a discovery process”: https://github.com/andstatus/andstatus/issues/499

Q: How to do search with AP C2S?

  • Doesn’t fit well into REST (maybe GraphQL)

  • “How to get all X messages” in the inbox/outbox

  • How to provide state to the user from a stream?

  • Referenced data could make it easier by providing some more stateful information about the actor.

  • Could have implicit collections, or dynamically-generated collections

Q: How does C2S following another contact work? Problem: when client sends “Accept” message, must include id on client?

Next steps:

  • Hackathon

  • Really want feedback from AP authors on C2S and how it should work (particularly with filtering the inbox/outbox to build a “meaningful” view)

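Added example, not part of the session notes or of any project's code: the Friendica point about LD-Signatures, showing why a client-made signature stops verifying once the server adds ‘id’ and ‘published’, and how signing on the server after those fields are set avoids it. HMAC over sorted-key JSON is a stand-in for a real LD-Signature (an asymmetric signature over the canonicalised document); the keys, URLs, timestamp and function names are constructed for illustration.

```python
import hashlib, hmac, json

# Stand-in for LD-Signatures so the example runs on the standard library only.
# Keys, actor URL and timestamp below are constructed sample values.
CLIENT_KEY = b"constructed-client-key"
SERVER_KEY = b"constructed-server-key"   # server-held key: the key management challenge
KEY_ID = "https://server.example/users/alice#main-key"
NOTE = {"type": "Note", "attributedTo": "https://server.example/users/alice",
        "content": "hello"}

def canonical(obj):
    """Deterministic bytes over every field except the signature itself."""
    body = {k: v for k, v in obj.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(obj, key):
    signed = dict(obj)
    signed["signature"] = {
        "creator": KEY_ID,
        "signatureValue": hmac.new(key, canonical(obj), hashlib.sha256).hexdigest(),
    }
    return signed

def verify(obj, key):
    sig = obj.get("signature")
    if not sig:
        return False
    expected = hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["signatureValue"])

def server_assign(obj, n):
    """The server-side step from the notes: add 'id' and 'published'."""
    out = dict(obj)
    out["id"] = f"https://server.example/objects/{n}"
    out["published"] = "2020-01-01T00:00:00Z"
    return out

def client_signed_flow(note):
    # C signs, then S mutates the object: the signed bytes no longer match.
    return server_assign(sign(note, CLIENT_KEY), 1)

def server_signed_flow(note):
    # S finalises the object first, then signs with the key it holds for the actor.
    return sign(server_assign(note, 1), SERVER_KEY)

if __name__ == "__main__":
    print("client-signed, before server edit:", verify(sign(NOTE, CLIENT_KEY), CLIENT_KEY))
    print("client-signed, after server edit: ", verify(client_signed_flow(NOTE), CLIENT_KEY))
    print("server-signed after edit:         ", verify(server_signed_flow(NOTE), SERVER_KEY))
```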