Recently, I discussed with a friend ways to simplify the process of following accounts across Mastodon instances. There have been a wave of chrome extensions for achieving this, I personally use Mastodon Profile Redirect. We considered the idea of browsers implementing a fedi:
scheme, like mailto:
, for links. However, I was reminded of the easy follow mechanism in older Mastodon versions and wanted to document how it worked and ponder why it was removed 🤔.
What's the issue?
Let's say your instance is indieweb.social
and you want to follow someone on a different instance, say tech.lgbt
(which uses v4.0.2). What currently happens? It will show this popup when you press the follow button:
Can you see that? It actually asks you to copy and paste into your instances search box 🤦...
Copy and paste this URL into the search field of your favourite Mastodon app or the web interface of your Mastodon server.
What happens on older versions of mastodon?
I had to do some digging to find an example server to use running 3.0, I found usne.social. When you attempt to follow someone on 3.0 you're greeted by this popup. For me my username@instance
is pre-populated by chrome making it really easy to fill.
The second popup is optional, and depends if your logged into your instance already, it's unlikely you'd see this but is essential to understanding how this works.
Then I get another popup.
How does this work?
Older versions of Mastodon use special endpoints, redirects, and cookies to navigate users to the desired location.
Here are the URLS in order:
<FOREIGN_INSTANCE>/users/<FOLLOWING_USER>/remote_follow
-
<YOUR_INSTANCE>/auth/sign_in
(optional) <YOUR_INSTANCE>/authorize_interaction?uri=<FULL_PROFILE_URL>
From this you can get a better understanding of the redirects involved. First you start out on the account you want to follow and input your username@instance
this allows the foreign instance to redirect you to your instance, which checks if there's a logged in user, if not asks you to log in, if yes, provides a page with a follow button for you.
Conclusion
I wonder why this feature was dropped in 4.0. Perhaps it presented a security vulnerability if someone "faked" the popup and asked for user credentials? If you have any thoughts or relevent github comments let me know below!
Top comments (0)