bridgy-fed/redirect.py

"""Simple conneg endpoint that serves AS2 or redirects to to the original post.

Serves /r/https://foo.com/bar URL paths, where https://foo.com/bar is an
original post. Needed for Mastodon interop, they require that AS2 object ids and
urls are on the same domain that serves them. Background:

https://github.com/snarfed/bridgy-fed/issues/16#issuecomment-424799599
https://github.com/tootsuite/mastodon/pull/6219#issuecomment-429142747

The conneg makes these /r/ URLs searchable in Mastodon:
https://github.com/snarfed/bridgy-fed/issues/352
"""
import logging
import re
import urllib.parse

from flask import g, redirect, request
from granary import as2
from negotiator import ContentNegotiator, AcceptParameters, ContentType
from oauth_dropins.webutil import flask_util, util
from oauth_dropins.webutil.flask_util import error
from oauth_dropins.webutil.util import json_dumps, json_loads

from activitypub import ActivityPub
from flask_app import app, cache
from common import CACHE_TIME, CONTENT_TYPE_HTML
from models import Object, User
from web import Web

logger = logging.getLogger(__name__)

_negotiator = ContentNegotiator(acceptable=[
    AcceptParameters(ContentType(CONTENT_TYPE_HTML)),
    AcceptParameters(ContentType(as2.CONTENT_TYPE)),
    AcceptParameters(ContentType(as2.CONTENT_TYPE_LD)),
])


@app.get(r'/r/<path:to>')
@flask_util.cached(cache, CACHE_TIME, headers=['Accept'])
def redir(to):
    """Either redirect to a given URL or convert it to another format.

    E.g. redirects /r/https://foo.com/bar?baz to https://foo.com/bar?baz, or if
    it's requested with AS2 conneg in the Accept header, fetches and converts
    and serves it as AS2.
    """
    if request.args:
        to += '?' + urllib.parse.urlencode(request.args)
    # some browsers collapse repeated /s in the path down to a single slash.
    # if that happened to this URL, expand it back to two /s.
    to = re.sub(r'^(https?:/)([^/])', r'\1/\2', to)

    if not util.is_web(to):
        error(f'Expected fully qualified URL; got {to}')

    to_domain = urllib.parse.urlparse(to).hostname

    # check conneg
    accept_as2 = False
    accept = request.headers.get('Accept')
    if accept:
        try:
            negotiated = _negotiator.negotiate(accept)
        except ValueError:
            # work around https://github.com/CottageLabs/negotiator/issues/6
            negotiated = None
        if negotiated:
            accept_type = str(negotiated.content_type)
            if accept_type in (as2.CONTENT_TYPE, as2.CONTENT_TYPE_LD):
                accept_as2 = True

    # check that we've seen this domain before so we're not an open redirect
    domains = set((util.domain_from_link(to, minimize=True),
                   util.domain_from_link(to, minimize=False),
                   to_domain))
    for domain in domains:
        if domain:
            # TODO(#512): do we need to parameterize this by protocol? or is it
            # only for web?
            g.user = Web.get_by_id(domain)
            if g.user:
                logger.info(f'Found web user for domain {domain}')
                break
    else:
        if accept_as2:
            g.external_user = urllib.parse.urljoin(to, '/')
            logging.info(f'No web user for {g.external_user}')
        else:
            return f'No web user found for any of {domains}', 404

    if accept_as2:
        # AS2 requested, fetch and convert and serve
        obj = Web.load(to, check_backlink=False)
        if not obj or obj.deleted:
            return f'Object not found: {to}', 404
        ret, _ = ActivityPub.serve(obj)
        logger.info(f'Returning: {json_dumps(ret, indent=2)}')
        return ret, {
            'Content-Type': accept_type,
            'Access-Control-Allow-Origin': '*',
        }

