From 68ef81ccec6331bc9e1fe5b3cb9fc0baf720cabb Mon Sep 17 00:00:00 2001
From: Ryan Barrett <git@ryanb.org>
Date: Sat, 1 Jun 2024 17:52:05 -0700
Subject: [PATCH] webfinger: 404 requests for web users with unknown username

ie username doesn't match domain or mf2 custom username

fixes #1025
---
 tests/test_webfinger.py | 16 +++++++++++++++-
 webfinger.py            | 11 +++++++----
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/tests/test_webfinger.py b/tests/test_webfinger.py
index 60e5dd8a..84ccfc50 100644
--- a/tests/test_webfinger.py
+++ b/tests/test_webfinger.py
@@ -168,7 +168,7 @@ class WebfingerTest(TestCase):
         })
 
     def test_webfinger(self):
-        for resource in ('user.com@user.com', 'acct:user.com@user.com', 'xyz@user.com',
+        for resource in ('user.com@user.com', 'acct:user.com@user.com',
                          'user.com', 'http://user.com/', 'https://user.com/',
                          'http://localhost/user.com'):
             with self.subTest(resource=resource):
@@ -308,6 +308,20 @@ class WebfingerTest(TestCase):
         got = self.client.get(f'/.well-known/webfinger?resource=acct:user.com@user.com')
         self.assertEqual(404, got.status_code)
 
+    def test_user_not_custom_username(self):
+        for base_url in (None, 'https://web.brid.gy/', 'https://fed.brid.gy/'):
+            with self.subTest(base_url=base_url):
+                got = self.client.get(
+                    f'/.well-known/webfinger?resource=acct:foo@user.com',
+                    base_url=base_url)
+                self.assertEqual(404, got.status_code)
+
+    def test_missing_user_web_subdomain(self):
+        self.user.direct = False
+        self.user.put()
+        got = self.client.get(f'/.well-known/webfinger?resource=acct:foo@bar.com')
+        self.assertEqual(404, got.status_code)
+
     def test_protocol_not_enabled(self):
         self.make_user('eefake:user', cls=ExplicitEnableFake)
         got = self.client.get(f'/.well-known/webfinger?resource=acct:eefake:user@eefake.brid.gy')
diff --git a/webfinger.py b/webfinger.py
index 733cea57..1001418e 100644
--- a/webfinger.py
+++ b/webfinger.py
@@ -59,13 +59,14 @@ class Webfinger(flask_util.XrdOrJrd):
         allow_indirect = False
         cls = None
         try:
-            user, id = util.parse_acct_uri(resource)
+            username, server = util.parse_acct_uri(resource)
+            id = server
             cls = Protocol.for_bridgy_subdomain(id, fed='web')
             if cls:
-                id = user
+                id = username
                 allow_indirect = True
         except ValueError:
-            id = urlparse(resource).netloc or resource
+            id = username = server = urlparse(resource).netloc or resource
 
         if id == PRIMARY_DOMAIN or id in PROTOCOL_DOMAINS:
             cls = Web
@@ -98,7 +99,9 @@ class Webfinger(flask_util.XrdOrJrd):
             if user and not user.direct:
                 error(f"{user.key} hasn't signed up yet", status=404)
 
-        if not user or not user.is_enabled(activitypub.ActivityPub):
+        if (not user
+                or not user.is_enabled(activitypub.ActivityPub)
+                or (cls == Web and username not in (user.key.id(), user.username()))):
             error(f'No {cls.LABEL} user found for {id}', status=404)
 
         ap_handle = user.handle_as('activitypub')