Ok, I’m stuck at the http signatures bit. I’m trying to reply to a toot I made and I just get a 401 Unauthorized response, not very informative!
I’m pretty sure I’ve got (almost) everything right, the code is based on this nice simple example:
Should this still work?
Here’s what I’m POSTing to the remote server inbox via fetch() options (based on the Ruby example above):
{
method: 'POST',
headers: {
Host: 'toot.io',
Date: 'Thu, 21 Dec 2023 04:40:16 GMT',
Signature: 'keyId="https://skirmish-dev.net/users/marksibly",headers="(request-target) host date",signature="SDKa6ckF2lJ1B0DL7Lk5E6PXJ8dEeE0zOgnl/x6YEbY19AsX2Ix4uZ91hj4q5gYJ3FDzRbh9z7/QW4H3vMbUBRx8lJNeo2PFlCoPFsCEt1C6TupBs2h900ROTfvLO1CJoa3vfF/6E2NpjX3JfuZu1ZU3h30BOpxVhy6oZZPJjqcpMsVGLXgRC7dRfvNk5LE+kSUdX7yfhVTaKPSuEfxN/giEb0WHCoRp6XVPAzjkL2M6rtmcyhIMlj8+jgvhSp4E8wtZ355Uik0isPj2aXTFxU5qexvFbaPcQeE7/XcOYq+uxsmTpvb5O2TnfGMRzOv9x16RjDPq8RY5MqrurhzNDg=="'
},
body: '{"@context":"https://www.w3.org/ns/activitystreams","id":"https://skirmish-dev.net/users/marksibly/notes/123/activity","type":"Create","actor":"https://skirmish-dev.net/users/marksibly","object":{"id":"https://skirmish-dev.net/users/marksibly/notes/123","type":"Note","published":"Thu, 21 Dec 2023 04:40:16 GMT","attributedTo":"https://skirmish-dev.net/users/marksibly","inReplyTo":"https://toot.io/users/marksibly/statuses/111603479196881233","content":"Hello there!","to":"https://www.w3.org/ns/activitystreams#Public"}}'
}
Here’s the body, ie: the create note activity:
{
'@context': 'https://www.w3.org/ns/activitystreams',
id: 'https://skirmish-dev.net/users/marksibly/notes/123/activity',
type: 'Create',
actor: 'https://skirmish-dev.net/users/marksibly',
object: {
id: 'https://skirmish-dev.net/users/marksibly/notes/123',
type: 'Note',
published: 'Thu, 21 Dec 2023 04:40:16 GMT',
attributedTo: 'https://skirmish-dev.net/users/marksibly',
inReplyTo: 'https://toot.io/users/marksibly/statuses/111603479196881233',
content: 'Hello there!',
to: 'https://www.w3.org/ns/activitystreams#Public'
}
}
Here’s the signature before it gets signed and base64-ized.
{
(request-target): post /users/marksibly/inbox
host: toot.io
date: Thu, 21 Dec 2023 04:40:16 GMT
}
I’m using crypto.verify to check my crypto.sign works.
Any hints on how to debug this stuff, it’s driving me a bit nuts! Would installing a mastodon server locally help?