Merging changes from Eientei

2022-05-28 23:48:19 +03:00
parent f1d5575247 beac518f29
commit 485d5ca3be
31 changed files with 762 additions and 103 deletions
@@ -109,6 +109,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Attachment dimensions and blurhashes are federated when available.
 - Mastodon API: support `poll` notification.
 - Pinned posts federation
+- Possibility to discover users like `user@example.org`, while Pleroma is working on `pleroma.example.org`. Additional configuration required.

 ### Fixed
 - Don't crash so hard when email settings are invalid.
@@ -867,6 +867,8 @@ config :pleroma, ConcurrentLimiter, [
  {Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy, [max_running: 5, max_waiting: 5]}
 ]

+config :pleroma, Pleroma.Web.WebFinger, domain: nil, extra_domains: [], update_nickname_on_user_fetch: true
+
 # Import environment specific config. This must remain at the bottom
 # of this file so it overrides the configuration defined above.
 import_config "#{Mix.env()}.exs"
@@ -3439,5 +3439,33 @@ config :pleroma, :config_description, [
        ]
      }
    ]
+  },
+  %{
+    group: :pleroma,
+    key: Pleroma.Web.WebFinger,
+    label: "Web finger",
+    type: :group,
+    description: "Web finger settings",
+    children: [
+      %{
+        key: :domain,
+        type: :string,
+        description: "The authoritative instance domain, that will be used in user account subjects. Default: listened HTTP hostname.",
+        suggestions: ["example.com"]
+      },
+      %{
+        key: :extra_domains,
+        label: "Extra domains",
+        type: {:list, :string},
+        description: "Additional domains that should be served by webfinger requests in addition to authoritative domain and listened http hostname. Default: empty.",
+        suggestions: ["oldexample.com", "sub.example.com"]
+      },
+      %{
+        key: :update_nickname_on_user_fetch,
+        label: "Update nickname on user fetch",
+        type: :boolean,
+        description: "Enables using nicknames for remote users as returned by their respective webfinger responses. Default: enabled"
+      }
+    ]
  }
 ]
@@ -129,6 +129,8 @@ config :pleroma, :pipeline,

 config :pleroma, :cachex, provider: Pleroma.CachexMock

+config :pleroma, Pleroma.Web.WebFinger, update_nickname_on_user_fetch: false
+
 config :pleroma, :side_effects,
  ap_streamer: Pleroma.Web.ActivityPub.ActivityPubMock,
  logger: Pleroma.LoggerMock
@@ -489,6 +489,37 @@ Available caches:
 * `:activity_pub` - activity pub routes (except question activities). Defaults to `nil` (no expiration).
 * `:activity_pub_question` - activity pub routes (question activities). Defaults to `30_000` (30 seconds).

+### Pleroma.Web.WebFinger
+
+!!! note
+    This is only meaningful if you have HTTP server/reverse proxy serving additional domains
+
+- `domain` - is the domain for which your Pleroma instance has authority, it's the domain used in `acct:` URI. In our example, `domain` would be set to `example.org.`
+             If it is not set, defaults to `host` in `Pleroma.Web.Endpoint`
+- `extra_domains` - extra domains besides `host` and `domain` that will be accepted by webfinger requests.
+  Useful when host and domain are the same, for example when changing main instance domain, webfinger can be used to service
+  accounts using previous domain names.
+- `update_nickname_on_user_fetch` - If enabled, nicknames for newly encountered remote users will be taken from their
+  respective webfinger response.
+
+Example:
+
+```elixir
+config :pleroma, Pleroma.Web.Endpoint,
+  url: [host: "pleroma.example.org"]
+
+config :pleroma, Pleroma.Web.WebFinger,
+  domain: "example.org",
+  extra_domains: ["sub2.example.org"]
+```
+
+Here pleroma is hosted on `pleroma.example.org` which is also part of AP ids, but authoritive domain and hence subject
+of local users would be `example.org`, while webfinger requests will be accepted on all three of `pleroma.example.org`, 
+`example.org` and `sub2.example.org`.
+
+See [how_to_serve_another_domain_for_webfinger.md](how_to_serve_another_domain_for_webfinger.md) for additional details
+and reverse proxy configuration example.
+
 ## HTTP client

