From 0f2c707ad159ebc8a80fc6408aa50d9500bf0358 Mon Sep 17 00:00:00 2001
From: smitten <everything-cozy@pm.me>
Date: Thu, 27 Jul 2023 15:55:05 -0400
Subject: [PATCH] Remove webfinger support, these are not properly formatted
 URIs, more consideration of syntax needs to be done strip userinfo from URI,
 if present

---
 .../protocol_handler_controller.ex            | 17 +++------
 .../protocol_handler_controller_test.exs      | 38 +++++++------------
 2 files changed, 18 insertions(+), 37 deletions(-)

diff --git a/lib/pleroma/web/akkoma_api/controllers/protocol_handler_controller.ex b/lib/pleroma/web/akkoma_api/controllers/protocol_handler_controller.ex
index ffc7f1dcd..82d618ed9 100644
--- a/lib/pleroma/web/akkoma_api/controllers/protocol_handler_controller.ex
+++ b/lib/pleroma/web/akkoma_api/controllers/protocol_handler_controller.ex
@@ -38,19 +38,12 @@ def handle(%{assigns: %{user: user}} = conn, %{"target" => "web+ap://" <> identi
 
   def handle(conn, _), do: conn |> json_response(:bad_request, "Could not handle protocol URL")
 
-  # Should webfinger handles even be accepted? They are not ActivityPub URLs
-  defp find_and_redirect(conn, "@" <> identifier) do
-    with {:error, _err} <- User.get_or_fetch(identifier) do
-      conn |> json_response(:not_found, "Not Found - @#{identifier}")
-    else
-      {:ok, %User{} = found_user} -> conn |> redirect(to: "/users/#{found_user.id}")
-    end
-  end
-
   defp find_and_redirect(%{assigns: %{user: user}} = conn, identifier) do
-    with {:error, _err} <- User.get_or_fetch("https://" <> identifier),
-        [] <- DatabaseSearch.maybe_fetch([], user, "https://" <> identifier) do
-      conn |> json_response(:not_found, "Not Found - #{identifier}")
+    # Remove userinfo if present (username:password@)
+    cleaned = String.replace(identifier, ~r/^[^\/]*?@/, "")
+    with {:error, _err} <- User.get_or_fetch("https://" <> cleaned),
+        [] <- DatabaseSearch.maybe_fetch([], user, "https://" <> cleaned) do
+      conn |> json_response(:not_found, "Not Found - #{cleaned}")
     else
       {:ok, %User{} = found_user} -> conn |> redirect(to: "/users/#{found_user.id}")
 
diff --git a/test/pleroma/web/akkoma_api/protocol_handler_controller_test.exs b/test/pleroma/web/akkoma_api/protocol_handler_controller_test.exs
index 314815f20..556b94b74 100644
--- a/test/pleroma/web/akkoma_api/protocol_handler_controller_test.exs
+++ b/test/pleroma/web/akkoma_api/protocol_handler_controller_test.exs
@@ -42,18 +42,6 @@ test "should return bad_request when target prefix has unknown protocol" do
       assert resp =~ "Could not handle protocol URL"
     end
 
-    test "should return forbidden for unauthed user when target is webfinger handle" do
-      clear_config([Pleroma.Web.Endpoint, :url, :host], "sub.example.com")
-      %{conn: conn} = oauth_access([])
-
-      resp =
-        conn
-        |> get("/api/v1/akkoma/protocol-handler?target=web%2Bap%3A%2F%2F%40akkoma%40ihatebeinga.live")
-        |> json_response(403)
-
-      assert resp =~ "Invalid credentials."
-    end
-
     test "should return forbidden for unauthed user when target is remote" do
       clear_config([Pleroma.Web.Endpoint, :url, :host], "sub.example.com")
       %{conn: conn} = oauth_access([])
@@ -118,19 +106,6 @@ test "should return redirect for unauthed user when target is local AP ID for no
       assert resp =~ "<a href=\"/notice/#{activity.id}\">"
     end
 
-    test "should return redirect for authed user when target is webfinger handle" do
-      %{conn: conn} = oauth_access(["read:search"])
-      remote_user = insert(:user, %{nickname: "akkoma@ihatebeinga.live", local: false})
-
-      resp =
-        conn
-        |> get("/api/v1/akkoma/protocol-handler?target=web%2Bap%3A%2F%2F%40akkoma%40ihatebeinga.live")
-        |> html_response(302)
-
-      assert resp =~ "You are being"
-      assert resp =~ "<a href=\"/users/#{remote_user.id}\">"
-    end
-
     test "should return redirect for authed user when target is AP ID for user" do
       %{conn: conn} = oauth_access(["read:search"])
       remote_user = insert(:user, %{nickname: "akkoma@ihatebeinga.live", local: false, ap_id: "https://ihatebeinga.live/users/akkoma"})
@@ -144,6 +119,19 @@ test "should return redirect for authed user when target is AP ID for user" do
       assert resp =~ "<a href=\"/users/#{remote_user.id}\">"
     end
 
+    test "should return redirect for authed user when target is AP ID for user, stripping userinfo" do
+      %{conn: conn} = oauth_access(["read:search"])
+      remote_user = insert(:user, %{nickname: "akkoma@ihatebeinga.live", local: false, ap_id: "https://ihatebeinga.live/users/akkoma"})
+
+      resp =
+        conn
+        |> get("/api/v1/akkoma/protocol-handler?target=web%2Bap%3A%2F%2Fusername%3Apassword%40ihatebeinga.live/users/akkoma")
+        |> html_response(302)
+
+      assert resp =~ "You are being"
+      assert resp =~ "<a href=\"/users/#{remote_user.id}\">"
+    end
+
     test "should return redirect for authed user when target is AP ID for note activity" do
       Tesla.Mock.mock(fn
         %{method: :get, url: "https://mastodon.social/users/emelie/statuses/101849165031453009"} ->