Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
Commit fbef47a added a function to lib/private/Accounts/AccountManager.php, sanitizePropertyFediverse, that attempts to validate a fediverse handle using the Mastodon API, and attempts to call this API on the raw domain from the handle.
This is a flawed approach for a couple of main reasons:
- Mastodon is not the only fediverse software implementation, and its API is not universally adopted. This validation can fail if the user's host is using non-Mastodon software.
- Fediverse handles can point to instances running on another domain (or subdomain). For example, a user may have the handle alice@example.com but the instance may only be accessible at https://mastodon.example.com.
Instead, Nextcloud should use the WebFinger protocol (RFC 7033) to validate that an account with the given handle exists, and that an appropriate link with rel=self and type=application/activity+json is returned in the WebFinger response body.
Steps to reproduce
- Navigate to user profile settings page.
- Enter a Mastodon handle that is valid, but where the Mastodon API is on another (sub)domain.
- The handle is rejected.
Expected behavior
The valid handle should be accepted.
Nextcloud Server version
30
Operating system
None
PHP engine version
None
Web server
None
Database engine version
None
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
No response
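The WebFinger check proposed in the bug description, sketched as an added example. It is not part of the original report and not Nextcloud's code. The function names and the sample response are constructed for illustration, and the HTTP fetch itself is left out so the block runs offline.

```python
import json
from urllib.parse import urlencode, urlsplit

ACTIVITY_TYPE = "application/activity+json"

def parse_handle(handle):
    """Split '@alice@example.com' or 'alice@example.com' into (user, domain)."""
    user, sep, domain = handle.strip().lstrip("@").partition("@")
    if not sep or not user or not domain or "@" in domain or "/" in domain:
        raise ValueError("not a user@domain handle")
    return user, domain.lower()

def webfinger_url(handle):
    """RFC 7033 query URL on the handle's own domain, always over https."""
    user, domain = parse_handle(handle)
    query = urlencode({"resource": f"acct:{user}@{domain}"})
    return f"https://{domain}/.well-known/webfinger?{query}"

def actor_url(jrd_text):
    """Return the rel=self ActivityPub actor URL from a JRD body, else None."""
    try:
        jrd = json.loads(jrd_text)
    except ValueError:
        return None
    links = jrd.get("links") if isinstance(jrd, dict) else None
    for link in links if isinstance(links, list) else []:
        if not isinstance(link, dict) or link.get("rel") != "self":
            continue
        # Compare the media type only, ignoring parameters and case.
        media_type = str(link.get("type", "")).split(";")[0].strip().lower()
        href = link.get("href")
        # The actor may live on a different host than the handle's domain,
        # so only an absolute https URL is required here.
        if media_type == ACTIVITY_TYPE and isinstance(href, str):
            parts = urlsplit(href)
            if parts.scheme == "https" and parts.hostname:
                return href
    return None

# Constructed sample: example.com answers WebFinger for alice@example.com,
# while the instance itself runs on mastodon.example.com.
SAMPLE_JRD = json.dumps({"subject": "acct:alice@example.com", "links": [
    {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html",
     "href": "https://mastodon.example.com/@alice"},
    {"rel": "self", "type": ACTIVITY_TYPE,
     "href": "https://mastodon.example.com/users/alice"}]})

if __name__ == "__main__":
    print(webfinger_url("@alice@example.com"))
    print(actor_url(SAMPLE_JRD))
```

Because the lookup URL is built from a user-supplied domain, the server-side request that fetches it should go through the same outbound-request restrictions as any other user-controlled URL.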