 ### :http
@@ -0,0 +1,59 @@
+# How to use a different domain name for Pleroma and the users it serves
+
+Pleroma users are primarily identified by a `user@example.org` handle, and you might want this identifier to be the same as your email or jabber account, for instance.
+However, in this case, you are almost certainly serving some web content on `https://example.org` already, and you might want to use another domain (say `pleroma.example.org`) for Pleroma itself.
+
+Pleroma supports that, but it might be tricky to set up, and any error might prevent you from federating with other instances.
+
+*If you are already running Pleroma on `example.org`, it is no longer possible to move it to `pleroma.example.org`.*
+
+## Account identifiers
+
+It is important to understand that for federation purposes, a user in Pleroma has two unique identifiers associated:
+
+- A webfinger `acct:` URI, used for discovery and as a verifiable global name for the user across Pleroma instances. In our example, our account's acct: URI is `acct:user@example.org`
+- An author/actor URI, used in every other aspect of federation. This is the way in which users are identified in ActivityPub, the underlying protocol used for federation with other Pleroma instances.
+In our case, it is `https://pleroma.example.org/users/user`.
+
+Both account identifiers are unique and required for Pleroma. An important risk if you set up your Pleroma instance incorrectly is to create two users (with different acct: URIs) with conflicting author/actor URIs.
+
+## WebFinger
+
+As said earlier, each Pleroma user has an `acct`: URI, which is used for discovery and authentication. When you add @user@example.org, a webfinger query is performed. This is done in two steps:
+
+1. Querying `https://example.org/.well-known/host-meta` (where the domain of the URL matches the domain part of the `acct`: URI) to get information on how to perform the query.
+This file will indeed contain a URL template of the form `https://example.org/.well-known/webfinger?resource={uri}` that will be used in the second step.
+2. Fill the returned template with the `acct`: URI to be queried and perform the query: `https://example.org/.well-known/webfinger?resource=acct:user@example.org`
+
+## Configuring your Pleroma instance
+
+**_DO NOT ATTEMPT TO CONFIGURE YOUR INSTANCE THIS WAY IF YOU DID NOT UNDERSTAND THE ABOVE_**
+
+
+### Configuring WebFinger domain
+
+Now, you have Pleroma running at `https://pleroma.example.org` as well as a website at `https://example.org`. If you recall how webfinger queries work, the first step is to query `https://example.org/.well-known/host-meta`, which will contain an URL template.
+
+Therefore, the easiest way to configure `example.org` is to redirect `/.well-known/host-meta` to `pleroma.example.org`.
+
+With nginx, it would be as simple as adding:
+
+```nginx
+location = /.well-known/host-meta {
+       return 301 https://pleroma.example.org$request_uri;
+}
+```
+
+in example.org's server block.
+
+### Limitations
+
+Some BEs and FEs may still use AP id instead of account subject to present user handles in UI.
+
+### Warnings
+
+Change `host` in `Pleroma.Web.Endpoint` and `domain` in `Pleroma.Web.WebFinger` with caution, it will likely result in 
+local accounts being duplicated on remote instances, which will affect federation and users reachability.
+
+Webfinger results are generally cached by server implementations and may only be requested once (on first account encounter)
+or with set rate limit depending on the implementation.
@@ -106,5 +106,12 @@ defmodule Pleroma.HTTP do
    [Tesla.Middleware.FollowRedirects, Pleroma.Tesla.Middleware.ConnectionPool]
  end

-  defp adapter_middlewares(_), do: []
+  defp adapter_middlewares(_) do
+    if Pleroma.Config.get(:env) == :test do
+      # Emulate redirects in test env, which are handled by adapters in other environments
+      [Tesla.Middleware.FollowRedirects]
+    else
+      []
+    end
+  end
 end
@@ -44,9 +44,9 @@ defmodule Pleroma.PasswordResetToken do
         %User{} = user <- User.get_cached_by_id(token.user_id),
         {:ok, _user} <- User.reset_password(user, data),
         {:ok, token} <- Repo.update(used_changeset(token)) do
-      {:ok, token}
+      {:ok, token, user}
    else
-      _e -> {:error, token}
+      _e -> {:error, token, nil}
    end
  end

@@ -1458,7 +1458,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
  defp normalize_image(urls) when is_list(urls), do: urls |> List.first() |> normalize_image()
  defp normalize_image(_), do: nil

-  defp object_to_user_data(data) do
+  defp object_to_user_data(data, additional) do
    fields =
      data
      |> Map.get("attachment", [])
@@ -1490,15 +1490,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    public_key =
      if is_map(data["publicKey"]) && is_binary(data["publicKey"]["publicKeyPem"]) do
        data["publicKey"]["publicKeyPem"]
-      else
-        nil
      end

    shared_inbox =
      if is_map(data["endpoints"]) && is_binary(data["endpoints"]["sharedInbox"]) do
        data["endpoints"]["sharedInbox"]
-      else
-        nil
      end

    birthday =
@@ -1513,7 +1509,12 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do

    show_birthday = !!birthday

-    user_data = %{
+    # if WebFinger request was already done, we probably have acct, otherwise
+    # we request WebFinger here
+    nickname = additional[:nickname_from_acct] || generate_nickname(data)
+
+#    user_data = %{
+    %{
      ap_id: data["id"],
      uri: get_actor_url(data["url"]),
      ap_enabled: true,
@@ -1537,21 +1538,27 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
      accepts_chat_messages: accepts_chat_messages,
      pinned_objects: pinned_objects,
      birthday: birthday,
-      show_birthday: show_birthday
+      show_birthday: show_birthday,
+      nickname: nickname
    }
+  end

-    # nickname can be nil because of virtual actors
-    if data["preferredUsername"] do
-      Map.put(
-        user_data,
-        :nickname,
-        "#{data["preferredUsername"]}@#{URI.parse(data["id"]).host}"
-      )
+  defp generate_nickname(%{"preferredUsername" => username} = data) when is_binary(username) do
+    generated = "#{username}@#{URI.parse(data["id"]).host}"
+
+    if Config.get([WebFinger, :update_nickname_on_user_fetch]) do
+      case WebFinger.finger(generated) do
+        {:ok, %{"subject" => "acct:" <> acct}} -> acct
+        _ -> generated
+      end
    else
-      Map.put(user_data, :nickname, nil)
+      generated
    end
  end

