As I’ve mentioned before, I’m working on an ActivityPub-compatible “letterboxd clone”, where users can track what movies they’ve watched, add them to collections, and publish reviews. For social features, it supports followers/following, likes and comments on watches/collections/reviews. The server is designed to federate with other instances of itself (for the usual “feed view”), but also will support basic publishing of Note objects for interaction with other projects. Additionally, likes/comments can come from interaction with other projects. E.g. a user could be followed by a mastodon user, and that mastodon user can reply to their reviews.
I’m a little perplexed by the expected behavior of the inbox/outbox collections in a pure server-to-server application. My application will not support C2S and will provide a canonical web based client.
The spec states that inbox.outbox MUST be OrderedCollections, which would imply they must be accessible by an HTTP GET request. The spec then moves to non-normative language about what the collections contain.
The outbox stream contains activities the user has published, subject to the ability of the requestor to retrieve the activity (that is, the contents of the outbox are filtered by the permissions of the person reading it). If a user submits a request without Authorization the server should respond with all of the Public posts. This could potentially be all relevant objects published by the user, though the number of available items is left to the discretion of those implementing and deploying the server.
and
The inbox stream contains all activities received by the actor. The server SHOULD filter content according to the requester’s permission. In general, the owner of an inbox is likely to be able to access all of their inbox contents. Depending on access control, some other content may be public, whereas other content may require authentication for non-owner users, if they can access the inbox at all.
For the inbox, “if they can access the inbox at all” seems like its alright to make the inbox
collection empty, at least when not authorized as that actor.
For the outbox though, the options seems less obvious.
This could potentially be all relevant objects published by the user, though the number of available items is left to the discretion of those implementing and deploying the server.
Is there anything in the spec that allows server-to-server interaction to read the outbox from another actor? Are there implementations that do this?