Inconsistent inclusion of port in HTTP signatures
I'm using a small, non-public installation of the docker container `git.pleroma.social:5050/pleroma/pleroma:latest` with backend version 2.4.53-863-g9f708037.
(I'm not a real Pleroma user, I'm just using it to send some ActivityPub stuff to code I'm running.)
I've noticed that when Pleroma requests, for example, an Actor's data, it uses a `GET` request with the key `/internal/fetch#main-key`. When it signs the request, it uses the Host header without the port.
When it's sending data from a user, it uses a `POST` request with the person's key `/users/personname#main-key`. When it signs the request, it uses the Host header with the port.
In other words:
- When it gets `http://localhost:8080/users/personname` it generates the signature with `host: localhost`.
- When it sends to `http://localhost:8080/users/personname/outbox` it generates the signature with `host: localhost:8080`.
The RFC for HTTP signatures doesn't seem to mention one way or the other whether to use the port so I don't know which one is 'right'. It does seem they should be consistent though.
This inconsistency only appears if the target (my code) is running on a non-default port, which means this likely applies to very few people (mainly developers?) so has very little impact.
I've got a workaround for it in my code so it's not a big deal. I just figured I should mention it here now that I've noticed it.
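The mismatch described in this report, seen from the receiving side, as an added example that is not part of the original report and not Pleroma's code: a verifier that rebuilds the signing string with its own hostname both with and without its own listening port, and rejects any other Host value. Assumptions: HMAC-SHA256 stands in for the actor's RSA-SHA256 key so the block runs with the standard library only, the request arrives with `Host: localhost:8080` on the wire, and all function names, the key and the date are constructed for illustration.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for the actor's RSA key

def signing_string(method, path, headers, signed):
    """Build the signing string from the names listed in the Signature header."""
    out = []
    for name in signed:
        if name == "(request-target)":
            out.append(f"(request-target): {method.lower()} {path}")
        else:
            out.append(f"{name}: {headers[name]}")
    return "\n".join(out)

def mac(text):
    return hmac.new(KEY, text.encode(), hashlib.sha256).digest()

def sign(method, path, headers, signed):
    """Sender side, used only to construct the sample requests below."""
    return base64.b64encode(mac(signing_string(method, path, headers, signed))).decode()

def verify(method, path, headers, signed, sig_b64, own_host, own_port):
    """Return the host form the signature covers, or None if it does not verify.
    Only this server's own name, with or without its own port, is ever tried."""
    candidates = [f"{own_host}:{own_port}", own_host]
    if headers.get("host") not in candidates:
        return None
    sig = base64.b64decode(sig_b64)
    for host in candidates:
        trial = dict(headers, host=host)
        if hmac.compare_digest(mac(signing_string(method, path, trial, signed)), sig):
            return host
    return None

SIGNED = ["(request-target)", "host", "date"]
DATE = "Tue, 01 Jan 2030 00:00:00 GMT"  # constructed
WIRE = {"host": "localhost:8080", "date": DATE}  # headers as received (assumed)

# GET signed over "host: localhost", POST over "host: localhost:8080", as in the report.
GET_SIG = sign("GET", "/users/personname", {"host": "localhost", "date": DATE}, SIGNED)
POST_SIG = sign("POST", "/users/personname/outbox", WIRE, SIGNED)

def demo():
    return (verify("GET", "/users/personname", WIRE, SIGNED, GET_SIG, "localhost", 8080),
            verify("POST", "/users/personname/outbox", WIRE, SIGNED, POST_SIG, "localhost", 8080))
```

Restricting the candidates to the server's own name and port keeps the `host` binding meaningful: a signature made for a different host still fails.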