
feat: Improve instance API and OAuth client compatibility #296

Merged: dahlia merged 2 commits into fedify-dev:main from quadr:feature/instance-api-improvements on Nov 26, 2025
@quadr (Contributor) commented Nov 26, 2025

Summary

This PR improves compatibility with third-party Mastodon clients by addressing two issues:

1. Instance API Improvements (DAWN for Mastodon compatibility)

Problem: DAWN for Mastodon client failed to connect with error "Cannot read data" because expected fields were missing from the instance API response.

Changes to /api/v1/instance:

  • Added configuration.accounts.max_featured_tags field
  • Added thumbnail field with Hollo logo URL
  • Implemented actual stats values (user_count, status_count, domain_count) from database

Changes to /api/v2/instance:

  • Added thumbnail object with url, blurhash, and versions fields
  • Added icon array with Hollo logo
  • Updated max_featured_tags and max_pinned_statuses from 0 to 10
  • Clarified TODO comments for future improvements

2. OAuth Client Authentication (tooot compatibility)

Problem: tooot Android client failed OAuth authentication with 400 error because it sends credentials via both client_secret_basic (Authorization header) and client_secret_post (request body) simultaneously.

Solution: Modified clientAuthentication middleware to allow multiple authentication methods if they contain identical credentials. Different credentials still result in a 400 error as per OAuth 2.0 spec.

Test plan

Automated checks:

  • Type checking (pnpm check)
  • Linting (Biome)
  • OAuth tests pass (including new tests for duplicate credentials handling)

Manual verification:

  • DAWN for Mastodon can connect to Hollo instance
  • tooot can complete OAuth authentication flow

quadr and others added 2 commits November 26, 2025 11:55
- Add configuration.accounts.max_featured_tags to v1 instance API
- Add thumbnail field with Hollo logo URL to both v1 and v2 APIs
- Add icon array to v2 instance API
- Implement actual stats (user_count, status_count, domain_count) from database
- Update max_featured_tags and max_pinned_statuses values in v2 API
- Clarify TODO comments for configurable values and future features

This fixes compatibility issues with clients like DAWN for Mastodon
that expect these fields to be present in the instance API response.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Some clients like tooot send credentials via both Basic auth header
and POST body simultaneously. This change allows such requests if
all credentials have the same client_id and client_secret, improving
compatibility with these clients.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

@dahlia (Member) left a comment

Thanks!

@dahlia merged commit 1426df2 into fedify-dev:main Nov 26, 2025
2 checks passed
@ThisIsMissEm (Contributor) commented

> Problem: tooot Android client failed OAuth authentication with 400 error because it sends credentials via both client_secret_basic (Authorization header) and client_secret_post (request body) simultaneously.

This behavior was actually correct per the OAuth specification. You should not be using both.

> The client MUST NOT use more than one authentication method in each request.

@ThisIsMissEm (Contributor) commented

That is to say that Tooot needs to fix this; they'd also start breaking against future Mastodon versions once the reworked client authentication handling in Doorkeeper lands, which follows spec.
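
The two policies discussed in this thread, side by side, as an added example that is not code from Hollo or from this PR: strict mode rejects any token request that uses more than one client authentication method, and lenient mode accepts duplicates only when the credentials are identical. `collectCredentials`, `resolveClient` and `allowIdenticalDuplicates` are hypothetical names, the sample request is constructed, and the error codes are the ones RFC 6749 section 5.2 defines.

```javascript
// Added example, not Hollo's middleware; all names are hypothetical.
const formDecode = (s) => decodeURIComponent(s.replace(/\+/g, " "));
const cred = (method, clientId, clientSecret) => ({ method, clientId, clientSecret });

// Collect every client credential in a token request; null means malformed.
function collectCredentials({ authorization = "", body = {} }) {
  const found = [];
  const basic = /^Basic +([A-Za-z0-9+\/=]+)$/i.exec(authorization);
  if (basic) {
    const decoded = Buffer.from(basic[1], "base64").toString("utf8");
    const sep = decoded.indexOf(":");
    if (sep < 0) return null;
    try {
      // RFC 6749 section 2.3.1: id and secret are form-encoded inside Basic.
      const id = formDecode(decoded.slice(0, sep));
      found.push(cred("client_secret_basic", id, formDecode(decoded.slice(sep + 1))));
    } catch {
      return null; // invalid percent-encoding
    }
  }
  if (body.client_secret !== undefined) {
    if (typeof body.client_id !== "string") return null;
    found.push(cred("client_secret_post", body.client_id, String(body.client_secret)));
  }
  return found;
}

// Strict mode rejects any request that uses more than one method; lenient mode
// tolerates duplicates only when client_id and client_secret are identical.
function resolveClient(request, { allowIdenticalDuplicates = false } = {}) {
  const creds = collectCredentials(request);
  if (creds === null) return { ok: false, status: 400, error: "invalid_request" };
  if (creds.length === 0) return { ok: false, status: 401, error: "invalid_client" };
  const [first, ...rest] = creds;
  const identical = rest.every(
    (c) => c.clientId === first.clientId && c.clientSecret === first.clientSecret,
  );
  if (rest.length > 0 && !(allowIdenticalDuplicates && identical)) {
    return { ok: false, status: 400, error: "invalid_request" };
  }
  // The secret must still be verified against the registered client afterwards.
  return { ok: true, ...first, methods: creds.map((c) => c.method) };
}

// Constructed sample: the same credentials sent in the header and in the body.
const sampleHeader = "Basic " + Buffer.from("app123:s3cret").toString("base64");
const sampleRequest = { authorization: sampleHeader, body: { client_id: "app123", client_secret: "s3cret" } };
console.log(resolveClient(sampleRequest).error);
console.log(resolveClient(sampleRequest, { allowIdenticalDuplicates: true }).methods);
```

In lenient mode the returned `methods` array still records that two methods were used, so a server can log which clients depend on the relaxed behavior.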
