wowee some serious moving stuff around

2025-11-10 19:27:29 -06:00 · 2021-05-05 19:10:13 +02:00 · 2021-05-05 19:10:13 +02:00 · 41e6e8ed10
commit 41e6e8ed10
parent cc424df169
35 changed files with 611 additions and 459 deletions
--- a/internal/api/s2s/user/user.go
+++ b/internal/api/s2s/user/user.go
@ -0,0 +1,70 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package user
+
+import (
+	"net/http"
+
+	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/api"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/message"
+	"github.com/superseriousbusiness/gotosocial/internal/router"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
+)
+
+const (
+	// UsernameKey is for account usernames.
+	UsernameKey = "username"
+	// UsersBasePath is the base path for serving information about Users eg https://example.org/users
+	UsersBasePath = "/" + util.UsersPath
+	// UsersBasePathWithID is just the users base path with the Username key in it.
+	// Use this anywhere you need to know the username of the user being queried.
+	// Eg https://example.org/users/:username
+	UsersBasePathWithID = UsersBasePath + "/:" + UsernameKey
+)
+
+// ActivityPubAcceptHeaders represents the Accept headers mentioned here:
+// https://www.w3.org/TR/activitypub/#retrieving-objects
+var ActivityPubAcceptHeaders = []string{
+	`application/activity+json`,
+	`application/ld+json; profile="https://www.w3.org/ns/activitystreams"`,
+}
+
+// Module implements the FederationAPIModule interface
+type Module struct {
+	config    *config.Config
+	processor message.Processor
+	log       *logrus.Logger
+}
+
+// New returns a new auth module
+func New(config *config.Config, processor message.Processor, log *logrus.Logger) api.FederationModule {
+	return &Module{
+		config:    config,
+		processor: processor,
+		log:       log,
+	}
+}
+
+// Route satisfies the RESTAPIModule interface
+func (m *Module) Route(s router.Router) error {
+	s.AttachHandler(http.MethodGet, UsersBasePathWithID, m.UsersGETHandler)
+	return nil
+}
--- a/internal/api/s2s/user/userget.go
+++ b/internal/api/s2s/user/userget.go
@ -0,0 +1,114 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package user
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+)
+
+// UsersGETHandler should be served at https://example.org/users/:username.
+//
+// The goal here is to return the activitypub representation of an account
+// in the form of a vocab.ActivityStreamsPerson. This should only be served
+// to REMOTE SERVERS that present a valid signature on the GET request, on
+// behalf of a user, otherwise we risk leaking information about users publicly.
+//
+// And of course, the request should be refused if the account or server making the
+// request is blocked.
+func (m *Module) UsersGETHandler(c *gin.Context) {
+	l := m.log.WithFields(logrus.Fields{
+		"func": "UsersGETHandler",
+		"url":  c.Request.RequestURI,
+	})
+
+	requestedUsername := c.Param(UsernameKey)
+	if requestedUsername == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "no username specified in request"})
+		return
+	}
+
+	// make sure this actually an AP request
+	format := c.NegotiateFormat(ActivityPubAcceptHeaders...)
+	if format == "" {
+		c.JSON(http.StatusNotAcceptable, gin.H{"error": "could not negotiate format with given Accept header(s)"})
+		return
+	}
+	l.Tracef("negotiated format: %s", format)
+
+	// get the account the request is referring to
+	requestedAccount := &gtsmodel.Account{}
+	if err := m.db.GetLocalAccountByUsername(requestedUsername, requestedAccount); err != nil {
+		l.Errorf("database error getting account with username %s: %s", requestedUsername, err)
+		// we'll just return not authorized here to avoid giving anything away
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
+		return
+	}
+
+	// and create a transport for it
+	transport, err := m.federator.TransportController().NewTransport(requestedAccount.PublicKeyURI, requestedAccount.PrivateKey)
+	if err != nil {
+		l.Errorf("error creating transport for username %s: %s", requestedUsername, err)
+		// we'll just return not authorized here to avoid giving anything away
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
+		return
+	}
+
+	// authenticate the request
+	authentication, err := federation.AuthenticateFederatedRequest(transport, c.Request)
+	if err != nil {
+		l.Errorf("error authenticating GET user request: %s", err)
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
+		return
+	}
+
+	if !authentication.Authenticated {
+		l.Debug("request not authorized")
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
+		return
+	}
+
+	requestingAccount := &gtsmodel.Account{}
+	if authentication.RequestingPublicKeyID != nil {
+		if err := m.db.GetWhere("public_key_uri", authentication.RequestingPublicKeyID.String(), requestingAccount); err != nil {
+
+		}
+	}
+
+	authorization, err := federation.AuthorizeFederatedRequest
+
+	person, err := m.tc.AccountToAS(requestedAccount)
+	if err != nil {
+		l.Errorf("error converting account to ap person: %s", err)
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
+		return
+	}
+
+	data, err := person.Serialize()
+	if err != nil {
+		l.Errorf("error serializing user: %s", err)
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
+		return
+	}
+
+	c.JSON(http.StatusOK, data)
+}