Hello !
When someone connects to my instances communities, but from another instance, how do I know it’s no spoofing involved?
Cheers
Hello !
When someone connects to my instances communities, but from another instance, how do I know it’s no spoofing involved?
Cheers
Okay so it’s the lemmt server running my instance that checks it is the right user. Do you know how it is done ?
I reread your post, so it’s a signature in the http call?
It should be a signature that is sent together with the ActivityPub Object. Yes, if the signature doesn’t match, the content, whether a post, comment, favorite, upvote, etc… should be dropped.
Here is the source code of the library that lemmy uses to handle incoming objects and you can see that it does a call to verify the signature of the actor:
https://docs.rs/activitypub_federation/latest/src/activitypub_federation/actix_web/inbox.rs.html#18-54
It’s a https certificate connected to the domain name of the instance.
Okay thank you very much!