Re: Threads testing federation via ActivityPub

I just retried removing `Content-Type` and `Digest` (as I had it) and it still does not work.

On Fri, Dec 15, 2023, at 12:14 PM, Jason Culverhouse wrote:
> 
> 
>> On Dec 15, 2023, at 11:51 AM, Angelo Gladding <angelo@ragt.ag> wrote:
>> 
>> We can all access: https://www.threads.net/.well-known/webfinger?resource=acct%3A0xjessel%40threads.net
>> 
>> This returns a single link to: https://www.threads.net/ap/users/0xjessel/
>> 
>> I'm requesting that URL with the following headers:
>> 
> 
> A few differences for what I am doing ( Ie just using application/activity+json )
> 
>>> Accept: application/activity+json; q=0.9, application/ld+json; profile="https://www.w3.org/ns/activitystreams"; q=0.8, text/html; charset=utf-8; q=0.7
>>> Content-Type: application/activity+json
> 
> I don't think content type is needed at all on a get request without a payload
> 
>>> Date: Fri, 15 Dec 2023 18:48:26 GMT
>>> Digest: SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
> 
> This value is a constant value, the  SHA-256('') of an empty byte[] it shouldn’t be required in a signed get request (assuming no payload).
> For a get the only values required are `(request-target) date host`.
> 
> There is some question about the signature specifications ie
> 
> Is the header:
> Signature: Signature keyId="https://flipboard.com/users/JsonCulverhouse#main-key”��
> Or 
> Signature: keyId="https://flipboard.com/users/JsonCulverhouse#main-key”��
> 
> I find they both generally work. I tried both variations on threads, no difference.
> 
> 
> I see the same I get a 200 response with the 404 page.
> 
> 
>>> Host: www.threads.net
>> 
>> I'm using the same HTTP Signature code that works for Pixelfed, Peertube, Lemmy, Mastodon, Brid.gy and Micro.blog.
>> 
>> https://ragt.ag/search?q=%40dansup%40pixelfed.social
>> https://ragt.ag/search?q=%40egent07%40tube.tchncs.de
>> https://ragt.ag/search?q=%40skariko%40feddit.it
>> https://ragt.ag/search?q=%40evan%40cosocial.ca
>> https://ragt.ag/search?q=%40snarfed.org%40fed.brid.gy
>> https://ragt.ag/search?q=%40manton%40manton.org
>> 
>> The signature uses my key at https://ragt.ag/owner/actor#main-key
>> 
>> Threads is requesting my actor file during this request for 0xjessel's actor file and my server is returning 200. I've tried returning both "Content-Type: application/activitypub+json" and "Content-Type: application/ld+json".
>> 
>> I ultimately receive a 200 response with what appears to be the content of a generic 404 page eg. https://www.threads.net/asdkjhaskjdhasd.
>> 
>> On Fri, Dec 15, 2023, at 10:21 AM, Jason Culverhouse wrote:
>>> 
>>> 
>>>> On Dec 15, 2023, at 7:28 AM, Ryan Barrett <public@ryanb.org> wrote:
>>>> 
>>>> On Thu, Dec 14, 2023 at 12:52 PM Jason Culverhouse <jason@mischievous.org> wrote:
>>>>> 
>>>>> Has anyone gotten a fetch to work in a federated service other than mastodon?
>>>> 
>>>> Yes, Bridgy Fed (https://fed.brid.gy/) is successfully discovering and fetching Threads users, following them, and receiving posts from them via inbox delivery. I doubt they're allowlisting based on User-Agent.
>>>> 
>>>> Bridgy Fed uses Accept: application/activity+json; q=0.9, application/ld+json; profile="https://www.w3.org/ns/activitystreams"; q=0.8, text/html; charset=utf-8; q=0.7 . Here's its code for making signed fetches: https://github.com/snarfed/bridgy-fed/blob/44056bee8a0fb2e8348b69a9187ebe1377a7cdcd/activitypub.py#L460-L537
>>>> 
>>>>> 
>>> 
>>> Hmm… try as I might.  I always get back a html content type This is a get request so the signature header contains just "(request-target) date host” and I use the content type application/activity+json
>>> 
>>> Signature keyId="https://flipboard.com/users/JsonCulverhouse#main-key",created=1702664065,algorithm="rsa-sha256",headers="(request-target) date host",signature=“…“
>>> 
>>> 
>>> Same requests work fine with a secured mastodon server.
>>> Jason
>>> 
>>> 
>>> 
>>>>> Jason
>>>>> 
>>>>> 
>>>>>> On Dec 14, 2023, at 12:22 PM, Cristiano Longo <cristianolongo@opendatahacklab.org> wrote:
>>>>>> 
>>>>>> I get the same response with all the accounts you mentioned.
>>>>>> 
>>>>>> On 14/12/23 21:11, Ryan Barrett wrote:
>>>>>>> It's evidently a very limited set of accounts; so far I (and others) have only seen that @mosseri, @0xjessel, and @christophersu are federating so far. Others like @btsavage still aren't serving webfinger or AS2 yet.
