Gregory's Server@brook This is really good — thank you!
Do you think in the future the setting that disables unauthorised API access might be separated from the instance website in some way (by authorising whatever component serves web requests, for example)?
I can see the argument for wanting to lock down everything, or people blocked one way will just go the other, but having a bit more granularity around these options might be good — so people can disable the API without trashing the website.
@tokyo_0 so, funny story about that... the public web interface didn't use to use the API. It changed last year in v4.0.0.
If I remember correctly a big reason for the change was there was previously two different web interfaces, one for logged in users and one for logged out users, and this was extra work to maintain both, so they were combined into one.
This is actually why the DISALLOW_UNAUTHENTICATED_API_ACCESS option was added (so people could still disable the new anonymous API access if they were willing to break the web interface).
We can certainly hope that the functionality of these options may improve in the future, but this mostly comes down to the priorities and resources of the Mastodon dev team.
@tokyo_0 so, funny story about that... the public web interface didn't use to use the API. It changed last year in v4.0.0.
If I remember correctly a big reason for the change was there was previously two different web interfaces, one for logged in users and one for logged out users, and this was extra work to maintain both, so they were combined into one.