[bug] Some redirects 404 for AP, only work for browser users #835

Open
opened 2024-09-24 18:37:17 +00:00 by mirabilos · 2 comments

Your setup

No response

Extra details

No response

Version

"2.7.2 (compatible; Akkoma 3.13.2)"

PostgreSQL version

No response

What were you trying to do?

Found by https://github.com/superseriousbusiness/gotosocial/issues/2643#issuecomment-2370906204 :

$ curl --http1.1 -D - -H 'accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"' https://infosec.place/users/AlXRUAEjZWsAzH4Zm4; echo
HTTP/1.1 404 Not Found
Server: nginx/1.26.2
Date: Tue, 24 Sep 2024 18:36:24 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 11
Connection: keep-alive
access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers: Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key
cache-control: max-age=0, private, must-revalidate
content-security-policy: upgrade-insecure-requests;style-src 'self' 'nonce-SaKLRXO_tUN_VPo';font-src 'self';script-src 'self' 'nonce-SaKLRXO_tUN_VPo' ;connect-src 'self' https://infosec.place wss://infosec.place;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';
permissions-policy: interest-cohort=()
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none
x-request-id: F_hB9pS_crsvLf4AOK4S
x-xss-protection: 0

"Not found"
$ curl --http1.1 -D - -H 'accept: application/activity+json' https://infosec.place/users/AlXRUAEjZWsAzH4Zm4; echo
HTTP/1.1 404 Not Found
Server: nginx/1.26.2
Date: Tue, 24 Sep 2024 18:36:25 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 11
Connection: keep-alive
access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers: Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key
cache-control: max-age=0, private, must-revalidate
content-security-policy: upgrade-insecure-requests;style-src 'self' 'nonce-coSHJtwvzoL6kWJ';font-src 'self';script-src 'self' 'nonce-coSHJtwvzoL6kWJ' ;connect-src 'self' https://infosec.place wss://infosec.place;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';
permissions-policy: interest-cohort=()
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none
x-request-id: F_hB9ulzTKWg0TAAOK8S
x-xss-protection: 0

"Not found"
$ curl --http1.1 -D - -A 'Mozilla/5.0 (compatible; Firefox or something)' https://infosec.place/users/AlXRUAEjZWsAzH4Zm4; echo
HTTP/1.1 302 Found
Server: nginx/1.26.2
Date: Tue, 24 Sep 2024 18:36:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 102
Connection: keep-alive
access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers: Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key
cache-control: max-age=0, private, must-revalidate
content-security-policy: upgrade-insecure-requests;style-src 'self' 'nonce-E_w2HubmmV7PE6Y';font-src 'self';script-src 'self' 'nonce-E_w2HubmmV7PE6Y' ;connect-src 'self' https://infosec.place wss://infosec.place;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';
location: https://bird.makeup/users/evilsocket
permissions-policy: interest-cohort=()
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none
x-request-id: F_hB9yUAADe3YJ0AOLAS
x-xss-protection: 0

<html><body>You are being <a href="https://bird.makeup/users/evilsocket">redirected</a>.</body></html>
$ _

You really have to make the redirects work for AP requests as well, otherwise it can’t work when a user searches for a URL an Akkoma user sent them on their own instance.

What did you expect to happen?

No response

What actually happened?

No response

Logs

No response

Severity

No response

Have you searched for this issue?

  • I have double-checked and have not found this issue mentioned anywhere.
mirabilos added the bug label 2024-09-24 18:37:17 +00:00

i disagree with your analysis

we are not the authority on remote users - requesting the AP data for https://infosec.place/users/AlXRUAEjZWsAzH4Zm4, which is actually https://bird.makeup/users/evilsocket should indeed return 404 - you've requested AP, we cannot return that AP authoritatively, the url is not found

Author

But when an Akkoma user copies the link to a third-instance user’s profile and sends that link to me, it DOES NOT WORK unless you add the redirection which you ALREADY HAVE for the browser.

Just make it so that the 302 is also returned for AP requests and things will become interoperable.

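The two positions above (the reporter wants the 302 for AP requests too; the maintainer objects that infosec.place is not authoritative for a bird.makeup actor) can both be satisfied on the fetching side. The following is an added example, not Akkoma's code and not from either participant: a fetcher that follows the redirect the reporter asks for, but only accepts the final document if its `id` equals the URL it was actually served from, so the infosec.place alias is never treated as an identity and a redirect cannot make one host vouch for another. The HTTP layer is replaced by a constructed in-memory table so it runs offline; the two infosec.place/bird.makeup URLs are taken from the issue, while the actor body, the `/users/spoof` alias and the `evil.example` host are made up for the demonstration.

```python
"""Simulated ActivityPub actor fetch that follows a 302 and then checks that
the returned document is authoritative for the URL it came from.

Added example; not code from Akkoma or from the issue above. Network access
is replaced by the constructed ACTOR_TABLE below.
"""
from dataclasses import dataclass
from typing import Optional

AP_ACCEPT = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'


@dataclass
class Response:
    status: int
    headers: dict
    body: Optional[dict] = None


# Constructed transport: what each URL answers to an AP GET.
ACTOR_TABLE = {
    # The redirect the reporter asks infosec.place to emit for AP requests.
    "https://infosec.place/users/AlXRUAEjZWsAzH4Zm4": Response(
        302, {"location": "https://bird.makeup/users/evilsocket"}),
    # The authoritative actor document (body is made up).
    "https://bird.makeup/users/evilsocket": Response(
        200, {"content-type": "application/activity+json"},
        {"id": "https://bird.makeup/users/evilsocket", "type": "Person",
         "preferredUsername": "evilsocket"}),
    # Hypothetical hostile target: a document whose `id` claims to be an
    # infosec.place user even though it was served from evil.example.
    "https://infosec.place/users/spoof": Response(
        302, {"location": "https://evil.example/actor"}),
    "https://evil.example/actor": Response(
        200, {"content-type": "application/activity+json"},
        {"id": "https://infosec.place/users/admin", "type": "Person"}),
}


class FetchError(Exception):
    pass


def http_get(url: str, accept: str = AP_ACCEPT) -> Response:
    """Stand-in for a real GET with an AP Accept header; table lookup only."""
    return ACTOR_TABLE.get(url, Response(404, {}, None))


def fetch_actor(url: str, max_redirects: int = 3):
    """Fetch an AP actor, following up to max_redirects redirects.

    Returns (final_url, actor). The document is accepted only if its `id`
    equals the URL it was finally served from: the alias we started at is
    never used as the actor's identity, and a redirect target cannot claim
    an id on another origin.
    """
    current = url
    for _ in range(max_redirects + 1):
        resp = http_get(current)
        if resp.status in (301, 302, 307, 308):
            location = resp.headers.get("location")
            if not location:
                raise FetchError(f"{current}: redirect without Location")
            current = location
            continue
        if resp.status != 200 or resp.body is None:
            raise FetchError(f"{current}: HTTP {resp.status}")
        actor_id = resp.body.get("id")
        if actor_id != current:
            raise FetchError(
                f"{current}: document claims id {actor_id!r}, rejecting")
        return current, resp.body
    raise FetchError(f"{url}: too many redirects")


if __name__ == "__main__":
    final_url, actor = fetch_actor("https://infosec.place/users/AlXRUAEjZWsAzH4Zm4")
    print("resolved", final_url, "->", actor["preferredUsername"])
    for bad in ("https://infosec.place/users/spoof",
                "https://infosec.place/users/does-not-exist"):
        try:
            fetch_actor(bad)
        except FetchError as exc:
            print("rejected:", exc)
```

With this check in place the alias URL resolves to the bird.makeup actor and is keyed under `https://bird.makeup/users/evilsocket`, never under the infosec.place URL, which is the property the maintainer's "not authoritative" argument is protecting; the made-up spoof alias is rejected because the served document's `id` does not match the URL it came from.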
Reference: AkkomaGang/akkoma#835