|
I've seen a bit of discussion lately about Mastodon's AUTHORIZED_FETCH and DISALLOW_UNAUTHENTICATED_API_ACCESS settings and since I had a hard enough time myself figuring out what they do based on the documentation and Discord comments, I wrote up what I hope is a more approachable explanation. https://hub.sunny.garden/2023/06/28/what-does-authorized_fetch-actually-do/ 23 comments
Wow, thank you. This helps _a lot_ in understanding how blocking/defederating works and what loopholes/problems maybe arise if there are some important toggles not switched. And I am not even an admin. π @PaulaToThePeople @brook This is really good β thank you! Do you think in the future the setting that disables unauthorised API access might be separated from the instance website in some way (by authorising whatever component serves web requests, for example)? I can see the argument for wanting to lock down everything, or people blocked one way will just go the other, but having a bit more granularity around these options might be good β so people can disable the API without trashing the website. @brook Wow, interesting - thank you. I can see the argument for not having two different web interfaces.... kind of. Certainly two whole separate web interfaces would be overkill. The decision to make both the site and the API used elsewhere controlled with one switch still leaves me a bit cold, though. Thankfully I'm not an admin, so I don't have to worry too much about it, but I don't envy those that do. Thank you for explaining the background! π @brook Sorry to bother you but do you know how to check the ENV of the running server so I can make sure my configuration has changed? @hamishtpb @brook If you can access a Linux shell, `echo $VAR_NAME` will print the value of a specific variable. @weevil I found a couple of methods now, the only problem is that Mastodon launches a whole host of processes and I can't work out which one I need to check π `/proc/<pid>/environ` or `ps eww <pid>` are good.  This Fetch and API access is a bit beyond me but I bet people following #MastodonServer #MastodonInstance #mastodonAdministration #MastodonAdmin #MastoAdminTip and #MastoAdmin Might like it. Thanks for writing it up!  @brook pretty good explanation, from my understanding of signed fetches, that section appears to be accurate  @brook Thank you for writing this.    @brook @welshpixie Iβve just started building a tool that, among other things, displays your latest Mastodon statuses on your home page. DISALLOW_UNAUTHENTICATED_API_ACCESS would make life a bit more complicated for me and my users (thatβs me, Iβm my users.)  |
Gregory's Server
@brook thanks for writing this up