    # redirect
    logger.info(f'redirecting to {to}')
    return redirect(to, code=301)
handle full conneg Accept header parsing in /r/ handler for #352 2022-12-26 05:09:34 +00:00			`"""Simple conneg endpoint that serves AS2 or redirects to to the original post.`
add /r/ redirect endpoint for #16, #32. cc @swentel. more to come. 2018-10-14 14:42:28 +00:00
handle full conneg Accept header parsing in /r/ handler for #352 2022-12-26 05:09:34 +00:00			`Serves /r/https://foo.com/bar URL paths, where https://foo.com/bar is an`
			`original post. Needed for Mastodon interop, they require that AS2 object ids and`
			`urls are on the same domain that serves them. Background:`
add /r/ redirect endpoint for #16, #32. cc @swentel. more to come. 2018-10-14 14:42:28 +00:00
			`https://github.com/snarfed/bridgy-fed/issues/16#issuecomment-424799599`
			`https://github.com/tootsuite/mastodon/pull/6219#issuecomment-429142747`
handle full conneg Accept header parsing in /r/ handler for #352 2022-12-26 05:09:34 +00:00
			`The conneg makes these /r/ URLs searchable in Mastodon:`
			`https://github.com/snarfed/bridgy-fed/issues/352`
add /r/ redirect endpoint for #16, #32. cc @swentel. more to come. 2018-10-14 14:42:28 +00:00			`"""`
cache lots of GET requests this helps with requests that make external HTTP fetches, eg indieweb home pages/posts and federated profiles/posts, which change rarely. in particular, outbound AP requests that get federated widely (eg Mastodon) result in all of those federated instances making the same bridgy fed requests at the same time, often within just a few seconds. more background: tootsuite/mastodon#4486 2019-04-16 15:02:19 +00:00			`import logging`
redirect: handle single /s that got collapsed by the browser (etc) 2021-06-29 05:52:04 +00:00			`import re`
stop /r/ from being an open redirect by checking that we've seen the domain 2021-03-07 15:36:34 +00:00			`import urllib.parse`
add /r/ redirect endpoint for #16, #32. cc @swentel. more to come. 2018-10-14 14:42:28 +00:00
move current user into Flask g request-global 2023-03-20 21:28:14 +00:00			`from flask import g, redirect, request`
serve /r/ URLs as AS2 from the datastore, don't fetch and convert on the fly for #392, #378 2023-02-12 02:35:34 +00:00			`from granary import as2`
request caching tweaks, webfinger, use new flask_util.cached headers kwarg 2022-12-26 21:34:50 +00:00			`from negotiator import ContentNegotiator, AcceptParameters, ContentType`
move Flask utils to oauth_dropins.webutil.flask_util corresponds to snarfed/webutil@5574bb23fa88df899a3d539123797ef1ef0e995d 2021-07-18 04:22:13 +00:00			`from oauth_dropins.webutil import flask_util, util`
move common.error() to webutil.flask_util corresponds to snarfed/webutil@10c088cebd104c6b2e6deecf564fee65f1d489ce 2021-08-06 17:29:25 +00:00			`from oauth_dropins.webutil.flask_util import error`
serve /r/ URLs as AS2 from the datastore, don't fetch and convert on the fly for #392, #378 2023-02-12 02:35:34 +00:00			`from oauth_dropins.webutil.util import json_dumps, json_loads`
add /r/ redirect endpoint for #16, #32. cc @swentel. more to come. 2018-10-14 14:42:28 +00:00
AP users: extract out Protocol.serve() method #512 2023-05-24 04:30:57 +00:00			`from activitypub import ActivityPub`
switch circular imports to runtime imports; split out flask_app.py from app.py runtime imports are just as bad, but...meh. eventually I'll untangle them for real. #486 2023-04-19 00:17:48 +00:00			`from flask_app import app, cache`
start to separate logic from protocols with new Protocol/ActivityPub classes for #388 2023-03-08 21:10:41 +00:00			`from common import CACHE_TIME, CONTENT_TYPE_HTML`
serve /r/ URLs as AS2 from the datastore, don't fetch and convert on the fly for #392, #378 2023-02-12 02:35:34 +00:00			`from models import Object, User`
rename Webmention class => Web, webmention.py => web.py 2023-05-27 00:40:29 +00:00			`from web import Web`
add /r/ redirect endpoint for #16, #32. cc @swentel. more to come. 2018-10-14 14:42:28 +00:00
logging: use separate loggers for each module with their names 2022-02-12 06:38:56 +00:00			`logger = logging.getLogger(__name__)`