+  # nickname can be nil because of virtual actors
+  defp generate_nickname(_), do: nil
+
  def fetch_follow_information_for_user(user) do
    with {:ok, following_data} <-
           Fetcher.fetch_and_contain_remote_object_from_id(user.following_address),
@@ -1623,17 +1630,17 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do

  defp collection_private(_data), do: {:ok, true}

-  def user_data_from_user_object(data) do
+  def user_data_from_user_object(data, additional \\ []) do
    with {:ok, data} <- MRF.filter(data) do
-      {:ok, object_to_user_data(data)}
+      {:ok, object_to_user_data(data, additional)}
    else
      e -> {:error, e}
    end
  end

-  def fetch_and_prepare_user_from_ap_id(ap_id) do
+  def fetch_and_prepare_user_from_ap_id(ap_id, additional \\ []) do
    with {:ok, data} <- Fetcher.fetch_and_contain_remote_object_from_id(ap_id),
-         {:ok, data} <- user_data_from_user_object(data) do
+         {:ok, data} <- user_data_from_user_object(data, additional) do
      {:ok, maybe_update_follow_information(data)}
    else
      # If this has been deleted, only log a debug and not an error
@@ -1711,13 +1718,13 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    end
  end

-  def make_user_from_ap_id(ap_id) do
+  def make_user_from_ap_id(ap_id, additional \\ []) do
    user = User.get_cached_by_ap_id(ap_id)

    if user && !User.ap_enabled?(user) do
      Transmogrifier.upgrade_user_from_ap_id(ap_id)
    else
-      with {:ok, data} <- fetch_and_prepare_user_from_ap_id(ap_id) do
+      with {:ok, data} <- fetch_and_prepare_user_from_ap_id(ap_id, additional) do
        {:ok, _pid} = Task.start(fn -> pinned_fetch_task(data) end)

        if user do
@@ -1737,8 +1744,9 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
  end

  def make_user_from_nickname(nickname) do
-    with {:ok, %{"ap_id" => ap_id}} when not is_nil(ap_id) <- WebFinger.finger(nickname) do
-      make_user_from_ap_id(ap_id)
+    with {:ok, %{"ap_id" => ap_id, "subject" => "acct:" <> acct}} when not is_nil(ap_id) <-
+           WebFinger.finger(nickname) do
+      make_user_from_ap_id(ap_id, nickname_from_acct: acct)
    else
      _e -> {:error, "No AP id in WebFinger"}
    end
@@ -0,0 +1,76 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.ActivityPub.MRF.BlockBotPolicy do
+  alias Pleroma.User
+  alias Pleroma.Web.CommonAPI
+
+  @moduledoc "Notify local users upon remote block."
+
+  @behaviour Pleroma.Web.ActivityPub.MRF.Policy
+
+  defp is_block_or_unblock(%{"type" => "Block", "object" => object}),
+    do: {true, "blocked", object}
+
+  defp is_block_or_unblock(%{
+         "type" => "Undo",
+         "object" => %{"type" => "Block", "object" => object}
+       }),
+       do: {true, "unblocked", object}
+
+  defp is_block_or_unblock(_), do: {false, nil, nil}
+
+  defp is_remote_or_displaying_local?(%User{local: false}), do: true
+
+  defp is_remote_or_displaying_local?(_),
+    do: Pleroma.Config.get([:mrf_blockbotpolicy, :display_local])
+
+  @impl true
+  def filter(message) do
+
+    with {true, action, object} <- is_block_or_unblock(message),
+         %User{} = actor <- User.get_cached_by_ap_id(message["actor"]),
+         %User{} = recipient <- User.get_cached_by_ap_id(object),
+         true <- recipient.local,
+         true <- is_remote_or_displaying_local?(actor),
+         false <- User.blocks?(recipient, actor) do
+      bot_user = Pleroma.Config.get([:mrf_blockbotpolicy, :user])
+
+      _reply =
+        CommonAPI.post(User.get_by_nickname(bot_user), %{
+          status: "@" <> recipient.nickname <> " you are now " <> action <> " by " <> actor.nickname,
+          visibility: "direct"
+        })
+    end
+
+    {:ok, message}
+  end
+
+  @impl true
+  def config_description do
+    %{
+      key: :mrf_blockbotpolicy,
+      related_policy: "Pleroma.Web.ActivityPub.MRF.BlockBotPolicy",
+      label: "BlockBot notifications",
+      description: @moduledoc,
+      children: [
+        %{
+          key: :user,
+          type: :string,
+          description: "A name of blockbot account",
+          suggestions: ["blockbot"]
+        },
+        %{
+          key: :display_local,
+          type: :boolean,
+          description: "Display local blocks"
+        }
+      ]
+    }
+  end
+
+  @impl true
+  def describe,
+    do: {:ok, %{mrf_blockbotpolicy: Pleroma.Config.get(:mrf_blockbotpolicy) |> Enum.into(%{})}}
+end
@@ -0,0 +1,36 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.ActivityPub.MRF.FixFormattingBullshit do
+  @behaviour Pleroma.Web.ActivityPub.MRF.Policy
+
+  @impl true
+  def filter(
+        %{
+          "type" => "Create",
+          "object" => %{"type" => "Note"}
+        } = object
+      )
+  do
+    content = object["object"]["content"] || ""
+
+    # fix poast newlines
+    content = Regex.replace(~r/<br><a[^>]*><\/a>/, content, "")
+
+    # fix poast mention spaces
+    content = Regex.replace(
+      ~r/(<span class="recipients-inline">(?:[ ]*<span[^>]*><a[^>]*>.*?<\/a>[ ]*<\/span>)*) (<\/span>)/,
+      content,
+      "\\1\\2 "
+    )
+
+    {:ok, put_in(object["object"]["content"], content)}
+  end
+
+  @impl true
+  def filter(object), do: {:ok, object}
+
+  @impl true
+  def describe, do: {:ok, %{}}
+end
@@ -91,11 +91,13 @@ defmodule Pleroma.Web.ActivityPub.MRF.ForceMentionsInContent do
      |> Enum.map(&User.get_cached_by_ap_id/1)
      |> Enum.reject(&is_nil/1)
      |> sort_replied_user(replied_to_user)
+      |> Enum.uniq()

