Mastodon 3.2.0

Time for an update! At the start of this month I've released 3.1.5 with just security patches and now I've released 3.2.0 with all the other changes that have accumulated since the last time.

The center piece of this version has become audio functionality. Inspired by Twitter's announcement of Voice Tweets, I focused on polishing Mastodon's audio-related features and overhauling the design of its audio player. Mastodon has supported audio uploads since June 2019 but the feature was, in hindsight, rather lackluster.

First off, I added the ability to upload a custom thumbnail for audio and video attachments and automatic album artwork extraction for audio files. Then I've also added color extraction for custom thumbnails, in other words getting an appropriate color scheme from album artworks to make the audio player look more interesting.

Various aspects of how posts with audio attachments appear on OpenGraph previews (e.g. when linked to from Discord or Twitter) have also been polished up. For example, if you link to a Mastodon audio post on Twitter, you'll be able to click on the preview it shows which will load Mastodon's audio player right there -- same for videos, like you'd expect from YouTube or Twitch Clip links.

I've also added what I think is an important security measure. Over time I've observed that a lot of people who signed up to reserve their username and then forgot about their accounts were getting their accounts hijacked by spammers (who would put a spam link in the bio and proceed randomly following other users to pop up in their notifications). Each of the hijacked accounts was on haveibeenpwned.com and didn't have two-factor authentication enabled, i.e. they were re-using their password on multiple websites and some of those websites have previously been breached and had their passwords leaked.

To stop this, I've added an e-mail based token challenge for people who don't have two-factor authentication enabled, who haven't been active for over two weeks, and who are attempting to sign in from a previously unseen IP address. According to my observations, I believe this has fully eliminated the issue.

The .env.production.sample file had grown quite messy over time and had quite a few bits of documentation in it that wasn't available anywhere else, all the meanwhile it wasn't really in the limelight anymore since Mastodon got the interactive setup prompt. I've reduced it to a bare minimum (a true "sample") and instead deferred the documentation to our actual documentation website. I've then actually wrote the missing documentation for all the options.

There's more technical fixes and improvements, take a look at the changelog if you want to see everything.

End-to-end encryption is not part of this release. I've got the server-side APIs and federation implemented, it's technically in 3.2.0 but the APIs have been purposefully disabled. One of the flipsides of E2EE not having the server in the loop about the contents of messages is that the server can no longer simplify or validate the data format of those messages. Absolute freedom in what app developers can dump into the pipes also means that if there is no consensus or guidance about the data format, no app will be compatible with another. I am working on a flagship implementation of the E2EE client in Mastodon's web interface, but it is definitely an involved task. I'm happy to report that I at least got the basics working, so I am making progress, but it will take a while.

I'll also be working with a professional UX designer, Pam Drouin, on improving the onboarding flow on joinmastodon.org for the next week.

By the way, have you seen the new illustrations for each tier on this Patreon? I hope you like them! Thanks everyone for your support!