Check Webfinger-returned author URI even when not redirected (#5213)

The whole point of verified_webfinger? is to check the WebFinger-discoverable URI maps back to the known author URI. This was not actually verified if the first Webfinger request was not a redirection.
author: ThibG <thib@sitedethib.com> 2017-10-04 09:59:28 +0200
committer: Eugen Rochko <eugen@zeonfederated.com> 2017-10-04 09:59:28 +0200
commit: 0e1b0f2747af373e3d51251337f40bfff13ef160 (patch)
tree: 00b905d355c5f8c70d1e6c079d128fdb79f22ed5 /app
parent: 468523f4ad85f99d78fd341ca4f5fc96f561a533 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/app/services/activitypub/fetch_remote_account_service.rb b/app/services/activitypub/fetch_remote_account_service.rb
index e6c6338be..d6ba625a9 100644
--- a/app/services/activitypub/fetch_remote_account_service.rb
+++ b/app/services/activitypub/fetch_remote_account_service.rb
@@ -31,7 +31,7 @@ class ActivityPub::FetchRemoteAccountService < BaseService
     webfinger                            = Goldfinger.finger("acct:#{@username}@#{@domain}")
     confirmed_username, confirmed_domain = split_acct(webfinger.subject)
 
-    return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
+    return webfinger.link('self')&.href == @uri if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
 
     webfinger                            = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}")
     @username, @domain                   = split_acct(webfinger.subject)
author	ThibG <thib@sitedethib.com>	2017-10-04 09:59:28 +0200
committer	Eugen Rochko <eugen@zeonfederated.com>	2017-10-04 09:59:28 +0200
commit	0e1b0f2747af373e3d51251337f40bfff13ef160 (patch)
tree	00b905d355c5f8c70d1e6c079d128fdb79f22ed5 /app
parent	468523f4ad85f99d78fd341ca4f5fc96f561a533 (diff)