spec/services/verify_link_service_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

# frozen_string_literal: true

require 'rails_helper'

RSpec.describe VerifyLinkService, type: :service do
  subject { described_class.new }

  context 'given a local account' do
    let(:account) { Fabricate(:account, username: 'alice') }
    let(:field)   { Account::Field.new(account, 'name' => 'Website', 'value' => 'http://example.com') }

    before do
      stub_request(:head, 'https://redirect.me/abc').to_return(status: 301, headers: { 'Location' => ActivityPub::TagManager.instance.url_for(account) })
      stub_request(:get, 'http://example.com').to_return(status: 200, body: html)
      subject.call(field)
    end

    context 'when a link contains an <a> back' do
      let(:html) do
        <<-HTML
          <!doctype html>
          <body>
            <a href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me">Follow me on Mastodon</a>
          </body>
        HTML
      end

      it 'marks the field as verified' do
        expect(field.verified?).to be true
      end
    end

    context 'when a link contains an <a rel="noopener noreferrer"> back' do
      let(:html) do
        <<-HTML
          <!doctype html>
          <body>
            <a href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me noopener noreferrer" target="_blank">Follow me on Mastodon</a>
          </body>
        HTML
      end

      it 'marks the field as verified' do
        expect(field.verified?).to be true
      end
    end

    context 'when a link contains a <link> back' do
      let(:html) do
        <<-HTML
          <!doctype html>
          <head>
            <link type="text/html" href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me" />
          </head>
        HTML
      end

      it 'marks the field as verified' do
        expect(field.verified?).to be true
      end
    end

    context 'when a link goes through a redirect back' do
      let(:html) do
        <<-HTML
          <!doctype html>
          <head>
            <link type="text/html" href="https://redirect.me/abc" rel="me" />
          </head>
        HTML
      end

      it 'marks the field as verified' do
        expect(field.verified?).to be true
      end
    end

    context 'when a document is truncated but the link back is valid' do
      let(:html) do
        "
          <!doctype html>
          <body>
            <a rel=\"me\" href=\"#{ActivityPub::TagManager.instance.url_for(account)}\"
        "
      end

      it 'marks the field as not verified' do
        expect(field.verified?).to be false
      end
    end

    context 'when a link back might be truncated' do
      let(:html) do
        "
          <!doctype html>
          <body>
            <a rel=\"me\" href=\"#{ActivityPub::TagManager.instance.url_for(account)}"
      end

      it 'does not mark the field as verified' do
        expect(field.verified?).to be false
      end
    end

    context 'when a link does not contain a link back' do
      let(:html) { '' }

      it 'does not mark the field as verified' do
        expect(field.verified?).to be false
      end
    end

    context 'when link has no `href` attribute' do
      let(:html) do
        <<-HTML
          <!doctype html>
          <head>
            <link type="text/html" rel="me" />
          </head>
          <body>
            <a rel="me" target="_blank">Follow me on Mastodon</a>
          </body>
        HTML
      end

      it 'does not mark the field as verified' do
        expect(field.verified?).to be false
      end
    end
  end

  context 'given a remote account' do
    let(:account) { Fabricate(:account, username: 'alice', domain: 'example.com', url: 'https://profile.example.com/alice') }
    let(:field)   { Account::Field.new(account, 'name' => 'Website', 'value' => '<a href="http://example.com" rel="me"><span class="invisible">http://</span><span class="">example.com</span><span class="invisible"></span></a>') }

    before do
      stub_request(:get, 'http://example.com').to_return(status: 200, body: html)
      subject.call(field)
    end

    context 'when a link contains an <a> back' do
      let(:html) do
        <<-HTML
          <!doctype html>
          <body>
            <a href="https://profile.example.com/alice" rel="me">Follow me on Mastodon</a>
          </body>
        HTML
      end

      it 'marks the field as verified' do
        expect(field.verified?).to be true
      end
    end

    context 'when the link contains a link with a missing protocol slash' do
      # This was seen in the wild where a user had three pages:
      # 1. their mastodon profile, which linked to github and the personal website
      # 2. their personal website correctly linking back to mastodon
      # 3. a github profile that was linking to the personal website, but with
      #    a malformed protocol of http:/
      #
      # This caused link verification between the mastodon profile and the
      # website to fail.
      #
      # apparently github allows the user to enter website URLs with a single
      # slash and makes no attempts to correct that.
      let(:html) { '<a href="http:/unrelated.example">Hello</a>' }

      it 'does not crash' do
        # We could probably put more effort into perhaps auto-correcting the
        # link and following it anyway, but at the very least we shouldn't let
        # exceptions bubble up
        expect(field.verified?).to be false
      end
    end
  end
end