ivoryvalley 0.4.0

A transparent deduplication proxy for Mastodon and the Fediverse
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

# ActivityPub Deduplication Proxy - Project Plan

## Problem Statement
Following users across Fediverse clients results in duplicate posts due to boosts/reposts, sometimes 10x the same content.

## Solution Concept
A transparent proxy between your Mastodon client and the upstream server that filters duplicates before delivery.

---

## High-Level Phases

### 1. Research & Discovery
- Study ActivityPub protocol specification (message format, IDs, how boosts work)
- Analyze how Mastodon clients authenticate and communicate (OAuth flow, API endpoints)
- Identify what makes a message "unique" vs a duplicate (content ID? object ID? content hash?)
- Survey existing client-server traffic to understand what needs proxying

### 2. Architecture Design
- Define how proxy intercepts requests (MITM-style vs explicit proxy config)
- Choose database for seen-message storage (SQLite? Redis? LevelDB?)
- Decide on deduplication strategy (ID-based, content-hash, or hybrid)
- Plan authentication passthrough mechanism

### 3. Core Implementation
- Build proxy server that speaks Mastodon API
- Implement message ID extraction and storage
- Implement filtering logic on timeline/feed endpoints
- Handle passthrough for all non-feed requests (posting, auth, etc.)

### 4. Testing & Validation
- Test with real clients (Tusky, Ice Cubes, web interface, etc.)
- Verify deduplication actually works
- Ensure no legitimate messages are dropped
- Performance testing with realistic feed sizes

### 5. Deployment & Usability
- Packaging (Docker, standalone binary, etc.)
- Configuration (upstream server, credentials, filter rules)
- Documentation for end users

---

## Key Technical Risks to Investigate Early
- OAuth token handling - can we pass through auth transparently?
- WebSocket/streaming endpoints - do clients use these?
- What exactly identifies a "duplicate" in ActivityPub semantics?

---

## Investigation Notes

### Finding 1: Deduplication Strategy (SOLVED)

The Mastodon Status entity has clear fields for deduplication:

| Field | Type | Purpose |
|-------|------|---------|
| `id` | string | Database ID (local to instance) |
| `uri` | string | **Federated URI - globally unique across all instances** |
| `reblog` | Status? | If present, contains the original boosted status |

**Deduplication approach:**
- Use `uri` as the unique identifier (it's globally unique across federation)
- For boosts: extract `reblog.uri` to find the original post
- If we've seen a URI before → filter it out
- Simple hash set or key-value store is sufficient

### Finding 2: OAuth Passthrough (LOW RISK)

Mastodon uses standard OAuth 2.0 with Bearer tokens:
- Token passed via `Authorization: Bearer <token>` header
- Proxy can pass this header through transparently to upstream
- No need to intercept or modify the auth flow
- Client authenticates directly with upstream, proxy just forwards

### Finding 3: API Endpoints to Proxy

**Timeline endpoints (need filtering):**
- `GET /api/v1/timelines/home` - home timeline
- `GET /api/v1/timelines/public` - federated/local timeline
- `GET /api/v1/timelines/list/:list_id` - list timelines
- `GET /api/v1/timelines/tag/:hashtag` - hashtag timelines

**Passthrough (no filtering needed):**
- All POST/PUT/DELETE requests (actions)
- `/api/v1/accounts/*` - account info
- `/oauth/*` - authentication
- Everything else

### Finding 4: WebSocket Streaming (MEDIUM RISK)

Streaming uses WebSocket at `/api/v1/streaming`:
- Token passed as query param: `?access_token=<token>&stream=user`
- Some instances use separate streaming domain (check `/api/v2/instance`)
- Events include `update`, `delete`, `notification`, etc.

**Challenge:** Need to proxy WebSocket connections and filter events in real-time.
**Mitigation:** Can start with REST-only support, add streaming later.

### Finding 5: Architecture Decision

**Recommended: Explicit Proxy Configuration**
- Client points to proxy URL instead of real server
- Proxy rewrites requests to upstream
- Simpler than MITM, no certificate issues
- User configures: `proxy_url` + `upstream_server`

---

## Refined Architecture

```
┌─────────────┐     ┌─────────────────┐     ┌──────────────┐
│   Client    │────▶│  Dedup Proxy    │────▶│   Mastodon   │
│  (Tusky,    │◀────│                 │◀────│   Instance   │
│   etc.)     │     │  - Filter dupes │     │              │
└─────────────┘     │  - Store URIs   │     └──────────────┘
                    │  - Pass auth    │
                    └─────────────────┘
                    ┌──────▼──────┐
                    │   SQLite    │
                    │  (seen URIs)│
                    └─────────────┘
```

---

## Sources

- [Mastodon Status Entity](https://docs.joinmastodon.org/entities/Status/)
- [Mastodon Timelines API](https://docs.joinmastodon.org/methods/timelines/)
- [Mastodon OAuth Documentation](https://docs.joinmastodon.org/spec/oauth/)
- [Mastodon Streaming API](https://docs.joinmastodon.org/methods/streaming/)
- [ActivityPub W3C Spec](https://www.w3.org/TR/activitypub/)
- [ActivityPub Announce Activity](https://www.w3.org/wiki/ActivityPub/Primer/Announce_activity)