webfinger verification: handle URL-encoded Location header

fixes #535
2023-06-08 11:04:11 -07:00 · 2023-06-08 11:04:11 -07:00 · 861552f455
commit 861552f455
--- a/tests/test_web.py
+++ b/tests/test_web.py
@ -1391,7 +1391,9 @@ class WebTest(TestCase):
    def test_verify_neither(self, mock_get, _):
        empty = requests_response('')
        mock_get.side_effect = [empty, empty]
-        self._test_verify(False, False, None)
+        self._test_verify(False, False, None, """\
+<pre>https://user.com/.well-known/webfinger?resource=acct:user.com@user.com
+  returned HTTP 200</pre>""")

    def test_verify_redirect_strips_query_params(self, mock_get, _):
        half_redir = requests_response(
@ -1422,6 +1424,15 @@ Current vs expected:<pre>- http://localhost/.well-known/webfinger
 http://this/404s
  returned HTTP 404</pre>""")

+    def test_verify_webfinger_urlencoded(self, mock_get, _):
+        mock_get.side_effect = [
+            requests_response(
+                status=302,
+                redirected_url='http://localhost/.well-known/webfinger?resource=acct%3Auser.com%40user.com'),
+            requests_response(''),
+        ]
+        self._test_verify(True, False, None)
+
    def test_verify_no_hcard(self, mock_get, _):
        mock_get.side_effect = [
            FULL_REDIR,
--- a/tests/test_webfinger.py
+++ b/tests/test_webfinger.py
@ -159,6 +159,14 @@ class WebfingerTest(testutil.TestCase):
                self.assertEqual('application/jrd+json', got.headers['Content-Type'])
                self.assert_equals(WEBFINGER, got.json)

+    def test_webfinger_urlencoded(self):
+        """https://github.com/snarfed/bridgy-fed/issues/535"""
+        got = self.client.get('/.well-known/webfinger?resource=acct%3Auser.com%40user.com',
+                              headers={'Accept': 'application/json'})
+        self.assertEqual(200, got.status_code, got.get_data(as_text=True))
+        self.assertEqual('application/jrd+json', got.headers['Content-Type'])
+        self.assert_equals(WEBFINGER, got.json)
+
    def test_webfinger_custom_username(self):
        self.user.actor_as2 = {
            **self.actor_as2,
--- a/web.py
+++ b/web.py
@ -2,6 +2,7 @@
 import datetime
 import difflib
 import logging
+import urllib.parse
 from urllib.parse import urlencode, urljoin, urlparse

 import feedparser
@ -157,15 +158,16 @@ class Web(User, Protocol):
            domain_urls = ([f'https://{domain}/' for domain in common.DOMAINS] +
                           [common.host_url()])
            expected = [urljoin(url, path) for url in domain_urls]
-            if resp.ok:
-                if resp.url in expected:
+            if resp.ok and resp.url:
+                got = urllib.parse.unquote(resp.url)
+                if got in expected:
                    self.has_redirects = True
-                elif resp.url:
-                    diff = '\n'.join(difflib.Differ().compare([resp.url], [expected[0]]))
+                elif got:
+                    diff = '\n'.join(difflib.Differ().compare([got], [expected[0]]))
                    self.redirects_error = f'Current vs expected:<pre>{diff}</pre>'
            else:
                lines = [url, f'  returned HTTP {resp.status_code}']
-                if resp.url != url:
+                if resp.url and resp.url != url:
                    lines[1:1] = ['  redirected to:', resp.url]
                self.redirects_error = '<pre>' + '\n'.join(lines) + '</pre>'
        except RequestException: