verify_link_service_spec.rb 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178
  1. # frozen_string_literal: true
  2. require 'rails_helper'
  3. RSpec.describe VerifyLinkService, type: :service do
  4. subject { described_class.new }
  5. context 'when given a local account' do
  6. let(:account) { Fabricate(:account, username: 'alice') }
  7. let(:field) { Account::Field.new(account, 'name' => 'Website', 'value' => 'http://example.com') }
  8. before do
  9. stub_request(:head, 'https://redirect.me/abc').to_return(status: 301, headers: { 'Location' => ActivityPub::TagManager.instance.url_for(account) })
  10. stub_request(:get, 'http://example.com').to_return(status: 200, body: html)
  11. subject.call(field)
  12. end
  13. context 'when a link contains an <a> back' do
  14. let(:html) do
  15. <<-HTML
  16. <!doctype html>
  17. <body>
  18. <a href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me">Follow me on Mastodon</a>
  19. </body>
  20. HTML
  21. end
  22. it 'marks the field as verified' do
  23. expect(field.verified?).to be true
  24. end
  25. end
  26. context 'when a link contains an <a rel="noopener noreferrer"> back' do
  27. let(:html) do
  28. <<-HTML
  29. <!doctype html>
  30. <body>
  31. <a href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me noopener noreferrer" target="_blank">Follow me on Mastodon</a>
  32. </body>
  33. HTML
  34. end
  35. it 'marks the field as verified' do
  36. expect(field.verified?).to be true
  37. end
  38. end
  39. context 'when a link contains a <link> back' do
  40. let(:html) do
  41. <<-HTML
  42. <!doctype html>
  43. <head>
  44. <link type="text/html" href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me" />
  45. </head>
  46. HTML
  47. end
  48. it 'marks the field as verified' do
  49. expect(field.verified?).to be true
  50. end
  51. end
  52. context 'when a link goes through a redirect back' do
  53. let(:html) do
  54. <<-HTML
  55. <!doctype html>
  56. <head>
  57. <link type="text/html" href="https://redirect.me/abc" rel="me" />
  58. </head>
  59. HTML
  60. end
  61. it 'marks the field as verified' do
  62. expect(field.verified?).to be true
  63. end
  64. end
  65. context 'when a document is truncated but the link back is valid' do
  66. let(:html) do
  67. "
  68. <!doctype html>
  69. <body>
  70. <a rel=\"me\" href=\"#{ActivityPub::TagManager.instance.url_for(account)}\"
  71. "
  72. end
  73. it 'marks the field as not verified' do
  74. expect(field.verified?).to be false
  75. end
  76. end
  77. context 'when a link back might be truncated' do
  78. let(:html) do
  79. "
  80. <!doctype html>
  81. <body>
  82. <a rel=\"me\" href=\"#{ActivityPub::TagManager.instance.url_for(account)}"
  83. end
  84. it 'does not mark the field as verified' do
  85. expect(field.verified?).to be false
  86. end
  87. end
  88. context 'when a link does not contain a link back' do
  89. let(:html) { '' }
  90. it 'does not mark the field as verified' do
  91. expect(field.verified?).to be false
  92. end
  93. end
  94. context 'when link has no `href` attribute' do
  95. let(:html) do
  96. <<-HTML
  97. <!doctype html>
  98. <head>
  99. <link type="text/html" rel="me" />
  100. </head>
  101. <body>
  102. <a rel="me" target="_blank">Follow me on Mastodon</a>
  103. </body>
  104. HTML
  105. end
  106. it 'does not mark the field as verified' do
  107. expect(field.verified?).to be false
  108. end
  109. end
  110. end
  111. context 'when given a remote account' do
  112. let(:account) { Fabricate(:account, username: 'alice', domain: 'example.com', url: 'https://profile.example.com/alice') }
  113. let(:field) { Account::Field.new(account, 'name' => 'Website', 'value' => '<a href="http://example.com" rel="me"><span class="invisible">http://</span><span class="">example.com</span><span class="invisible"></span></a>') }
  114. before do
  115. stub_request(:get, 'http://example.com').to_return(status: 200, body: html)
  116. subject.call(field)
  117. end
  118. context 'when a link contains an <a> back' do
  119. let(:html) do
  120. <<-HTML
  121. <!doctype html>
  122. <body>
  123. <a href="https://profile.example.com/alice" rel="me">Follow me on Mastodon</a>
  124. </body>
  125. HTML
  126. end
  127. it 'marks the field as verified' do
  128. expect(field.verified?).to be true
  129. end
  130. end
  131. context 'when the link contains a link with a missing protocol slash' do
  132. # This was seen in the wild where a user had three pages:
  133. # 1. their mastodon profile, which linked to github and the personal website
  134. # 2. their personal website correctly linking back to mastodon
  135. # 3. a github profile that was linking to the personal website, but with
  136. # a malformed protocol of http:/
  137. #
  138. # This caused link verification between the mastodon profile and the
  139. # website to fail.
  140. #
  141. # apparently github allows the user to enter website URLs with a single
  142. # slash and makes no attempts to correct that.
  143. let(:html) { '<a href="http:/unrelated.example">Hello</a>' }
  144. it 'does not crash' do
  145. # We could probably put more effort into perhaps auto-correcting the
  146. # link and following it anyway, but at the very least we shouldn't let
  147. # exceptions bubble up
  148. expect(field.verified?).to be false
  149. end
  150. end
  151. end
  152. end