Federation: can't follow from mastodon with authorized fetch enabled


I run masto.donte.com.br and I have some users complaining that they can’t follow write.as blogs from there. I’m running Mastodon v3.2.1 and the only notable config I have is that I have authorized fetch enabled.
Since I’ve seen other softwares have troubles with authorized fetch before (https://github.com/pixelfed/pixelfed/issues/1850), I’m wondering if that could be the reason.

If I look for a blog (i.e. my test one at @renatolond@write.as), I can see the profile. If I click on follow, it stays on “awaiting approval” with no change.
I also tested on a custom write.as install and also no luck there.

Is there something I can provide to help debugging?

Hey @renatolond, thanks for the report! We’ve heard about similar issues since Mastodon v3.1 or so, but haven’t found the exact cause yet.

I believe it’s because the Accept activity we send in response to a Follow request on Write.as / WriteFreely isn’t passing Mastodon’s validation anymore. But it could also be an issue with Mastodon fetching and validating a Write.as / WriteFreely profile.

As far as debugging, we could use your help with finding any useful error information in your Mastodon logs. Maybe something shows up there when you try to follow one of those Write.as accounts?

Hey @matt, thanks for getting back so quickly :slight_smile:

Hm, noticed something even weirder now. I went to my test instance to get logs for you, because masto.donte just has too much stuff scrolling around and it was working fine. The only difference between the two is that my testing was still in 3.2.0 and masto.donte.com.br is in 3.2.1. But I think we can eliminate authorized fetch, because my test instance also has authorized fetch on.

So I’ve bumped the version of my test instance to see what happens, and it still worked, which led me to think there was something else going on the first time around (and no doubt about it, now it shows as being followed back in masto.donte.com.br too)

Do you think it could be some kind of slower federation queue that would cause it? (Not sure if there’s even a federation queue in write.as as in mastodon)
The original blog that was reported as not working is in a custom write.as instance, so I’m guessing it might be actually related to Unable to follow blog [SOLVED], I’ll check with the owner of the instance to get some logs and see if there’s something going on there :slight_smile:

So, coming back from a few tests with the custom instance, it doesn’t seem to be related to the linked issue.
In my test instance I was trying to follow an unlisted blog and it was not working, it stayed on the “pending following” status. I could see some errors in the logs:

Nov 17 21:57:22 lond-com-br bash[4109717]: [5f537505-5134-4897-9e7b-a694c4367bf4] method=GET path=/users/renato format=json controller=AccountsController action=show status=401 duration=13.14 view=1.03 db=1.83
Nov 17 21:57:28 lond-com-br bash[4109717]: [49ca4f17-2d2d-48f7-9f8d-2d3af7eba41d] method=GET path=/users/renato format=json controller=AccountsController action=show status=401 duration=6.83 view=0.42 db=1.05

It seems the remote write.as was having troubles fetching my profile.
I then turned off authorized fetch, tried again and it worked. Now, even if with the remote fetch on, it seems to work following and unfollowing the blog.

The same seems to be happening at masto.donte.com.br, I didn’t disable authorized fetch over there, but I’d guess the same would happen there too.

Thanks, that helps narrow it down! Based on the 401 statuses and AUTHORIZED_FETCH documentation, I’m assuming WriteFreely is missing some important actor data on that initial fetch (such as public keys), causing later calls to fail.

This is on my list to personally investigate more, but we could use help from anyone in the community interested in solving this (especially if you run a WriteFreely instance)! I think as a next step, it’s worth opening a bug report about this.

I don’t know enough to help, but I can’t follow my own blog on @writing.exchange.

I try to follow @OldYogre@write.as, and when I go to the blog’s mastodon profile it shows “cancel follow request” and says it is awaiting approval. If there’s anything I can do to help, I’m willing. I’m just not knowledgeable.

Hey, Matt!
I saw a very similar issue on BookWyrm and since it was a language I felt a bit more at ease with, I managed to dig a little and find out the issue. Not sure if it helps on your investigation, but here’s what was missing on BookWyrm’s side: https://github.com/mouse-reeve/bookwyrm/pull/427

Basically, when Mastodon tries to follow a BookWyrm actor, BookWyrm doesn’t know the actor yet and tries to fetch the actor from Mastodon. That fetch is not signed, which means mastodon rejects the call, and BookWyrm without being able to fetch the actor, rejects the follow requests.

Since the behavior is quite similar on the mastodon side (a follow request which stays pending indefinitely), I’d assume it’s a similar code path in writefreely’s side, but I couldn’t dig on it too much yet to see if I can find it :slight_smile:

I appreciate all the assistance, @renatolond! It was a huge help in coming up with a fix. Basically, when someone follows a blog and we look up the requesting actor, we now sign that GET request to get the actor with keys from a fake instance.tld actor on our end.

This fix is live on Write.as now, and will be in the next version of WriteFreely (see PR#439).