diff --git a/changelog.d/link-verification.add b/changelog.d/link-verification.add
new file mode 100644
index 0000000000..d8b11ebbc2
--- /dev/null
+++ b/changelog.d/link-verification.add
@@ -0,0 +1 @@
+Verify profile link ownership with rel="me"
\ No newline at end of file
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index 0773434c53..778e205265 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -8,6 +8,7 @@ defmodule Pleroma.User do
import Ecto.Changeset
import Ecto.Query
import Ecto, only: [assoc: 2]
+ import Pleroma.Web.Utils.Guards, only: [not_empty_string: 1]
alias Ecto.Multi
alias Pleroma.Activity
@@ -596,9 +597,23 @@ def update_changeset(struct, params \\ %{}) do
defp put_fields(changeset) do
if raw_fields = get_change(changeset, :raw_fields) do
+ old_fields = changeset.data.raw_fields
+
raw_fields =
raw_fields
|> Enum.filter(fn %{"name" => n} -> n != "" end)
+ |> Enum.map(fn field ->
+ previous =
+ old_fields
+ |> Enum.find(fn %{"value" => value} -> field["value"] == value end)
+
+ if previous && Map.has_key?(previous, "verified_at") do
+ field
+ |> Map.put("verified_at", previous["verified_at"])
+ else
+ field
+ end
+ end)
fields =
raw_fields
@@ -1200,6 +1215,10 @@ def update_and_set_cache(struct, params) do
def update_and_set_cache(changeset) do
with {:ok, user} <- Repo.update(changeset, stale_error_field: :id) do
+ if get_change(changeset, :raw_fields) do
+ BackgroundWorker.enqueue("verify_fields_links", %{"user_id" => user.id})
+ end
+
set_cache(user)
end
end
@@ -1975,8 +1994,45 @@ def perform(:delete, %User{} = user) do
maybe_delete_from_db(user)
end
+ def perform(:verify_fields_links, user) do
+ profile_urls = [user.ap_id]
+
+ fields =
+ user.raw_fields
+ |> Enum.map(&verify_field_link(&1, profile_urls))
+
+ changeset =
+ user
+ |> update_changeset(%{raw_fields: fields})
+
+ with {:ok, user} <- Repo.update(changeset, stale_error_field: :id) do
+ set_cache(user)
+ end
+ end
+
def perform(:set_activation_async, user, status), do: set_activation(user, status)
+ defp verify_field_link(field, profile_urls) do
+ verified_at =
+ with %{"value" => value} <- field,
+ {:verified_at, nil} <- {:verified_at, Map.get(field, "verified_at")},
+ %{scheme: scheme, userinfo: nil, host: host}
+ when not_empty_string(host) and scheme in ["http", "https"] <-
+ URI.parse(value),
+ {:not_idn, true} <- {:not_idn, to_string(:idna.encode(host)) == host},
+ "me" <- Pleroma.Web.RelMe.maybe_put_rel_me(value, profile_urls) do
+ CommonUtils.to_masto_date(NaiveDateTime.utc_now())
+ else
+ {:verified_at, value} when not_empty_string(value) ->
+ value
+
+ _ ->
+ nil
+ end
+
+ Map.put(field, "verified_at", verified_at)
+ end
+
@spec external_users_query() :: Ecto.Query.t()
def external_users_query do
User.Query.build(%{
@@ -2664,10 +2720,11 @@ def sanitize_html(%User{} = user) do
# - display name
def sanitize_html(%User{} = user, filter) do
fields =
- Enum.map(user.fields, fn %{"name" => name, "value" => value} ->
+ Enum.map(user.fields, fn %{"name" => name, "value" => value} = fields ->
%{
"name" => name,
- "value" => HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
+ "value" => HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly),
+ "verified_at" => Map.get(fields, "verified_at")
}
end)
diff --git a/lib/pleroma/workers/background_worker.ex b/lib/pleroma/workers/background_worker.ex
index 7a2210dc1c..dbf40ee1be 100644
--- a/lib/pleroma/workers/background_worker.ex
+++ b/lib/pleroma/workers/background_worker.ex
@@ -40,6 +40,11 @@ def perform(%Job{
Pleroma.FollowingRelationship.move_following(origin, target)
end
