reports.md (4236B)
1 # Reports / Flag Activity Federation 2 3 This document contains design notes for GoToSocial's federated (s2s) Flag functionality. 4 5 ## What do existing implementations do? 6 7 Information below is true as of Jan 2023. If you're reading this much later, the below things may no longer apply. 8 9 ### Mastodon 10 11 Mastodon uses the Flag activity to federate reports to other AP servers. 12 13 The Activity is wrapped inside a Create, which is addressed To the Inbox of the offending account. 14 15 To preserve anonymity of the reporter, the instance Actor is used as the Actor of the Activity. 16 17 Examples of the unwrapped Flag: 18 19 ```json 20 { 21 "@context": "https://www.w3.org/ns/activitystreams", 22 "actor": "https://example.org/actor", 23 "content": "misinfo: it's not a good morning", 24 "id": "https://example.org/341e866f-93f8-4755-9cf4-f8fb17f434fd", 25 "object": [ 26 "https://bad.instance/users/tobi", 27 "https://bad.instance/users/tobi/statuses/01GP388K19DGXSV3SW2RXWM533" 28 ], 29 "type": "Flag" 30 } 31 ``` 32 33 ```json 34 { 35 "@context": "https://www.w3.org/ns/activitystreams", 36 "actor": "https://example.org/actor", 37 "content": "smellyyyyyyyyyyyyy", 38 "id": "https://example.org/3088184f-81b2-4545-8ce2-4cee4895449f", 39 "object": "https://bad.instance/users/tobi", 40 "type": "Flag" 41 } 42 ``` 43 44 The `content` field contains the report description. 45 46 The `object` field contains the reported Account URI and optionally one or more Note/Article/etc URIs. `object` value will be a string if just the Account URI is reported, or an array if the Account and one or more posts are being reported. 47 48 The `id` field is a generic URI that doesn't reveal any metadata. Trying to GET this URI gives a 404 Not Found error, which is OK since all the info needed to process the report is included in the Activity already. 49 50 ### Misskey 51 52 Misskey uses the Flag activity to federate reports to other AP servers. 53 54 The Activity is wrapped inside a Create, which is addressed To the Inbox of the offending account. 55 56 To preserve anonymity of the reporter, the instance Actor is used as the Actor of the Activity. 57 58 Example of the unwrapped Flag: 59 60 ```json 61 { 62 "@context": "https://www.w3.org/ns/activitystreams", 63 "actor": "https://example.org/users/909i45meeo", 64 "content": "Note: https://bad.instance/@tobi/statuses/01GPB56GPJ37JTK9HW308HQKBQ\n-----\nincites anti-police behaviour while being cute! ⛔", 65 "id": "https://example.org/db22128d-884e-4358-9935-6a7c3940535d", 66 "object": "https://bad.instance/users/tobi", 67 "type": "Flag" 68 } 69 ``` 70 71 The `content` field contains the report description. Unlike with Mastodon, `content` also seems to include one or more statuses, as opposed to including statuses in the `object` field. 72 73 The `object` field contains the reported Account URI. 74 75 Trying to dereference the `id` field for a Misskey report with `Accept: application/activity+json` gives a 200 OK, but the returned content is some HTML unrelated to the report, so functionally equivalent to Mastodon's 404 behavior. Again, this is not really a problem. 76 77 ### Calckey 78 79 Same as Misskey. Example: 80 81 ```json 82 { 83 "@context": "https://www.w3.org/ns/activitystreams", 84 "actor": "https://example.org/users/97wsu4gkns", 85 "content": "Note: https://bad.instance/@tobi/statuses/01GPB56GPJ37JTK9HW308HQKBQ\n-----\nTest report from Calckey", 86 "id": "https://example.org/b9a02404-d007-4b31-8dd6-bfc53387ad85", 87 "object": "https://bad.instance/users/tobi", 88 "type": "Flag" 89 } 90 ``` 91 92 ### Pleroma / Akkoma 93 94 todo 95 96 ### Friendica 97 98 Unsure: Friendica and GoToSocial still don't federate properly with one another (https://github.com/superseriousbusiness/gotosocial/issues/169) so it's hard to test this. 99 100 ## What should GoToSocial do? 101 102 Since the above implementations of Flag seem fairly consistent, GoToSocial should do more or less the same thing when federating reports outwards. So GtS ought to adopt the Mastodon behavior: 103 104 - Wrap Flag Activity in a Create and deliver it to the offending account. 105 - Use the GtS instance Actor as the Actor of the Flag. 106 - Generate an ID that doesn't reveal who created the report. 107 - Include Actor and one or more Note / Article / etc URIs in the `object` field 108 109 For incoming reports, all the above fields should be handled in order to generate a report for admins to look at.