Remove webfinger support, these are not properly formatted URIs, more consideration of syntax needs to be done

strip userinfo from URI, if present
2023-07-27 15:55:05 -04:00 · 2023-07-27 15:55:05 -04:00 · 0f2c707ad1
parent 44cc0966a0
commit 0f2c707ad1
2 changed files with 18 additions and 37 deletions
--- a/lib/pleroma/web/akkoma_api/controllers/protocol_handler_controller.ex
+++ b/lib/pleroma/web/akkoma_api/controllers/protocol_handler_controller.ex
@ -38,19 +38,12 @@ defmodule Pleroma.Web.AkkomaAPI.ProtocolHandlerController do

  def handle(conn, _), do: conn |> json_response(:bad_request, "Could not handle protocol URL")

-  # Should webfinger handles even be accepted? They are not ActivityPub URLs
-  defp find_and_redirect(conn, "@" <> identifier) do
-    with {:error, _err} <- User.get_or_fetch(identifier) do
-      conn |> json_response(:not_found, "Not Found - @#{identifier}")
-    else
-      {:ok, %User{} = found_user} -> conn |> redirect(to: "/users/#{found_user.id}")
-    end
-  end
-
  defp find_and_redirect(%{assigns: %{user: user}} = conn, identifier) do
-    with {:error, _err} <- User.get_or_fetch("https://" <> identifier),
-        [] <- DatabaseSearch.maybe_fetch([], user, "https://" <> identifier) do
-      conn |> json_response(:not_found, "Not Found - #{identifier}")
+    # Remove userinfo if present (username:password@)
+    cleaned = String.replace(identifier, ~r/^[^\/]*?@/, "")
+    with {:error, _err} <- User.get_or_fetch("https://" <> cleaned),
+        [] <- DatabaseSearch.maybe_fetch([], user, "https://" <> cleaned) do
+      conn |> json_response(:not_found, "Not Found - #{cleaned}")
    else
      {:ok, %User{} = found_user} -> conn |> redirect(to: "/users/#{found_user.id}")

--- a/test/pleroma/web/akkoma_api/protocol_handler_controller_test.exs
+++ b/test/pleroma/web/akkoma_api/protocol_handler_controller_test.exs
@ -42,18 +42,6 @@ defmodule Pleroma.Web.AkkomaAPI.ProtocolHandlerControllerTest do
      assert resp =~ "Could not handle protocol URL"
    end

-    test "should return forbidden for unauthed user when target is webfinger handle" do
-      clear_config([Pleroma.Web.Endpoint, :url, :host], "sub.example.com")
-      %{conn: conn} = oauth_access([])
-
-      resp =
-        conn
-        |> get("/api/v1/akkoma/protocol-handler?target=web%2Bap%3A%2F%2F%40akkoma%40ihatebeinga.live")
-        |> json_response(403)
-
-      assert resp =~ "Invalid credentials."
-    end
-
    test "should return forbidden for unauthed user when target is remote" do
      clear_config([Pleroma.Web.Endpoint, :url, :host], "sub.example.com")
      %{conn: conn} = oauth_access([])
@ -118,19 +106,6 @@ defmodule Pleroma.Web.AkkomaAPI.ProtocolHandlerControllerTest do
      assert resp =~ "<a href=\"/notice/#{activity.id}\">"
    end

-    test "should return redirect for authed user when target is webfinger handle" do
-      %{conn: conn} = oauth_access(["read:search"])
-      remote_user = insert(:user, %{nickname: "akkoma@ihatebeinga.live", local: false})
-
-      resp =
-        conn
-        |> get("/api/v1/akkoma/protocol-handler?target=web%2Bap%3A%2F%2F%40akkoma%40ihatebeinga.live")
-        |> html_response(302)
-
-      assert resp =~ "You are being"
-      assert resp =~ "<a href=\"/users/#{remote_user.id}\">"
-    end
-
    test "should return redirect for authed user when target is AP ID for user" do
      %{conn: conn} = oauth_access(["read:search"])
      remote_user = insert(:user, %{nickname: "akkoma@ihatebeinga.live", local: false, ap_id: "https://ihatebeinga.live/users/akkoma"})
@ -144,6 +119,19 @@ defmodule Pleroma.Web.AkkomaAPI.ProtocolHandlerControllerTest do
      assert resp =~ "<a href=\"/users/#{remote_user.id}\">"
    end

+    test "should return redirect for authed user when target is AP ID for user, stripping userinfo" do
+      %{conn: conn} = oauth_access(["read:search"])
+      remote_user = insert(:user, %{nickname: "akkoma@ihatebeinga.live", local: false, ap_id: "https://ihatebeinga.live/users/akkoma"})
+
+      resp =
+        conn
+        |> get("/api/v1/akkoma/protocol-handler?target=web%2Bap%3A%2F%2Fusername%3Apassword%40ihatebeinga.live/users/akkoma")
+        |> html_response(302)
+
+      assert resp =~ "You are being"
+      assert resp =~ "<a href=\"/users/#{remote_user.id}\">"
+    end
+
    test "should return redirect for authed user when target is AP ID for note activity" do
      Tesla.Mock.mock(fn
        %{method: :get, url: "https://mastodon.social/users/emelie/statuses/101849165031453009"} ->