Proxy HTTP get does not follow 3xx redirects #14

Open
opened 1 year ago by Ninetailed · 0 comments

Description

When trying to verify a proof in the form of an HTTP URI, the proxy produces a 400 response if the HTTP request results in a 3xx redirect.

This can occur when attempting to verify a Mastodon proof on an instance where the instance's web frontend and API are served on a subdomain relative to the domain used as the instance's name.

Steps to reproduce

  1. Publish a key with an attached key notation in the form proof@metacode.biz=https://site.name/uri where site.name/uri is a web address under your control.
  2. Configure /uri on the web server to produce a 301 Moved Permanently response with another controlled URI in the Location header.
  3. Open the keyoxide.org page for this key with the browser network monitor open.
  4. Check for the XHR request to https://proxy.keyoxide.org/api/2/get/http?url=https://site.name/uri&format=json

Expected behaviour

Response has a 200 code and the body contains data from the looked-up site, allowing verification to proceed against the page content using configured claim definitions.

Actual behaviour

Response has a 400 code and the body is {"errors":"Moved Permanently"}, causing verification to fail.
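As an added example (not doipjs or proxy code from the project), the following shows how a proof proxy could follow the 301 from the steps above instead of returning 400, while bounding the hop count and refusing redirect loops and non-http(s) targets; the site map and fetch function are constructed stand-ins for the reporter's server, and the hop limit of 5 is an assumed default.

```javascript
// Constructed stand-in for the web server in the report: /uri answers 301 and
// points at a second controlled URI that serves the proof page. Header names
// are lowercase here, as a real fetch() Headers lookup would return them.
const FAKE_SITE = {
  'https://site.name/uri':     { status: 301, headers: { location: 'https://www.site.name/uri' } },
  'https://www.site.name/uri': { status: 200, headers: {}, body: 'proof page body (constructed)' },
  'https://site.name/loop':    { status: 302, headers: { location: '/loop' } },
  'https://site.name/bad':     { status: 301, headers: { location: 'ftp://site.name/uri' } },
};

// Injected transport so the example runs offline; a real proxy would call
// fetch(url, { redirect: 'manual' }) here and read the same fields.
function fakeFetch(url) {
  return FAKE_SITE[url] || { status: 404, headers: {}, body: '' };
}

// Follow 3xx responses, but only to http(s) targets, at most maxHops times,
// and never into a URL already visited (redirect loops).
function followRedirects(fetchFn, startUrl, maxHops = 5) {
  const visited = new Set();
  let current = new URL(startUrl);
  for (let hop = 0; hop <= maxHops; hop++) {
    if (current.protocol !== 'http:' && current.protocol !== 'https:') {
      throw new Error(`refusing non-http(s) URL: ${current.href}`);
    }
    if (visited.has(current.href)) throw new Error(`redirect loop at ${current.href}`);
    visited.add(current.href);
    const res = fetchFn(current.href);
    if (res.status < 300 || res.status > 399) {
      // Final answer: hand back the body plus where it actually came from,
      // so the caller can log or display the resolved URL.
      return { status: res.status, body: res.body, finalUrl: current.href, hops: hop };
    }
    const loc = res.headers.location;
    if (!loc) throw new Error(`${res.status} without Location header`);
    current = new URL(loc, current); // relative Location resolves against the current URL
  }
  throw new Error(`more than ${maxHops} redirects from ${startUrl}`);
}
```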

Reference: keyoxide/doipjs#14