#webfinger

Fedify: an ActivityPub server framework<p>🎉 Huge shoutout to two amazing contributors from Korea's <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/OSSCA" target="_blank">#<span>OSSCA</span></a> program who've made excellent contributions to <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Fedify" target="_blank">#<span>Fedify</span></a>!</p><p>👏 <a translate="no" class="h-card u-url mention" href="https://yuri.garden/@gaebalgom" rel="nofollow noopener" target="_blank">@<span>gaebalgom</span></a> tackled a tricky terminal compatibility issue in <a href="https://github.com/fedify-dev/fedify/pull/282" rel="nofollow noopener" target="_blank">PR #282</a>, fixing the <code>fedify node</code> command's favicon display on terminal emulators without truecolor support (<a href="https://github.com/fedify-dev/fedify/issues/168" rel="nofollow noopener" target="_blank">#168</a>). His solution elegantly detects terminal capabilities and falls back to 256-color mode when needed—ensuring a great experience across different environments.</p><p>🌟 <a translate="no" class="h-card u-url mention" href="https://hackers.pub/@joonnot" rel="nofollow noopener" target="_blank">@<span>joonnot</span></a> enhanced Fedify's <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/WebFinger" target="_blank">#<span>WebFinger</span></a> functionality in <a href="https://github.com/fedify-dev/fedify/pull/281" rel="nofollow noopener" target="_blank">PR #281</a> by adding a configurable <code>maxRedirection</code> option to the <code>lookupWebFinger()</code> function (<a href="https://github.com/fedify-dev/fedify/issues/248" rel="nofollow noopener" target="_blank">#248</a>). 
He transformed a hardcoded limitation into a flexible, user-customizable parameter while maintaining perfect backward compatibility.</p><p>Both delivered thoughtful, well-implemented solutions that showcase the quality of contributions coming from the OSSCA program. Welcome to the Fedify community! :fedify:</p><p><a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/ActivityPub" target="_blank">#<span>ActivityPub</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/opensource" target="_blank">#<span>opensource</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/fedidev" target="_blank">#<span>fedidev</span></a></p>
Fedify: an ActivityPub server framework<p>🎉 Big thanks to <a translate="no" class="h-card u-url mention" href="https://hackers.pub/@2chanhaeng" rel="nofollow noopener" target="_blank">@<span>2chanhaeng</span></a> for his first contribution to <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Fedify" target="_blank">#<span>Fedify</span></a>! He implemented the new <a href="https://unstable.fedify.dev/cli#fedify-webfinger-looking-up-a-webfinger-resource" rel="nofollow noopener" target="_blank"><code>fedify webfinger</code></a> command in <a href="https://github.com/fedify-dev/fedify/pull/278" rel="nofollow noopener" target="_blank">PR #278</a>, which allows isolated <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/WebFinger" target="_blank">#<span>WebFinger</span></a> lookups for testing configurations. This addresses the need for developers to test WebFinger functionality without performing comprehensive object retrieval.</p><p>The contribution includes:</p><ul> <li>A new <code>fedify webfinger &lt;handle&gt;</code> command that accepts <code>@user@domain</code> format handles or URIs</li><li>Clean JSON output of WebFinger JRD results</li><li>Proper error handling for invalid handles and lookup failures</li><li>Complete <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/CLI" target="_blank">#<span>CLI</span></a> integration with help text and usage examples</li> </ul><p>This was originally filed as <a href="https://github.com/fedify-dev/fedify/issues/260" rel="nofollow noopener" target="_blank">issue #260</a> and marked as a <a href="https://github.com/fedify-dev/fedify/issues?q=sort%3Aupdated-desc+state%3Aopen+label%3A%22good+first+issue%22" rel="nofollow noopener" target="_blank">good first issue</a>—perfect for newcomers to learn the codebase structure while contributing meaningful functionality. 
The PR has been merged and will be included in the upcoming Fedify 1.8.0 release.</p><p>We appreciate all first-time contributors who help make Fedify better for the entire <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/fediverse" target="_blank">#<span>fediverse</span></a> community. Welcome aboard, ChanHaeng!</p><p><a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/opensource" target="_blank">#<span>opensource</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/fedidev" target="_blank">#<span>fedidev</span></a></p>
Plinubius 🇪🇺<p><span class="h-card" translate="no"><a href="https://gruene.social/@moderation" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>moderation</span></a></span> The vast majority of B90/Die Grünen district associations use Wordpress, which is very often provided to them by Verdigado. Green district associations could therefore become relevant in the Fediverse ad hoc. Install the <a href="https://chaos.social/tags/ActivityPub" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ActivityPub</span></a> and <a href="https://chaos.social/tags/Webfinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Webfinger</span></a> plugins, done. See also <a href="https://chaos.social/@plinubius/114721884636312303" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">chaos.social/@plinubius/114721</span><span class="invisible">884636312303</span></a></p>
Ben Pate 🤘🏻<p>I'd love to know more about what you're thinking here. </p><p>I don't think we're replacing <a href="https://mastodon.social/tags/Webfinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Webfinger</span></a>. I think we're trying to follow through on <a href="https://mastodon.social/tags/WhatCorySaid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WhatCorySaid</span></a> at <a href="https://mastodon.social/tags/FediForum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FediForum</span></a> (<a href="https://www.youtube.com/watch?v=7_Gs1t0qe78" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">youtube.com/watch?v=7_Gs1t0qe78</span><span class="invisible"></span></a>)</p><p>...which is basically: Let regular people take their account to a new server any time they want, without relying on awful XML/CSV import/export jobs. This would go a long way to solving Fediverse UX issues and preventing enshitification.</p><p>Is there more that I've missed?</p><p><span class="h-card" translate="no"><a href="https://digitalcourage.social/@mro" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>mro</span></a></span> <span class="h-card" translate="no"><a href="https://j12t.social/@j12t" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>j12t</span></a></span> <span class="h-card" translate="no"><a href="https://indieweb.social/@tchambers" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>tchambers</span></a></span></p>
Marcus Rohrmoser 🌻<p>Hi <span class="h-card" translate="no"><a href="https://j12t.social/@j12t" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>j12t</span></a></span> <span class="h-card" translate="no"><a href="https://indieweb.social/@tchambers" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>tchambers</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@benpate" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>benpate</span></a></span>,<br>isn't <a href="https://digitalcourage.social/tags/discovery" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>discovery</span></a> without <a href="https://digitalcourage.social/tags/webfinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webfinger</span></a> (hostnames and dns in essence) a <a href="https://digitalcourage.social/tags/fallacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fallacy</span></a> and thus <a href="https://digitalcourage.social/tags/centralisation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>centralisation</span></a> in disguise?</p><p>I mean DNS is the centralised infra we prbly can't do without anyway - why not stand on that shoulder and not add another global registry?</p><p>Moving may be done via redirects (like IRL).</p>
just small circles 🕊<p><span class="h-card" translate="no"><a href="https://toot.risottobias.org/@risottobias" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>risottobias</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@tomgag" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>tomgag</span></a></span> <span class="h-card" translate="no"><a href="https://floss.social/@forgefed" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>forgefed</span></a></span> <span class="h-card" translate="no"><a href="https://social.meissa-gmbh.de/@meissa" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>meissa</span></a></span> <span class="h-card" translate="no"><a href="https://floss.social/@forgejo" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>forgejo</span></a></span> <span class="h-card" translate="no"><a href="https://toot.radicle.xyz/@radicle" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>radicle</span></a></span> </p><p>This morning I tooted about <a href="https://social.coop/tags/Ayllu" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ayllu</span></a> who just released v0.4 .. code <a href="https://social.coop/tags/forge" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>forge</span></a> not federated (yet?), though the release adds <a href="https://social.coop/tags/WebFinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebFinger</span></a> support.</p><p><a href="https://social.coop/@smallcircles/114504634340069171" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">social.coop/@smallcircles/1145</span><span class="invisible">04634340069171</span></a></p>
julian<p><strong>Pleroma Webfinger compatibility</strong></p> <p>Does anybody know what exactly Pleroma needs for a valid Webfinger check? I'm attempting to figure out why <code>@jmtd@pleroma.debian.social</code> won't resolve in NodeBB, and it's because the webfinger call returns <code>400 Bad Request</code>.</p> <p>NodeBB is calling <code>https://pleroma.debian.social/.well-known/webfinger?resource=acct%3Ajmtd%40pleroma.debian.social</code> with <code>User-Agent</code> and <code>Content-Type</code> headers (curiously, it's <em>not</em> sending <code>Accept</code>, but it also fails if that header is set, so that's irrelevant.)</p> <p>Navigating to that webfinger url in the browser returns XML, which is :grimacing: but I'm not even getting that when NodeBB makes the call.</p> <p><a href="https://community.nodebb.org/post/104461" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">community.nodebb.org/post/1044</span><span class="invisible">61</span></a></p>
Fedify: an ActivityPub server framework<p>Fetching remote <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/ActivityPub" target="_blank">#<span>ActivityPub</span></a> objects or actors often involves handling <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/WebFinger" target="_blank">#<span>WebFinger</span></a> lookups, content negotiation, and then parsing potentially untyped JSON.</p><p>With <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Fedify" target="_blank">#<span>Fedify</span></a>, it's much simpler: use <a href="https://fedify.dev/manual/context#looking-up-remote-objects" rel="nofollow noopener" target="_blank"><code>Context.lookupObject()</code></a>. Pass it a URI (e.g., <code>https://instance.tld/users/alice</code>) <em>or</em> a handle (e.g., <code>@alice@instance.tld</code>), and Fedify handles the lookup and content negotiation automatically.</p><p>The real power comes from the return value: a <a href="https://fedify.dev/manual/vocab" rel="nofollow noopener" target="_blank">type-safe Activity Vocabulary object</a>, not just raw JSON. This allows you to confidently access properties and methods directly. 
For example, you can safely traverse account moves using <code>.getSuccessor()</code> like this:</p><pre><code>let actor = await ctx.lookupObject("@alice@instance.tld");
while (isActor(actor)) {
  const successor = await actor.getSuccessor();
  if (successor == null) break;
  actor = successor;
}
// actor now holds the latest account after moves
</code></pre><p>This is readily available in handlers where the <a href="https://fedify.dev/manual/context" rel="nofollow noopener" target="_blank"><code>Context</code></a> object is provided (like <a href="https://fedify.dev/manual/actor" rel="nofollow noopener" target="_blank">actor dispatchers</a> or <a href="https://fedify.dev/manual/inbox" rel="nofollow noopener" target="_blank">inbox listeners</a>).</p><p>Focus on your app's logic, not protocol boilerplate!</p><p>Learn more: <a href="https://fedify.dev/manual/context#looking-up-remote-objects" rel="nofollow noopener" target="_blank">https://fedify.dev/manual/context#looking-up-remote-objects</a></p><p><a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/fedidev" target="_blank">#<span>fedidev</span></a></p>
CarK :python:<p><span class="h-card" translate="no"><a href="https://blog.fami.ga/@Thomas" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Thomas</span></a></span> </p><p>I don't know exactly what <a href="https://social.tchncs.de/tags/WebFinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebFinger</span></a> is, but it almost certainly doesn't solve the problem that people, for quite understandable reasons, use different email addresses for different services (e.g. WeAct and Mastodon).</p><p><span class="h-card" translate="no"><a href="https://mastodon.social/@Stefan_S_from_H" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Stefan_S_from_H</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@campact" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>campact</span></a></span> <span class="h-card" translate="no"><a href="https://social.heise.de/@heiseonline" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>heiseonline</span></a></span> <span class="h-card" translate="no"><a href="https://digitalcourage.social/@digitalcourage" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>digitalcourage</span></a></span></p>
Thomas Ganter<p><span class="h-card" translate="no"><a href="https://mastodon.social/@Stefan_S_from_H" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Stefan_S_from_H</span></a></span> </p><p>This is exactly where, with a little goodwill, <span class="h-card" translate="no"><a href="https://mastodon.social/@campact" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>campact</span></a></span> could use <a href="https://blog.fami.ga/tags/WebFinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebFinger</span></a> to try to identify a server for the email address that one has just confirmed in the previous step … </p><p><span class="h-card" translate="no"><a href="https://social.tchncs.de/@cark" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>cark</span></a></span> <span class="h-card" translate="no"><a href="https://social.heise.de/@heiseonline" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>heiseonline</span></a></span> <span class="h-card" translate="no"><a href="https://digitalcourage.social/@digitalcourage" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>digitalcourage</span></a></span></p>
Thomas Ganter<p><span class="h-card" translate="no"><a href="https://bonn.social/@Sascha" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Sascha</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@campact" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>campact</span></a></span> <span class="h-card" translate="no"><a href="https://bewegung.social/@neuSoM" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>neuSoM</span></a></span> </p><p>Plus ... what is <a href="https://blog.fami.ga/tags/WebFinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebFinger</span></a> actually for? Couldn't a lookup simply be done here with my email address? Then all the <a href="https://blog.fami.ga/tags/FediVerse" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FediVerse</span></a> <a href="https://blog.fami.ga/tags/Interaction" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Interaction</span></a> <a href="https://blog.fami.ga/tags/Links" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Links</span></a> would already be known ... Right?</p>
Chris Trottier<p><span class="h-card"><a class="u-url mention" href="https://cyberplace.social/@antoinnesterk" rel="nofollow noopener" target="_blank">@<span>antoinnesterk</span></a></span> Strictly speaking, <a class="hashtag" href="https://atomicpoet.org/tag/webfinger" rel="nofollow noopener" target="_blank">#WebFinger</a> is not <a class="hashtag" href="https://atomicpoet.org/tag/finger" rel="nofollow noopener" target="_blank">#finger</a> but is based on <a class="hashtag" href="https://atomicpoet.org/tag/finger" rel="nofollow noopener" target="_blank">#finger</a>.</p>
Chris Trottier<p>Fun fact: the <a class="hashtag" href="https://atomicpoet.org/tag/fediverse" rel="nofollow noopener" target="_blank">#Fediverse</a> doesn’t just depend on <a class="hashtag" href="https://atomicpoet.org/tag/activitypub" rel="nofollow noopener" target="_blank">#ActivityPub</a>. </p><p>A good portion of it runs on <a class="hashtag" href="https://atomicpoet.org/tag/webfinger" rel="nofollow noopener" target="_blank">#WebFinger</a>. It’s why we’re able to find each other across different servers running vastly different software.</p><p><a href="https://en.wikipedia.org/wiki/WebFinger" rel="nofollow noopener" target="_blank">https://en.wikipedia.org/wiki/WebFinger</a><span class="quote-inline"><br><br>RE: <a href="https://atomicpoet.org/objects/6bc30357-bc44-4114-a036-1a6caaf3c42e" rel="nofollow noopener" target="_blank">https://atomicpoet.org/objects/6bc30357-bc44-4114-a036-1a6caaf3c42e</a></span></p>
Dendrobatus Azureus<p>Make sure that you always think about the data that you divulge to big companies. Use the Easy Storage knowing that they will use your data also even your copyrighted photographs. </p><p>Within the Fediverse it's easy to own your data, very easy, always remember that and be thankful</p><p>🖋️ <a href="https://mastodon.bsd.cafe/tags/bash" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bash</span></a> <a href="https://mastodon.bsd.cafe/tags/sh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sh</span></a> <a href="https://mastodon.bsd.cafe/tags/zsh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zsh</span></a> <a href="https://mastodon.bsd.cafe/tags/ksh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ksh</span></a> <a href="https://mastodon.bsd.cafe/tags/csh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>csh</span></a> <a href="https://mastodon.bsd.cafe/tags/tsh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tsh</span></a> <a href="https://mastodon.bsd.cafe/tags/programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>programming</span></a> <a href="https://mastodon.bsd.cafe/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a> <a href="https://mastodon.bsd.cafe/tags/Mastodon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mastodon</span></a> <a href="https://mastodon.bsd.cafe/tags/freeBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freeBSD</span></a> <a href="https://mastodon.bsd.cafe/tags/ngix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ngix</span></a> <a href="https://mastodon.bsd.cafe/tags/json" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>json</span></a> <a href="https://mastodon.bsd.cafe/tags/POSIX" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>POSIX</span></a> <a href="https://mastodon.bsd.cafe/tags/SocialMedia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialMedia</span></a> <a href="https://mastodon.bsd.cafe/tags/webfinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webfinger</span></a></p>
Dendrobatus Azureus<p>In this article Stefano explains to you how to use a web finger system so that people can always find your address</p><p>An important message here is that _you should always own your data_. So do not rely on cloud or web services to maintain your data. Always remember that many of those massive conglomerates use your data and sell it, literally sell it, or the metadata off it, to the highest bidder</p><p>Within the Fediverse it's easy to migrate from one server to the next, your followers will automatically follow your new account</p><p><a href="https://it-notes.dragas.net/2024/10/08/using-a-permanent-webfinger-address/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">it-notes.dragas.net/2024/10/08</span><span class="invisible">/using-a-permanent-webfinger-address/</span></a></p><p>🖋️ <a href="https://mastodon.bsd.cafe/tags/bash" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bash</span></a> <a href="https://mastodon.bsd.cafe/tags/sh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sh</span></a> <a href="https://mastodon.bsd.cafe/tags/zsh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zsh</span></a> <a href="https://mastodon.bsd.cafe/tags/ksh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ksh</span></a> <a href="https://mastodon.bsd.cafe/tags/csh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>csh</span></a> <a href="https://mastodon.bsd.cafe/tags/tsh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tsh</span></a> <a href="https://mastodon.bsd.cafe/tags/programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>programming</span></a> <a href="https://mastodon.bsd.cafe/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a> <a 
href="https://mastodon.bsd.cafe/tags/Mastodon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mastodon</span></a> <a href="https://mastodon.bsd.cafe/tags/freeBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freeBSD</span></a> <a href="https://mastodon.bsd.cafe/tags/ngix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ngix</span></a> <a href="https://mastodon.bsd.cafe/tags/json" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>json</span></a> <a href="https://mastodon.bsd.cafe/tags/POSIX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>POSIX</span></a> <a href="https://mastodon.bsd.cafe/tags/SocialMedia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialMedia</span></a> <a href="https://mastodon.bsd.cafe/tags/webfinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webfinger</span></a></p>
Fedify: an ActivityPub server framework<p>We have released security updates (<a href="https://github.com/dahlia/fedify/releases/tag/1.0.14" rel="nofollow noopener" target="_blank">1.0.14</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.1.11" rel="nofollow noopener" target="_blank">1.1.11</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.2.11" rel="nofollow noopener" target="_blank">1.2.11</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.3.4" rel="nofollow noopener" target="_blank">1.3.4</a>) for <a href="https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx" rel="nofollow noopener" target="_blank">CVE-2025-23221</a>, a vulnerability in Fedify's WebFinger implementation. We recommend that all users promptly update to the latest version corresponding to the version they use.</p> <p><strong>Vulnerability details</strong></p> <p>A security researcher discovered the following security issues in Fedify's <code>lookupWebFinger()</code> function:</p> <ul> <li>Possible denial of service (DoS) attacks through infinite redirect loops</li> <li>Possible SSRF (server-side request forgery) attacks using redirects to private network addresses</li> <li>Possible access to unintended URL schemes through redirect manipulation</li> </ul> <p><strong>Fixed versions</strong></p> <ul> <li>1.3.x series: update to <a href="https://github.com/dahlia/fedify/releases/tag/1.3.4" rel="nofollow noopener" target="_blank">1.3.4</a></li> <li>1.2.x series: update to <a href="https://github.com/dahlia/fedify/releases/tag/1.2.11" rel="nofollow noopener" target="_blank">1.2.11</a></li> <li>1.1.x series: update to <a href="https://github.com/dahlia/fedify/releases/tag/1.1.11" rel="nofollow noopener" target="_blank">1.1.11</a></li> <li>1.0.x series: update to <a href="https://github.com/dahlia/fedify/releases/tag/1.0.14" rel="nofollow noopener" target="_blank">1.0.14</a></li> </ul> <p><strong>Changes</strong></p> <p>This security update implements the following fixes:</p> <ol> <li>Introduced a maximum redirect count limit (5) to prevent infinite redirect loops</li> <li>Restricted redirects to the same scheme (HTTP/HTTPS) as the original request</li> <li>Blocked redirects to private network addresses to prevent SSRF</li> </ol> <p><strong>How to update</strong></p> <p>You can update to the latest secure version with the following commands:</p> <pre><code># For npm users
npm update @fedify/fedify
# For Deno users
deno add jsr:@fedify/fedify
</code></pre> <p>We thank the security researcher who responsibly reported this vulnerability. This made a prompt response possible.</p> <p>For details of this vulnerability, please see the <a href="https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx" rel="nofollow noopener" target="_blank">security advisory</a>.</p> <p>If you have any questions or concerns, please feel free to contact us via <a href="https://github.com/dahlia/fedify/discussions" rel="nofollow noopener" target="_blank">GitHub Discussions</a>, the <a href="https://matrix.to/#/#fedify:matrix.org" rel="nofollow noopener" target="_blank">Matrix chat space</a>, or the <a href="https://discord.gg/bhtwpzURwd" rel="nofollow noopener" target="_blank">Discord server</a>.</p> <p><a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Fedify" target="_blank">#<span>Fedify</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/WebFinger" target="_blank">#<span>WebFinger</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3" target="_blank">#<span>セキュリティ</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/%E8%84%86%E5%BC%B1%E6%80%A7" target="_blank">#<span>脆弱性</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/DoS" target="_blank">#<span>DoS</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/SSRF" target="_blank">#<span>SSRF</span></a></p>
Fedify: an ActivityPub server framework<p>We have released security updates (<a href="https://github.com/dahlia/fedify/releases/tag/1.0.14" rel="nofollow noopener" target="_blank">1.0.14</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.1.11" rel="nofollow noopener" target="_blank">1.1.11</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.2.11" rel="nofollow noopener" target="_blank">1.2.11</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.3.4" rel="nofollow noopener" target="_blank">1.3.4</a>) to address <a href="https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx" rel="nofollow noopener" target="_blank">CVE-2025-23221</a>, a security vulnerability found in the <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/WebFinger" target="_blank">#<span>WebFinger</span></a> implementation of the <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Fedify" target="_blank">#<span>Fedify</span></a> framework. We recommend that all users immediately update to the latest version corresponding to the version they are using.</p> <p><strong>Vulnerability details</strong></p> <p>A security researcher discovered the following security issues in Fedify's <code>lookupWebFinger()</code> function:</p> <ul> <li>Possible denial of service attacks through infinite redirect loops</li> <li>Possible SSRF (server-side request forgery) attacks through redirects to internal network addresses</li> <li>Possible access to unintended URL schemes through redirect manipulation</li> </ul> <p><strong>Fixed versions</strong></p> <ul> <li>1.3.x series: update to <a href="https://github.com/dahlia/fedify/releases/tag/1.3.4" rel="nofollow noopener" target="_blank">1.3.4</a></li> <li>1.2.x series: update to <a href="https://github.com/dahlia/fedify/releases/tag/1.2.11" rel="nofollow noopener" target="_blank">1.2.11</a></li> <li>1.1.x series: update to <a href="https://github.com/dahlia/fedify/releases/tag/1.1.11" rel="nofollow noopener" target="_blank">1.1.11</a></li> <li>1.0.x series: update to <a href="https://github.com/dahlia/fedify/releases/tag/1.0.14" rel="nofollow noopener" target="_blank">1.0.14</a></li> </ul> <p><strong>Changes</strong></p> <p>This security update includes the following fixes:</p> <ol> <li>Introduced a maximum redirect count limit (5) to prevent infinite redirect loops</li> <li>Restricted redirects so that only the same scheme (HTTP/HTTPS) as the original request is allowed</li> <li>Blocked redirects to internal network addresses to prevent SSRF attacks</li> </ol> <p><strong>How to update</strong></p> <p>You can update to the latest secure version with the following commands:</p> <pre><code># For npm users
npm update @fedify/fedify
# For Deno users
deno add jsr:@fedify/fedify
</code></pre> <p>We thank the security researcher who responsibly reported this vulnerability. Thanks to them, we were able to resolve the issue quickly.</p> <p>For more details about this vulnerability, please refer to the <a href="https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx" rel="nofollow noopener" target="_blank">security advisory</a>.</p> <p>If you have any questions or concerns, please contact us at any time via <a href="https://github.com/dahlia/fedify/discussions" rel="nofollow noopener" target="_blank">GitHub Discussions</a>, the <a href="https://matrix.to/#/#fedify:matrix.org" rel="nofollow noopener" target="_blank">Matrix chat room</a>, or the <a href="https://discord.gg/bhtwpzURwd" rel="nofollow noopener" target="_blank">Discord server</a>.</p> <p><a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/%EB%B3%B4%EC%95%88" target="_blank">#<span>보안</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/%EB%B3%B4%EC%95%88%ED%8C%A8%EC%B9%98" target="_blank">#<span>보안패치</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/%EC%B7%A8%EC%95%BD%EC%A0%90" target="_blank">#<span>취약점</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/SSRF" target="_blank">#<span>SSRF</span></a></p>
Fedify: an ActivityPub server framework<p>We have released <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/security" target="_blank">#<span>security</span></a> updates (<a href="https://github.com/dahlia/fedify/releases/tag/1.0.14" rel="nofollow noopener" target="_blank">1.0.14</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.1.11" rel="nofollow noopener" target="_blank">1.1.11</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.2.11" rel="nofollow noopener" target="_blank">1.2.11</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.3.4" rel="nofollow noopener" target="_blank">1.3.4</a>) to address <a href="https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx" rel="nofollow noopener" target="_blank">CVE-2025-23221</a>, a <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/vulnerability" target="_blank">#<span>vulnerability</span></a> in <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Fedify" target="_blank">#<span>Fedify</span></a>'s <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/WebFinger" target="_blank">#<span>WebFinger</span></a> implementation. 
We recommend all users update to the latest version of their respective release series immediately.</p> <p><strong>The Vulnerability</strong></p> <p>A security researcher identified multiple security issues in Fedify's <code>lookupWebFinger()</code> function that could be exploited to:</p> <ul> <li>Perform denial of service attacks through infinite redirect loops</li> <li>Execute server-side request forgery (<a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/SSRF" target="_blank">#<span>SSRF</span></a>) attacks via redirects to private network addresses</li> <li>Access unintended URL schemes through redirect manipulation</li> </ul> <p><strong>Fixed Versions</strong></p> <ul> <li>1.3.x series: Update to <a href="https://github.com/dahlia/fedify/releases/tag/1.3.4" rel="nofollow noopener" target="_blank">1.3.4</a></li> <li>1.2.x series: Update to <a href="https://github.com/dahlia/fedify/releases/tag/1.2.11" rel="nofollow noopener" target="_blank">1.2.11</a></li> <li>1.1.x series: Update to <a href="https://github.com/dahlia/fedify/releases/tag/1.1.11" rel="nofollow noopener" target="_blank">1.1.11</a></li> <li>1.0.x series: Update to <a href="https://github.com/dahlia/fedify/releases/tag/1.0.14" rel="nofollow noopener" target="_blank">1.0.14</a></li> </ul> <p><strong>Changes</strong></p> <p>The security updates implement the following fixes:</p> <ol> <li>Added a maximum redirect limit (5) to prevent infinite redirect loops</li> <li>Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)</li> <li>Blocked redirects to private network addresses to prevent SSRF attacks</li> </ol> <p><strong>How to Update</strong></p> <p>To update to the latest secure version:</p> <pre><code># For npm users
npm update @fedify/fedify
# For Deno users
deno add jsr:@fedify/fedify
</code></pre> <p>We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.</p> 
<p>For more details about this vulnerability, please refer to our <a href="https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx" rel="nofollow noopener" target="_blank">security advisory</a>.</p> <p>If you have any questions or concerns, please don't hesitate to reach out through our <a href="https://github.com/dahlia/fedify/discussions" rel="nofollow noopener" target="_blank">GitHub Discussions</a>, join our <a href="https://matrix.to/#/#fedify:matrix.org" rel="nofollow noopener" target="_blank">Matrix chat space</a>, or our <a href="https://discord.gg/bhtwpzURwd" rel="nofollow noopener" target="_blank">Discord server</a>.</p>
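The three redirect checks listed under Changes in the post above, sketched as an added JavaScript example (not Fedify's code and not part of the post): a redirect chain is followed only while it stays within five hops, keeps the original scheme, and resolves to no private address. The function names, the sample hosts and the injected `resolve` DNS table are assumptions made for illustration.

```javascript
// Added example, not Fedify's code. The limit of 5 is from the post above;
// function names, hosts and addresses are hypothetical.
const isV4 = (h) => /^\d+\.\d+\.\d+\.\d+$/.test(h); // URL normalizes IPv4 forms
const MAX_REDIRECTS = 5;

// 0.0.0.0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.168/16, 100.64/10
function isPrivateV4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// IPv6: loopback, unspecified, fc00::/7, fe80::/10; IPv4-mapped is refused outright.
function isPrivateIp(ip) {
  if (isV4(ip)) return isPrivateV4(ip);
  const v6 = ip.toLowerCase();
  return v6 === "::1" || v6 === "::" || v6.startsWith("::ffff:") ||
    /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
}

// Returns a rejection reason for one redirect hop, or null if it may be followed.
// `resolve` maps a hostname to IP strings (DNS in real use; injected to run offline).
function checkHop(original, next, hops, resolve) {
  if (hops >= MAX_REDIRECTS) return "too many redirects";
  if (next.protocol !== original.protocol) return "scheme changed";
  const host = next.hostname.replace(/^\[|\]$/g, "");
  const ips = isV4(host) || host.includes(":") ? [host] : resolve(host);
  if (ips.length === 0) return "unresolvable host";
  return ips.some(isPrivateIp) ? "private address" : null;
}

// Walks a chain; `responses` maps URL -> Location header (constructed stand-in
// for HTTP 3xx replies). A URL with no entry is treated as the final response.
function followRedirects(start, responses, resolve) {
  const original = new URL(start);
  let current = original;
  for (let hops = 0; ; hops++) {
    const location = responses[current.href];
    if (location === undefined) return { ok: true, url: current.href, hops };
    const next = new URL(location, current); // handles relative Location values
    const reason = checkHop(original, next, hops, resolve);
    if (reason) return { ok: false, reason, blocked: next.href, hops };
    current = next;
  }
}

// Constructed sample DNS table for the offline run.
const DNS = { "a.example": ["203.0.113.10"], "b.example": ["203.0.113.11"], "intranet.example": ["10.0.0.5"] };
const resolve = (host) => DNS[host] || [];
```

In a real client the address check has to apply to the IP the connection actually uses; resolving once for the check and again for the request leaves a DNS rebinding gap.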
Nordnick :verified:<p><span class="h-card" translate="no"><a href="https://masto.ai/@danieldekay" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>danieldekay</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@NickBohle" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>NickBohle</span></a></span> <span class="h-card" translate="no"><a href="https://notiz.blog/author/matthias-pfefferle/" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>pfefferle</span></a></span> </p><p>Checking <a href="https://norden.social/tags/WebFinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebFinger</span></a> for pfefferle@notiz.blog it looks different and a little bit better...</p><p> "subject": "acct:pfefferle@notiz.blog",<br> "aliases": [<br> "acct:pfefferle@notiz.blog",<br> "<a href="https://notiz.blog/author/matthias-pfefferle/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">notiz.blog/author/matthias-pfe</span><span class="invisible">fferle/</span></a>",<br> "<a href="https://notiz.blog/@pfefferle" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">notiz.blog/@pfefferle</span><span class="invisible"></span></a>"<br> ],</p><p>and...</p>
Nordnick :verified:<p><span class="h-card" translate="no"><a href="https://masto.ai/@danieldekay" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>danieldekay</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@NickBohle" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>NickBohle</span></a></span> <span class="h-card" translate="no"><a href="https://notiz.blog/author/matthias-pfefferle/" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>pfefferle</span></a></span> </p><p>Yes, lookup should work.</p><p>Requested now </p><p><a href="https://www.rhein-neckar-tango.de/?author=0" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">rhein-neckar-tango.de/?author=</span><span class="invisible">0</span></a></p><p>as described in the <a href="https://norden.social/tags/WebFinger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebFinger</span></a> result for "type": "application/activity+json"</p><p>with "Accept: application/activity+json"</p><p>and got a 403.</p><p>HTTP/1.1 403 Forbidden<br>Server: nginx</p>