1
0

verify_link_service_spec.rb 5.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199
  1. # frozen_string_literal: true
  2. require 'rails_helper'
  3. RSpec.describe VerifyLinkService do
  4. subject { described_class.new }
  5. context 'when given a local account' do
  6. let(:account) { Fabricate(:account, username: 'alice') }
  7. let(:field) { Account::Field.new(account, 'name' => 'Website', 'value' => 'http://example.com') }
  8. before do
  9. stub_request(:head, 'https://redirect.me/abc').to_return(status: 301, headers: { 'Location' => ActivityPub::TagManager.instance.url_for(account) })
  10. stub_request(:head, 'http://unrelated-site.com').to_return(status: 301)
  11. stub_request(:get, 'http://example.com').to_return(status: 200, body: html)
  12. subject.call(field)
  13. end
  14. context 'when a link contains an <a> back' do
  15. let(:html) do
  16. <<~HTML
  17. <!doctype html>
  18. <body>
  19. <a href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me">Follow me on Mastodon</a>
  20. </body>
  21. HTML
  22. end
  23. it 'marks the field as verified' do
  24. expect(field.verified?).to be true
  25. end
  26. end
  27. context 'when a link contains an <a rel="me noopener noreferrer"> back' do
  28. let(:html) do
  29. <<~HTML
  30. <!doctype html>
  31. <body>
  32. <a href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me noopener noreferrer" target="_blank">Follow me on Mastodon</a>
  33. </body>
  34. HTML
  35. end
  36. it 'marks the field as verified' do
  37. expect(field.verified?).to be true
  38. end
  39. end
  40. context 'when a link contains a <link> back' do
  41. let(:html) do
  42. <<~HTML
  43. <!doctype html>
  44. <head>
  45. <link type="text/html" href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me" />
  46. </head>
  47. HTML
  48. end
  49. it 'marks the field as verified' do
  50. expect(field.verified?).to be true
  51. end
  52. end
  53. context 'when a link goes through a redirect back' do
  54. let(:html) do
  55. <<~HTML
  56. <!doctype html>
  57. <head>
  58. <link type="text/html" href="https://redirect.me/abc" rel="me" />
  59. </head>
  60. HTML
  61. end
  62. it 'marks the field as verified' do
  63. expect(field.verified?).to be true
  64. end
  65. end
  66. context 'when a document is truncated but the link back is valid' do
  67. let(:html) do
  68. <<-HTML
  69. <!doctype html>
  70. <body>
  71. <a rel="me" href="#{ActivityPub::TagManager.instance.url_for(account)}">
  72. HTML
  73. end
  74. it 'marks the field as verified' do
  75. expect(field.verified?).to be true
  76. end
  77. end
  78. context 'when a link tag might be truncated' do
  79. let(:html) do
  80. <<-HTML_TRUNCATED
  81. <!doctype html>
  82. <body>
  83. <a rel="me" href="#{ActivityPub::TagManager.instance.url_for(account)}"
  84. HTML_TRUNCATED
  85. end
  86. it 'marks the field as not verified' do
  87. expect(field.verified?).to be false
  88. end
  89. end
  90. context 'when a link does not contain a link back' do
  91. let(:html) { '' }
  92. it 'does not mark the field as verified' do
  93. expect(field.verified?).to be false
  94. end
  95. end
  96. context 'when link has no `href` attribute' do
  97. let(:html) do
  98. <<~HTML
  99. <!doctype html>
  100. <head>
  101. <link type="text/html" rel="me" />
  102. </head>
  103. <body>
  104. <a rel="me" target="_blank">Follow me on Mastodon</a>
  105. </body>
  106. HTML
  107. end
  108. it 'does not mark the field as verified' do
  109. expect(field.verified?).to be false
  110. end
  111. end
  112. context 'when a link contains a link to an unexpected URL' do
  113. let(:html) do
  114. <<~HTML
  115. <!doctype html>
  116. <body>
  117. <a href="http://unrelated-site.com" rel="me">Follow me on Unrelated Site</a>
  118. </body>
  119. HTML
  120. end
  121. it 'does not mark the field as verified' do
  122. expect(field.verified?).to be false
  123. end
  124. end
  125. end
  126. context 'when given a remote account' do
  127. let(:account) { Fabricate(:account, username: 'alice', domain: 'example.com', url: 'https://profile.example.com/alice') }
  128. let(:field) { Account::Field.new(account, 'name' => 'Website', 'value' => '<a href="http://example.com" rel="me"><span class="invisible">http://</span><span class="">example.com</span><span class="invisible"></span></a>') }
  129. before do
  130. stub_request(:get, 'http://example.com').to_return(status: 200, body: html)
  131. subject.call(field)
  132. end
  133. context 'when a link contains an <a> back' do
  134. let(:html) do
  135. <<~HTML
  136. <!doctype html>
  137. <body>
  138. <a href="https://profile.example.com/alice" rel="me">Follow me on Mastodon</a>
  139. </body>
  140. HTML
  141. end
  142. it 'marks the field as verified' do
  143. expect(field.verified?).to be true
  144. end
  145. end
  146. context 'when the link contains a link with a missing protocol slash' do
  147. # This was seen in the wild where a user had three pages:
  148. # 1. their mastodon profile, which linked to github and the personal website
  149. # 2. their personal website correctly linking back to mastodon
  150. # 3. a github profile that was linking to the personal website, but with
  151. # a malformed protocol of http:/
  152. #
  153. # This caused link verification between the mastodon profile and the
  154. # website to fail.
  155. #
  156. # apparently github allows the user to enter website URLs with a single
  157. # slash and makes no attempts to correct that.
  158. let(:html) do
  159. <<-HTML
  160. <a href="http:/unrelated.example">Hello</a>
  161. HTML
  162. end
  163. it 'does not crash' do
  164. # We could probably put more effort into perhaps auto-correcting the
  165. # link and following it anyway, but at the very least we shouldn't let
  166. # exceptions bubble up
  167. expect(field.verified?).to be false
  168. end
  169. end
  170. end
  171. end