What is all necessary to accept Follow

astrid · January 8, 2023, 1:41pm

I want to accept follow requests with PHP. I am testing with my Mastodon.social account.

The request from my mastodon.social account to my test server ug-mayen.de looks like this in my log file:

{"@context":"https://www.w3.org/ns/activitystreams","id":"https://mastodon.social/5b495336-3561-42f8-8bb3-90b6d46db9af","type":"Follow","actor":"https://mastodon.social/users/Astridx","object":"https://ug-mayen.de/index.php?option=com_activitypubs&view=Profil"}

As response for mastodon.social, I am putting together the following.

{"@context":"https:\/\/www.w3.org\/ns\/activitystreams","id":"https:\/\/ug-mayen.de\/index.php?option=com_activitypubs&view=Profil&id=63babc85ad9d6","type":"Accept","actor":"https:\/\/ug-mayen.de\/index.php?option=com_activitypubs&view=Profil","object":"{\"@context\":\"https:\/\/www.w3.org\/ns\/activitystreams\",\"id\":\"https:\/\/mastodon.social\/5b495336-3561-42f8-8bb3-90b6d46db9af\",\"type\":\"Follow\",\"actor\":\"https:\/\/mastodon.social\/users\/Astridx\",\"object\":\"https:\/\/ug-mayen.de\/index.php?option=com_activitypubs&view=Profil\"}"}

I think my signature is OK. If I use wrong keys, wrong digest or wrong signature, I get 401 Unauthorized.

The answer in my log file is 202 Accepted

HTTP/1.1 202 Accepted
Date: Sun, 08 Jan 2023 12:52:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: Mastodon
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Permissions-Policy: interest-cohort=()
Cache-Control: no-cache
Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://static-cdn.mastodon.social; img-src 'self' https: data: blob: https://static-cdn.mastodon.social; style-src 'self' https://static-cdn.mastodon.social 'nonce-YD13s6qiWcFUNr+Yu7WJww=='; media-src 'self' https: data: https://static-cdn.mastodon.social; frame-src 'self' https:; manifest-src 'self' https://static-cdn.mastodon.social; connect-src 'self' data: blob: https://static-cdn.mastodon.social https://files.mastodon.social wss://mastodon.social; script-src 'self' https://static-cdn.mastodon.social 'wasm-unsafe-eval'; child-src 'self' blob: https://static-cdn.mastodon.social; worker-src 'self' blob: https://static-cdn.mastodon.social
X-Request-Id: 0c6553d9-743b-4cd4-a1fe-13f48e07e134
X-Runtime: 0.021619
Strict-Transport-Security: max-age=63072000; includeSubDomains

Therefore, I assumed that everything fits.

But when I check my account on Mastodon.social, the following was not successful. There I find the button “Withdraw follow request”. When I move the mouse over the button, the text “Waiting for approval” appears.

There is only one user in my PHP-CMS, so the username or handle is not relevant at the moment.

The profile of my PHP-User is found, even in the Mastodon search.

$ curl -L 'https://ug-mayen.de?option=com_activitypubs&view=Profil' | jq
{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
    "https://w3id.org/security/v1"
  ],
  "id": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Profil",
  "type": "Person",
  "preferredUsername": "astrid",
  "name": "astrid",
  "manuallyApprovesFollowers": false,
  "discoverable": true,
  "inbox": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Inbox",
  "outbox": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Outbox",
  "followers": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Followers",
  "following": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Following",
  "publicKey": {
    "id": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Profil#main",
    "owner": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Profil",
    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkbG9P+WTrKg988crKCVk\r\nY52GRr09jDenYvGtgmEWw7f1nQsurw+KRsSfSHexG2kkUK8AV2s23bKVq5lsxsdL\r\nBieTmDJpygpuFJkMJ3HWEWluugtJ5PVEqHqxWV9YZwnpgOpE1OMteotkGEU5P7U3\r\nNg/xRd37Akel5+ON0DPy1YAuWA7wPISZuU4a6JhZVdkB5eH2kO3UyJlVLOOWsfuz\r\nCvJPNcoMPiMpk7C8FBlGZTuvWytWqxzN/CioZh2eCTEM/UFoKmw57/GJG4xghUPM\r\nLVOb2lN0MGc0RWXmq+Rc+DpjOPPZxnfEXtdbyJRDpR+udcqfCZoZr+7R35sG/vY+\r\n3QIDAQAB\r\n-----END PUBLIC KEY-----"
  },
  "summary": "Blog Summary",
  "url": "https://ug-mayen.de/",
  "publishedDate": "2017-04-05T00:00:00Z",
  "icon": {
    "type": "Image",
    "mediaType": "image/png",
    "url": "https://fimidi.com/system/accounts/avatars/109/440/699/924/678/668/original/3bfc7e943863a577.jpg"
  }
}

My mastodon.social user who wants to follow is also included in the list of the followers.

$ curl -L 'https://ug-mayen.de?option=com_activitypubs&view=Followers' | jq
{
  "@context": "https://www.w3.org/ns/activitystreams",
  "id": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Followers",
  "type": "OrderedCollection",
  "totalItems": 3,
  "first": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Followers&page=1",
  "next": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Followers?page=1",
  "partOf": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Followers",
  "orderedItems": [
    "https://mastodon.social/users/Astridx",
    "https://mastodon.world/users/agi2",
    "no actor"
  ]
}

So, now I don’t know what I can do to get the follow request approved and welcome any hints.

nightpool · January 8, 2023, 4:38pm

Pretty-printing your JSON object makes it pretty clear what the problem is:

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "id": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Profil&id=63babc85ad9d6",
  "type": "Accept",
  "actor": "https://ug-mayen.de/index.php?option=com_activitypubs&view=Profil",
  "object": "{\"@context\":\"https://www.w3.org/ns/activitystreams\",\"id\":\"https://mastodon.social/5b495336-3561-42f8-8bb3-90b6d46db9af\",\"type\":\"Follow\",\"actor\":\"https://mastodon.social/users/Astridx\",\"object\":\"https://ug-mayen.de/index.php?option=com_activitypubs&view=Profil\"}"
}

Instead of including a URI or embedded document as the target of the object property, you’ve included a string representation of the object instead.

202 Accepted only means that object has been accepted for further processing. It does not mean the request has succeeded, because a significant amount of the processing for any activity needs to be done asynchronously. Only HTTP signatures are validated synchronously before the activity is enqueued into the background job system.

astrid · January 8, 2023, 5:51pm

Oh dear, this is embarrassing. That was the solution. I had so much trouble with the signature beforehand that I didn’t even look closely at the obvious later.
Thank you very much @nightpool .