handle full conneg Accept header parsing in /r/ handler for #352 2022-12-26 05:09:34 +00:00			`_negotiator = ContentNegotiator(acceptable=[`
			`AcceptParameters(ContentType(CONTENT_TYPE_HTML)),`
noop: drop content type constants in common, use granary's instead 2023-01-07 05:01:33 +00:00			`AcceptParameters(ContentType(as2.CONTENT_TYPE)),`
			`AcceptParameters(ContentType(as2.CONTENT_TYPE_LD)),`
handle full conneg Accept header parsing in /r/ handler for #352 2022-12-26 05:09:34 +00:00			`])`

cache lots of GET requests this helps with requests that make external HTTP fetches, eg indieweb home pages/posts and federated profiles/posts, which change rarely. in particular, outbound AP requests that get federated widely (eg Mastodon) result in all of those federated instances making the same bridgy fed requests at the same time, often within just a few seconds. more background: tootsuite/mastodon#4486 2019-04-16 15:02:19 +00:00
flask: port XrdOrJrdHandler, finish porting webfinger 2021-07-11 23:30:14 +00:00			`@app.get(r'/r/<path:to>')`
serve /r/ URLs as AS2 from the datastore, don't fetch and convert on the fly for #392, #378 2023-02-12 02:35:34 +00:00			`@flask_util.cached(cache, CACHE_TIME, headers=['Accept'])`
Flask routing tweak, don't redirect URLs with empty path elements 2021-08-06 17:28:56 +00:00			`def redir(to):`
AP users: serve AS2 for external URLs #512 2023-05-22 22:27:43 +00:00			`"""Either redirect to a given URL or convert it to another format.`
add /r/ redirect endpoint for #16, #32. cc @swentel. more to come. 2018-10-14 14:42:28 +00:00
AP users: serve AS2 for external URLs #512 2023-05-22 22:27:43 +00:00			`E.g. redirects /r/https://foo.com/bar?baz to https://foo.com/bar?baz, or if`
			`it's requested with AS2 conneg in the Accept header, fetches and converts`
			`and serves it as AS2.`
add /r/ redirect endpoint for #16, #32. cc @swentel. more to come. 2018-10-14 14:42:28 +00:00			`"""`
flask: port /r/, start to port common 2021-07-08 04:02:13 +00:00			`if request.args:`
			`to += '?' + urllib.parse.urlencode(request.args)`
			`# some browsers collapse repeated /s in the path down to a single slash.`
			`# if that happened to this URL, expand it back to two /s.`
			`to = re.sub(r'^(https?:/)([^/])', r'\1/\2', to)`

use util.is_web() more 2022-12-10 17:04:05 +00:00			`if not util.is_web(to):`
move common.error() to webutil.flask_util corresponds to snarfed/webutil@10c088cebd104c6b2e6deecf564fee65f1d489ce 2021-08-06 17:29:25 +00:00			`error(f'Expected fully qualified URL; got {to}')`
flask: port /r/, start to port common 2021-07-08 04:02:13 +00:00
AP users: serve AS2 for external URLs #512 2023-05-22 22:27:43 +00:00			`to_domain = urllib.parse.urlparse(to).hostname`

