adding .well-known/webfinger #11396
adding .well-known/webfinger #11396
Conversation
ArtificialOwl
requested review from
MorrisJobke,
nickvergessen and
skjnldsv
|
Could you update the Nginx config as well? https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx.rst And maybe a setup check for this would also be nice to detect that the config is missing or not working. ;) |
|
@MorrisJobke : nextcloud/documentation#877 note that this is nginx configuration, I have no idea what I am doing there (I mean, even less idea than usual) |
|
Check with @danxuliu on this tests and it seems that the javascript is executed each time an admin open the Overview page in the Settings So, the .well-known/webfinger will returns 500 if no app registered the core/public_webfinger config value, then we're dependant on what is returned by the app (and if the app is still installed/enabled) (which is 200 in the case of Social) |
But it should never return a 500, because that means "Internal server error". At least it should either return "404" for a not available source or "2xx"/"3xx". Obviously it should only be executed if there is something registered in the PHP side for this URL. I guess we can give this hint out to the JS part in the same way we return if those checks should be done at all - see #11411 for the code that does this. Or am I wrong? |
|
500 indeed seems odd... |
|
Fixing |
|
Done, ^ |
Just for the record, as far as I know it is not possible to know whether |
That's the reason why I said, that we need to check first if it is registered at all and only check then if it works. Otherwise a check would make no sense. |
Sorry, I misread you; you are totally right :-) |
Signed-off-by: Maxence Lange <[email protected]>
Signed-off-by: Joas Schilling <[email protected]>
The check is based on the HTTP status returned by the URL, and different URLs may return different status (for example, DAV returns 207, while a service like WebFinger would return 200), so the expected status needs to be set depending on the URL. Signed-off-by: Daniel Calviño Sánchez <[email protected]>
If the WebFinger service is not set in Nextcloud configuration no check is performed. Signed-off-by: Daniel Calviño Sánchez <[email protected]>
danxuliu
force-pushed
the
wellknown-webfinger
branch
from
938e0e5 to
20a5ce2
Compare
|
I have rebased onto current master to get the latest fixes to However, I have noticed that even if |
Isn't this then a bug in the app? Also a 500 indicates a "server error", while a "40x" indicates a client error. We should show the "wrongly configured .well-known" for 400s and a "general problem" for the 500s. Or did I miss something here? |
|
I think so, 404 if there is no configuration to catch the request on .well-known/webfinger, or if the configured app is disabled, or if the php file that should be called does not exists. The app that catch the request should return a 200 (or 203 on fail ?) |
|
So with our default nginx config this actually results in a 403 (a reqeust to |
Yes, I thought that the
No, that approach sounds good 👍 However, the misleading error message would come again if, for some reason, the redirection worked but the service returned a 40x error; as far as I know that would not happen in the URLs currently checked, so I think that it is not worth to worry about that scenario right now.
Note that if the configured app is disabled or if the php file that should be called does not exists the HTTP status is 500, not 404. Anyway in that case the error shown would be the right one with the approach mentioned by @MorrisJobke. |
|
So. I had another idea here. But it is more of a general improvement.
|
| RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}] | ||
| RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L] | ||
| RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L] | ||
| RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L] |
There was a problem hiding this comment.
So I looked into it. And I'm not a fan of this.
Mostly because it redirect to a route that does not follow the appframework route.
All our apps should handle routes via the appframework. This ensures a lot of safety checks and features.
For now I would vote to make it a 301. And just to direct it to the route of the app.
If this becomes an issue we can later always add some wellKnownManager somewhere where apps can register themselfs. But for now this seems a bit of overengineering.
There was a problem hiding this comment.
Can we keep it like this at least for 15, just returns a 301 in case of no config, or config redirect to an non-existant app, or non-existant php file ?
rullzer
left a comment
rullzer
left a comment
There was a problem hiding this comment.
I'm still not a huge fan of this but I guess for now it is somewhat good enough.
|
Looks weird but unrelated: |
.wellknown/webfinger is used by ActivityPub to get local account. This would allow any app to catch requests using
./occ config:app:set --value path_to_phpfile core public_webfinger
Signed-off-by: Maxence Lange [email protected]