>>>>>>> 
>>>>>>> On Thu, Dec 14, 2023 at 11:23 AM Cristiano Longo <cristianolongo@opendatahacklab.org> wrote:
>>>>>>>> Still not working for me.  May be I should declare the accepted encodings in the request.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Request
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> GET /@btsavage HTTP/2
>>>>>>>> Host: www.threads.net
>>>>>>>> accept: application/activity+json
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Response
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> HTTP response code 320
>>>>>>>> 
>>>>>>>> empty body
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Headers
>>>>>>>> vary: Accept-Encoding
>>>>>>>> location: https://www.facebook.com/unsupportedbrowser
>>>>>>>> strict-transport-security: max-age=31536000; preload; includeSubDomains
>>>>>>>> content-type: text/html; charset="utf-8"
>>>>>>>> x-fb-debug: 0cHgFvshEWJR5sZU23uOemQcHuGcN+zUO8Wam4ym76dO5OEXTa4pOApVYp2AnEwPBkMl2L0E+IqWIkmcWDQICg==
>>>>>>>> content-length: 0
>>>>>>>> date: Thu, 14 Dec 2023 19:17:07 GMT
>>>>>>>> alt-svc: h3=":443"; ma=86400
>>>>>>>> 
>>>>>>>>             
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 14/12/23 19:31, Chris Messina wrote:
>>>>>>>>> Seems like that is working now. 
>>>>>>>>> 
>>>>>>>>> <02C65517-12EF-4D8E-A0D0-461492E8F00B.jpg>
>>>>>>>>> 
>>>>>>>>> https://www.threads.net/@0xjessel/post/C010QLJrQCI/?
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Photo of Chris Messina <https://chrismessina.me/>
>>>>>>>>> *Chris Messina <https://chrismessina.me/>*
>>>>>>>>> *Investor • *Ride Home AI Fund
>>>>>>>>> Previously: Google, Uber, Republic, Y Combinator 🏆 #1 Product Hunter <https://chrismessina.me/hunt-me>
>>>>>>>>> Threads <https://threads.net/@chris>Product Hunt <https://www.producthunt.com/@chrismessina>Mastodon <https://mastodon.xyz/@chrismessina>Spotify <https://open.spotify.com/user/factoryjoe>LinkedIn <https://linkedin.com/in/factoryjoe/>Instagram <https://instagram.com/chris>Medium <https://medium.com/@chrismessina>
>>>>>>>>> 
>>>>>>>>> Sent via Superhuman iOS <https://sprh.mn/?vip=chris.messina@gmail.com>
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Thu, Dec 14 2023 at 6:12 AM, Cristiano Longo <cristianolongo@opendatahacklab.org> wrote: 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On 14/12/23 02:43, Ben Savage wrote:
>>>>>>>>>>> Hi everyone,
>>>>>>>>>>> 
>>>>>>>>>>> Ben Savage here from Meta. Just a few quick points:
>>>>>>>>>>> 
>>>>>>>>>>>  1. This test is not yet started (debugging some last technical issues together with Mastodon engineers)
>>>>>>>>>>>  2. Only a few accounts will be a part of this initial test. My Threads account (https://www.threads.net/@btsavage) will be one of those and I'm happy to make test posts to help people who want to work on Threads integration.
>>>>>>>>>>>  3. We will share details about how to test soon, once we iron these issues out.
>>>>>>>>>>> 
>>>>>>>>>>> --Ben
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> But requesting content with activity+json mimetype  I get a redirect to https://www.facebook.com/unsupportedbrowser
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> *From:* Kagami Rosylight <saschanaz@outlook.com>
>>>>>>>>>>> *Sent:* Wednesday, December 13, 2023 11:09 PM
>>>>>>>>>>> *To:* public-swicg@w3.org <public-swicg@w3.org>
>>>>>>>>>>> *Subject:* Re: Threads testing federation via ActivityPub
>>>>>>>>>>>  
>>>>>>>>>>> This Message Is From an Untrusted Sender 
>>>>>>>>>>> You have not previously corresponded with this sender. 
>>>>>>>>>>>  
>>>>>>>>>>> The page source does include application/activity+json: <link href="https://www.threads.net/&#064;zuck/post/C0zXcQmxO77" type="application/activity+json" />
>>>>>>>>>>> 
>>>>>>>>>>> But curl doesn't work as you noted, perhaps it requires some additional things to limit it for internal test?
>>>>>>>>>>> 
>>>>>>>>>>> On 13/12/2023 21:35, Evan Prodromou wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> Mike Macgirving pointed out that I'm not using the right media type! I tried with ld+json and didn't get any traction, though.
>>>>>>>>>>>> 
>>>>>>>>>>>> ```
>>>>>>>>>>>> curl -H 'Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"' https://www.threads.net/@zuck
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> curl -H 'Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"' https://www.threads.net/@zuck/post/C0zXcQmxO77
>>>>>>>>>>>> 
>>>>>>>>>>>> ```
>>>>>>>>>>>> 
>>>>>>>>>>>> On 2023-12-13 2:07 p.m., Evan Prodromou wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I just saw this post on Threads:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> https://www.threads.net/@zuck/post/C0zXcQmxO77
>>>>>>>>>>>>> 
>>>>>>>>>>>>> "Starting a test where posts from Threads accounts will be available on Mastodon and other services that use the ActivityPub protocol. Making Threads interoperable will give people more choice over how they interact and it will help content reach more people. I'm pretty optimistic about this."
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I haven't been able to probe WebFinger for threads.net accounts, nor do Threads URLs reply with Activity Streams 2.0 content.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> ```
>>>>>>>>>>>>> curl -H "Accept: application/activity+json" https://www.threads.net/@zuck
>>>>>>>>>>>>> curl -H "Accept: application/activity+json" https://www.threads.net/@zuck/post/C0zXcQmxO77
>>>>>>>>>>>>> curl -v "https://www.threads.net/.well-known/webfinger?resource=acct:zuck@threads.net"
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> ```
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Has anyone else been able to find signs of this "test" going on?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Evan
>>>>>>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> -- 
>>>>>>> https://snarfed.org/
>>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> https://snarfed.org/