#geekery : preemptively blocking a #Mastodon server by name

Executive summary:

Get your magic authorization token by logging into your server, right-clicking on the page in Chrome, doing “Inspect”, going to the “Network” section, reloading if necessary, clicking on any request, looking at the Request Headers, and finding the Authorization header that contains “Bearer” followed by lots of alphanumeric gibberish. That gibberish is your token.

In a shell, issue:

curl --header "Authorization: Bearer [token]" -X POST https://[your server]/api/v1/domain_blocks -d "domain=[bad server]"

and expect the reply {}.

Or forget all of that, and make a one-line file with the domain name and import it as a domain-block list!

Possibly-entertaining narrative form:

I started to write this with an introduction about blocking domains and why it's useful and how Mastodon differs from Twitter and stuff, but realized that it's not really relevant. Maybe I'll polish that and post it by itself someday. Even this is getting long, so I'll put a tl;dr at the top most likely.

But anyway suffice it to say that sometimes one finds out that a server called like jerks.xyz exists, and that for whatever reason one doesn't want to interact with it or anyone on it, in any way.

(As a user, that is. Being a server admin and wanting to cut off jerks.xyz from interacting with one's server is a Whole Other Thing that I'm not talking about here.)

Various UIs and apps and things provide various ways to do this. The simplest way to do it in the qoto.org web UI (which is all I use or know much about) is to find some user on the server, say foo, search on @foo@jerks.xyz, find that profile, open it, open the kabob (three vertical dots) menu in the profile, and do “Block domain jerks.xyz”. The server will then show up under “blocked domains” in one's own profile dropdown.

This doesn't work if there aren't any known users on jerks.xyz, or if that server refuses to serve anything about them (the empty “profile unavailable” fake profile that the UI serves up in that case doesn't have a kabob menu).

In that case, we can still block the server, by having fun with curl and the Mastodon API. Yay!

(Probably there is also some much simpler method that someone will point out to me and I will slap my forehead, but this is still fun! Since this was originally written, it's been pointed out that one can make a one-line file with the domain name, and then import it as a blocked-domains list under “Import and Export”, so that's an alternative. But less fun!)

curl (“client for URLs”) is a magical and very useful 25-year-old program that lets one do all sorts of things that normally browsers do, from a command line. It was originally a *ix program of course, but I was impressed to find that it's also Just There and Just Works from a Windows shell prompt in Windows 11 here, which is cool.

If we look at the Mastodon API documentation on domain blocking, we see that all we need to do is send a POST request to /api/v1/domain_blocks on our server, with the domain field set to jerks.xyz. There's also some stuff about an “Authorization”, but we'll ignore that for now.

To send that via curl, we would just do:

curl -X POST https://[your server]/api/v1/domain_blocks -d "domain=jerks.xyz"

Doing that gets us the polite reply:

{ "error": "The access token is invalid" }

so apparently we do have to worry about that Authorization thing.

The thing that we need is a magical token that reflects the fact that we are us, and we are logged onto our server. There are two ways to obtain this token; we can actually send the OAuth request with our password and everything, as described here (I don't know why I can't find a more official-looking source; probably bad GitHub search skills, unless perhaps it's not or no longer correct), or we can just get it from a logged-in browser session.

To do the latter in Chrome (in other browsers, presumably some rough equivalent), right-click on a page where you're logged into your server, choose Inspect to get the scary everything-going-on page, select “Network” at the top, wait or refresh the page until some requests appear in the request list, click on one, scroll to the request headers section, and find the “Authorization” header; it should contain the word “Bearer” followed by a whole lot of alphanumeric gibberish. That gibberish is the magical token.

Armed with that, we can do:

curl --header "Authorization: Bearer [gibberish]" -X POST https://[your server]/api/v1/domain_blocks -d "domain=jerks.xyz"

If that works, it will helpfully reply {}, and now jerks.xyz should appear in your Blocked Domains list, and you'll never have to deal with those jerks.

Hurrah!
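
The same request as a small script, added here as an example and not part of the original post: it checks the domain name before sending it, and hands the token to curl on standard input instead of the command line, since that token acts as your logged-in session. The variable names MASTODON_SERVER and MASTODON_TOKEN, the function names, and the token character check are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: MASTODON_SERVER,
# MASTODON_TOKEN and the three helper functions.

# Accept only plain DNS hostnames, so a typo or pasted junk cannot add
# extra form fields or curl config syntax to the request.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*-|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a curl config for the domain_blocks POST described in the post.
# $1 = your server, $2 = token, $3 = domain to block.
curl_config() {
    valid_domain "$1" || return 1
    valid_domain "$3" || return 1
    # Assumption: tokens use only letters, digits, "_" and "-".
    case "$2" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf 'url = "https://%s/api/v1/domain_blocks"\n' "$1"
    printf 'header = "Authorization: Bearer %s"\n' "$2"
    printf 'data = "domain=%s"\n' "$3"
}

# Send the request. The config goes to curl on stdin (--config -), so the
# token never appears in curl's argument list. Succeeds only on the reply {}.
block_domain() {
    reply=$(curl_config "$MASTODON_SERVER" "$MASTODON_TOKEN" "$1" |
        curl --silent --show-error --config -) || return 1
    [ "$reply" = "{}" ]
}

# Runs only when a domain is given: sh block.sh jerks.xyz
if [ "$#" -ge 1 ]; then
    if block_domain "$1"; then
        echo "blocked $1"
    else
        echo "could not block $1" >&2
        exit 1
    fi
fi
```

Set MASTODON_SERVER and MASTODON_TOKEN in the environment before running it; with no argument the script only defines the functions and sends nothing.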