Differentiate between profile URL redirections #57

Closed
fluffy-critter opened this issue Jan 24, 2020 · 2 comments · Fixed by #86
Labels: low priority (Things that are nice to have but not a big deal), UX (Relating to the end-user experience)

Comments

@fluffy-critter (Contributor)

Per indieweb/indieauth#36, IndieAuth profiles (and probably other profiles) need a better way to handle URL redirections than simply accepting the final URL. Currently we just chase all redirections and use the final response URL as the canonical URL, but instead we should keep track of redirections and use the last URL that came before the first temporary redirect.

This is the edge-casiest of edge cases and only really applies to IndieAuth/IndieLogin (which are the only handlers which even retrieve the profile page) but it would still be helpful to do the redirection chase. See below for an example of what (again, very rare) edge case would fail.

For that matter, if the canonical profile URL is different, the URL-based detection logic could be rerun so that e.g. https://beesbuzz.biz/twitter will be treated as https://twitter.com/fluffy and not dropped as an unhandled auth type.

IndieAuth test cases

| Provided profile URL | Redirection chain | me URL | Pass/fail |
| --- | --- | --- | --- |
| http://alice.example.com | permanent -> https://alice.example.com | https://alice.example.com | pass |
| http://alice.example.com | temporary -> https://alice.example.com | https://alice.example.com | fail? (different scheme) |
| http://alice.example.com | temporary -> https://alice.example.com | http://alice.example.com | pass |
| https://alice.example.com | permanent -> https://example.com/~alice | https://alice.example.com | fail (different domain) |
| https://alice.example.com | temporary -> https://example.com/~alice | https://alice.example.com | pass |
| https://alice.example.com | permanent -> https://example.com/~alice | https://example.com/~alice/ | pass |

@fluffy-critter added the UX and low priority labels on Jan 24, 2020
@fluffy-critter (Contributor, Author)

Also, per the final-me-verification change (see #84), that needs to actually verify based on the redirection-target URL, not the initial me URL.

Ideally there should be a sibling to utils.request_url which returns a pair of (request,permanent_url) and indieauth.find_endpoint similarly returns a pair of (endpoint_url,profile_url).

@fluffy-critter (Contributor, Author)

Oh actually that's not necessary, response.history provides the entire redirection chain as it is.
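
The rule discussed in this thread, as an added example that is not part of the issue or the project's code: walk a `response.history`-style chain, stop at the first temporary redirect, and check the returned me URL against that canonical URL. `Hop`, `permanent_url`, `me_matches`, `check` and `ROWS` are hypothetical names, and the scheme-and-host comparison is an assumption inferred from the test-case table, with its "fail?" row treated as a failure.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# Hypothetical stand-in for one requests.Response in a redirect chain; only
# .url and .status_code are read, as on real response.history entries.
Hop = namedtuple("Hop", "url status_code")

PERMANENT = {301, 308}  # 302, 303 and 307 are temporary


def permanent_url(chain):
    """Return the last URL that came before the first temporary redirect.

    chain is response.history + [response]: each hop's url is the URL that
    was requested, status_code is how that URL answered.
    """
    for hop in chain:
        if hop.status_code not in PERMANENT:
            return hop.url  # temporary redirect or final response: stop here
    return chain[-1].url  # chain ended on a permanent redirect


def me_matches(me_url, canonical):
    """Assumed rule: the me URL must share scheme and host with canonical."""
    me, want = urlsplit(me_url), urlsplit(canonical)
    return (me.scheme, me.hostname) == (want.scheme, want.hostname)


def check(provided, kind, target, me_url):
    """Build a constructed two-hop chain for one table row and verify it."""
    status = 301 if kind == "permanent" else 302
    chain = [Hop(provided, status), Hop(target, 200)]
    return me_matches(me_url, permanent_url(chain))


# Constructed rows mirroring the table: provided, redirect, target, me, pass?
A, AS, EX = "http://alice.example.com", "https://alice.example.com", "https://example.com/~alice"
ROWS = [
    (A, "permanent", AS, AS, True),
    (A, "temporary", AS, AS, False),  # "fail?" in the table, treated as fail
    (A, "temporary", AS, A, True),
    (AS, "permanent", EX, AS, False),
    (AS, "temporary", EX, AS, True),
    (AS, "permanent", EX, EX + "/", True),
]

if __name__ == "__main__":
    for *row, expected in ROWS:
        print(row[1], row[0], "->", row[2], "me:", row[3], check(*row), expected)
```

With a real `requests` response, the chain argument would be `response.history + [response]`.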
