Comment on Fedify 2.1.0: Unverified activity hooks, RFC 9421 negotiation, MySQL support, and Astro integration

hongminhee@lemmy.ml 1 week ago

onUnverifiedActivity() only runs when signature verification fails: missing signature, bad signature, or a key lookup failure. It gives you a chance to handle those cases yourself instead of Fedify immediately returning 401 Unauthorized. If the signature verifies, this hook is not involved.

If you want extra validation for verified activities, do that in your normal .on() handlers. Those run after signature verification, so that’s where app-specific checks belong, like rejecting certain actors or applying your own rate limits.

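The split described in the comment above, as an added example that is not part of the original comment and does not use Fedify's API: a simplified TypeScript model of the two paths. Every name in it (InboxModel, onUnverified, receive), the fallback status codes, and the sample actors and policy are hypothetical and constructed for illustration.

```typescript
// Simplified model of the inbox flow described above. NOT Fedify's API:
// every type and function name here is hypothetical.
type FailureReason = "noSignature" | "invalidSignature" | "keyFetchError";
type Verification = "verified" | FailureReason;
interface Activity { type: string; actor: string }
// Hooks and handlers return an HTTP status, or undefined for "no decision".
type UnverifiedHook = (a: Activity, reason: FailureReason) => number | undefined;
type Handler = (a: Activity) => number | undefined;

class InboxModel {
  private handlers = new Map<string, Handler>();
  private unverifiedHook?: UnverifiedHook;
  on(type: string, h: Handler): this { this.handlers.set(type, h); return this; }
  onUnverified(h: UnverifiedHook): this { this.unverifiedHook = h; return this; }

  receive(a: Activity, v: Verification): number {
    if (v !== "verified") {
      // Failure path: only the hook runs; type handlers are never reached.
      // Assumption: no hook, or no decision from it, means the default 401.
      return this.unverifiedHook?.(a, v) ?? 401;
    }
    // Verified path: the hook is not involved; app checks live in the handler.
    // Assumption: a type with no handler is simply accepted (202).
    return this.handlers.get(a.type)?.(a) ?? 202;
  }
}

// Constructed sample policy: a blocklist plus a per-actor request budget.
const blockedActors = new Set(["https://spam.example/users/bot"]);
const seen = new Map<string, number>();
const LIMIT = 2;

const inbox = new InboxModel()
  .onUnverified((a, reason) =>
    // Acknowledge (without acting on) a Delete whose key cannot be fetched;
    // every other verification failure keeps the default rejection.
    a.type === "Delete" && reason === "keyFetchError" ? 202 : undefined)
  .on("Follow", (a) => {
    if (blockedActors.has(a.actor)) return 403; // reject certain actors
    const n = (seen.get(a.actor) ?? 0) + 1;
    seen.set(a.actor, n);
    return n > LIMIT ? 429 : 202; // app-level rate limit
  });
```
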