@AltCode okay! Thanks for reporting, it sounds like there are two issues going on:

1. Categories losing their handle-to-id association
   • Frustratingly, this read very similarly to #13283, and both remote users and categories share similar logic. I have so far not been able to reproduce it at all on local development.
2. Separate users (different IDs) sharing the same preferredUsername.
   • This is an interesting one, and I am not entirely sure where the fault lies. I wonder how other software handles it?

@AltCode I forked this out to a new topic. I think it's time to loop @pfefferle@mastodon.social into the conversation (at the very least so this could be potentially escalated).

Mattias, it seems that when the WPML and ActivityPub plugins are enabled together, notes federated out by the blog user in another language have different ids but the same preferredUsername.

e.g. ruari@vivaldi.com: https://vivaldi.com/?author=46 and https://vivaldi.com/ja/?author=46

NodeBB interprets this as two different users. Curiously, Mastodon does not, the second ID explicitly does not resolve.

So there can be two solutions here:

1. The underlying issue can be fixed by WordPress, the solution of which is out of scope (for me at least)
2. NodeBB can adopt whatever mechanism Mastodon is using... which is most likely that Mastodon does a two-way when asserting an ID, and ensures that the webfinger resource points to the ID.

The remaining questions here are:

• whether preferredUsername is meant to be unique to the instance (in which case having multiple ids point to an identical preferredUsername would be a violation), and
• what exactly AP software should do when it encounters this situation... store a list of "known alias" IDs? There are potential security issues to doing so.

This is getting out of hand! Now, there are six of them!

@AltCode This should be fixed in the upcoming v4.3.0.

Actor assertion should not proceed if passed-in ID does not pass a webfinger query · Issue #13352 · NodeBB/NodeBB

I think NodeBB checks that the ID exists, and then proceeds with a full actor assert/update if it doesn't find it. Which leads to weird stuff as discovered by @altcode@community.nodebb.org where: One user with id: https://vivaldi.com/?au...

GitHub (github.com)

It won't proactively remove the duplicates, but they'll be pruned out within ~7 days.

Bit of a thought experiment here as to how to handle these duplicate accounts.

(tl;dr two federated accounts with different IDs report the same webfinger handle, what do?)

Let's say @ruario@social.vivaldi.net posts an English article under his account (and then is federated), and posts a translated Japanese one that is also federated, but under the Japanese ID.

What should NodeBB do when encountering the latter? Currently, it will try to assert the actor, fail the webfinger backreference check, and probably drop the post. Not so good.

One could adjust the actor to the former (canonical ID), but that's not technically right either.

That also opens up potential account impersonation possibilities, so that is something that would need addressing as well.

@pfefferle@mastodon.social just wanted to poke you about this issue again.

The latest updates to NodeBB now do a webfinger backcheck to ensure that the actor has a valid webfinger entry for their purported handle. If it does not, then the user is not properly created. Mastodon also does this. This check is probably for security as well as for preventing handle collisions.

The multilingual plugin in conjunction with the ActivityPub plugin creates users that share the same handle, and that causes issues with federated content.

For example, this article by @jonvt@vivaldi.com will load up just fine in Mastodon, but this japanese article by @akira@vivaldi.com will not, because that second article's attributedTo is https://vivaldi.com/ja/?author=176, which fails that check (the author's ID is actually https://vivaldi.com?author=176 as per the handle backcheck)

cc @AltCode