1
0

webfinger_spec.rb 6.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257
  1. # frozen_string_literal: true
  2. require 'rails_helper'
  3. RSpec.describe 'The /.well-known/webfinger endpoint' do
  4. subject(:perform_request!) { get webfinger_url(resource: resource) }
  5. let(:alternate_domains) { [] }
  6. let(:alice) { Fabricate(:account, username: 'alice') }
  7. let(:resource) { nil }
  8. around do |example|
  9. tmp = Rails.configuration.x.alternate_domains
  10. Rails.configuration.x.alternate_domains = alternate_domains
  11. example.run
  12. Rails.configuration.x.alternate_domains = tmp
  13. end
  14. shared_examples 'a successful response' do
  15. it 'returns http success with correct media type and headers and body json' do
  16. expect(response).to have_http_status(200)
  17. expect(response.headers['Vary']).to eq('Origin')
  18. expect(response.media_type).to eq 'application/jrd+json'
  19. expect(response.parsed_body)
  20. .to include(
  21. subject: eq('acct:alice@cb6e6126.ngrok.io'),
  22. aliases: include('https://cb6e6126.ngrok.io/@alice', 'https://cb6e6126.ngrok.io/users/alice')
  23. )
  24. end
  25. end
  26. context 'when an account exists' do
  27. let(:resource) { alice.to_webfinger_s }
  28. before do
  29. perform_request!
  30. end
  31. it_behaves_like 'a successful response'
  32. end
  33. context 'when an account is temporarily suspended' do
  34. let(:resource) { alice.to_webfinger_s }
  35. before do
  36. alice.suspend!
  37. perform_request!
  38. end
  39. it_behaves_like 'a successful response'
  40. end
  41. context 'when an account is permanently suspended or deleted' do
  42. let(:resource) { alice.to_webfinger_s }
  43. before do
  44. alice.suspend!
  45. alice.deletion_request.destroy
  46. perform_request!
  47. end
  48. it 'returns http gone' do
  49. expect(response).to have_http_status(410)
  50. end
  51. end
  52. context 'when an account is not found' do
  53. let(:resource) { 'acct:not@existing.com' }
  54. before do
  55. perform_request!
  56. end
  57. it 'returns http not found' do
  58. expect(response).to have_http_status(404)
  59. end
  60. end
  61. context 'with an alternate domain' do
  62. let(:alternate_domains) { ['foo.org'] }
  63. before do
  64. perform_request!
  65. end
  66. context 'when an account exists' do
  67. let(:resource) do
  68. username, = alice.to_webfinger_s.split('@')
  69. "#{username}@foo.org"
  70. end
  71. it_behaves_like 'a successful response'
  72. end
  73. context 'when the domain is wrong' do
  74. let(:resource) do
  75. username, = alice.to_webfinger_s.split('@')
  76. "#{username}@bar.org"
  77. end
  78. it 'returns http not found' do
  79. expect(response).to have_http_status(404)
  80. end
  81. end
  82. end
  83. context 'when the old name scheme is used to query the instance actor' do
  84. let(:resource) do
  85. "#{Rails.configuration.x.local_domain}@#{Rails.configuration.x.local_domain}"
  86. end
  87. before do
  88. perform_request!
  89. end
  90. it 'returns http success' do
  91. expect(response).to have_http_status(200)
  92. end
  93. it 'sets only a Vary Origin header' do
  94. expect(response.headers['Vary']).to eq('Origin')
  95. end
  96. it 'returns application/jrd+json' do
  97. expect(response.media_type).to eq 'application/jrd+json'
  98. end
  99. it 'returns links for the internal account' do
  100. expect(response.parsed_body)
  101. .to include(
  102. subject: 'acct:mastodon.internal@cb6e6126.ngrok.io',
  103. aliases: ['https://cb6e6126.ngrok.io/actor']
  104. )
  105. end
  106. end
  107. context 'with no resource parameter' do
  108. let(:resource) { nil }
  109. before do
  110. perform_request!
  111. end
  112. it 'returns http bad request' do
  113. expect(response).to have_http_status(400)
  114. end
  115. end
  116. context 'with a nonsense parameter' do
  117. let(:resource) { 'df/:dfkj' }
  118. before do
  119. perform_request!
  120. end
  121. it 'returns http bad request' do
  122. expect(response).to have_http_status(400)
  123. end
  124. end
  125. context 'when an account has an avatar' do
  126. let(:alice) { Fabricate(:account, username: 'alice', avatar: attachment_fixture('attachment.jpg')) }
  127. let(:resource) { alice.to_webfinger_s }
  128. it 'returns avatar in response' do
  129. perform_request!
  130. expect(response_avatar_link)
  131. .to be_present
  132. .and include(
  133. type: eq(alice.avatar.content_type),
  134. href: eq(Addressable::URI.new(host: Rails.configuration.x.local_domain, path: alice.avatar.to_s, scheme: 'https').to_s)
  135. )
  136. end
  137. context 'with limited federation mode' do
  138. before do
  139. allow(Rails.configuration.x).to receive(:limited_federation_mode).and_return(true)
  140. end
  141. it 'does not return avatar in response' do
  142. perform_request!
  143. expect(response_avatar_link)
  144. .to be_nil
  145. end
  146. end
  147. context 'when enabling DISALLOW_UNAUTHENTICATED_API_ACCESS' do
  148. around do |example|
  149. ClimateControl.modify DISALLOW_UNAUTHENTICATED_API_ACCESS: 'true' do
  150. example.run
  151. end
  152. end
  153. it 'does not return avatar in response' do
  154. perform_request!
  155. expect(response_avatar_link)
  156. .to be_nil
  157. end
  158. end
  159. end
  160. context 'when an account does not have an avatar' do
  161. let(:alice) { Fabricate(:account, username: 'alice', avatar: nil) }
  162. let(:resource) { alice.to_webfinger_s }
  163. before do
  164. perform_request!
  165. end
  166. it 'does not return avatar in response' do
  167. expect(response_avatar_link)
  168. .to be_nil
  169. end
  170. end
  171. context 'with different headers' do
  172. describe 'requested with standard accepts headers' do
  173. it 'returns a json response' do
  174. get webfinger_url(resource: alice.to_webfinger_s)
  175. expect(response).to have_http_status(200)
  176. expect(response.media_type).to eq 'application/jrd+json'
  177. end
  178. end
  179. describe 'asking for json format' do
  180. it 'returns a json response for json format' do
  181. get webfinger_url(resource: alice.to_webfinger_s, format: :json)
  182. expect(response).to have_http_status(200)
  183. expect(response.media_type).to eq 'application/jrd+json'
  184. end
  185. it 'returns a json response for json accept header' do
  186. headers = { 'HTTP_ACCEPT' => 'application/jrd+json' }
  187. get webfinger_url(resource: alice.to_webfinger_s), headers: headers
  188. expect(response).to have_http_status(200)
  189. expect(response.media_type).to eq 'application/jrd+json'
  190. end
  191. end
  192. end
  193. private
  194. def response_avatar_link
  195. response
  196. .parsed_body[:links]
  197. .find { |link| link[:rel] == 'http://webfinger.net/rel/avatar' }
  198. end
  199. end