From f4d549d30081478b1fe2bde9d340262e132bb891 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Tue, 18 Sep 2018 16:45:58 +0200
Subject: Redesign forms, verify link ownership with rel="me" (#8703)

* Verify link ownership with rel="me"

* Add explanation about verification to UI

* Perform link verifications

* Add click-to-copy widget for verification HTML

* Redesign edit profile page

* Redesign forms

* Improve responsive design of settings pages

* Restore landing page sign-up form

* Fix typo

* Support <link> tags, add spec

* Fix links not being verified on first discovery and passive updates
---
 .../activitypub/process_account_service.rb         |  5 ++++
 app/services/fetch_link_card_service.rb            |  2 +-
 app/services/update_account_service.rb             |  5 +++-
 app/services/verify_link_service.rb                | 32 ++++++++++++++++++++++
 4 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 app/services/verify_link_service.rb

(limited to 'app/services')

diff --git a/app/services/activitypub/process_account_service.rb b/app/services/activitypub/process_account_service.rb
index 670a0e4d6..c77858f1d 100644
--- a/app/services/activitypub/process_account_service.rb
+++ b/app/services/activitypub/process_account_service.rb
@@ -34,6 +34,7 @@ class ActivityPub::ProcessAccountService < BaseService
     after_protocol_change! if protocol_changed?
     after_key_change! if key_changed? && !@options[:signed_with_known_key]
     check_featured_collection! if @account.featured_collection_url.present?
+    check_links! unless @account.fields.empty?
 
     @account
   rescue Oj::ParseError
@@ -99,6 +100,10 @@ class ActivityPub::ProcessAccountService < BaseService
     ActivityPub::SynchronizeFeaturedCollectionWorker.perform_async(@account.id)
   end
 
+  def check_links!
+    VerifyAccountLinksWorker.perform_async(@account.id)
+  end
+
   def actor_type
     if @json['type'].is_a?(Array)
       @json['type'].find { |type| ActivityPub::FetchRemoteAccountService::SUPPORTED_TYPES.include?(type) }
diff --git a/app/services/fetch_link_card_service.rb b/app/services/fetch_link_card_service.rb
index ea94e2491..4169c685b 100644
--- a/app/services/fetch_link_card_service.rb
+++ b/app/services/fetch_link_card_service.rb
@@ -29,7 +29,7 @@ class FetchLinkCardService < BaseService
     end
 
     attach_card if @card&.persisted?
-  rescue HTTP::Error, Addressable::URI::InvalidURIError, Mastodon::LengthValidationError => e
+  rescue HTTP::Error, Addressable::URI::InvalidURIError, Mastodon::HostValidationError, Mastodon::LengthValidationError => e
     Rails.logger.debug "Error fetching link #{@url}: #{e}"
     nil
   end
diff --git a/app/services/update_account_service.rb b/app/services/update_account_service.rb
index 09ea377e7..362d80c9e 100644
--- a/app/services/update_account_service.rb
+++ b/app/services/update_account_service.rb
@@ -2,11 +2,14 @@
 
 class UpdateAccountService < BaseService
   def call(account, params, raise_error: false)
-    was_locked = account.locked
+    was_locked    = account.locked
     update_method = raise_error ? :update! : :update
+
     account.send(update_method, params).tap do |ret|
       next unless ret
+
       authorize_all_follow_requests(account) if was_locked && !account.locked
+      VerifyAccountLinksWorker.perform_async(@account.id) if account.fields_changed?
     end
   end
 
diff --git a/app/services/verify_link_service.rb b/app/services/verify_link_service.rb
new file mode 100644
index 000000000..9da7f93c3
--- /dev/null
+++ b/app/services/verify_link_service.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+class VerifyLinkService < BaseService
+  def call(field)
+    @link_back = ActivityPub::TagManager.instance.url_for(field.account)
+    @url       = field.value
+
+    perform_request!
+
+    return unless link_back_present?
+
+    field.mark_verified!
+    field.account.save!
+  rescue HTTP::Error, Addressable::URI::InvalidURIError, Mastodon::HostValidationError, Mastodon::LengthValidationError => e
+    Rails.logger.debug "Error fetching link #{@url}: #{e}"
+    nil
+  end
+
+  private
+
+  def perform_request!
+    @body = Request.new(:get, @url).add_headers('Accept' => 'text/html').perform do |res|
+      res.code != 200 ? nil : res.body_with_limit
+    end
+  end
+
+  def link_back_present?
+    return false if @body.empty?
+
+    Nokogiri::HTML(@body).xpath('//a[@rel="me"]|//link[@rel="me"]').any? { |link| link['href'] == @link_back }
+  end
+end
-- 
cgit 