			`# check conneg`
			`accept_as2 = False`
			`accept = request.headers.get('Accept')`
			`if accept:`
			`try:`
			`negotiated = _negotiator.negotiate(accept)`
			`except ValueError:`
			`# work around https://github.com/CottageLabs/negotiator/issues/6`
			`negotiated = None`
			`if negotiated:`
			`accept_type = str(negotiated.content_type)`
			`if accept_type in (as2.CONTENT_TYPE, as2.CONTENT_TYPE_LD):`
			`accept_as2 = True`

flask: port /r/, start to port common 2021-07-08 04:02:13 +00:00			`# check that we've seen this domain before so we're not an open redirect`
don't strip www, m, and mobile subdomains from user domains fixes #267 2022-11-08 00:26:33 +00:00			`domains = set((util.domain_from_link(to, minimize=True),`
			`util.domain_from_link(to, minimize=False),`
AP users: serve AS2 for external URLs #512 2023-05-22 22:27:43 +00:00			`to_domain))`
flask: port /r/, start to port common 2021-07-08 04:02:13 +00:00			`for domain in domains:`
AP: always generate an actor for every outbound activity for #279 2022-11-16 05:37:39 +00:00			`if domain:`
start to make User subclasses for each protocol #512 2023-05-26 23:07:36 +00:00			`# TODO(#512): do we need to parameterize this by protocol? or is it`
			`# only for web?`
rename Webmention class => Web, webmention.py => web.py 2023-05-27 00:40:29 +00:00			`g.user = Web.get_by_id(domain)`
move current user into Flask g request-global 2023-03-20 21:28:14 +00:00			`if g.user:`
start to make User subclasses for each protocol #512 2023-05-26 23:07:36 +00:00			`logger.info(f'Found web user for domain {domain}')`
AP: always generate an actor for every outbound activity for #279 2022-11-16 05:37:39 +00:00			`break`
flask: port /r/, start to port common 2021-07-08 04:02:13 +00:00			`else:`
AP users: serve AS2 for external URLs #512 2023-05-22 22:27:43 +00:00			`if accept_as2:`
AP users: serve AS2 for external homepage URLs #512 2023-05-23 06:09:36 +00:00			`g.external_user = urllib.parse.urljoin(to, '/')`
start to make User subclasses for each protocol #512 2023-05-26 23:07:36 +00:00			`logging.info(f'No web user for {g.external_user}')`
AP users: serve AS2 for external URLs #512 2023-05-22 22:27:43 +00:00			`else:`
start to make User subclasses for each protocol #512 2023-05-26 23:07:36 +00:00			`return f'No web user found for any of {domains}', 404`
flask: port /r/, start to port common 2021-07-08 04:02:13 +00:00
AP users: serve AS2 for external URLs #512 2023-05-22 22:27:43 +00:00			`if accept_as2:`
			`# AS2 requested, fetch and convert and serve`
rename Webmention class => Web, webmention.py => web.py 2023-05-27 00:40:29 +00:00			`obj = Web.load(to, check_backlink=False)`
AP users: serve AS2 for external URLs #512 2023-05-22 22:27:43 +00:00			`if not obj or obj.deleted:`
			`return f'Object not found: {to}', 404`
AP users: extract out Protocol.serve() method #512 2023-05-24 04:30:57 +00:00			`ret, _ = ActivityPub.serve(obj)`
AP users: serve AS2 for external URLs #512 2023-05-22 22:27:43 +00:00			`logger.info(f'Returning: {json_dumps(ret, indent=2)}')`
			`return ret, {`
			`'Content-Type': accept_type,`
			`'Access-Control-Allow-Origin': '*',`
			`}`
flask: port /r/, start to port common 2021-07-08 04:02:13 +00:00
			`# redirect`
logging: use separate loggers for each module with their names 2022-02-12 06:38:56 +00:00			`logger.info(f'redirecting to {to}')`
flask: port /r/, start to port common 2021-07-08 04:02:13 +00:00			`return redirect(to, code=301)`