frustration, #MastoAdmin, AUTHORIZED_FETCH, DISALLOW_UNAUTHENTICATED… 

github.com/mastodon/mastodon/p (part of the Mastodon 4.0 release) breaks AUTHORIZED_FETCH aka "secure mode" intentionally, by allowing the instance's REST API to be used even if you're not authenticated. Eugen did this because even the logged-out views of, for example, individual posts, are backed by the REST API in 4.0.

(presumably AUTHORIZED_FETCH still works for the ActivityPub API or it'd be entirely pointless?)

unfortunately the new behavior allows way more than just loading individual posts. for example, unauthenticated users can now call the search API. it doesn't seem to allow full-text search, but i cannot work out why (it doesn't throw an explicit error and i haven't yet found relevant access control code).

it definitely allows searching for local and remote users, searching for hashtags, viewing hashtag timelines if you know the hashtag, not sure what else might be useful to scrapers and federation mappers.

there's now a completely undocumented (outside of this PR) environment variable called DISALLOW_UNAUTHENTICATED_API_ACCESS that restores the behavior of AUTHORIZED_FETCH to what it was supposed to do… at the cost of breaking public/unlisted posts and user profiles. given how Mastodon doesn't fetch context for threads very well, sometimes the only way to load a whole conversation is for users to try to open a post on the original instance, so this is not great.

i want to write an article on how much Mastodon leaks but really i should red team this shit so i have specific scenarios to walk through. go write that spambot i was joking about. resume work on that scraper. or i could go touch grass.

#MastoAdmin
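For an admin who wants to confirm what the thread describes on their own instance rather than trust the env file, here is an added self-audit script (not part of the thread, and not Mastodon project code). It parses `.env.production`, derives the exposure that the thread says 4.0 semantics imply (AUTHORIZED_FETCH alone no longer closes the REST API; only DISALLOW_UNAUTHENTICATED_API_ACCESS does), then sends anonymous GETs to a few standard REST routes the thread mentions (search, hashtag timeline, public timeline) and reports any mismatch between configured and observed behaviour. Assumptions: the routes are the standard `/api/v2/search` and `/api/v1/timelines/...` paths, Mastodon treats a flag as set only when its value is the literal string `true`, and `https://example.social` is a placeholder base URL. The fetcher is injectable so the check runs offline against a stub.

```python
"""Self-audit for a Mastodon 4.0 instance: compare what .env.production says
about secure mode with what anonymous REST clients actually get back.

Added example, not Mastodon project code. Endpoint paths are standard
Mastodon routes; the env-file keys are the ones discussed in the thread.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Anonymous probes against routes the thread flags as reachable in 4.0.
# Query values are constructed sample input, not real searches of interest.
PROBES: Dict[str, str] = {
    "account search": "/api/v2/search?q=example&type=accounts",
    "hashtag timeline": "/api/v1/timelines/tag/mastoadmin",
    "public timeline": "/api/v1/timelines/public",
}

# A fetcher maps a URL to an HTTP status code; injectable so the check can be
# exercised offline with a stub instead of a live instance.
Fetcher = Callable[[str], int]


def urllib_status(url: str) -> int:
    """Default fetcher: plain GET with no Authorization header."""
    req = urllib.request.Request(url, headers={"User-Agent": "self-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def parse_env(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def enabled(env: Dict[str, str], key: str) -> bool:
    """Assumption: Mastodon treats a flag as set only when its value is 'true'."""
    return env.get(key, "").strip().lower() == "true"


def expected_anonymous_api(env: Dict[str, str]) -> bool:
    """Expected REST exposure under the 4.0 semantics described in the thread:
    AUTHORIZED_FETCH alone no longer closes the REST API; only
    DISALLOW_UNAUTHENTICATED_API_ACCESS does."""
    return not enabled(env, "DISALLOW_UNAUTHENTICATED_API_ACCESS")


def probe(base_url: str, fetch: Fetcher) -> Dict[str, int]:
    """Request each probe route anonymously and record the status code."""
    base = base_url.rstrip("/")
    return {name: fetch(base + path) for name, path in PROBES.items()}


def audit(env_text: str, base_url: str, fetch: Fetcher = urllib_status) -> List[str]:
    """Return one finding per route whose observed behaviour contradicts the
    config, plus a note when AUTHORIZED_FETCH is on but the REST API is open."""
    env = parse_env(env_text)
    expect_open = expected_anonymous_api(env)
    findings: List[str] = []
    if enabled(env, "AUTHORIZED_FETCH") and expect_open:
        findings.append(
            "AUTHORIZED_FETCH=true but DISALLOW_UNAUTHENTICATED_API_ACCESS is not "
            "set: anonymous REST API access is expected to be open on 4.0"
        )
    for name, status in probe(base_url, fetch).items():
        observed_open = status == 200
        if observed_open != expect_open:
            wanted = "open" if expect_open else "closed"
            findings.append(f"{name}: HTTP {status}, expected {wanted}")
    return findings


if __name__ == "__main__":
    import sys

    # Placeholder base URL; pass your own instance and env file path.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://example.social"
    env_path = sys.argv[2] if len(sys.argv) > 2 else ".env.production"
    with open(env_path) as fh:
        for finding in audit(fh.read(), base):
            print(finding)
```

Run it from the instance host as `python3 audit.py https://your.instance /path/to/.env.production`; an empty result means configuration and observed behaviour agree. The AUTHORIZED_FETCH-only note is the situation the thread is about: secure mode looks enabled in the config, yet the REST routes still answer anonymous clients.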


re: frustration, #MastoAdmin, AUTHORIZED_FETCH, DISALLOW_UNAUTHENTICATED… 

@vyr yeah it's fucked up. I'm doing some ground work for an alternative frontend that would sit in front of mastodon, still giving (opt-in?) rendered html but blocking all the api access like before. We'll see how it goes though..

re: frustration, #MastoAdmin, AUTHORIZED_FETCH, DISALLOW_UNAUTHENTICATED… 

@f0x i love that idea. beginning to think that an AP proxy constructed along similar lines would be an easier way to do greylist federation…