From 68833a50d4f9952c9073c15bd13510048951d685 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Tue, 18 Sep 2018 23:57:21 +0200
Subject: Fix VerifyAccountLinksWorker not being queued (#8721)

UX-wise, people expect that saving the profile will re-check links even without changing fields content. Bug-wise, `@account` was undefined.

Regression from #8703
---
 app/services/update_account_service.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'app/services')

diff --git a/app/services/update_account_service.rb b/app/services/update_account_service.rb
index 362d80c9e..ec69d944a 100644
--- a/app/services/update_account_service.rb
+++ b/app/services/update_account_service.rb
@@ -9,16 +9,19 @@ class UpdateAccountService < BaseService
       next unless ret
 
       authorize_all_follow_requests(account) if was_locked && !account.locked
-      VerifyAccountLinksWorker.perform_async(@account.id) if account.fields_changed?
+      check_links(account)
     end
   end
 
   private
 
   def authorize_all_follow_requests(account)
-    follow_requests = FollowRequest.where(target_account: account)
-    AuthorizeFollowWorker.push_bulk(follow_requests) do |req|
+    AuthorizeFollowWorker.push_bulk(FollowRequest.where(target_account: account).select(:account_id, :target_account_id)) do |req|
       [req.account_id, req.target_account_id]
     end
   end
+
+  def check_links(account)
+    VerifyAccountLinksWorker.perform_async(account.id)
+  end
 end
-- 
cgit 


From 3da1cc7d5e9df22d3445cdf07020b6c57d14fa5c Mon Sep 17 00:00:00 2001
From: Yamagishi Kazutoshi <ykzts@desire.sh>
Date: Wed, 19 Sep 2018 23:47:31 +0900
Subject: Fix failed profile verification when rel attribute including values
 other than me (#8733)

---
 app/services/verify_link_service.rb       |  2 +-
 spec/services/verify_link_service_spec.rb | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

(limited to 'app/services')

diff --git a/app/services/verify_link_service.rb b/app/services/verify_link_service.rb
index 9da7f93c3..846751cd5 100644
--- a/app/services/verify_link_service.rb
+++ b/app/services/verify_link_service.rb
@@ -27,6 +27,6 @@ class VerifyLinkService < BaseService
   def link_back_present?
     return false if @body.empty?
 
-    Nokogiri::HTML(@body).xpath('//a[@rel="me"]|//link[@rel="me"]').any? { |link| link['href'] == @link_back }
+    Nokogiri::HTML(@body).xpath('//a[contains(concat(" ", normalize-space(@rel), " "), " me ")]|//link[contains(concat(" ", normalize-space(@rel), " "), " me ")]').any? { |link| link['href'] == @link_back }
   end
 end
diff --git a/spec/services/verify_link_service_spec.rb b/spec/services/verify_link_service_spec.rb
index 8ce867e9d..acd4e851e 100644
--- a/spec/services/verify_link_service_spec.rb
+++ b/spec/services/verify_link_service_spec.rb
@@ -26,6 +26,21 @@ RSpec.describe VerifyLinkService, type: :service do
     end
   end
 
+  context 'when a link contains an <a rel="noopener"> back' do
+    let(:html) do
+      <<-HTML
+        <!doctype html>
+        <body>
+          <a href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="noopener me" target="_blank">Follow me on Mastodon</a>
+        </body>
+      HTML
+    end
+
+    it 'marks the field as verified' do
+      expect(field.verified?).to be true
+    end
+  end
+
   context 'when a link contains a <link> back' do
     let(:html) do
       <<-HTML
-- 
cgit