AP: Don't serve Webfinger for accounts we don't own #1025

snarfed · 2024-05-06T14:51:07Z

Right now, a bit embarrassingly, we serve Webfinger responses for any addresses that comes in, regardless of whether we actually own it. Example: /.well-known/webfinger?resource=acct:[email protected], which we oddly get ~1-2qps for, steady state, from a ton of different instances. We should return 404 (I assume?) instead for addresses we don't own.

The text was updated successfully, but these errors were encountered:

snarfed · 2024-05-07T21:19:46Z

Ah right. This isn't quite as easy because of our support for web sites on arbitrary domains. We'd need to detect when a domain is an AP instance so that we know when to serve a 400 and not try to handle them as a normal web site.

snarfed · 2024-05-07T21:20:09Z

Manual workaround for now is to just opt out any problematic domains here.

snarfed · 2024-05-08T05:40:44Z

Related: #348

for #911, #1025

snarfed added the now label May 6, 2024

snarfed mentioned this issue May 8, 2024

Web sign-up: detect native AP servers #911

Closed

snarfed removed the now label May 9, 2024

snarfed closed this as completed in 68ef81c Jun 2, 2024

snarfed added a commit that referenced this issue Aug 5, 2024

webfinger: don't serve domain@domain for web users without redirects

6a0a0fb

for #911, #1025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AP: Don't serve Webfinger for accounts we don't own #1025

AP: Don't serve Webfinger for accounts we don't own #1025

snarfed commented May 6, 2024

snarfed commented May 7, 2024

snarfed commented May 7, 2024

snarfed commented May 8, 2024

AP: Don't serve Webfinger for accounts we don't own #1025

AP: Don't serve Webfinger for accounts we don't own #1025

Comments

snarfed commented May 6, 2024

snarfed commented May 7, 2024

snarfed commented May 7, 2024

snarfed commented May 8, 2024