I’m a retired Lisp hacker with about 40 years’ experience. I’m thinking about playing with an ActivityPub library in Clojure, and reading through the W3C recommendation; and of course there are things I want to clarify.
For example, under 3. Objects, immediately after Example 7, I read
it should dereference the id both to ensure that it exists and is a valid object
Does this mean I am expected to issue an HTTP GET or HEAD request for each object referenced? Does this not generate an enormous amount of network overhead? While I’m at it, the id values in the Mastodon sample data I’m playing with are not URIs, as the recommendation says they should be, but large integers; and I am seeing many things which appear to be objects but which don’t have a type key.
Obviously I don’t want to clutter up this forum with nonsense as basic as this, but is there some forum where newbie questions would be welcome?
So the requirement here is about verifying that the activity came from the server in question, rather than being spoofed. Mastodon uses HTTP Signatures to achieve this verification (Security - Mastodon documentation), which avoids the extra HTTP request (especially because some activities may not be publicly available, meaning that they can’t be verified in this way).
Another important part of this check is the origin check—you need to make sure that the HTTP signature’s actor, the activity and the object all have the same origin, so that server A can’t pollute the ID namespace of server B.
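The inbound checks described in this answer, as an added example that is not code from the thread, from Mastodon, or from any Clojure library: it rebuilds the draft-cavage style signing string that Mastodon's HTTP Signature header points at, checks the Digest header against the received body (which is what ties the signed headers to the JSON), and then applies the origin check to the keyId, the actor, the activity id and the object id of a Create (where the object is the actor's own). It also handles the non-URI ids mentioned in the question by rejecting them rather than guessing an origin. The RSA verification itself is delegated to a caller-supplied `verify_rsa` callback (assumed; it would fetch the actor's public key and use a crypto library), so the file runs with the standard library alone; all ids, hosts and the signature value are constructed placeholders.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit


def origin_of(uri):
    """(scheme, host, port) of an absolute http(s) URI, or None when the value
    is not one, e.g. a bare integer id as seen in some sample data."""
    if not isinstance(uri, str):
        return None
    p = urlsplit(uri)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    return (p.scheme, p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80))


def id_of(value):
    """An AS2 property may be an id string or an embedded object carrying 'id'."""
    return value.get("id") if isinstance(value, dict) else value


def parse_signature_header(value):
    """Parse keyId="...",algorithm="...",headers="...",signature="..." into a dict."""
    fields = {}
    for item in value.split(","):
        k, _, v = item.strip().partition("=")
        fields[k] = v.strip('"')
    return fields


def signing_string(method, path, headers, signed_names):
    """Rebuild the string the sender signed; a missing signed header raises KeyError."""
    lines = []
    for name in signed_names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)


def sha256_digest_header(body):
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def body_digest_ok(body, headers):
    """The Digest header is covered by the signature and must match this body."""
    return "digest" in headers and headers["digest"] == sha256_digest_header(body)


def same_origin_check(key_id, activity):
    """Origin check from the answer: signing key, actor, activity id and object id
    must share one origin, so server A cannot mint ids in server B's namespace."""
    origins = {
        "keyId": origin_of(key_id),
        "actor": origin_of(id_of(activity.get("actor"))),
        "activity": origin_of(activity.get("id")),
        "object": origin_of(id_of(activity.get("object"))),
    }
    missing = [k for k, o in origins.items() if o is None]
    if missing:
        return False, "not an absolute URI: " + ", ".join(missing)
    if len(set(origins.values())) != 1:
        return False, "origin mismatch: " + str(origins)
    return True, "ok"


def check_inbox_post(method, path, headers, body, verify_rsa):
    """Run all checks on an inbox POST. verify_rsa(key_id, signing_string,
    signature_b64) -> bool is assumed to be supplied by the caller."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not body_digest_ok(body, headers):
        return False, "digest mismatch"
    sig = parse_signature_header(headers["signature"])
    signed = sig["headers"].split()
    if not {"(request-target)", "host", "date", "digest"}.issubset(signed):
        return False, "signature does not cover required headers"
    try:
        to_sign = signing_string(method, path, headers, signed)
    except KeyError as e:
        return False, f"signed header missing: {e}"
    if not verify_rsa(sig["keyId"], to_sign, sig["signature"]):
        return False, "bad signature"
    return same_origin_check(sig["keyId"], json.loads(body))


# Constructed sample: a Create from a hypothetical actor; signature value is a placeholder.
ACTIVITY = {
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": "https://example.org/activities/1",
    "type": "Create",
    "actor": "https://example.org/users/alice",
    "object": {"id": "https://example.org/notes/1", "type": "Note", "content": "hi"},
}
BODY = json.dumps(ACTIVITY).encode()
HEADERS = {
    "Host": "example.net",
    "Date": "Tue, 01 Jan 2030 00:00:00 GMT",
    "Digest": sha256_digest_header(BODY),
    "Signature": 'keyId="https://example.org/users/alice#main-key",algorithm="rsa-sha256",'
                 'headers="(request-target) host date digest",signature="c2lnbmF0dXJl"',
}

if __name__ == "__main__":
    print(check_inbox_post("POST", "/inbox", HEADERS, BODY, lambda *_: True))
```

The digest is checked before the signature so a body swapped after signing is rejected even when the signed headers verify, and the origin check runs last because it only makes sense once you know who actually signed the request. Note that the object-origin part of the rule is the Create case described in the answer; a Like or Announce legitimately points at another server's object, so there the object id would be compared against its own origin rather than the actor's.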