Merge pull request #53844 from nextcloud/backport/53109/stable30

Author: provokateurin

AUTHORS

@@ -619,6 +619,7 @@
  - szaimen <[email protected]>
  - tbartenstein <[email protected]>
  - tbelau666 <[email protected]>
+ - TechnicalSuwako <[email protected]>
  - tgrant <[email protected]>
  - timm2k <[email protected]>
  - tux-rampage <[email protected]>

lib/private/Accounts/AccountManager.php

@@ -729,7 +729,7 @@ private function sanitizePropertyFediverse(IAccountProperty $property): void {
 
 				try {
 					// try the public account lookup API of mastodon
-					$response = $client->get("https://{$instance}/api/v1/accounts/lookup?acct={$username}@{$instance}");
+					$response = $client->get("https://{$instance}/.well-known/webfinger?resource=acct:{$username}@{$instance}");
 					// should be a json response with account information
 					$data = $response->getBody();
 					if (is_resource($data)) {
@@ -738,9 +738,26 @@ private function sanitizePropertyFediverse(IAccountProperty $property): void {
 					$decoded = json_decode($data, true);
 					// ensure the username is the same the user passed
 					// in this case we can assume this is a valid fediverse server and account
-					if (!is_array($decoded) || ($decoded['username'] ?? '') !== $username) {
+					if (!is_array($decoded) || ($decoded['subject'] ?? '') !== "acct:{$username}@{$instance}") {
 						throw new InvalidArgumentException();
 					}
+					// check for activitypub link
+					if (is_array($decoded['links']) && isset($decoded['links'])) {
+						$found = false;
+						foreach ($decoded['links'] as $link) {
+							// have application/activity+json or application/ld+json
+							if (isset($link['type']) && (
+								$link['type'] === 'application/activity+json' ||
+								$link['type'] === 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
+							)) {
+								$found = true;
+								break;
+							}
+						}
+						if (!$found) {
+							throw new InvalidArgumentException();
+						}
+					}
 				} catch (InvalidArgumentException) {
 					throw new InvalidArgumentException(self::PROPERTY_FEDIVERSE);
 				} catch (\Exception $error) {

tests/lib/Accounts/AccountManagerTest.php

@@ -786,20 +786,41 @@ public static function dataSanitizeFediverseServer(): array {
 				'@[email protected]',
 				'[email protected]',
 				true,
-				json_encode(['username' => 'foo']),
+				json_encode([
+					'subject' => 'acct:[email protected]',
+					'links' => [
+						[
+							'rel' => 'self',
+							'type' => 'application/activity+json',
+							'href' => 'https://example.com/users/foo',
+						],
+					],
+				]),
 			],
 			'valid response - no at' => [
 				'[email protected]',
 				'[email protected]',
 				true,
-				json_encode(['username' => 'foo']),
+				json_encode([
+					'subject' => 'acct:[email protected]',
+					'links' => [
+						[
+							'rel' => 'self',
+							'type' => 'application/activity+json',
+							'href' => 'https://example.com/users/foo',
+						],
+					],
+				]),
 			],
 			// failures
 			'invalid response' => [
 				'@[email protected]',
 				null,
 				true,
-				json_encode(['not found']),
+				json_encode([
+					'subject' => 'acct:[email protected]',
+					'links' => [],
+				]),
 			],
 			'no response' => [
 				'@[email protected]',
@@ -811,7 +832,9 @@ public static function dataSanitizeFediverseServer(): array {
 				'@[email protected]',
 				null,
 				true,
-				json_encode(['username' => '[email protected]']),
+				json_encode([
+					'links' => [],
+				]),
 			],
 		];
 	}
@@ -833,12 +856,12 @@ public function testSanitizingFediverseServer(string $input, ?string $output, bo
 					->willReturn($serverResponse);
 				$client->expects(self::once())
 					->method('get')
-					->with('https://example.com/api/v1/accounts/lookup?acct=[email protected]')
+					->with('https://example.com/.well-known/webfinger?resource=acct:[email protected]')
 					->willReturn($response);
 			} else {
 				$client->expects(self::once())
 					->method('get')
-					->with('https://example.com/api/v1/accounts/lookup?acct=[email protected]')
+					->with('https://example.com/.well-known/webfinger?resource=acct:[email protected]')
 					->willThrowException(new \Exception('404'));
 			}