I’m working on handling OAuth token expiry as part of #ktistec Mastodon API support. Is my understanding that Mastodon issues OAuth tokens with no expiration correct?!?

This release is a maintenance update: a few bug fixes, a security mitigation worth paying attention to, and some performance improvements for users on slow connections.

It's worth updating to pick up the SSRF (Server-Side Request Forgery) mitigation.

Fixed

• Prevent SSRF when dereferencing externally supplied IRIs.
• Timeline entry no longer becomes stale when an announce is undone.
• Correctly represent boosted posts on the home timeline in API clients.

Changed

• Defer downloading of script files.
• Defer loading of image, video, and audio attachments.
• Move poll vote notification for voters into the outbox processor.

#ktistec #crystallang #activitypub #fediverse

The Mastodon-compatible API is at a stable stopping point, so I have removed the gating with_mastodon_api build flag and made it generally available.

I use the API daily via a couple different client apps. What works, works. There are known limitations, most of them rooted in architectural differences between Mastodon and Ktistec. For example, Mastodon and Ktistec manage media differently. In Ktistec, there is no simple way to upload and manage media apart from creating a post. That difference will take some work to bridge.

Here's the full changelog for this release:

Added

• Mastodon-compatible API endpoints:
  • /api/v1/accounts
  • /api/v1/accounts/lookup
  • /api/v1/accounts/:id
  • /api/v1/accounts/:id/statuses
  • /api/v1/accounts/:id/following
  • /api/v1/accounts/:id/followers
  • /api/v1/accounts/relationships
  • /api/v1/follow_requests
  • /api/v1/polls/:id/votes
  • /api/v1/preferences

Fixed

• Correctly resolve keyId from Signature header for inbox verification.

Changed

• Support both offset and cursor-based pagination in JSON collections.
• Switch following/followers pages to cursor-based pagination.

Credit goes to this thread for inspiring me to review my signature verification. There is now one more correct implementation. 😉

The next release will focus on cleaning up the internals. Ktistec is just under 100,000 lines of code, 307 source files, and 195 spec files (7030 tests). With one maintainer, the only way to stay sane is by ruthlessly refactoring and paying down the debt!

#ktistec #crystallang #activitypub #fediverse

mastodon API support in Ktistec is almost an MVP. building it has involved an unexpected number of side quests. but some of them have been worthwhile excursions—Ktistec will be getting cursor based pagination (a popular request) and offset/limit pagination will be going away.

#ktistec

Release v3.3.4 of Ktistec is available.

This release adds Mastodon-compatible client support for publishing posts. Just like the previous release, however, all Mastodon API support is behind a build flag (-Dwith_mastodon_api). It's still experimental, so opt in only if you're happy to work with rough edges.

Beyond that, I focused on cleanup and refactoring throughout the codebase. Here's the full changelog:

Added

• Cursor-based pagination on actor timeline and everything pages.
• Mastodon-compatible API: /api/v1/statuses endpoint for status posting.
• Mastodon-compatible API: /api/v1/timelines/public endpoint.

Fixed

• Autosave focus handling. Fixes problems introduced in v3.3.3.
• Prevent blur from creating a draft post when publishing a post.

Changed

• Integrate X-Ray Mode colors into the theming system.
• Improve CI: add npm audit, test, and caching.
• Use npm ci in Dockerfile for reproducible builds.
• Remove very old compiler bug work-around.

🏋️ Mastodon API support is coming along—more in the next release!

#ktistec #crystallang #activitypub #fediverse

test post from tusker via Mastodon-compatible API… #ktistec

I have started work on a Mastodon-compatible API layer intended to support the many Mastodon front-ends available. It is incomplete and requires an explicit build flag to enable, but what's there (the main timeline) already works with the official Mastodon app, Tusky, and Phanpy.

Here's the full changelog:

Fixed

• Editor focus now stays in the editor after the first draft is saved. (fixes #139)
• Filter settings instructions. (fixes #135)

Changed

• Improved consistency of mini button colors.

As always, check out the full diff for the complete details.

#ktistec #crystallang #activitypub #fediverse

This small release focused on two big deliverables: support for the latest version of Crystal and fixes for a few delivery issues.

Previous releases supported a wide range of Crystal Language versions, but ran into problems with version 1.17.x and beyond due to breaking changes in the standard library. This release works on 1.19.1 but also requires at least 1.19.1.

This release also fixes a bug, present since mid-2020 when HTTP signatures were first added, that resulted in signatures some fediverse servers wouldn't accept. Mastodon did, but with the proliferation of new ActivityPub servers, I increasingly encountered servers that did not.

Here's the full changelog:

Fixed

• HTTP signature keyId now includes #main-key fragment.
• IRI matching during dereferencing.
• Broken down-detection for actors.

Changed

• Fall back to Activity Streams context if supplied context is empty.
• Deliver to personal inbox if delivery to shared inbox fails.

It's always good to stay up-to-date on releases. But if your platform doesn't yet support 1.19.1, I've also released a parallel branch that still runs on 1.16.3 and earlier. I'll maintain that branch for the next few releases to give everyone time to upgrade.

#ktistec #crystallang #activitypub #fediverse

I think I’m going to work on a Mastodon-compatible API next. I did all the hard work figuring out what I need to change months ago so this should be smooth. I’m happy with the existing #ktistec UI but there is a lot of interesting work on the client side that I’d like to sample.

FWIW, I’m not opposed to C2S—Ktistec comes with a lot of the necessary abstractions. But I feel like my users, myself included, will get more bang out a Mastodon-compatible API. (But change my mind!)

The latest release of Ktistec addresses the shortcomings of the previous release that became apparent after using quote posts in production for a few days. So far, there have been no major bugs, but there was room for improvement.

Here's the full changelog.

Added

• Federation documentation (FEDERATION.md).
• Visibility (private or direct) icon in object summary.
• Object social activity details include dislikes.
• "quotes-me" theming class for objects.
• Notification for quote posts.
• MCP integration for quote posts.

Changed

• Renamed NodeInfo siteName to more standard nodeName.
• Increased hard-coded limits for actor attachments and pinned collections.

Fixed

• Displaying quoted posts in draft view.
• Visual indication of nested quotes in object view.

I added a FEDERATION.md document to the project. This is documentation required by FEP-67ff on "information necessary for achieving interoperability with a federated service". The document describes, at a high level, what federation protocols and standards Ktistec currently supports.

#ktistec #crystallang #activitypub #fediverse