    explicitly_mentioned_uris = extract_mention_uris_from_content(content)

    added_mentions =
-      Enum.reduce(mention_users, "", fn %User{ap_id: uri} = user, acc ->
+      Enum.reduce(mention_users, "", fn %User{} = user, acc ->
+        uri = user.uri || user.ap_id
        unless uri in explicitly_mentioned_uris do
          acc <> Formatter.mention_from_user(user, %{mentions_format: :compact}) <> " "
        else
@@ -103,10 +105,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.ForceMentionsInContent do
        end
      end)

-    recipients_inline =
-      if added_mentions != "",
-        do: "<span class=\"recipients-inline\">#{added_mentions}</span>",
-        else: ""
+    recipients_inline = added_mentions

    content =
      cond do
@@ -10,16 +10,6 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
  @moduledoc "Detect new emojis by their shortcode and steals them"
  @behaviour Pleroma.Web.ActivityPub.MRF.Policy

-  defp accept_host?(host), do: host in Config.get([:mrf_steal_emoji, :hosts], [])
-
-  defp shortcode_matches?(shortcode, pattern) when is_binary(pattern) do
-    shortcode == pattern
-  end
-
-  defp shortcode_matches?(shortcode, pattern) do
-    String.match?(shortcode, pattern)
-  end
-
  defp steal_emoji({shortcode, url}, emoji_dir_path) do
    url = Pleroma.Web.MediaProxy.url(url)

@@ -62,28 +52,25 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
  def filter(%{"object" => %{"emoji" => foreign_emojis, "actor" => actor}} = message) do
    host = URI.parse(actor).host

-    if host != Pleroma.Web.Endpoint.host() and accept_host?(host) do
+    if host != Pleroma.Web.Endpoint.host() do
      installed_emoji = Pleroma.Emoji.get_all() |> Enum.map(fn {k, _} -> k end)

      emoji_dir_path =
        Config.get(
          [:mrf_steal_emoji, :path],
-          Path.join(Config.get([:instance, :static_dir]), "emoji/stolen")
+          Path.join(Config.get([:instance, :static_dir]), "emoji/stolen/#{host}")
        )

-      File.mkdir_p(emoji_dir_path)
+      tograb_emojis =
+        foreign_emojis
+        |> Enum.reject(fn {shortcode, url} -> shortcode in installed_emoji || !Regex.match?(~r/\.(jpg|jpeg|png|gif)$/i, url) end)
+
+      if !Enum.empty?(tograb_emojis) do
+        File.mkdir_p(emoji_dir_path)
+      end

      new_emojis =
-        foreign_emojis
-        |> Enum.reject(fn {shortcode, _url} -> shortcode in installed_emoji end)
-        |> Enum.filter(fn {shortcode, _url} ->
-          reject_emoji? =
-            [:mrf_steal_emoji, :rejected_shortcodes]
-            |> Config.get([])
-            |> Enum.find(false, fn pattern -> shortcode_matches?(shortcode, pattern) end)
-
-          !reject_emoji?
-        end)
+        tograb_emojis
        |> Enum.map(&steal_emoji(&1, emoji_dir_path))
        |> Enum.filter(& &1)

@@ -78,6 +78,20 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
  # False if the user is logged out
  defp reblogged?(_activity, _user), do: false

+  defp reblogged_count(activity) do
+    with %Object{data: %{"announcements" => announcements, "announcement_count" => announcement_count}}
+      when is_list(announcements) <- Object.normalize(activity, fetch: false) do
+        if length(announcements) == 0 do
+          0
+        else
+          relays = length(Enum.filter(announcements, fn(x) -> Regex.match?(~r/\/relay$/, x) end))
+          announcement_count - relays
+        end
+    else
+      _ -> 0
+    end
+  end
+
  def render("index.json", opts) do
    reading_user = opts[:for]

@@ -208,7 +222,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
    user_follower_address = user.follower_address

    like_count = object.data["like_count"] || 0
-    announcement_count = object.data["announcement_count"] || 0
+    announcement_count = reblogged_count(object.data)

    hashtags = Object.hashtags(object)
    sensitive = object.data["sensitive"] || Enum.member?(hashtags, "nsfw")
@@ -117,7 +117,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
      if Config.get(:env) == :dev do
        "script-src 'self' 'unsafe-eval'"
      else
-        "script-src 'self'"
+        "script-src 'self' 'wasm-unsafe-eval'"
      end

    report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
@@ -43,7 +43,10 @@ defmodule Pleroma.Web.TwitterAPI.PasswordController do
  end

  def do_reset(conn, %{"data" => data}) do
-    with {:ok, _} <- PasswordResetToken.reset_password(data["token"], data) do
+    with {:ok, _, u} <- PasswordResetToken.reset_password(data["token"], data) do
+      with %User{} = user <- u, true <- user.local and !user.is_confirmed do
+        User.confirm(user)
+      end
      render(conn, "reset_success.html")
    else
      _e -> render(conn, "reset_failed.html")
@@ -32,9 +32,12 @@ defmodule Pleroma.Web.WebFinger do

  def webfinger(resource, fmt) when fmt in ["XML", "JSON"] do
    host = Pleroma.Web.Endpoint.host()
-    regex = ~r/(acct:)?(?<username>[a-z0-9A-Z_\.-]+)@#{host}/
+    accepted_domains = [ host | extra_domains() ]

-    with %{"username" => username} <- Regex.named_captures(regex, resource),
+    regex = ~r/(acct:)?(?<username>[a-z0-9A-Z_\.-]+)@(?<hostname>[^\/:]*)/
+
+    with %{"username" => username, "hostname" => hostname} <- Regex.named_captures(regex, resource),
+         hostname in accepted_domains,
         %User{} = user <- User.get_cached_by_nickname(username) do
      {:ok, represent_user(user, fmt)}
    else
@@ -58,15 +61,33 @@ defmodule Pleroma.Web.WebFinger do
    ] ++ Publisher.gather_webfinger_links(user)
  end

+  defp extra_domains() do
+    extra = Pleroma.Config.get([__MODULE__, :extra_domains]) || []
+    webfinger_domain = Pleroma.Config.get([__MODULE__, :domain])
+    host = Pleroma.Web.Endpoint.host()
+
+    if webfinger_domain && webfinger_domain != host && webfinger_domain not in extra do
+      [ webfinger_domain | extra ]
+    else
+      extra
+    end
+  end
+
+  defp extra_ap_ids(nickname) do
+    host_url = Pleroma.Web.Endpoint.struct_url()
+
+    Enum.map(extra_domains(), fn x -> "#{host_url.scheme}://#{x}/users/#{nickname}" end)
+  end
+
  defp gather_aliases(%User{} = user) do
-    [user.ap_id | user.also_known_as]
+    [user.ap_id | user.also_known_as] ++ extra_ap_ids(user.nickname)
  end

  def represent_user(user, "JSON") do
    {:ok, user} = User.ensure_keys_present(user)

    %{
-      "subject" => "acct:#{user.nickname}@#{Pleroma.Web.Endpoint.host()}",
+      "subject" => "acct:#{user.nickname}@#{domain()}",
      "aliases" => gather_aliases(user),
      "links" => gather_links(user)
    }
@@ -88,12 +109,16 @@ defmodule Pleroma.Web.WebFinger do
      :XRD,
      %{xmlns: "http://docs.oasis-open.org/ns/xri/xrd-1.0"},
      [
-        {:Subject, "acct:#{user.nickname}@#{Pleroma.Web.Endpoint.host()}"}
+        {:Subject, "acct:#{user.nickname}@#{domain()}"}
      ] ++ aliases ++ links
    }
    |> XmlBuilder.to_doc()
  end

+  defp domain do
+    Pleroma.Config.get([__MODULE__, :domain]) || Pleroma.Web.Endpoint.host()
+  end
+
  defp webfinger_from_xml(body) do
    with {:ok, doc} <- XML.parse_document(body) do
      subject = XML.string_from_xpath("//Subject", doc)
@@ -150,17 +175,15 @@ defmodule Pleroma.Web.WebFinger do
  end

  def find_lrdd_template(domain) do
-    with {:ok, %{status: status, body: body}} when status in 200..299 <-
-           HTTP.get("http://#{domain}/.well-known/host-meta") do
+    # WebFinger is restricted to HTTPS - https://tools.ietf.org/html/rfc7033#section-9.1
+    meta_url = "https://#{domain}/.well-known/host-meta"
+
+    with {:ok, %{status: status, body: body}} when status in 200..299 <- HTTP.get(meta_url) do
      get_template_from_xml(body)
    else
-      _ ->
-        with {:ok, %{body: body, status: status}} when status in 200..299 <-
-               HTTP.get("https://#{domain}/.well-known/host-meta") do
-          get_template_from_xml(body)
-        else
-          e -> {:error, "Can't find LRDD template: #{inspect(e)}"}
-        end
+      error ->
+        Logger.warn("Can't find LRDD template in #{inspect(meta_url)}: #{inspect(error)}")
+        {:error, :lrdd_not_found}
    end
  end

@@ -174,7 +197,7 @@ defmodule Pleroma.Web.WebFinger do
    end
  end

-  defp get_address_from_domain(_, _), do: nil
+  defp get_address_from_domain(_, _), do: {:error, :webfinger_no_domain}

  @spec finger(String.t()) :: {:ok, map()} | {:error, any()}
  def finger(account) do
@@ -191,13 +214,11 @@ defmodule Pleroma.Web.WebFinger do
    encoded_account = URI.encode("acct:#{account}")

    with address when is_binary(address) <- get_address_from_domain(domain, encoded_account),
-         response <-
+         {:ok, %{status: status, body: body, headers: headers}} when status in 200..299 <-
           HTTP.get(
             address,
             [{"accept", "application/xrd+xml,application/jrd+json"}]
-           ),
-         {:ok, %{status: status, body: body, headers: headers}} when status in 200..299 <-
-           response do
+           ) do
      case List.keyfind(headers, "content-type", 0) do
        {_, content_type} ->
          case Plug.Conn.Utils.media_type(content_type) do
@@ -215,10 +236,9 @@ defmodule Pleroma.Web.WebFinger do
          {:error, {:content_type, nil}}
      end
    else
-      e ->
-        Logger.debug(fn -> "Couldn't finger #{account}" end)
-        Logger.debug(fn -> inspect(e) end)
-        {:error, e}
+      error ->
+        Logger.debug("Couldn't finger #{account}: #{inspect(error)}")
+        error
    end
  end
 end
@@ -27,8 +27,8 @@
  "db_connection": {:hex, :db_connection, "2.4.0", "d04b1b73795dae60cead94189f1b8a51cc9e1f911c234cc23074017c43c031e5", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "ad416c21ad9f61b3103d254a71b63696ecadb6a917b36f563921e0de00d7d7c8"},
  "decimal": {:hex, :decimal, "2.0.0", "a78296e617b0f5dd4c6caf57c714431347912ffb1d0842e998e9792b5642d697", [:mix], [], "hexpm", "34666e9c55dea81013e77d9d87370fe6cb6291d1ef32f46a1600230b1d44f577"},
  "deep_merge": {:hex, :deep_merge, "1.0.0", "b4aa1a0d1acac393bdf38b2291af38cb1d4a52806cf7a4906f718e1feb5ee961", [:mix], [], "hexpm", "ce708e5f094b9cd4e8f2be4f00d2f4250c4095be93f8cd6d018c753894885430"},
-  "earmark": {:hex, :earmark, "1.4.18", "618c4ff1563450d1832b7fb41dc6755e470f91a6fd4c70f350a58b14f64a7db8", [:mix], [{:earmark_parser, ">= 1.4.17", [hex: :earmark_parser, repo: "hexpm", optional: false]}], "hexpm", "57ac3b6da3958ed09c669a9b159e86377fcccda56bacde8a209fa4dcdef52560"},
-  "earmark_parser": {:hex, :earmark_parser, "1.4.17", "6f3c7e94170377ba45241d394389e800fb15adc5de51d0a3cd52ae766aafd63f", [:mix], [], "hexpm", "f93ac89c9feca61c165b264b5837bf82344d13bebc634cd575cb711e2e342023"},
+  "earmark": {:hex, :earmark, "1.4.15", "2c7f924bf495ec1f65bd144b355d0949a05a254d0ec561740308a54946a67888", [:mix], [{:earmark_parser, ">= 1.4.13", [hex: :earmark_parser, repo: "hexpm", optional: false]}], "hexpm", "3b1209b85bc9f3586f370f7c363f6533788fb4e51db23aa79565875e7f9999ee"},
+  "earmark_parser": {:hex, :earmark_parser, "1.4.25", "2024618731c55ebfcc5439d756852ec4e85978a39d0d58593763924d9a15916f", [:mix], [], "hexpm", "56749c5e1c59447f7b7a23ddb235e4b3defe276afc220a6227237f3efe83f51e"},
  "eblurhash": {:hex, :eblurhash, "1.1.0", "e10ccae762598507ebfacf0b645ed49520f2afa3e7e9943e73a91117dffce415", [:rebar3], [], "hexpm", "2e6b889d09fddd374e3c5ac57c486138768763264e99ac1074ae5fa7fc9ab51d"},
  "ecto": {:hex, :ecto, "3.6.2", "efdf52acfc4ce29249bab5417415bd50abd62db7b0603b8bab0d7b996548c2bc", [:mix], [{:decimal, "~> 1.6 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "efad6dfb04e6f986b8a3047822b0f826d9affe8e4ebdd2aeedbfcb14fd48884e"},
  "ecto_enum": {:hex, :ecto_enum, "1.4.0", "d14b00e04b974afc69c251632d1e49594d899067ee2b376277efd8233027aec8", [:mix], [{:ecto, ">= 3.0.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:ecto_sql, "> 3.0.0", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:mariaex, ">= 0.0.0", [hex: :mariaex, repo: "hexpm", optional: true]}, {:postgrex, ">= 0.0.0", [hex: :postgrex, repo: "hexpm", optional: true]}], "hexpm", "8fb55c087181c2b15eee406519dc22578fa60dd82c088be376d0010172764ee4"},
@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><hm:Host xmlns:hm="http://host-meta.net/xrd/1.0">framatube.org</hm:Host><Link rel="lrdd" template="http://framatube.org/main/xrd?uri={uri}"><Title>Resource Descriptor</Title></Link></XRD>
+<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><hm:Host xmlns:hm="http://host-meta.net/xrd/1.0">framatube.org</hm:Host><Link rel="lrdd" template="https://framatube.org/main/xrd?uri={uri}"><Title>Resource Descriptor</Title></Link></XRD>
@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><hm:Host xmlns:hm="http://host-meta.net/xrd/1.0">status.alpicola.com</hm:Host><Link rel="lrdd" template="http://status.alpicola.com/main/xrd?uri={uri}"><Title>Resource Descriptor</Title></Link></XRD>
+<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><hm:Host xmlns:hm="http://host-meta.net/xrd/1.0">status.alpicola.com</hm:Host><Link rel="lrdd" template="https://status.alpicola.com/main/xrd?uri={uri}"><Title>Resource Descriptor</Title></Link></XRD>
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
+  <Link rel="lrdd" template="https://{{domain}}/.well-known/webfinger?resource={uri}"/>
+</XRD>
@@ -0,0 +1,92 @@
+{
+  "@context": [
+    "https://www.w3.org/ns/activitystreams",
+    "https://w3id.org/security/v1",
+    {
+      "manuallyApprovesFollowers": "as:manuallyApprovesFollowers",
+      "toot": "http://joinmastodon.org/ns#",
+      "featured": {
+        "@id": "toot:featured",
+        "@type": "@id"
+      },
+      "featuredTags": {
+        "@id": "toot:featuredTags",
+        "@type": "@id"
+      },
+      "alsoKnownAs": {
+        "@id": "as:alsoKnownAs",
+        "@type": "@id"
+      },
+      "movedTo": {
+        "@id": "as:movedTo",
+        "@type": "@id"
+      },
+      "schema": "http://schema.org#",
+      "PropertyValue": "schema:PropertyValue",
+      "value": "schema:value",
+      "IdentityProof": "toot:IdentityProof",
+      "discoverable": "toot:discoverable",
+      "Device": "toot:Device",
+      "Ed25519Signature": "toot:Ed25519Signature",
+      "Ed25519Key": "toot:Ed25519Key",
+      "Curve25519Key": "toot:Curve25519Key",
+      "EncryptedMessage": "toot:EncryptedMessage",
+      "publicKeyBase64": "toot:publicKeyBase64",
+      "deviceId": "toot:deviceId",
+      "claim": {
+        "@type": "@id",
+        "@id": "toot:claim"
+      },
+      "fingerprintKey": {
+        "@type": "@id",
+        "@id": "toot:fingerprintKey"
+      },
+      "identityKey": {
+        "@type": "@id",
+        "@id": "toot:identityKey"
+      },
+      "devices": {
+        "@type": "@id",
+        "@id": "toot:devices"
+      },
+      "messageFranking": "toot:messageFranking",
+      "messageType": "toot:messageType",
+      "cipherText": "toot:cipherText",
+      "suspended": "toot:suspended",
+      "focalPoint": {
+        "@container": "@list",
+        "@id": "toot:focalPoint"
+      }
+    }
+  ],
+  "id": "https://{{domain}}/users/{{nickname}}",
+  "type": "Person",
+  "following": "https://{{domain}}/users/{{nickname}}/following",
+  "followers": "https://{{domain}}/users/{{nickname}}/followers",
+  "inbox": "https://{{domain}}/users/{{nickname}}/inbox",
+  "outbox": "https://{{domain}}/users/{{nickname}}/outbox",
+  "featured": "https://{{domain}}/users/{{nickname}}/collections/featured",
+  "featuredTags": "https://{{domain}}/users/{{nickname}}/collections/tags",
+  "preferredUsername": "{{nickname}}",
+  "name": "Name Name",
+  "summary": "<p>Summary</p>",
+  "url": "https://{{domain}}/@{{nickname}}",
+  "manuallyApprovesFollowers": false,
+  "discoverable": false,
+  "devices": "https://{{domain}}/users/{{nickname}}/collections/devices",
+  "publicKey": {
+    "id": "https://{{domain}}/users/{{nickname}}#main-key",
+    "owner": "https://{{domain}}/users/{{nickname}}",
+    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwDujxmxoYHs64MyVB3L\nG5ZyBxV3ufaMRBFu42bkcTpISq1WwZ+3Zb6CI8zOO+nM+Q2llrVRYjZa4ZFnOLvM\nTq/Kf+Zf5wy2aCRer88gX+MsJOAtItSi412y0a/rKOuFaDYLOLeTkRvmGLgZWbsr\nZJOp+YWb3zQ5qsIOInkc5BwI172tMsGeFtsnbNApPV4lrmtTGaJ8RiM8MR7XANBO\nfOHggSt1+eAIKGIsCmINEMzs1mG9D75xKtC/sM8GfbvBclQcBstGkHAEj1VHPW0c\nh6Bok5/QQppicyb8UA1PAA9bznSFtKlYE4xCH8rlCDSDTBRtdnBWHKcj619Ujz4Q\nawIDAQAB\n-----END PUBLIC KEY-----\n"
+  },
+  "tag": [],
+  "attachment": [],
+  "endpoints": {
+    "sharedInbox": "https://{{domain}}/inbox"
+  },
+  "icon": {
+    "type": "Image",
+    "mediaType": "image/jpeg",
+    "url": "https://s3.wasabisys.com/merp/accounts/avatars/000/000/001/original/6fdd3eee632af247.jpg"
+  }
+}
@@ -0,0 +1,23 @@
+{
+  "subject": "acct:{{nickname}}@{{domain}}",
+  "aliases": [
+    "https://{{subdomain}}/@{{nickname}}",
+    "https://{{subdomain}}/users/{{nickname}}"
+  ],
+  "links": [
+    {
+      "rel": "http://webfinger.net/rel/profile-page",
+      "type": "text/html",
+      "href": "https://{{subdomain}}/@{{nickname}}"
+    },
+    {
