Bug: /update-profile accidentally sent AP Delete for 16 web users #1379
Comments
|
@tantek posted about this: https://tantek.com/2024/287/t1/fediverse-unfollow-bridgyfed-bug |
|
We're sending DMs to @tantek's followers who hadn't already refollowed to tell them what happened and nudge them to follow again. Here's the code: t = Web.get_by_id('tantek.com')
followers = Follower.query(Follower.to == t.key).fetch()
users = [u for u in ndb.get_multi(f.from_ for f in followers) if u and not u.status]
active_f = [f for f in followers if f.status == 'active' and f.updated < datetime.datetime(2024, 9, 22, 13, 9, 39)]
users = {u.key: u for u in users}
import dms
text = """\
Admin notice: this account (<a href="https://tantek.com/">@tantek.com</a>) was accidentally deleted recently due to a bug in its fediverse provider, which resulted in other fediverse servers removing its followers, including you. We've now restored the account, so feel free to re-follow at your discretion. Sorry for the inconvenience!
[This one-time DM sent by <a href="https://fed.brid.gy/">Bridgy Fed</a> on behalf of <a href="https://tantek.com/">@tantek.com</a>. Bridgy Fed accounts do not yet support receiving DMs.]"""
for i, f in enumerate(active_f):
print(i, user.key.id())
user = users.get(f.from_)
if not user or not user.obj or not user.obj.as2:
print('skipping!')
continue
target = user.target_for(user.obj, shared=False)
id = f'https://fed.brid.gy/tantek.com#delete-bug-dm-{i}'
dm = Object(id=id, source_protocol='web', our_as1={
'objectType': 'activity',
'verb': 'post',
'id': id,
'actor': 'https://fed.brid.gy/tantek.com',
'object': {
'objectType': 'note',
'id': f'{id}-obj',
'author': 'https://fed.brid.gy/tantek.com',
'content': text,
'tags': [{
'objectType': 'mention',
'url': user.key.id(),
}],
'to': [user.key.id()],
'published': util.now().isoformat(),
},
'to': [user.key.id()],
})
dm.put()
try:
activitypub.signed_post(target, data=ActivityPub.convert(dm, from_user=t), from_user=t)
except BaseException as err:
print(err)
# can't use this, it sends from bot user
# dms.maybe_send(from_proto=Web, to_user=user, text=text) |
|
How it looks to me as a user of Ivory on Mastodon. Nice idea, I'm already following Tantek again though, so I probably didn't need to get this. Curious how well it actually works. |
|
Thanks @mattl! And interesting! I tried to exclude users who'd already re-followed, but I guess I didn't try hard enough. |
This one helped me understanding that the mistake was genuine (and not a takeover). Thanks. |
|
It wasn't clear to me that the message was sent on tantek's behalf with his consent or knowledge, which made it somewhat weird. Screenshot of the message on mastodon.social:
|
4df76d0 introduced a nasty bug: for anyone who clicked the 🔁 (update profile) button on their user page, BF deleted their bridged profiles instead. Ugh. Really bad!
This was later fixed in 7015262, along with a test that should have been there in the first place and would have caught this. Bridgy Fed has decent test coverage, 93% right now, but clearly not good enough!
During the window that this bug was live, it hit 19 accounts, all web sites. Of those, only one was active, ie had ever bridged a post: @tantek, tantek.com.
I was able to recover and recreate the bridged Bluesky profiles, including their followers. I was also able to restore the bridged fediverse profiles by sending new
Createactivities to them for his actor manually, and laterUndos for the originalDeletes, but the followers there didn't come back. Their instances severed those following relationships, and recreating the profiles didn't restore them. Catastrophic. 😭I can see which of those followers haven't re-followed since then, so I'm going to manually DM them from @tantek.com@tantek.com to tell them what happened and nudge them to re-follow, with text that @tantek wrote. (We've been discussing this on and off in https://chat.indieweb.org/dev.)
The text was updated successfully, but these errors were encountered: