Follow.onl

Activity Pub Remote Follow

Purpose

This service is meant to make it easier to follow people on ActivityPub instances through links online. This service allows users to have their local instance signup page a click away.

How it works

ActivityPub instances use something called webfinger to find out information about a user and the instance it's on. This service uses the webfinger protocol to resolve the target user's instance, if allowed by CORS, and gets the profile page and canonical account name from the webfinger response.

If a canonical lookup of the webfinger endpoint is not possible (due to CORS), the service will attempt to infer a valid profile path from the provided account name itself. This is not guaranteed to work, but it's good enough as a fallback. The remote follow system will most likely still operate as normal.

The first time someone gets linked to this service, they are asked to submit their own username. This service will in turn use webfinger to find out their follow link, and store it in the browser's local storage. This way, the next time someone clicks on a link to this service, they will be able to follow the target user instantly.
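The lookup and redirect described above, as an added example that is not this service's own source. It assumes the follow template is published under the `http://ostatus.org/schema/1.0/subscribe` link relation (the one Mastodon-compatible servers use); the function names and the sample webfinger response are constructed for illustration. The template is checked before use because it comes from a remote server and ends up as a redirect target.

```javascript
// Added example, not the service's code. Assumed link relation for the follow template.
const SUBSCRIBE_REL = "http://ostatus.org/schema/1.0/subscribe";

// Split "@user@host", "user@host" or "acct:user@host"; null if malformed.
function parseAccount(input) {
  const m = /^(?:acct:)?@?([^@\s\/]+)@([^@\s\/:?#]+)$/.exec(String(input).trim());
  return m ? { user: m[1], host: m[2].toLowerCase() } : null;
}

// Webfinger lookup URL (RFC 7033) for a parsed account.
function webfingerUrl(acct) {
  return `https://${acct.host}/.well-known/webfinger?resource=` +
    encodeURIComponent(`acct:${acct.user}@${acct.host}`);
}

// Take the follow template from a webfinger response. Accept it only if it is
// an https URL containing the {uri} placeholder; reject anything else.
function extractFollowTemplate(jrd) {
  const link = (jrd.links || []).find((l) => l.rel === SUBSCRIBE_REL);
  if (!link || typeof link.template !== "string") return null;
  if (!link.template.includes("{uri}")) return null;
  let url;
  try { url = new URL(link.template.replace("{uri}", "x")); } catch { return null; }
  return url.protocol === "https:" ? link.template : null;
}

// Fill the stored template with the target (handle or profile URL), percent-encoded.
function buildFollowUrl(template, targetUri) {
  return template.replace("{uri}", encodeURIComponent(targetUri));
}

// Constructed sample webfinger response for a follower on social.example.
const sampleJrd = {
  subject: "acct:alice@social.example",
  links: [
    { rel: "http://webfinger.net/rel/profile-page", type: "text/html",
      href: "https://social.example/@alice" },
    { rel: SUBSCRIBE_REL,
      template: "https://social.example/authorize_interaction?uri={uri}" },
  ],
};
```

In a browser, the value returned by `extractFollowTemplate` is what would go into local storage, and `buildFollowUrl` produces the address to redirect to on later visits.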

What about privacy?

While this service DOES store the template path in the browser's local storage, it does not store any information about the target user. The stored path generally looks like this: https://instance.url/authorize_interaction?uri={uri}. It is used to redirect the user to their local instance's follow page.

This service is hosted on GitHub Pages, and is completely static. No data is collected by me, and since I've opted to use URL hashes for the user links, not even the username is sent to the server. So GitHub cannot see who is being followed using this service, nor the username of who is following.

Since the follow template is stored in local storage, it also never leaves the user's browser. However, the browser will run any JavaScript on the page, so while you can make sure that it does what I claim today, it could potentially leak your follow template in the future. But since your username is not sent to the server, at most what could be leaked with the current source code is which instance you're on.

I know internet privacy is a big deal for many, and I've tried to make the follow page, where potentially sensitive information is managed, as transparent as possible. No JavaScript framework or minified code. Not even external JavaScript resources. It's all in the HTML in a script tag. Commented and raw, in an effort to make it as trivial as possible to vet and audit the code that is actually executed.

Do I need to authorize or anything?

No. This service does not require any authorization. It does not even require you to be logged in to your instance. It's just a simple redirect to your instance's follow page. The only thing you need to do is to make sure that you have a valid username on your instance. It doesn't even have to be your own username, since the follow-endpoint is not tied to any specific user.