Allow verification via //link[@rel='me'] in feed's website link

[colindean]

Thanks for building this, it's great!

I've got the feed available at https://codeandsupply.co/jobs birb'd via @[email protected]. I've added //link[@rel='me'] tags to the site to indicate that RSS-parrot's profile is verified, like how other Mastodon and fediverse systems allow.

<link href='https://rss-parrot.net/@codeandsupply.co.jobs' rel='me'>
<link href='https://rss-parrot.net/web/feeds/codeandsupply.co.jobs' rel='me'>

It doesn't look like RSS-parrot supports this right now. It'd be cool if it did.

[gugray]

I'm not familiar with //link[@rel='me'] tags... I'm very green when it comes to the whole ActivityPub universe!
What would be the expected behavior if this tag is present? (It's in the feed XML, right?)

[colindean]

The ideal behavior is that the service returning a Website link in a profile has verified that the HTML at the URL contains a <link rel="me" href="${activitypub_url}"/> tag where activitypub_url is the URL of the profile page.

That is, if https://rss-parrot.net/u/codeandsupply.co.jobs contains

{
	"@context": [
		"https://www.w3.org/ns/activitystreams",
		"https://w3id.org/security/v1"
	],
        "…",
        "attachment": [
		{
			"type": "PropertyValue",
			"name": "Website",
			"value": "<a href='https://codeandsupply.co/jobs' target='_blank' rel='nofollow noopener noreferrer me' translate='no'>https://codeandsupply.co/jobs</a>"
		}
	]
}

then the HTML or HTTP headers returned in https://codeandsupply.co/jobs need to point back to the profile URL in some way, e.g. one of these:

<link href='https://rss-parrot.net/@codeandsupply.co.jobs' rel='me'>
<link href='https://rss-parrot.net/web/feeds/codeandsupply.co.jobs' rel='me'>
<link href='https://rss-parrot.net/u/codeandsupply.co.jobs' rel='me'>

and then you can show something on the page that indicates that the target link has been verified.

[colindean]

To be more specific, this would actually be visible on https://rss-parrot.net/web/feeds/codeandsupply.co.jobs as something like this mockup:

with this simple HTML:

<p
  <span class="label">Site URL: </span>
  <a href="https://codeandsupply.co/jobs">codeandsupply.co/jobs</a>
  <span class="verified" title="verified through link tags">✅</span>
</p>

[gugray]

Got it, thanks! Tagging this as an improvement for later.

[chungyc]

The short story

Try using https://rss-parrot.net/u/codeandsupply.co.jobs as the "me" link, and the link may eventually be verified by your Mastodon server. Nothing needs to change in RSS Parrot for it to be verified for Mastodon users.

... although admittedly ...

This is different from what this issue is actually requesting (RSS Parrot itself verifying the link to show verification status on its own pages), so this may be irrelevant to the person who created issue. However, by its very nature content in RSS Parrot is in one sense always verified because it gets them from the feed provided by the website. If what one wants is some verification that a bridge for some RSS feed is an "official" bridge, I would expect verification by Mastodon servers would be more desirable as it exposes the verification status to most users; verification status only on RSS Parrot's own pages won't be terribly useful for this purpose.

The long story

I wanted a verified link for my own account, and after a substantial amount of digging, I don't think anything absolutely needs to be changed in RSS Parrot. Long story short, verified profile links in Mastodon servers are verified by each Mastodon server which reads the profile, not the Mastodon or ActivityPub server from which the profile originates.¹ RSS Parrot is not responsible for doing the verification.

However, you may need to use the correct URL as the "me" link on your web page. I had initially used https://rss-parrot.net/@blog.chungyc.org, which was never verified. When I switched it to https://rss-parrot.net/u/blog.chungyc.org, I now have a verified profile link for @[email protected].
I think this is because WebFinger returns the latter URL as the "self" link for the @[email protected] account:

wget --header="Accept: application/activity+json" -O - https://rss-parrot.net/.well-known/webfinger?resource=acct:[email protected] | jq
...
{
  ...
  "links": [
    ...
    {
      "rel": "self",
      "type": "application/activity+json",
      "href": "https://rss-parrot.net/u/blog.chungyc.org"
    }
  ]
}

I am not totally sure about this, since I don't use the URL returned by WebFinger for my main Mastodon account as the "me" link, and it still was verified on my Mastodon server. I suspect this is the case because the http://example.org/@user-style link is included as an alias in the WebFinger result. I do know that the profile links for my RSS Parrot account is verified now when it was not before.

The only remaining issue is to make a Mastodon server verify a profile link it had already determined not to be verified. The surest way is to publish an Update activity for UserInfo to followers, although I am not sure if this is supposed to be done with the account's outbox, the inboxes of followers, or the shared inboxes of the followers' servers. This effectively tells the Mastodon servers following the account to queue up the link for checking again due to a profile update. This is not absolutely necessary, though, since Mastodon servers appear to queue up links for checking again in other circumstances as well. The documentation for Bridgy indicates one situation is when a profile is searched for.

Footnotes

1. Each Mastodon server verifying profile links on their own means one Mastodon server does not have to trust what another Mastodon server says about verification of profile links. This was actually something I noticed was touted as a strong point about Mastodon profile verification a very long time ago, although I had completely forgotten about it, only recalling this after I found mention of it in Bridgy documentation. ↩