What happens after Follow request?

Hi all,

I am trying to understand what a server does after a Follow request. Specifically:
A. How does it verify the signature of the client request?
B. How does it communicate the Accept object?
C. How does the server reply to the Accept object?


When an activity is received, it is typically verified using HTTP Signatures. The sending server is expected to send a Signature header. The target server then requests the user’s info from the sender and extracts the publicKey field in order to verify the signature.

The user info also includes an inbox field, which is where the response will be sent when the follow is approved.

Responding to an Accept is nothing special, most implementations just return some HTTP success code

HTTP responses to posting things to inbox are usually ignored. You only need to return a 2xx status code to indicate that you accepted the request. Smithereen returns 200 OK, Mastodon returns 202 Accepted.

The (barebones) flow is like this:

  1. Other server sends a Follow activity to your inbox.
  2. You verify the HTTP signature, fetching the actor from the URL in the actor field if necessary. Reject the request with a 4xx code if the signature doesn’t match.
  3. You look up the user specified in activity’s object in your database. Reject the request with a 4xx code if there’s no such user.
  4. You store the follow relation.
  5. You return a 2xx status code in your HTTP response.
  6. You send an Accept{Follow} to the inbox of the actor who followed one of your users, signed with the private key of that user.
  7. After the server responds with a 2xx code, it’s done. You’re now supposed to send any relevant activities by that user, like Create{Note}, to that server.

So, to sum up: to do this, you need a working web server, with a valid SSL certificate, and a server application of some sort capable of both accepting and making HTTP requests. You can use something like ngrok.com to experiment from localhost.

1 Like