med-mastodon.com is one of the many independent Mastodon servers you can use to participate in the fediverse.
Medical community on Mastodon

#webfinger


#FediverseHistogram

On October 2, 2013, GNU social developer MMN-o (Mikael Nordfeldth) published a blog piece announcing that they'd rolled out a change to their WebFinger implementation, adding backwards-compatible support for the RFC7033 version;

"Plus of course the former RFC6415 (Web Host Metadata), which StatusNet supports (but only XRD format)."

web.archive.org/web/2016072211

For those who don't know, mastodon.social was created to federate with #GnuSocial servers.

web.archive.org · GNU Social now supports WebFinger (RFC7033) | MMN-o | Blog

"That's the irony of what Blaine did when he created WebFinger. It was supposed to support multiple! It wasn't supposed to just be this is your fediverse address, it was supposed to be, here's how you find all the different account of information about me, and different things."

@rabble, 2025

wedistribute.org/podcast/s2e3-

So ... WF is meant to facilitate something like Libravatar, where all roads lead back to a canonical profile? Hmm ...

We Distribute · S2E3 – Rabble from Nos.Social

🎉 Huge shoutout to two amazing contributors from Korea's #OSSCA program who've made excellent contributions to #Fedify!

👏 @gaebalgom tackled a tricky terminal compatibility issue in PR #282, fixing the fedify node command's favicon display on terminal emulators without truecolor support (#168). His solution elegantly detects terminal capabilities and falls back to 256-color mode when needed—ensuring a great experience across different environments.

🌟 @joonnot enhanced Fedify's #WebFinger functionality in PR #281 by adding a configurable maxRedirection option to the lookupWebFinger() function (#248). He transformed a hardcoded limitation into a flexible, user-customizable parameter while maintaining perfect backward compatibility.

Both delivered thoughtful, well-implemented solutions that showcase the quality of contributions coming from the OSSCA program. Welcome to the Fedify community! :fedify:

🎉 Big thanks to @2chanhaeng for his first contribution to #Fedify! He implemented the new fedify webfinger command in PR #278, which allows isolated #WebFinger lookups for testing configurations. This addresses the need for developers to test WebFinger functionality without performing comprehensive object retrieval.

The contribution includes:

  • A new fedify webfinger <handle> command that accepts @user@domain format handles or URIs
  • Clean JSON output of WebFinger JRD results
  • Proper error handling for invalid handles and lookup failures
  • Complete #CLI integration with help text and usage examples

This was originally filed as issue #260 and marked as a good first issue—perfect for newcomers to learn the codebase structure while contributing meaningful functionality. The PR has been merged and will be included in the upcoming Fedify 1.8.0 release.

We appreciate all first-time contributors who help make Fedify better for the entire #fediverse community. Welcome aboard, ChanHaeng!

unstable.fedify.dev · fedify: CLI toolchain | Fedify
The fedify command is a CLI toolchain for Fedify and debugging ActivityPub-enabled federated server apps. This section explains the key features of the fedify command.

I'd love to know more about what you're thinking here.

I don't think we're replacing #Webfinger. I think we're trying to follow through on #WhatCorySaid at #FediForum (youtube.com/watch?v=7_Gs1t0qe78)

...which is basically: Let regular people take their account to a new server any time they want, without relying on awful XML/CSV import/export jobs. This would go a long way to solving Fediverse UX issues and preventing enshittification.

Is there more that I've missed?

@mro @j12t @tchambers

Pleroma Webfinger compatibility

Does anybody know what exactly Pleroma needs for a valid Webfinger check? I'm attempting to figure out why @jmtd@pleroma.debian.social won't resolve in NodeBB, and it's because the webfinger call returns 400 Bad Request.

NodeBB is calling https://pleroma.debian.social/.well-known/webfinger?resource=acct%3Ajmtd%40pleroma.debian.social with User-Agent and Content-Type headers (curiously, it's not sending Accept, but it also fails if that header is set, so that's irrelevant.)

Navigating to that webfinger url in the browser returns XML, which is :grimacing: but I'm not even getting that when NodeBB makes the call.

community.nodebb.org/post/1044


Fetching remote #ActivityPub objects or actors often involves handling #WebFinger lookups, content negotiation, and then parsing potentially untyped JSON.

With #Fedify, it's much simpler: use Context.lookupObject(). Pass it a URI (e.g., https://instance.tld/users/alice) or a handle (e.g., @alice@instance.tld), and Fedify handles the lookup and content negotiation automatically.

The real power comes from the return value: a type-safe Activity Vocabulary object, not just raw JSON. This allows you to confidently access properties and methods directly. For example, you can safely traverse account moves using .getSuccessor() like this:

import { isActor } from "@fedify/fedify";

// ctx is the Context object passed to the handler
let actor = await ctx.lookupObject("@alice@instance.tld");
while (isActor(actor)) {
  const successor = await actor.getSuccessor();
  if (successor == null) break;
  actor = successor;
}
// actor now holds the latest account after moves

This is readily available in handlers where the Context object is provided (like actor dispatchers or inbox listeners).

Focus on your app's logic, not protocol boilerplate!

Learn more: https://fedify.dev/manual/context#looking-up-remote-objects

fedify.dev · Context | Fedify
The Context object is a container that holds the information of the current request. This section explains the key features of the Context object.

Have you ever asked yourself how the BSD Café Mastodon instance was built?

Stefano has written here what he has done. You should have at least rudimentary knowledge of what a jail is in order to follow everything in at least a simple manner.

In short, a jail is much more efficient than a VM, uses much less resources and it's easier to control.

If you take the time to study all the subjects, you will be able to build a FreeBSD instance of Mastodon yourself; all the information necessary is provided here, and deep to very deep details you can dig up yourself.

wiki.bsd.cafe/bsdcafe-technica

🖋️ #bash #sh #zsh #ksh #csh #tsh #programming #JavaScript #Mastodon #freeBSD #ngix #json #POSIX #SocialMedia #webfinger

I have had an account on an instance where the System Operator had to shut down because the operational costs were too high to sustain the node. All proper precautions were made and the operator gave us more than six weeks to get all of our followers moved somewhere else. He also made sure that everybody got the message by sending it multiple times, also through email. I've made an account there because that place was bot-friendly {botsin.space/} and I was going to create a bot on that instance.

However, since I put so few toots out there on that account, I didn't even bother to download them. And since I'm quite aware of high internet costs, I also make sure that I have accounts on different places, because in the end somebody is paying for it, either in cash or by using surplus bandwidth and surplus disc area space.

We as Fediverse Community users should realise that nothing is free apart from Air and Water; everything else costs either Time, Space_Time or Energy, often a combination of the latter two.

I've just checked and botsin.space/ still seems to be up as a read-only instance.

🖋️ #bash #sh #zsh #ksh #csh #tsh #programming #JavaScript #Mastodon #freeBSD #ngix #json  #POSIX #SocialMedia #webfinger

In this article Stefano explains to you how to use a web finger system so that people can always find your address.

An important message here is that _you should always own your data_. So do not rely on cloud or web services to maintain your data. Always remember that many of those massive conglomerates use your data and sell it, literally sell it, or the metadata of it, to the highest bidder.

Within the Fediverse it's easy to migrate from one server to the next; your followers will automatically follow your new account.

it-notes.dragas.net/2024/10/08

🖋️ #bash #sh #zsh #ksh #csh #tsh #programming #JavaScript #Mastodon #freeBSD #ngix #json #POSIX #SocialMedia #webfinger


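We have released security updates (1.0.14, 1.1.11, 1.2.11, and 1.3.4) for CVE-2025-23221, a vulnerability in Fedify's WebFinger implementation. We recommend that all users promptly update to the latest version for the release series they are using.

Vulnerability details

A security researcher discovered the following security issues in Fedify's lookupWebFinger() function:

  • Possible denial-of-service (DoS) attacks through infinite redirect loops
  • Possible SSRF (server-side request forgery) attacks through redirects to private network addresses
  • Possible access to unintended URL schemes through redirect manipulation

Fixed versions

  • 1.3.x series: update to 1.3.4
  • 1.2.x series: update to 1.2.11
  • 1.1.x series: update to 1.1.11
  • 1.0.x series: update to 1.0.14

Changes

This security update makes the following fixes:

  1. Introduces a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricts redirects to the same scheme (HTTP/HTTPS) as the original request
  3. Blocks redirects to private network addresses to prevent SSRF

How to update

You can update to the latest secure version with the following commands:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly reported this vulnerability, which allowed us to respond quickly.

For details of this vulnerability, please see the security advisory.

If you have any questions or concerns, please feel free to contact us through GitHub Discussions, the Matrix chat space, or the Discord server.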

GitHub · Infinite loop and Blind SSRF found inside the WebFinger mechanism
Summary: This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security...
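The three changes listed in the announcement above (a redirect limit of 5, same-scheme redirects only, no redirects to private addresses), sketched as a redirect-chain validator. This is an added example, not Fedify's code: `isPrivateHost`, `resolveRedirects`, the `responses` map and the `.example` hosts are hypothetical, and the address check covers literal IPs only, not DNS resolution.

```javascript
// Added illustration, not Fedify's source; every name below is hypothetical.
const MAX_REDIRECTION = 5; // limit named in the announcement

// True for literal loopback, private or link-local hosts. Literals only:
// a real client must also check the addresses a host name resolves to.
function isPrivateHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  // IPv6 literal: loopback/unspecified, fc00::/7, fe80::/10, IPv4-mapped
  return host.includes(":") &&
    (host === "::1" || host === "::" || /^f[cd]/.test(host) ||
      /^fe[89ab]/.test(host) || host.startsWith("::ffff:"));
}

// Follows Location headers taken from `responses` (URL -> Location), a
// constructed stand-in for the network, applying the three checks in order.
function resolveRedirects(startUrl, responses, max = MAX_REDIRECTION) {
  let current = new URL(startUrl);
  const scheme = current.protocol;
  for (let hops = 0; ; hops++) {
    const location = responses[current.href];
    if (location == null) return { ok: true, url: current.href };
    if (hops >= max) return { ok: false, reason: "too many redirects" };
    let next;
    try { next = new URL(location, current); }
    catch { return { ok: false, reason: "invalid Location" }; }
    if (next.protocol !== scheme) return { ok: false, reason: "scheme changed" };
    if (isPrivateHost(next.hostname)) return { ok: false, reason: "private address" };
    current = next;
  }
}

// Constructed sample: a two-URL redirect loop and a redirect to a private host.
const Q = "/.well-known/webfinger?resource=acct%3Aalice%40social.example";
const SAMPLE = {
  ["https://social.example" + Q]: "https://loop.example" + Q,
  ["https://loop.example" + Q]: "https://social.example" + Q,
  ["https://other.example" + Q]: "https://192.168.1.10/internal",
};
console.log(resolveRedirects("https://social.example" + Q, SAMPLE));
console.log(resolveRedirects("https://other.example" + Q, SAMPLE));
```

Each rejected Location header stops the lookup before any request is sent to the redirect target.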