AkkomaGang/akkoma
AkkomaGang/akkoma
17
68
Fork 110
Code Issues 145 Pull requests 16 Projects 2 Releases 21 Packages Wiki Activity

Fix WebFinger for split-domain setups #1032

Open
mkljczk wants to merge 6 commits from mkljczk/akkoma:webfinger-actual-fix into develop
pull from: mkljczk/akkoma:webfinger-actual-fix
merge into: AkkomaGang:develop
Conversation 1 Commits 6 Files changed 3 +135 -32
mkljczk commented 2025-12-15 16:25:34 +00:00
Contributor
Copy link

Currently, running a webfinger query like WebFinger.finger("hswaw@social.hackerspace.pl") fails in the validate_webfinger/2 function due to a hostname mismatch.

As a result, when update_nickname_on_user_fetch is enabled (which is the default), fetching and updating a user — eg. via Pleroma.Web.ActivityPub.ActivityPub.generate_nickname/1 — causes the stored nickname to change to include the domain name from actor's AP url.

The issue doesn't happen when resolving addresses of instances having a /.well-known/host-meta redirect between domains. However, Mastodon documentation doesn't instruct admins to configure such a redirect.

My PR resolves this issue, while keeping the existing spoofing prevention working (it worked before a security fix introduced a regression which I only partially fixed).

Currently, running a webfinger query like `WebFinger.finger("hswaw@social.hackerspace.pl")` fails in the `validate_webfinger/2` function due to a hostname mismatch. As a result, when `update_nickname_on_user_fetch` is enabled (which is the default), fetching and updating a user — eg. via `Pleroma.Web.ActivityPub.ActivityPub.generate_nickname/1` — causes the stored nickname to change to include the domain name from actor's AP url. The issue doesn't happen when resolving addresses of instances having a `/.well-known/host-meta` redirect between domains. However, Mastodon documentation [doesn't instruct admins](https://docs.joinmastodon.org/admin/config/#web_domain) to configure such a redirect. My PR resolves this issue, while keeping the existing spoofing prevention working (it worked before [a security fix](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/4114) introduced a regression which I [only partially fixed](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/4116)).
Signed-off-by: nicole mikołajczyk <git@mkljczk.pl>
Update tests, make the mastodon subdomain example not have the /.well-known/host-meta redirect, as the docs don't include it
Some checks are pending
ci/woodpecker/pr/test/1 Pipeline is pending approval
Details
ci/woodpecker/pr/test/2 Pipeline is pending approval
Details
5a6f0408c8 
Signed-off-by: nicole mikołajczyk <git@mkljczk.pl>
Signed-off-by: nicole mikołajczyk <git@mkljczk.pl>
WebFinger: Tighten the requirements.
Some checks are pending
ci/woodpecker/pr/test/1 Pipeline is pending approval
Details
ci/woodpecker/pr/test/2 Pipeline is pending approval
Details
221d995d51
floatingghost reviewed 2026-02-04 21:58:10 +00:00
floatingghost left a comment
Owner
Copy link

i'm not seeing much wrong here, just one thing to potentially change up

i'm not seeing much wrong here, just one thing to potentially change up
test/pleroma/web/web_finger_test.exs Outdated
@ -185,2 +185,4 @@
body: File.read!("test/fixtures/tesla_mock/bad.com_host_meta")
}}
%{url: "https://whitehouse.gov/.well-known/webfinger?resource=acct:trump@whitehouse.gov"} ->
floatingghost commented 2026-02-04 21:57:08 +00:00
Owner
Copy link

this is a very specific gripe but we should probably avoid having outright irl politics in our test strings

this is a very specific gripe but we should probably avoid having outright irl politics in our test strings
mkljczk commented 2026-02-04 23:18:30 +00:00
Author
Contributor
Copy link

Thanks, accidentally merged this from Pleroma, this mock was not even used

Thanks, accidentally merged this from Pleroma, this mock was not even used
Remove unused mock
Some checks are pending
ci/woodpecker/pr/test/1 Pipeline is pending approval
Details
ci/woodpecker/pr/test/2 Pipeline is pending approval
Details
b9c72f2d4d 
Signed-off-by: nicole mikołajczyk <git@mkljczk.pl>
Some checks are pending
ci/woodpecker/pr/test/1 Pipeline is pending approval
Details
ci/woodpecker/pr/test/2 Pipeline is pending approval
Details
This pull request can be merged automatically.
This branch is out-of-date with the base branch
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u webfinger-actual-fix:mkljczk-webfinger-actual-fix
git switch mkljczk-webfinger-actual-fix
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
approved, awaiting change

   
broken setup

Issue arose from a misconfiguration by the admin, custom patches, manual db edits or similar

  
bug

Something is not working

  
cannot reproduce

   
configuration

This requires config changes

  
documentation

This is about human-readable docs

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
extremely low priority

   
feature request

Something new?

  
Fix it yourself

Support has been attempted

  
help wanted

Need some help

  
invalid

Something is wrong

  
mastodon_api

   
needs change/feedback

Issue or PR is stalled on response from the author or a third party

  
needs docs

   
needs tests

   
not a bug

   
not our bug

Bug in a dependency of ours (meaning we can't just fix it), or in another AP implementation or client interfacing with Akkoma (which needs to be fixed on their end)

  
planned

   
pleroma_api

   
privacy

   
question

More information is needed

  
static_fe

   
triage

   
wontfix

This won't be fixed

No labels
approved, awaiting change
broken setup
bug
cannot reproduce
configuration
documentation
duplicate
enhancement
extremely low priority
feature request
Fix it yourself
help wanted
invalid
mastodon_api
needs change/feedback
needs docs
needs tests
not a bug
not our bug
planned
pleroma_api
privacy
question
static_fe
triage
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
AkkomaGang/akkoma!1032
No description provided.