webfinger: don’t serve response for remote users’ AP id

2026-01-10 00:00:00 +00:00 · 2026-01-10 00:00:00 +00:00 · 74fa8f5581
commit 74fa8f5581
parent 967e2d0e71
2 changed files with 9 additions and 1 deletions
--- a/lib/pleroma/web/web_finger.ex
+++ b/lib/pleroma/web/web_finger.ex
@ -45,7 +45,8 @@ defmodule Pleroma.Web.WebFinger do
      {:ok, represent_user(user, fmt)}
    else
      _e ->
-        with %User{} = user <- User.get_cached_by_ap_id(resource) do
+        with %User{} = user <- User.get_cached_by_ap_id(resource),
+             true <- user.local do
          {:ok, represent_user(user, fmt)}
        else
          _e ->
--- a/test/pleroma/web/web_finger_test.exs
+++ b/test/pleroma/web/web_finger_test.exs
@ -42,6 +42,13 @@ defmodule Pleroma.Web.WebFingerTest do
      assert is_binary(result)
    end

+    test "fails for remote ap_ids" do
+      user = insert(:user, local: false)
+
+      {:error, _} = WebFinger.webfinger(user.ap_id, "XML")
+      {:error, _} = WebFinger.webfinger(user.ap_id, "JSON")
+    end
+
    test "exposes AP id with both canonical and Mastodon content type in JSON" do
      user = insert(:user, local: true)
      {:ok, data} = WebFinger.webfinger(user.ap_id, "JSON")