Another curious #ActivityPub / #MastodonAPI issue.

Another curious #ActivityPub / #MastodonAPI issue.

A Mastodon server is sending me a DELETE message.

The delete is because a user has been deleted.

My server tries to validate the HTTP Signature.

My server looks up the deleted user's main-key.

The user has been deleted so the public key 404s.

My server never acknowledges the delete, so the other server keeps sending me the same request.

So… How do I validate the signature of a deleted user?

@Edent ugh it naively makes sense to delete records but unfortunately you always have to keep them around for some period of time and have a flag. I think every developer (myself included) has made this mistake at some point. I'm not sure if it's an issue with AP or just with whichever server implemented this.

I guess the answer is "I should have saved the user's public key previously"?

@Edent Do you really need to validate a request to delete an user that was already deleted? What's the harm of a spoofed request? An unnecessary database lookup leading to DOS? It's not like you're going to delete it twice.

@hirvox How do I know that they are deleted?
I *guess* that the account 404ing is evidence, but I'm worried it might be a mistake.

But perhaps the problem is *me*?

My script just dies on that error. It never responds.

I'm going to try sending an HTTP 202 status. If that doesn't work, a 200.

Let's see if that helps!

@Edent Check the logs in case the original deletion was recent. If the logs might have been deleted..

Some big event-sourced systems keep every single event to be able to go back and check, but that kind of forever storage would be illegal in right-of-erasure jurisdictions.

@Edent Happens to my server all the time too.

My approach is to check to see if I have that actor profile stored already.

* If I do, I'll have the public key so can check the signature.
* If I don't, there's nothing for me to do/delete, so I just return OK.

But this is because my implementation stores the actor profile for every message it keeps, and I guess that's not generally true for other servers.

@hirvox as far as I can tell, the deletion was some time ago - and I don't keep longs for that long.

@Edent would it hurt to just respond ok? If you don't know the user then you don't can't know the message either. If you were told to delete something you don't have, would you error, or just reply that it has been deleted?

@SDF hi - I think your instance might be misconfigured.
You keep sending me delete messages for deleted users.
I'm replying with HTTP 200 - but you keep sending the same requests over and over again.
Is this something you're able to fix?

@gundersen True. I've tried returning OK - but the messages keep coming. Very odd!