Federation: Follow of channel by Mastodon instance with AUTHORIZED_FETCH on hangs at "requested"
As a visible member of a minority, I run with AUTHORIZED_FETCH turned on on my Mastodon (actually Hometown) instance, to prevent my posts from being transitively boosted to servers that I have blocked. AUTHORIZED_FETCH, also called "Secure Mode", means that all requests to the Mastodon server will be responded to with 401 Unauthorized, and the requesting instance must resubmit the request with a host signature, which will be checked against the Mastodon server's blocklist.
Steps to reproduce
- Create Funkwhale pod F running 1.3.3, create User FU, create Channel C.
- Create Mastodon instance M, create user MU. Set Mastodon instance to use AUTHORIZED_FETCH.
- In the web interface for M, attempt to follow FU from MU. Refresh the page to see if the follow has applied.
What happens?
In the Mastodon web interface, follow is degraded to Requested, and the button changes to "Withdraw follow request".
This seems to be because when a follow request is made, Funkwhale, like all Fediverse servers, needs to make a return request to the server that originated the follow request (to get the user's signature? I'm not totally certain about the workflow). But the server originating the follow request responds with 401 Unauthorized, because the requestor (Funkwhale) has not signed the request as AUTHORIZED_FETCH requires. Since Funkwhale never retries this request, the Mastodon user's follow request handshake never completes and hangs at "follow requested".
What is expected?
The follow completes successfully.
Workaround
Temporarily disabling AUTHORIZED_FETCH on the Mastodon server, then performing the follow, will permit the follow to succeed, and it will persist properly even after re-enabling AUTHORIZED_FETCH.
Context
Funkwhale version(s) affected: 1.3.3
Mastodon version(s) affected: 4.0, 4.1, 4.2, probably all versions since about 3.5.
Mastodon (old.mermaid.town) nginx log shows:
2400:8907::f03c:93ff:fe33:def5 - - [27/Oct/2023:14:49:31 +1100] "GET /users/futzle HTTP/1.1" 401 29 "-" "python-requests (funkwhale/1.3.3; +https://darkside.ofa.dog)"
Mastodon (old.mermaid.town) syslog shows:
Oct 27 14:49:31 old bundle[3955577]: [629ff5ea-7919-4382-a6e9-ce0eb81fb728] method=GET path=/users/futzle format=json controller=AccountsController action=show status=401 duration=7.51 view=0.54 db=1.07
Funkwhale server (darkside.ofa.dog) nginx log shows:
2400:8907::f03c:93ff:fe78:43a2 - - [27/Oct/2023:03:46:52 +0000] "POST /federation/actors/serious_futzle/inbox HTTP/1.1" 403 64 "-" "http.rb/5.1.0 (Mastodon/4.0.10+hometown-1.1.1; +https://old.mermaid.town/)"
Funkwhale server (darkside.ofa.dog) syslog shows:
Oct 27 03:26:45 localhost gunicorn[134469]: 2023-10-27 03:26:45,830 funkwhale_api.federation.authentication INFO Discarding HTTP request from actor/domain https://old.mermaid.town/users/futzle, 401 Client Error: Unauthorized for url: https://old.mermaid.town/users/futzle
Oct 27 03:26:45 localhost gunicorn[134469]: 2023-10-27 03:26:45,842 django.request WARNING Forbidden: /federation/actors/serious_futzle/inbox
Discarding HTTP request seems to be the smoking gun here, that Funkwhale isn't re-attempting the request with a signature.
Broader Fediverse context
Some Fediverse server software, notably GoToSocial, always runs in Secure Mode. They have an open issue on GitHub to track following Funkwhale channels.
Write.as has this issue (https://discuss.write.as/t/federation-cant-follow-from-mastodon-with-authorized-fetch-enabled/2063/5).
Bookwyrm had this issue and has applied a patch which might be of particular interest as Bookwyrm is also a Django project.
Pixelfed had this issue and has applied a patch.
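
The retry-with-signature behaviour that the report describes as missing, shown as an added example (not Funkwhale's code and not part of the original report). It assumes the draft-cavage HTTP Signatures header layout commonly used between ActivityPub servers; `http_get` and `sign` are hypothetical injected callables, and the hostnames, key id, stub signer and fake remote are constructed for the demo.

```python
import base64
import hashlib
from email.utils import formatdate
from urllib.parse import urlsplit

ACCEPT = "application/activity+json"

def signing_string(url, headers):
    """The string covering (request-target), host and date for a GET."""
    parts = urlsplit(url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    return (f"(request-target): get {target}\n"
            f"host: {headers['Host']}\ndate: {headers['Date']}")

def signed_headers(url, key_id, sign):
    """Headers for a signed GET. `sign` (assumed) maps bytes to signature bytes."""
    headers = {"Host": urlsplit(url).netloc,
               "Date": formatdate(usegmt=True), "Accept": ACCEPT}
    sig = base64.b64encode(sign(signing_string(url, headers).encode())).decode()
    headers["Signature"] = (f'keyId="{key_id}",algorithm="rsa-sha256",'
                            f'headers="(request-target) host date",signature="{sig}"')
    return headers

def fetch_actor(url, http_get, key_id, sign):
    """Fetch an actor document; on 401 retry once with an HTTP Signature."""
    status, body = http_get(url, {"Accept": ACCEPT})
    if status == 401:
        status, body = http_get(url, signed_headers(url, key_id, sign))
    return status, body

# Constructed demo pieces: a stub signer and a stand-in for a Secure Mode server.
def stub_sign(data):
    # Placeholder only. A real server signs with RSA-SHA256 using the
    # private key of the actor named in keyId.
    return hashlib.sha256(b"demo-key" + data).digest()

def fake_remote(url, headers):
    """Answers 401 unless the Signature header matches the request it covers."""
    sig_header = headers.get("Signature")
    if sig_header is None:
        return 401, ""
    fields = {k: v.strip('"') for k, v in
              (f.split("=", 1) for f in sig_header.split(","))}
    expected = base64.b64encode(
        stub_sign(signing_string(url, headers).encode())).decode()
    return (200, '{"type": "Person"}') if fields["signature"] == expected else (401, "")
```
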