Feature Request: Drop (certain) Delete requests? #554
Comments
Seems it merely tries to fetch the remote public key for sig verification (which then fails because the remote profile probably responds with a 410, although I get why you'd want to verify these requests :-D), but I'm wondering if we can't simply skip this step for "Deletes" of unknown users, and return a "444" or similar, or even a 202, but return early or terminate the request.
I am currently working on activity handlers to better support delete and update requests. I will ping you in the PR if I have something to show!
Had another look and decided to try and write a In it, I mainly just check for the This is probably overkill, still; I think I could, right now at least, also just choose to defer verification. (I don't think Deletes are acted upon at all?) But simply terminating the request seemed safer. In fact, if Deletes really are silently discarded by the plugin, we could probably just skip verification for all of them. Or I could create my own Also, as I type this, I realize I
😅 I actually started a follow-up to #552 yesterday which checks for a delete actor request, compares to known commenters, and either skips the delete or goes ahead and deletes all the comments if the actor is known.
@janboddez I currently work on the delete handler and experiment with late signature verification. Something like: if the user is in the follower list, verify the request and delete it, otherwise ignore it!
Or rather we must not check the signature at all on delete, it could be a simple check for HTTP code 404 or 410!
@pfefferle This is what I've done in #561
This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
What
Seeing a lot of Delete activities in debug.log, followed by a 401 response ("Remote profile not accessible" or something).
But I'm (i.e., my WordPress user is) not following anyone, and less than 0.01% of these Deletes concern followers of mine.
Don't think it makes sense to look up remote profiles for all of these Delete requests. If they concern a follower, we should probably verify the delete actually took place. If not, can't we just drop the request and be done with it? (Or maybe that's already happening and the debug is simply ambiguous?)
Why
Don't think it makes sense to look up remote profiles for Delete requests if they don't concern a profile that we actually know.
Hoping this frees up some server resources.
How
No response
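
The triage discussed in this thread (drop Deletes for unknown actors early, confirm a known actor is gone via a 404/410 on its profile, otherwise verify the signature), sketched in Python as an added example; it is not the plugin's code or the code from #561, and `triage_delete`, `known_actors` and `fetch_status` are hypothetical names. It assumes the shortcut applies only to account self-deletes, where `object` equals `actor`.

```python
from enum import Enum

class Verdict(Enum):
    DROP = "drop"      # unknown actor: answer early (e.g. 202), no remote fetch
    PURGE = "purge"    # known actor confirmed gone: remove its local data
    VERIFY = "verify"  # everything else: normal HTTP signature verification

GONE = {404, 410}

def _iri(value):
    """'actor' and 'object' may be a bare IRI or an embedded object with an id."""
    if isinstance(value, dict):
        value = value.get("id")
    return value if isinstance(value, str) else None

def triage_delete(activity, known_actors, fetch_status):
    """Classify an inbound activity before any public-key lookup.
    known_actors: actor IRIs with local data (followers, commenters).
    fetch_status: callable(iri) -> HTTP status of a GET on that IRI (hypothetical).
    """
    if activity.get("type") != "Delete":
        return Verdict.VERIFY
    actor, obj = _iri(activity.get("actor")), _iri(activity.get("object"))
    # Assumption: only an account self-delete (object == actor) takes the
    # shortcut; deletes of individual posts keep full verification.
    if actor is None or actor != obj:
        return Verdict.VERIFY
    if actor not in known_actors:
        return Verdict.DROP  # nothing stored for this actor, so nothing to fetch
    # The request is unauthenticated at this point, so rely on the origin
    # server's own answer, not on the request body.
    if fetch_status(actor) in GONE:
        return Verdict.PURGE
    return Verdict.VERIFY  # profile still resolves: its key can be fetched

# Constructed sample data, not taken from the issue.
KNOWN = {"https://a.example/users/alice", "https://b.example/users/bob"}
STATUS = {"https://a.example/users/alice": 410, "https://b.example/users/bob": 200}

def self_delete(iri):
    return {"type": "Delete", "actor": iri, "object": iri}

def demo():
    calls = []
    def fetch(iri):
        calls.append(iri)
        return STATUS.get(iri, 404)
    cases = ["https://c.example/users/carol", *sorted(KNOWN)]
    return [triage_delete(self_delete(i), KNOWN, fetch) for i in cases], calls
```

The unknown actor never triggers an outbound request, so unauthenticated Deletes cannot be used to make the server fetch arbitrary profiles; a known actor whose profile still resolves falls back to signature verification instead of being purged on an unverified request.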