Implement ActivityPub and http-signatures (draft-cavage earlier than the final hs2019 draft, like maybe draft 10 or 11). Then you should be able to federate with generic ActivityPub services. Note: Mastodon is not considered to be a generic ActivityPub service. I'll cover those requirements a bit further down.
If http-signatures fail, some projects decide for you which headers need to be signed but there is no way to discover their signing requirements currently. Just sign everything you can. date, (request-target), host, and digest are the ones that some projects insist on. When in doubt, fetch an actor record or something and see what headers they sign for their own content and that should give you an idea what you'll need to include in yours.
Use rsa-pem public keys - I forget which PKCS# that was. 8? Elliptic curves and other more modern public key technologies don't federate well at the moment.
Then you just need to implement a few pages of Mastodon quirks and webfinger if you want to federate with that project. This involves things like re-factoring your HTML so it looks decent when downgrading to plaintext, stripping out photos from HTML and adding them back in as attachments, making sure your comments mention the inReplyTo author so that Mastodon folks will get notifications, and making sure your mentions use the webfinger and not the displayName when conversing with that project. Or translate to/from your preferred mention display format like we do. Don't use 'Article'. Eugen poisoned it in an earlier attempt to exterminate HTML. And if you normally provide a 'summary' - you can't, as that's a CW in Mastodon. Mastodon mentions also include the initial '@' character in the link text. Some projects put it outside the link text. Best option: accept either/both because we'll never agree on it.
I think that's the important stuff.
Two things that trip up 90% of newcomers:
Most ActivityStreams things can be a url, an object, or an array of objects. Just recognise all of them from the start so we don't have to file bugs. If your software can't use arrays internally, use the first entry and ignore the rest. Not ideal, but you will see posts with multiple actors and actor records with multiple urls and you don't want these breaking your server.
Read the part in the ActivityPub spec about the Accept header. Then read it again. Don't send me an accept header of 'application/json' and expect me to send you an ActivityPub document. Maybe I will, maybe I won't.
And if you have any desire to federate with Facebook-like projects or those with a focus on privacy/permissions, send replies to the address or addresses in the replyTo field and to nobody else. If there's no replyTo, you can send it to whoever you want. Most of the time things will work just fine if you ignore this, and it isn't standard, but if you really want to federate with most of the fediverse - you'll do it.
mike /
npub1nl…0fh6t
2023-03-27 02:36:01
in reply to nevent1q…0e6c
Author Public Key
npub1nl98j7g9kxkdh5f3u0cxltk8dl0gwt77kxxmk5wtlmstufjrkkqsk0fh6tPublished at
2023-03-27 02:36:01Event JSON
{
"id": "0f7969d408520e1b85ee5573f3cbe1084e3de9435b9e4627ec4b701e5a0a3913",
"pubkey": "9fca797905b1acdbd131e3f06faec76fde872fdeb18dbb51cbfee0be2643b581",
"created_at": 1679877361,
"kind": 1,
"tags": [
[
"p",
"ec55841e6b607007a0167bd7e8d844705669336aef56485b48f4d38f51e5f68d",
"wss://relay.mostr.pub"
],
[
"p",
"9c7c4f0286fb9f22491e71510b51be47be761dc1dc1867fb2390f5921c795446",
"wss://relay.mostr.pub"
],
[
"p",
"e2bc32de32285830ffa94c3619e8a7c9cd7df0176a306fb59af777b07ca1e6e6",
"wss://relay.mostr.pub"
],
[
"e",
"bc929c6219b82e05e09a8cb59f5c17792712f9c981f2fe303e3130db8f2f8aa3",
"wss://relay.mostr.pub",
"reply"
],
[
"mostr",
"https://macgirvin.com/item/f291a9e5-18be-436f-83f1-388676004784"
]
],
"content": "Implement ActivityPub and http-signatures (draft-cavage earlier than the final hs2019 draft, like maybe draft 10 or 11). Then you should be able to federate with generic ActivityPub services. Note: Mastodon is not considered to be a generic ActivityPub service. I'll cover those requirements a bit further down. \n\nIf http-signatures fail, some projects decide for you which headers need to be signed but there is no way to discover their signing requirements currently. Just sign everything you can. date, (request-target), host, and digest are the ones that some projects insist on. When in doubt, fetch an actor record or something and see what headers they sign for their own content and that should give you an idea what you'll need to include in yours. \n\nUse rsa-pem public keys - I forget which PKCS# that was. 8? Elliptic curves and other more modern public key technologies don't federate well at the moment. \n\nThen you just need to implement a few pages of Mastodon quirks and webfinger if you want to federate with that project. This involves things like re-factoring your HTML so it looks decent when downgrading to plaintext, stripping out photos from HTML and adding them back in as attachments, making sure your comments mention the inReplyTo author so that Mastodon folks will get notifications, and making sure your mentions use the webfinger and not the displayName when conversing with that project. Or translate to/from your preferred mention display format like we do. Don't use 'Article'. Eugen poisoned it in an earlier attempt to exterminate HTML. And if you normally provide a 'summary' - you can't, as that's a CW in Mastodon. Mastodon mentions also include the initial '@' character in the link text. Some projects put it outside the link text. Best option: accept either/both because we'll never agree on it. \n \nI think that's the important stuff.\n\nTwo things that trip up 90% of newcomers:\n\n Most ActivityStreams things can be a url, an object, or an array of objects. Just recognise all of them from the start so we don't have to file bugs. If your software can't use arrays internally, use the first entry and ignore the rest. Not ideal, but you will see posts with multiple actors and actor records with multiple urls and you don't want these breaking your server. \n \n Read the part in the ActivityPub spec about the Accept header. Then read it again. Don't send me an accept header of 'application/json' and expect me to send you an ActivityPub document. Maybe I will, maybe I won't. \n\nAnd if you have any desire to federate with Facebook-like projects or those with a focus on privacy/permissions, send replies to the address or addresses in the replyTo field and to nobody else. If there's no replyTo, you can send it to whoever you want. Most of the time things will work just fine if you ignore this, and it isn't standard, but if you really want to federate with most of the fediverse - you'll do it.",
"sig": "644d3f9aa5357d01f30cf245bf5a21d5926281fa7b1fa38bfa785fa852e1333d91accf4876abebffd9da510cad2bde05734176b30aa260fa704caf34c841fd65"
}