Webfinger in the Wild

Today, a post in my feed included a mention and its webfinger verification threw a WebFinger::BadRequest exception:

Nov 08 09:18:49 AM  WebFinger::BadRequest (Bad Request):
Nov 08 09:18:49 AM 
Nov 08 09:18:49 AM  app/models/account.rb:79:in `fetch_and_create_mastodon_account'
Nov 08 09:18:49 AM  app/models/account.rb:367:in `block in create_status!'
Nov 08 09:18:49 AM  app/models/account.rb:364:in `each'
Nov 08 09:18:49 AM  app/models/account.rb:364:in `create_status!'
Nov 08 09:18:49 AM  app/lib/activity_pub/activity/create.rb:20:in `perform'
Nov 08 09:18:49 AM  app/controllers/accounts_controller.rb:148:in `process_item'
Nov 08 09:18:49 AM  app/controllers/accounts_controller.rb:75:in `inbox'

The ActivityPub actor document resided on mastodon.well.com, but when reverse discovery was performed, the hostname of the subject in the WebFinger response was well.com instead of mastodon.well.com. Making a WebFinger request to well.com for the mentioned user returned a 500 Internal Server Error, so a WebFinger::BadRequest exception was thrown. What was going on?

Fortunately, an issue in activitypub-webfinger had the answer:

Looks like some are using this host-meta redirect to use a custom domain for actors which is different to the actual domain of the server.

And that is what was happening:

curl https://mastodon.well.com/.well-known/host-meta
<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd" template="https://mastodon.well.com/.well-known/webfinger?resource={uri}"/>
</XRD>

A response in the issue notes:

The use of host-meta as a “second layer of indirection” is something that is mostly a holdover from the OStatus days, IIRC. Most projects that aren’t Mastodon or Pleroma will not check host-meta at all, and will instead always skip straight to the /.well-known/webfinger endpoint. I don’t think it makes sense to unnecessarily pressure everyone into adopting host-meta or supporting variable LRDD endpoints.

I can’t argue with that so I just handled the exception without setting the custom domain.
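
The fallback described above, as an added Ruby sketch that is not the application's own code: a custom domain is recorded only when that domain's own WebFinger answer links back to the same actor, and any lookup failure keeps the actor document's host. `LookupFailed`, the `fetch` callable, the user `alice` and the actor URL are hypothetical stand-ins, and host-meta is not consulted.

```ruby
require "uri"

# Hypothetical error standing in for WebFinger::BadRequest and other lookup failures.
class LookupFailed < StandardError; end

# Host part of a JRD subject such as "acct:alice@well.com", or nil if malformed.
def subject_host_of(jrd)
  subject = jrd["subject"].to_s
  return nil unless subject.start_with?("acct:")
  _user, host = subject.delete_prefix("acct:").split("@", 2)
  host&.downcase
end

# True when the JRD has a rel="self" link whose href is exactly the actor id.
def links_to?(jrd, actor_id)
  Array(jrd["links"]).any? do |link|
    link.is_a?(Hash) && link["rel"] == "self" && link["href"] == actor_id
  end
end

# Returns the domain to record for an actor. `fetch` is a callable
# (host, resource) -> parsed JRD Hash that raises LookupFailed on any error.
def verified_domain(actor_id, username, fetch)
  actor_host = URI.parse(actor_id).host.downcase
  # Step 1: ask the host that serves the actor document.
  jrd = fetch.call(actor_host, "acct:#{username}@#{actor_host}")
  claimed = subject_host_of(jrd)
  return actor_host if claimed.nil? || claimed == actor_host
  # Step 2: a different domain is claimed; it must answer and link back.
  confirm = fetch.call(claimed, "acct:#{username}@#{claimed}")
  links_to?(confirm, actor_id) ? claimed : actor_host
rescue LookupFailed
  actor_host # keep the account, without the custom domain
end

# Constructed sample data (user name and actor URL are made up).
ACTOR = "https://mastodon.well.com/users/alice"
JRD = { "subject" => "acct:alice@well.com",
        "links" => [{ "rel" => "self", "href" => ACTOR }] }.freeze
# The case from the post: well.com answers with an error.
BROKEN = ->(host, _res) { host == "well.com" ? raise(LookupFailed, "500") : JRD }
# well.com answers and confirms the actor.
WORKING = ->(_host, _res) { JRD }
# well.com answers but does not link back to this actor.
UNCONFIRMED = ->(host, _res) { host == "well.com" ? JRD.merge("links" => []) : JRD }

puts verified_domain(ACTOR, "alice", BROKEN)
```

Without step 2, any server could place another domain in the subject of its own WebFinger response and have its accounts displayed under that domain.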

CPJ Head Condemns Israel's Deadly War on Journalists

Jodie Ginsberg, CPJ’s chief executive officer:

No journalist from outside Gaza has been allowed in since the start of that war, and that’s highly unusual. I speak to lots of war correspondents who’ve covered many, many wars over decades, and all of them talk about how unprecedented this is to not have any access whatsoever. And that, of course, puts additional pressure on these journalists.

CPJ Head Condemns Israel’s Deadly War on Journalists in Gaza as IDF Threatens Al Jazeera Reporters

In the interview, Amy Goodman also mentions “James McGovern leading 64 other congressmembers in a letter to Biden and Blinken, urging them to push for Israel to allow in international journalists.”

We fix the fucking networks

“A lot of us remember what it was like to live and work on an Internet that was deeply flawed but not systematically designed to burn our emotions and time and safety for fuel.”