diff --git a/integrations/webfinger_test.go b/integrations/webfinger_test.go new file mode 100644 index 0000000000..8ba93c3f20 --- /dev/null +++ b/integrations/webfinger_test.go @@ -0,0 +1,68 @@ +// Copyright 2022 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package integrations + +import ( + "fmt" + "net/http" + "net/url" + "testing" + + "code.gitea.io/gitea/models/unittest" + user_model "code.gitea.io/gitea/models/user" + "code.gitea.io/gitea/modules/setting" + + "github.com/stretchr/testify/assert" +) + +func TestWebfinger(t *testing.T) { + defer prepareTestEnv(t)() + + setting.Federation.Enabled = true + defer func() { + setting.Federation.Enabled = false + }() + + user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User) + + appURL, _ := url.Parse(setting.AppURL) + + type webfingerLink struct { + Rel string `json:"rel,omitempty"` + Type string `json:"type,omitempty"` + Href string `json:"href,omitempty"` + Titles map[string]string `json:"titles,omitempty"` + Properties map[string]interface{} `json:"properties,omitempty"` + } + + type webfingerJRD struct { + Subject string `json:"subject,omitempty"` + Aliases []string `json:"aliases,omitempty"` + Properties map[string]interface{} `json:"properties,omitempty"` + Links []*webfingerLink `json:"links,omitempty"` + } + + session := loginUser(t, "user1") + + req := NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", user.LowerName, appURL.Host)) + resp := MakeRequest(t, req, http.StatusOK) + + var jrd webfingerJRD + DecodeJSON(t, resp, &jrd) + assert.Equal(t, "acct:user2@"+appURL.Host, jrd.Subject) + assert.ElementsMatch(t, []string{user.HTMLURL()}, jrd.Aliases) + + req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", user.LowerName, "unknown.host")) + MakeRequest(t, req, http.StatusBadRequest) + + req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", "user31", appURL.Host)) + MakeRequest(t, req, http.StatusNotFound) + + req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", "user31", appURL.Host)) + session.MakeRequest(t, req, http.StatusOK) + + req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=mailto:%s", user.Email)) + MakeRequest(t, req, http.StatusNotFound) +} diff --git a/routers/web/web.go b/routers/web/web.go index f68ad87d5f..97ea1e9035 100644 --- a/routers/web/web.go +++ b/routers/web/web.go @@ -282,6 +282,13 @@ func RegisterRoutes(m *web.Route) { } } + federationEnabled := func(ctx *context.Context) { + if !setting.Federation.Enabled { + ctx.Error(http.StatusNotFound) + return + } + } + // FIXME: not all routes need go through same middleware. // Especially some AJAX requests, we can reduce middleware number to improve performance. // Routers. @@ -289,10 +296,10 @@ func RegisterRoutes(m *web.Route) { m.Get("/", Home) m.Group("/.well-known", func() { m.Get("/openid-configuration", auth.OIDCWellKnown) - if setting.Federation.Enabled { + m.Group("", func() { m.Get("/nodeinfo", NodeInfoLinks) m.Get("/webfinger", WebfingerQuery) - } + }, federationEnabled) m.Get("/change-password", func(w http.ResponseWriter, req *http.Request) { http.Redirect(w, req, "/user/settings/account", http.StatusTemporaryRedirect) }) diff --git a/routers/web/webfinger.go b/routers/web/webfinger.go index 02cbe1af21..27d0351b81 100644 --- a/routers/web/webfinger.go +++ b/routers/web/webfinger.go @@ -8,7 +8,6 @@ import ( "fmt" "net/http" "net/url" - "regexp" "strings" user_model "code.gitea.io/gitea/models/user" @@ -17,8 +16,6 @@ import ( "code.gitea.io/gitea/modules/setting" ) -var webfingerRessourcePattern = regexp.MustCompile(`(?i)\A([a-z^:]+):(.*)\z`) - // https://datatracker.ietf.org/doc/html/draft-ietf-appsawg-webfinger-14#section-4.4 type webfingerJRD struct { @@ -39,26 +36,20 @@ type webfingerLink struct { // WebfingerQuery returns informations about a resource // https://datatracker.ietf.org/doc/html/rfc7565 func WebfingerQuery(ctx *context.Context) { - resource := ctx.FormTrim("resource") - - scheme := "acct" - uri := resource - - match := webfingerRessourcePattern.FindStringSubmatch(resource) - if match != nil { - scheme = match[1] - uri = match[2] - } - appURL, _ := url.Parse(setting.AppURL) - var u *user_model.User - var err error + resource, err := url.Parse(ctx.FormTrim("resource")) + if err != nil { + ctx.Error(http.StatusBadRequest) + return + } - switch scheme { + var u *user_model.User + + switch resource.Scheme { case "acct": // allow only the current host - parts := strings.SplitN(uri, "@", 2) + parts := strings.SplitN(resource.Opaque, "@", 2) if len(parts) != 2 { ctx.Error(http.StatusBadRequest) return @@ -70,7 +61,10 @@ func WebfingerQuery(ctx *context.Context) { u, err = user_model.GetUserByNameCtx(ctx, parts[0]) case "mailto": - u, err = user_model.GetUserByEmailContext(ctx, uri) + u, err = user_model.GetUserByEmailContext(ctx, resource.Opaque) + if u != nil && u.KeepEmailPrivate { + err = user_model.ErrUserNotExist{} + } default: ctx.Error(http.StatusBadRequest) return @@ -79,7 +73,7 @@ func WebfingerQuery(ctx *context.Context) { if user_model.IsErrUserNotExist(err) { ctx.Error(http.StatusNotFound) } else { - log.Error("Error getting user: %v", err) + log.Error("Error getting user: %s Error: %v", resource.Opaque, err) ctx.Error(http.StatusInternalServerError) } return @@ -92,7 +86,6 @@ func WebfingerQuery(ctx *context.Context) { aliases := []string{ u.HTMLURL(), - appURL.String() + "api/v1/activitypub/user/" + strings.ToLower(u.Name), } if !u.KeepEmailPrivate { aliases = append(aliases, fmt.Sprintf("mailto:%s", u.Email)) @@ -108,15 +101,6 @@ func WebfingerQuery(ctx *context.Context) { Rel: "http://webfinger.net/rel/avatar", Href: u.AvatarLink(), }, - { - Rel: "self", - Type: "application/activity+json", - Href: appURL.String() + "api/v1/activitypub/user/" + strings.ToLower(u.Name), - }, - { - Rel: "http://ostatus.org/schema/1.0/subscribe", - Href: appURL.String() + "api/v1/authorize_interaction?uri={uri}", - }, } ctx.JSON(http.StatusOK, &webfingerJRD{