From e1ce48753d2fc80c9438c9dafeeac410bce36f57 Mon Sep 17 00:00:00 2001
From: Angus McLeod
Date: Wed, 12 Jun 2024 13:17:53 +0200
Subject: [PATCH] Add more checks and tests
---
 app/lib/activitypub/activity/update.rb | 7 +-
 spec/lib/activitypub/activity/update_spec.rb | 103 ++++++++++++-------
 2 files changed, 71 insertions(+), 39 deletions(-)
diff --git a/app/lib/activitypub/activity/update.rb b/app/lib/activitypub/activity/update.rb
index b132258aec3..1dfa6b73121 100644
--- a/app/lib/activitypub/activity/update.rb
+++ b/app/lib/activitypub/activity/update.rb
@@ -52,7 +52,12 @@ class ActivityPub::Activity::Update < ActivityPub::Activity
 end
 
 def updated_username_confirmed?
- webfinger = Webfinger.new("acct:#{@object['preferredUsername']}@#{@account.domain}").perform
+ begin
+ webfinger = Webfinger.new("acct:#{@object['preferredUsername']}@#{@account.domain}").perform
+ rescue Webfinger::Error
+ return false
+ end
+
 confirmed_username, confirmed_domain = webfinger.subject.delete_prefix('acct:').split('@')
 confirmed_username == @object['preferredUsername'] && confirmed_domain == @account.domain
 end
diff --git a/spec/lib/activitypub/activity/update_spec.rb b/spec/lib/activitypub/activity/update_spec.rb
index 88ca2c0a4a5..ca483397654 100644
--- a/spec/lib/activitypub/activity/update_spec.rb
+++ b/spec/lib/activitypub/activity/update_spec.rb
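Review bot: `updated_username_confirmed?` accepts the rename once the WebFinger `subject` matches the requested handle, but nothing in the method ties that WebFinger record to the actor that sent the Update. The specs stub a `self` link with `href: sender.uri`, yet the method never reads it, so a subject that resolves to a different actor on the same domain would still confirm. Consider extending the final comparison with a check of the `self` link against the account's URI, e.g. `&& webfinger.link('self', 'href') == @account.uri` (assuming the response exposes a link lookup, which this hunk does not show). Separately, only `Webfinger::Error` is rescued; whether timeouts or TLS failures are wrapped in that class is not visible here, so a short comment stating what happens to them would help.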
@@ -77,38 +77,41 @@ RSpec.describe ActivityPub::Activity::Update do
 object: updated_username_json,
 }.with_indifferent_access
 end
- let(:webfinger_response) do
- {
- subject: "acct:#{updated_handle}",
- links: [
- {
- rel: 'self',
- type: 'application/activity+json',
- href: sender.uri,
- },
- ],
- }
- end
 
 before do
- stub_request(:get, "https://example.com/.well-known/webfinger?resource=acct:#{updated_handle}")
- .to_return(
- body: webfinger_response.to_json,
- headers: {
- 'Content-Type' => 'application/json',
- },
- status: 200
- )
+ stub_request(:get, 'https://example.com/.well-known/host-meta').to_return(status: 404)
 end
 
- it 'updates profile' do
- subject.perform
- expect(sender.reload.display_name).to eq 'Totally modified now'
- end
+ context 'when updated username is unique and confirmed' do
+ before do
+ stub_request(:get, "https://example.com/.well-known/webfinger?resource=acct:#{updated_handle}")
+ .to_return(
+ body: {
+ subject: "acct:#{updated_handle}",
+ links: [
+ {
+ rel: 'self',
+ type: 'application/activity+json',
+ href: sender.uri,
+ },
+ ],
+ }.to_json,
+ headers: {
+ 'Content-Type' => 'application/json',
+ },
+ status: 200
+ )
+ end
 
- it 'updates username' do
- subject.perform
- expect(sender.reload.username).to eq updated_username
+ it 'updates profile' do
+ subject.perform
+ expect(sender.reload.display_name).to eq 'Totally modified now'
+ end
+
+ it 'updates username' do
+ subject.perform
+ expect(sender.reload.username).to eq updated_username
+ end
 end
 
 context 'when updated username is not unique for domain' do
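Review bot: The WebFinger stub added in the 'unique and confirmed' context is repeated almost verbatim in the 'does not contain updated username' context of the next hunk; the two differ only in the `subject` value. A small spec helper such as `def stub_webfinger(handle, subject:)` that builds the body and headers once would keep that one difference visible and make further cases (other status codes, a different `self` href) one-liners. The enclosing `describe` block starts and ends outside the hunk.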
@@ -131,18 +134,42 @@ RSpec.describe ActivityPub::Activity::Update do
 end
 end
 
- context 'when updated username is not confirmed via webfinger' do
- let(:webfinger_response) do
- {
- subject: "acct:#{original_handle}",
- links: [
- {
- rel: 'self',
- type: 'application/activity+json',
- href: sender.uri,
+ context 'when webfinger of updated username does not contain updated username' do
+ before do
+ stub_request(:get, "https://example.com/.well-known/webfinger?resource=acct:#{updated_handle}")
+ .to_return(
+ body: {
+ subject: "acct:#{original_handle}",
+ links: [
+ {
+ rel: 'self',
+ type: 'application/activity+json',
+ href: sender.uri,
+ },
+ ],
+ }.to_json,
+ headers: {
+ 'Content-Type' => 'application/json',
 },
- ],
- }
+ status: 200
+ )
+ end
+
+ it 'updates profile' do
+ subject.perform
+ expect(sender.reload.display_name).to eq 'Totally modified now'
+ end
+
+ it 'does not update username' do
+ subject.perform
+ expect(sender.reload.username).to eq original_username
+ end
+ end
+
+ context 'when webfinger request of updated username fails' do
+ before do
+ stub_request(:get, "https://example.com/.well-known/webfinger?resource=acct:#{updated_handle}")
+ .to_return(status: 404)
 end
 
 it 'updates profile' do
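Review bot: The failure context covers only a 404 from the WebFinger endpoint, and every successful stub sets `href: sender.uri`, so no spec pins what happens when the subject matches but the `self` link names another actor, or when the endpoint returns malformed JSON or a 5xx. Since this check decides whether a remote rename is accepted, add at least a context like `context 'when webfinger self link does not match the sender' do` asserting `expect(sender.reload.username).to eq original_username`. The final `it 'updates profile' do` block continues outside the hunk, so the assertions for the 404 case are not visible here.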