diff options
Diffstat (limited to 'internal/api')
| -rw-r--r-- | internal/api/client/account/accountcreate_test.go | 369 | ||||
| -rw-r--r-- | internal/api/client/auth/signin.go | 2 | ||||
| -rw-r--r-- | internal/api/client/emoji/emojisget.go | 8 | ||||
| -rw-r--r-- | internal/api/client/fileserver/fileserver.go | 2 | ||||
| -rw-r--r-- | internal/api/client/filter/filtersget.go | 8 | ||||
| -rw-r--r-- | internal/api/client/list/listsgets.go | 8 | ||||
| -rw-r--r-- | internal/api/client/status/statusdelete.go | 6 | ||||
| -rw-r--r-- | internal/api/client/timeline/home.go | 7 | ||||
| -rw-r--r-- | internal/api/model/timeline.go | 8 | ||||
| -rw-r--r-- | internal/api/s2s/user/inboxpost.go | 7 | ||||
| -rw-r--r-- | internal/api/s2s/webfinger/webfingerget.go | 11 | ||||
| -rw-r--r-- | internal/api/security/robots.go | 17 | ||||
| -rw-r--r-- | internal/api/security/security.go | 5 | ||||
| -rw-r--r-- | internal/api/security/useragentblock.go | 12 |
14 files changed, 83 insertions, 387 deletions
diff --git a/internal/api/client/account/accountcreate_test.go b/internal/api/client/account/accountcreate_test.go index da86ee940..675776331 100644 --- a/internal/api/client/account/accountcreate_test.go +++ b/internal/api/client/account/accountcreate_test.go @@ -17,372 +17,3 @@ // */ package account_test - -// import ( -// "bytes" -// "encoding/json" -// "fmt" -// "io" -// "io/ioutil" -// "mime/multipart" -// "net/http" -// "net/http/httptest" -// "os" -// "testing" - -// "github.com/gin-gonic/gin" -// "github.com/google/uuid" -// "github.com/stretchr/testify/assert" -// "github.com/stretchr/testify/suite" -// "github.com/superseriousbusiness/gotosocial/internal/api/client/account" -// "github.com/superseriousbusiness/gotosocial/internal/api/model" -// "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" -// "github.com/superseriousbusiness/gotosocial/testrig" - -// "github.com/superseriousbusiness/gotosocial/internal/oauth" -// "golang.org/x/crypto/bcrypt" -// ) - -// type AccountCreateTestSuite struct { -// AccountStandardTestSuite -// } - -// func (suite *AccountCreateTestSuite) SetupSuite() { -// suite.testTokens = testrig.NewTestTokens() -// suite.testClients = testrig.NewTestClients() -// suite.testApplications = testrig.NewTestApplications() -// suite.testUsers = testrig.NewTestUsers() -// suite.testAccounts = testrig.NewTestAccounts() -// suite.testAttachments = testrig.NewTestAttachments() -// suite.testStatuses = testrig.NewTestStatuses() -// } - -// func (suite *AccountCreateTestSuite) SetupTest() { -// suite.config = testrig.NewTestConfig() -// suite.db = testrig.NewTestDB() -// suite.storage = testrig.NewTestStorage() -// suite.log = testrig.NewTestLog() -// suite.federator = testrig.NewTestFederator(suite.db, testrig.NewTestTransportController(testrig.NewMockHTTPClient(nil))) -// suite.processor = testrig.NewTestProcessor(suite.db, suite.storage, suite.federator) -// suite.accountModule = account.New(suite.config, suite.processor, suite.log).(*account.Module) -// testrig.StandardDBSetup(suite.db) -// testrig.StandardStorageSetup(suite.storage, "../../../../testrig/media") -// } - -// func (suite *AccountCreateTestSuite) TearDownTest() { -// testrig.StandardDBTeardown(suite.db) -// testrig.StandardStorageTeardown(suite.storage) -// } - -// // TestAccountCreatePOSTHandlerSuccessful checks the happy path for an account creation request: all the fields provided are valid, -// // and at the end of it a new user and account should be added into the database. -// // -// // This is the handler served at /api/v1/accounts as POST -// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerSuccessful() { - -// t := suite.testTokens["local_account_1"] -// oauthToken := oauth.TokenToOauthToken(t) - -// // setup -// recorder := httptest.NewRecorder() -// ctx, _ := gin.CreateTestContext(recorder) -// ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"]) -// ctx.Set(oauth.SessionAuthorizedToken, oauthToken) -// ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting -// ctx.Request.Form = suite.newUserFormHappyPath -// suite.accountModule.AccountCreatePOSTHandler(ctx) - -// // check response - -// // 1. we should have OK from our call to the function -// suite.EqualValues(http.StatusOK, recorder.Code) - -// // 2. we should have a token in the result body -// result := recorder.Result() -// defer result.Body.Close() -// b, err := ioutil.ReadAll(result.Body) -// assert.NoError(suite.T(), err) -// t := &model.Token{} -// err = json.Unmarshal(b, t) -// assert.NoError(suite.T(), err) -// assert.Equal(suite.T(), "we're authorized now!", t.AccessToken) - -// // check new account - -// // 1. we should be able to get the new account from the db -// acct := >smodel.Account{} -// err = suite.db.GetLocalAccountByUsername("test_user", acct) -// assert.NoError(suite.T(), err) -// assert.NotNil(suite.T(), acct) -// // 2. reason should be set -// assert.Equal(suite.T(), suite.newUserFormHappyPath.Get("reason"), acct.Reason) -// // 3. display name should be equal to username by default -// assert.Equal(suite.T(), suite.newUserFormHappyPath.Get("username"), acct.DisplayName) -// // 4. domain should be nil because this is a local account -// assert.Nil(suite.T(), nil, acct.Domain) -// // 5. id should be set and parseable as a uuid -// assert.NotNil(suite.T(), acct.ID) -// _, err = uuid.Parse(acct.ID) -// assert.Nil(suite.T(), err) -// // 6. private and public key should be set -// assert.NotNil(suite.T(), acct.PrivateKey) -// assert.NotNil(suite.T(), acct.PublicKey) - -// // check new user - -// // 1. we should be able to get the new user from the db -// usr := >smodel.User{} -// err = suite.db.GetWhere("unconfirmed_email", suite.newUserFormHappyPath.Get("email"), usr) -// assert.Nil(suite.T(), err) -// assert.NotNil(suite.T(), usr) - -// // 2. user should have account id set to account we got above -// assert.Equal(suite.T(), acct.ID, usr.AccountID) - -// // 3. id should be set and parseable as a uuid -// assert.NotNil(suite.T(), usr.ID) -// _, err = uuid.Parse(usr.ID) -// assert.Nil(suite.T(), err) - -// // 4. locale should be equal to what we requested -// assert.Equal(suite.T(), suite.newUserFormHappyPath.Get("locale"), usr.Locale) - -// // 5. created by application id should be equal to the app id -// assert.Equal(suite.T(), suite.testApplication.ID, usr.CreatedByApplicationID) - -// // 6. password should be matcheable to what we set above -// err = bcrypt.CompareHashAndPassword([]byte(usr.EncryptedPassword), []byte(suite.newUserFormHappyPath.Get("password"))) -// assert.Nil(suite.T(), err) -// } - -// // TestAccountCreatePOSTHandlerNoAuth makes sure that the handler fails when no authorization is provided: -// // only registered applications can create accounts, and we don't provide one here. -// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerNoAuth() { - -// // setup -// recorder := httptest.NewRecorder() -// ctx, _ := gin.CreateTestContext(recorder) -// ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting -// ctx.Request.Form = suite.newUserFormHappyPath -// suite.accountModule.AccountCreatePOSTHandler(ctx) - -// // check response - -// // 1. we should have forbidden from our call to the function because we didn't auth -// suite.EqualValues(http.StatusForbidden, recorder.Code) - -// // 2. we should have an error message in the result body -// result := recorder.Result() -// defer result.Body.Close() -// b, err := ioutil.ReadAll(result.Body) -// assert.NoError(suite.T(), err) -// assert.Equal(suite.T(), `{"error":"not