+ def perform(%Job{args: %{"op" => "verify_fields_links", "user_id" => user_id}}) do
+ user = User.get_by_id(user_id)
+ User.perform(:verify_fields_links, user)
+ end
+
def perform(%Job{args: %{"op" => "delete_instance", "host" => host}}) do
Instance.perform(:delete_instance, host)
end
diff --git a/test/pleroma/user_test.exs b/test/pleroma/user_test.exs
index 15809ad636..a93f816594 100644
--- a/test/pleroma/user_test.exs
+++ b/test/pleroma/user_test.exs
@@ -2928,4 +2928,51 @@ test "it doesn't pin users you do not follow" do
refute User.endorses?(user, pinned_user)
end
end
+
+ test "it checks fields links for a backlink" do
+ user = insert(:user, ap_id: "https://social.example.org/users/lain")
+
+ fields = [
+ %{"name" => "Link", "value" => "http://example.com/rel_me/null"},
+ %{"name" => "Verified link", "value" => "http://example.com/rel_me/link"},
+ %{"name" => "Not a link", "value" => "i'm not a link"}
+ ]
+
+ user
+ |> User.update_and_set_cache(%{raw_fields: fields})
+
+ ObanHelpers.perform_all()
+
+ user = User.get_cached_by_id(user.id)
+
+ assert [
+ %{"verified_at" => nil},
+ %{"verified_at" => verified_at},
+ %{"verified_at" => nil}
+ ] = user.fields
+
+ assert is_binary(verified_at)
+ end
+
+ test "updating fields does not invalidate previously validated links" do
+ user = insert(:user, ap_id: "https://social.example.org/users/lain")
+
+ user
+ |> User.update_and_set_cache(%{
+ raw_fields: [%{"name" => "verified link", "value" => "http://example.com/rel_me/link"}]
+ })
+
+ ObanHelpers.perform_all()
+
+ %User{fields: [%{"verified_at" => verified_at}]} = user = User.get_cached_by_id(user.id)
+
+ user
+ |> User.update_and_set_cache(%{
+ raw_fields: [%{"name" => "Verified link", "value" => "http://example.com/rel_me/link"}]
+ })
+
+ user = User.get_cached_by_id(user.id)
+
+ assert [%{"verified_at" => ^verified_at}] = user.fields
+ end
end
diff --git a/test/pleroma/web/mastodon_api/update_credentials_test.exs b/test/pleroma/web/mastodon_api/update_credentials_test.exs
index cf26cd9a65..bea0cae69c 100644
--- a/test/pleroma/web/mastodon_api/update_credentials_test.exs
+++ b/test/pleroma/web/mastodon_api/update_credentials_test.exs
@@ -511,10 +511,15 @@ test "update fields", %{conn: conn} do
|> json_response_and_validate_schema(200)
assert account_data["fields"] == [
- %{"name" => "foo", "value" => "bar"},
+ %{
+ "name" => "foo",
+ "value" => "bar",
+ "verified_at" => nil
+ },
%{
"name" => "link.io",
- "value" => ~S(cofe.io)
+ "value" => ~S(cofe.io),
+ "verified_at" => nil
}
]
@@ -573,8 +578,8 @@ test "emojis in fields labels", %{conn: conn} do
|> json_response_and_validate_schema(200)
assert account_data["fields"] == [
- %{"name" => ":firefox:", "value" => "is best 2hu"},
- %{"name" => "they wins", "value" => ":blank:"}
+ %{"name" => ":firefox:", "value" => "is best 2hu", "verified_at" => nil},
+ %{"name" => "they wins", "value" => ":blank:", "verified_at" => nil}
]
assert account_data["source"]["fields"] == [
@@ -602,10 +607,11 @@ test "update fields via x-www-form-urlencoded", %{conn: conn} do
|> json_response_and_validate_schema(200)
assert account["fields"] == [
- %{"name" => "foo", "value" => "bar"},
+ %{"name" => "foo", "value" => "bar", "verified_at" => nil},
%{
"name" => "link",
- "value" => ~S(http://cofe.io)
+ "value" => ~S(http://cofe.io),
+ "verified_at" => nil
}
]
@@ -627,7 +633,7 @@ test "update fields with empty name", %{conn: conn} do
|> json_response_and_validate_schema(200)
assert account["fields"] == [
- %{"name" => "foo", "value" => ""}
+ %{"name" => "foo", "value" => "", "verified_at" => nil}
]
end