From 514229544f9a6a95e8ce8a38b3b7a33e75d6021c Mon Sep 17 00:00:00 2001 From: forgejo-backport-action Date: Wed, 6 Aug 2025 16:17:03 +0200 Subject: [PATCH] [v12.0/forgejo] fix: trim trailing slash in WebFinger OIDC issuer link (#8800) **Backport:** https://codeberg.org/forgejo/forgejo/pulls/8794 As stated in a comment: https://codeberg.org/forgejo/forgejo/issues/8634#issuecomment-6136933 > `routers/web/webfinger.go` was left unchanged, so it still includes the trailing slash, no longer matching the issuer specified in other endpoints. > > ... > > From the [OpenID Connect Discovery specification](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery): > > > The Issuer location MUST be returned in the WebFinger response as the value of the href member of a links array element with rel member value http://openid.net/specs/connect/1.0/issuer. > > This sounds to me like the `href` should be the issuer location exactly. > > Using Forgejo for OIDC for auth with Tailscale is one instance of this change breaking something - signing up to Tailscale with OIDC now gives an error. Unsure what happens for existing accounts. In summary, since !8028, trailing slashes have been removed from the OIDC issuer locations specified by Forgejo everywhere except in WebFinger responses at `/.well-known/webfinger`, which still includes a trailing slash and so no longer matches the issuer as specified elsewhere (such as at `/.well-known/openid-configuration`). ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/.md` to be be used for the release notes instead of the title. ## Release notes - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/8794): trim trailing slash in WebFinger OIDC issuer link Co-authored-by: hazycora Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8800 Reviewed-by: Gusted Co-authored-by: forgejo-backport-action Co-committed-by: forgejo-backport-action --- routers/web/webfinger.go | 2 +- tests/integration/webfinger_test.go | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/routers/web/webfinger.go b/routers/web/webfinger.go index be3c2925fe..7636fd2d0c 100644 --- a/routers/web/webfinger.go +++ b/routers/web/webfinger.go @@ -153,7 +153,7 @@ func WebfingerQuery(ctx *context.Context) { }, { Rel: "http://openid.net/specs/connect/1.0/issuer", - Href: appURL.String(), + Href: strings.TrimSuffix(appURL.String(), "/"), }, } diff --git a/tests/integration/webfinger_test.go b/tests/integration/webfinger_test.go index 078be6fa54..4f07e4eb7f 100644 --- a/tests/integration/webfinger_test.go +++ b/tests/integration/webfinger_test.go @@ -7,6 +7,7 @@ import ( "fmt" "net/http" "net/url" + "strings" "testing" "forgejo.org/models/unittest" @@ -43,6 +44,8 @@ func TestWebfinger(t *testing.T) { session := loginUser(t, "user1") + ctx := t.Context() + req := NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", user.LowerName, appURL.Host)) resp := MakeRequest(t, req, http.StatusOK) assert.Equal(t, "application/jrd+json", resp.Header().Get("Content-Type")) @@ -50,6 +53,26 @@ func TestWebfinger(t *testing.T) { var jrd webfingerJRD DecodeJSON(t, resp, &jrd) assert.Equal(t, "acct:user2@"+appURL.Host, jrd.Subject) + assert.ElementsMatch(t, []*webfingerLink{ + { + Rel: "http://webfinger.net/rel/profile-page", + Type: "text/html", + Href: user.HTMLURL(), + }, + { + Rel: "http://webfinger.net/rel/avatar", + Href: user.AvatarLink(ctx), + }, + { + Rel: "self", + Type: "application/activity+json", + Href: appURL.String() + "api/v1/activitypub/user-id/" + fmt.Sprint(user.ID), + }, + { + Rel: "http://openid.net/specs/connect/1.0/issuer", + Href: strings.TrimSuffix(appURL.String(), "/"), + }, + }, jrd.Links) assert.ElementsMatch(t, []string{user.HTMLURL(), appURL.String() + "api/v1/activitypub/user-id/" + fmt.Sprint(user.ID)}, jrd.Aliases) req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", user.LowerName, "unknown.host"))