authorized"}`, string(b)) -// } - -// // TestAccountCreatePOSTHandlerNoAuth makes sure that the handler fails when no form is provided at all. -// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerNoForm() { - -// // setup -// recorder := httptest.NewRecorder() -// ctx, _ := gin.CreateTestContext(recorder) -// ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication) -// ctx.Set(oauth.SessionAuthorizedToken, suite.testToken) -// ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting -// suite.accountModule.AccountCreatePOSTHandler(ctx) - -// // check response -// suite.EqualValues(http.StatusBadRequest, recorder.Code) - -// // 2. we should have an error message in the result body -// result := recorder.Result() -// defer result.Body.Close() -// b, err := ioutil.ReadAll(result.Body) -// assert.NoError(suite.T(), err) -// assert.Equal(suite.T(), `{"error":"missing one or more required form values"}`, string(b)) -// } - -// // TestAccountCreatePOSTHandlerWeakPassword makes sure that the handler fails when a weak password is provided -// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerWeakPassword() { - -// // setup -// recorder := httptest.NewRecorder() -// ctx, _ := gin.CreateTestContext(recorder) -// ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication) -// ctx.Set(oauth.SessionAuthorizedToken, suite.testToken) -// ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting -// ctx.Request.Form = suite.newUserFormHappyPath -// // set a weak password -// ctx.Request.Form.Set("password", "weak") -// suite.accountModule.AccountCreatePOSTHandler(ctx) - -// // check response -// suite.EqualValues(http.StatusBadRequest, recorder.Code) - -// // 2. we should have an error message in the result body -// result := recorder.Result() -// defer result.Body.Close() -// b, err := ioutil.ReadAll(result.Body) -// assert.NoError(suite.T(), err) -// assert.Equal(suite.T(), `{"error":"insecure password, try including more special characters, using uppercase letters, using numbers or using a longer password"}`, string(b)) -// } - -// // TestAccountCreatePOSTHandlerWeirdLocale makes sure that the handler fails when a weird locale is provided -// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerWeirdLocale() { - -// // setup -// recorder := httptest.NewRecorder() -// ctx, _ := gin.CreateTestContext(recorder) -// ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication) -// ctx.Set(oauth.SessionAuthorizedToken, suite.testToken) -// ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting -// ctx.Request.Form = suite.newUserFormHappyPath -// // set an invalid locale -// ctx.Request.Form.Set("locale", "neverneverland") -// suite.accountModule.AccountCreatePOSTHandler(ctx) - -// // check response -// suite.EqualValues(http.StatusBadRequest, recorder.Code) - -// // 2. we should have an error message in the result body -// result := recorder.Result() -// defer result.Body.Close() -// b, err := ioutil.ReadAll(result.Body) -// assert.NoError(suite.T(), err) -// assert.Equal(suite.T(), `{"error":"language: tag is not well-formed"}`, string(b)) -// } - -// // TestAccountCreatePOSTHandlerRegistrationsClosed makes sure that the handler fails when registrations are closed -// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerRegistrationsClosed() { - -// // setup -// recorder := httptest.NewRecorder() -// ctx, _ := gin.CreateTestContext(recorder) -// ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication) -// ctx.Set(oauth.SessionAuthorizedToken, suite.testToken) -// ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting -// ctx.Request.Form = suite.newUserFormHappyPath - -// // close registrations -// suite.config.AccountsConfig.OpenRegistration = false -// suite.accountModule.AccountCreatePOSTHandler(ctx) - -// // check response -// suite.EqualValues(http.StatusBadRequest, recorder.Code) - -// // 2. we should have an error message in the result body -// result := recorder.Result() -// defer result.Body.Close() -// b, err := ioutil.ReadAll(result.Body) -// assert.NoError(suite.T(), err) -// assert.Equal(suite.T(), `{"error":"registration is not open for this server"}`, string(b)) -// } - -// // TestAccountCreatePOSTHandlerReasonNotProvided makes sure that the handler fails when no reason is provided but one is required -// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerReasonNotProvided() { - -// // setup -// recorder := httptest.NewRecorder() -// ctx, _ := gin.CreateTestContext(recorder) -// ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication) -// ctx.Set(oauth.SessionAuthorizedToken, suite.testToken) -// ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting -// ctx.Request.Form = suite.newUserFormHappyPath - -// // remove reason -// ctx.Request.Form.Set("reason", "") - -// suite.accountModule.AccountCreatePOSTHandler(ctx) - -// // check response -// suite.EqualValues(http.StatusBadRequest, recorder.Code) - -// // 2. we should have an error message in the result body -// result := recorder.Result() -// defer result.Body.Close() -// b, err := ioutil.ReadAll(result.Body) -// assert.NoError(suite.T(), err) -// assert.Equal(suite.T(), `{"error":"no reason provided"}`, string(b)) -// } - -// // TestAccountCreatePOSTHandlerReasonNotProvided makes sure that the handler fails when a crappy reason is presented but a good one is required -// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerInsufficientReason() { - -// // setup -// recorder := httptest.NewRecorder() -// ctx, _ := gin.CreateTestContext(recorder) -// ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication) -// ctx.Set(oauth.SessionAuthorizedToken, suite.testToken) -// ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting -// ctx.Request.Form = suite.newUserFormHappyPath - -// // remove reason -// ctx.Request.Form.Set("reason", "just cuz") - -// suite.accountModule.AccountCreatePOSTHandler(ctx) - -// // check response -// suite.EqualValues(http.StatusBadRequest, recorder.Code) - -// // 2. we should have an error message in the result body -// result := recorder.Result() -// defer result.Body.Close() -// b, err := ioutil.ReadAll(result.Body) -// assert.NoError(suite.T(), err) -// assert.Equal(suite.T(), `{"error":"reason should be at least 40 chars but 'just cuz' was 8"}`, string(b)) -// } - -// /* -// TESTING: AccountUpdateCredentialsPATCHHandler -// */ - -// func (suite *AccountCreateTestSuite) TestAccountUpdateCredentialsPATCHHandler() { - -// // put test local account in db -// err := suite.db.Put(suite.testAccountLocal) -// assert.NoError(suite.T(), err) - -// // attach avatar to request -// aviFile, err := os.Open("../../media/test/test-jpeg.jpg") -// assert.NoError(suite.T(), err) -// body := &bytes.Buffer{} -// writer := multipart.NewWriter(body) - -// part, err := writer.CreateFormFile("avatar", "test-jpeg.jpg") -// assert.NoError(suite.T(), err) - -// _, err = io.Copy(part, aviFile) -// assert.NoError(suite.T(), err) - -// err = aviFile.Close() -// assert.NoError(suite.T(), err) - -// err = writer.Close() -// assert.NoError(suite.T(), err) - -// // setup -// recorder := httptest.NewRecorder() -// ctx, _ := gin.CreateTestContext(recorder) -// ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccountLocal) -// ctx.Set(oauth.SessionAuthorizedToken, suite.testToken) -// ctx.Request = httptest.NewRequest(http.MethodPatch, fmt.Sprintf("http://localhost:8080/%s", account.UpdateCredentialsPath), body) // the endpoint we're hitting -// ctx.Request.Header.Set("Content-Type", writer.FormDataContentType()) -// suite.accountModule.AccountUpdateCredentialsPATCHHandler(ctx) - -// // check response - -// // 1. we should have OK because our request was valid -// suite.EqualValues(http.StatusOK, recorder.Code) - -// // 2. we should have an error message in the result body -// result := recorder.Result() -// defer result.Body.Close() -// // TODO: implement proper checks here -// // -// // b, err := ioutil.ReadAll(result.Body) -// // assert.NoError(suite.T(), err) -// // assert.Equal(suite.T(), `{"error":"not authorized"}`, string(b)) -// } - -// func TestAccountCreateTestSuite(t *testing.T) { -// suite.Run(t, new(AccountCreateTestSuite)) -// } diff --git a/internal/api/client/auth/signin.go b/internal/api/client/auth/signin.go index e9385e39a..158cc5c4c 100644 --- a/internal/api/client/auth/signin.go +++ b/internal/api/client/auth/signin.go @@ -74,7 +74,7 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) { // ValidatePassword takes an email address and a password. // The goal is to authenticate the password against the one for that email -// address stored in the database. If OK, we return the userid (a uuid) for that user, +// address stored in the database. If OK, we return the userid (a ulid) for that user, // so that it can be used in further Oauth flows to generate a token/retreieve an oauth client from the db. func (m *Module) ValidatePassword(email string, password string) (userid string, err error) { l := m.log.WithField("func", "ValidatePassword") diff --git a/internal/api/client/emoji/emojisget.go b/internal/api/client/emoji/emojisget.go index e4efb8825..0feb5d9cc 100644 --- a/internal/api/client/emoji/emojisget.go +++ b/internal/api/client/emoji/emojisget.go @@ -1,8 +1,12 @@ package emoji -import "github.com/gin-gonic/gin" +import ( + "net/http" + + "github.com/gin-gonic/gin" +) // EmojisGETHandler returns a list of custom emojis enabled on the instance func (m *Module) EmojisGETHandler(c *gin.Context) { - + c.JSON(http.StatusOK, []string{}) } diff --git a/internal/api/client/fileserver/fileserver.go b/internal/api/client/fileserver/fileserver.go index b06f48067..08e6abb62 100644 --- a/internal/api/client/fileserver/fileserver.go +++ b/internal/api/client/fileserver/fileserver.go @@ -32,7 +32,7 @@ import ( ) const ( - // AccountIDKey is the url key for account id (an account uuid) + // AccountIDKey is the url key for account id (an account ulid) AccountIDKey = "account_id" // MediaTypeKey is the url key for media type (usually something like attachment or header etc) MediaTypeKey = "media_type" diff --git a/internal/api/client/filter/filtersget.go b/internal/api/client/filter/filtersget.go index ad9783eb2..079d39f35 100644 --- a/internal/api/client/filter/filtersget.go +++ b/internal/api/client/filter/filtersget.go @@ -1,8 +1,12 @@ package filter -import "github.com/gin-gonic/gin" +import ( + "net/http" + + "github.com/gin-gonic/gin" +) // FiltersGETHandler returns a list of filters set by/for the authed account func (m *Module) FiltersGETHandler(c *gin.Context) { - + c.JSON(http.StatusOK, []string{}) } diff --git a/internal/api/client/list/listsgets.go b/internal/api/client/list/listsgets.go index fd695454b..5d8d7d194 100644 --- a/internal/api/client/list/listsgets.go +++ b/internal/api/client/list/listsgets.go @@ -1,8 +1,12 @@ package list -import "github.com/gin-gonic/gin" +import ( + "net/http" + + "github.com/gin-gonic/gin" +) // ListsGETHandler returns a list of lists created by/for the authed account func (m *Module) ListsGETHandler(c *gin.Context) { - + c.JSON(http.StatusOK, []string{}) } diff --git a/internal/api/client/status/statusdelete.go b/internal/api/client/status/statusdelete.go index e55416522..5c2a1aa32 100644 --- a/internal/api/client/status/statusdelete.go +++ b/internal/api/client/status/statusdelete.go @@ -56,5 +56,11 @@ func (m *Module) StatusDELETEHandler(c *gin.Context) { return } + // the status was already gone/never existed + if mastoStatus == nil { + c.JSON(http.StatusNotFound, gin.H{"error": "Record not found"}) + return + } + c.JSON(http.StatusOK, mastoStatus) } diff --git a/internal/api/client/timeline/home.go b/internal/api/client/timeline/home.go index 977a464a0..86606a0dd 100644 --- a/internal/api/client/timeline/home.go +++ b/internal/api/client/timeline/home.go @@ -87,12 +87,13 @@ func (m *Module) HomeTimelineGETHandler(c *gin.Context) { local = i } - statuses, errWithCode := m.processor.HomeTimelineGet(authed, maxID, sinceID, minID, limit, local) + resp, errWithCode := m.processor.HomeTimelineGet(authed, maxID, sinceID, minID, limit, local) if errWithCode != nil { - l.Debugf("error from processor account statuses get: %s", errWithCode) + l.Debugf("error from processor HomeTimelineGet: %s", errWithCode) c.JSON(errWithCode.Code(), gin.H{"error": errWithCode.Safe()}) return } - c.JSON(http.StatusOK, statuses) + c.Header("Link", resp.LinkHeader) + c.JSON(http.StatusOK, resp.Statuses) } diff --git a/internal/api/model/timeline.go b/internal/api/model/timeline.go new file mode 100644 index 000000000..52d920879 --- /dev/null +++ b/internal/api/model/timeline.go @@ -0,0 +1,8 @@ +package model + +// StatusTimelineResponse wraps a slice of statuses, ready to be serialized, along with the Link +// header for the previous and next queries, to be returned to the client. +type StatusTimelineResponse struct { + Statuses []*Status + LinkHeader string +} diff --git a/internal/api/s2s/user/inboxpost.go b/internal/api/s2s/user/inboxpost.go index 642ba6498..a51cd8add 100644 --- a/internal/api/s2s/user/inboxpost.go +++ b/internal/api/s2s/user/inboxpost.go @@ -23,7 +23,7 @@ import ( "github.com/gin-gonic/gin" "github.com/sirupsen/logrus" - "github.com/superseriousbusiness/gotosocial/internal/processing" + "github.com/superseriousbusiness/gotosocial/internal/gtserror" ) // InboxPOSTHandler deals with incoming POST requests to an actor's inbox. @@ -42,17 +42,18 @@ func (m *Module) InboxPOSTHandler(c *gin.Context) { posted, err := m.processor.InboxPost(c.Request.Context(), c.Writer, c.Request) if err != nil { - if withCode, ok := err.(processing.ErrorWithCode); ok { + if withCode, ok := err.(gtserror.WithCode); ok { l.Debug(withCode.Error()) c.JSON(withCode.Code(), withCode.Safe()) return } - l.Debug(err) + l.Debugf("InboxPOSTHandler: error processing request: %s", err) c.JSON(http.StatusBadRequest, gin.H{"error": "unable to process request"}) return } if !posted { + l.Debugf("request could not be handled as an AP request; headers were: %+v", c.Request.Header) c.JSON(http.StatusBadRequest, gin.H{"error": "unable to process request"}) } } diff --git a/internal/api/s2s/webfinger/webfingerget.go b/internal/api/s2s/webfinger/webfingerget.go index 44d60670d..30e089162 100644 --- a/internal/api/s2s/webfinger/webfingerget.go +++ b/internal/api/s2s/webfinger/webfingerget.go @@ -24,42 +24,53 @@ import ( "strings" "github.com/gin-gonic/gin" + "github.com/sirupsen/logrus" ) // WebfingerGETRequest handles requests to, for example, https://example.org/.well-known/webfinger?resource=acct:some_user@example.org func (m *Module) WebfingerGETRequest(c *gin.Context) { + l := m.log.WithFields(logrus.Fields{ + "func": "WebfingerGETRequest", + "user-agent": c.Request.UserAgent(), + }) q, set := c.GetQuery("resource") if !set || q == "" { + l.Debug("aborting request because no resource was set in query") c.JSON(http.StatusBadRequest, gin.H{"error": "no 'resource' in request query"}) return } withAcct := strings.Split(q, "acct:") if len(withAcct) != 2 { + l.Debugf("aborting request because resource query %s could not be split by 'acct:'", q) c.JSON(http.StatusBadRequest, gin.H{"error": "bad request"}) return } usernameDomain := strings.Split(withAcct[1], "@") if len(usernameDomain) != 2 { + l.Debugf("aborting request because username and domain could not be parsed from %s", withAcct[1]) c.JSON(http.StatusBadRequest, gin.H{"error": "bad request"}) return } username := strings.ToLower(usernameDomain[0]) domain := strings.ToLower(usernameDomain[1]) if username == "" || domain == "" { + l.Debug("aborting request because username or domain was empty") c.JSON(http.StatusBadRequest, gin.H{"error": "bad request"}) return } if domain != m.config.Host { + l.Debugf("aborting request because domain %s does not belong to this instance", domain) c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("domain %s does not belong to this instance", domain)}) return } resp, err := m.processor.GetWebfingerAccount(username, c.Request) if err != nil { + l.Debugf("aborting request with an error: %s", err.Error()) c.JSON(err.Code(), gin.H{"error": err.Safe()}) return } diff --git a/internal/api/security/robots.go b/internal/api/security/robots.go new file mode 100644 index 000000000..65056072a --- /dev/null +++ b/internal/api/security/robots.go @@ -0,0 +1,17 @@ +package security + +import ( + "net/http" + + "github.com/gin-gonic/gin" +) + +const robotsString = `User-agent: * +Disallow: / +` + +// RobotsGETHandler returns the most restrictive possible robots.txt file in response to a call to /robots.txt. +// The response instructs bots with *any* user agent not to index the instance at all. +func (m *Module) RobotsGETHandler(c *gin.Context) { + c.String(http.StatusOK, robotsString) +} diff --git a/internal/api/security/security.go b/internal/api/security/security.go index 523b5dd55..7298bc7cb 100644 --- a/internal/api/security/security.go +++ b/internal/api/security/security.go @@ -19,12 +19,16 @@ package security import ( + "net/http" + "github.com/sirupsen/logrus" "github.com/superseriousbusiness/gotosocial/internal/api" "github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/router" ) +const robotsPath = "/robots.txt" + // Module implements the ClientAPIModule interface for security middleware type Module struct { config *config.Config @@ -44,5 +48,6 @@ func (m *Module) Route(s router.Router) error { s.AttachMiddleware(m.FlocBlock) s.AttachMiddleware(m.ExtraHeaders) s.AttachMiddleware(m.UserAgentBlock) + s.AttachHandler(http.MethodGet, robotsPath, m.RobotsGETHandler) return nil } diff --git a/internal/api/security/useragentblock.go b/internal/api/security/useragentblock.go index f7d3a4ffc..82d65742a 100644 --- a/internal/api/security/useragentblock.go +++ b/internal/api/security/useragentblock.go @@ -23,20 +23,24 @@ import ( "strings" "github.com/gin-gonic/gin" + "github.com/sirupsen/logrus" ) -// UserAgentBlock is a middleware that prevents google chrome cohort tracking by -// writing the Permissions-Policy header after all other parts of the request have been completed. -// See: https://plausible.io/blog/google-floc +// UserAgentBlock blocks requests with undesired, empty, or invalid user-agent strings. func (m *Module) UserAgentBlock(c *gin.Context) { + l := m.log.WithFields(logrus.Fields{ + "func": "UserAgentBlock", + }) ua := c.Request.UserAgent() if ua == "" { + l.Debug("aborting request because there's no user-agent set") c.AbortWithStatus(http.StatusTeapot) return } - if strings.Contains(strings.ToLower(c.Request.UserAgent()), strings.ToLower("friendica")) { + if strings.Contains(strings.ToLower(ua), strings.ToLower("friendica")) { + l.Debugf("aborting request with user-agent %s because it contains 'friendica'", ua) c.AbortWithStatus(http.StatusTeapot) return } |