+      "rel": "self",
+      "type": "application/activity+json",
+      "href": "https://{{subdomain}}/users/{{nickname}}"
+    },
+    {
+      "rel": "http://ostatus.org/schema/1.0/subscribe",
+      "template": "https://{{subdomain}}/authorize_interaction?uri={uri}"
+    }
+  ]
+}
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="lrdd" template="https://{{domain}}/.well-known/webfinger?resource={uri}" type="application/xrd+xml" /></XRD>
@@ -0,0 +1,58 @@
+{
+  "@context": [
+    "https://www.w3.org/ns/activitystreams",
+    "https://{{domain}}/schemas/litepub-0.1.jsonld",
+    {
+      "@language": "und"
+    }
+  ],
+  "alsoKnownAs": [],
+  "attachment": [],
+  "capabilities": {
+    "acceptsChatMessages": true
+  },
+  "discoverable": true,
+  "endpoints": {
+    "oauthAuthorizationEndpoint": "https://{{domain}}/oauth/authorize",
+    "oauthRegistrationEndpoint": "https://{{domain}}/api/v1/apps",
+    "oauthTokenEndpoint": "https://{{domain}}/oauth/token",
+    "sharedInbox": "https://{{domain}}/inbox",
+    "uploadMedia": "https://{{domain}}/api/ap/upload_media"
+  },
+  "followers": "https://{{domain}}/users/{{nickname}}/followers",
+  "following": "https://{{domain}}/users/{{nickname}}/following",
+  "icon": {
+    "type": "Image",
+    "url": "https://{{domain}}/media/a932a27f158b63c3a97e3a57d5384f714a82249274c6fc66c9eca581b4fd8af2.jpg"
+  },
+  "id": "https://{{domain}}/users/{{nickname}}",
+  "image": {
+    "type": "Image",
+    "url": "https://{{domain}}/media/db15f476d0ad14488db4762b7800479e6ef67b1824f8b9ea5c1fa05b7525c5b7.jpg"
+  },
+  "inbox": "https://{{domain}}/users/{{nickname}}/inbox",
+  "manuallyApprovesFollowers": false,
+  "name": "{{nickname}} :verified:",
+  "outbox": "https://{{domain}}/users/{{nickname}}/outbox",
+  "preferredUsername": "{{nickname}}",
+  "publicKey": {
+    "id": "https://{{domain}}/users/{{nickname}}#main-key",
+    "owner": "https://{{domain}}/users/{{nickname}}",
+    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu4XOAopC4nRIxNlHlt60\n//nCicuedu5wvLGIoQ+KUM2u7/PhLrrTDEqr1A7yQL95S0X8ryYtALgFLI5A54ww\nqjMIbIGAs44lEmDLMEd+XI+XxREE8wdsFpb4QQzWug0DTyqlMouTU25k0tfKh1rF\n4PMJ3uBSjDTAGgFvLNyFWTiVVgChbTNgGOmrEBucRl4NmKzQ69/FIUwENV88oQSU\n3bWvQTEH9rWH1rCLpkmQwdRiWfnhFX/4EUqXukfgoskvenKR8ff3nYhElDqFoE0e\nqUnIW1OZceyl8JewVLcL6m0/wdKeosTsfrcWc8DKfnRYQcBGNoBEq9GrOHDU0q2v\nyQIDAQAB\n-----END PUBLIC KEY-----\n\n"
+  },
+  "summary": "Pleroma BE dev",
+  "tag": [
+    {
+      "icon": {
+        "type": "Image",
+        "url": "https://{{domain}}/emoji/mine/6143373a807b1ae7.png"
+      },
+      "id": "https://{{domain}}/emoji/mine/6143373a807b1ae7.png",
+      "name": ":verified:",
+      "type": "Emoji",
+      "updated": "1970-01-01T00:00:00Z"
+    }
+  ],
+  "type": "Person",
+  "url": "https://{{domain}}/users/{{nickname}}"
+}
@@ -0,0 +1,27 @@
+{
+  "aliases": [
+    "https://{{subdomain}}/users/{{nickname}}"
+  ],
+  "links": [
+    {
+      "href": "https://{{subdomain}}/users/{{nickname}}",
+      "rel": "http://webfinger.net/rel/profile-page",
+      "type": "text/html"
+    },
+    {
+      "href": "https://{{subdomain}}/users/{{nickname}}",
+      "rel": "self",
+      "type": "application/activity+json"
+    },
+    {
+      "href": "https://{{subdomain}}/users/{{nickname}}",
+      "rel": "self",
+      "type": "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\""
+    },
+    {
+      "rel": "http://ostatus.org/schema/1.0/subscribe",
+      "template": "https://{{subdomain}}/ostatus_subscribe?acct={uri}"
+    }
+  ],
+  "subject": "acct:{{nickname}}@{{domain}}"
+}
@@ -829,6 +829,116 @@ defmodule Pleroma.UserTest do
    end
  end

+  describe "get_or_fetch/1 remote users with tld, while BE is runned on subdomain" do
+    setup do: clear_config([Pleroma.Web.WebFinger, :update_nickname_on_user_fetch], true)
+
+    test "for mastodon" do
+      Tesla.Mock.mock(fn
+        %{url: "https://example.com/.well-known/host-meta"} ->
+          %Tesla.Env{
+            status: 302,
+            headers: [{"location", "https://sub.example.com/.well-known/host-meta"}]
+          }
+
+        %{url: "https://sub.example.com/.well-known/host-meta"} ->
+          %Tesla.Env{
+            status: 200,
+            body:
+              "test/fixtures/webfinger/masto-host-meta.xml"
+              |> File.read!()
+              |> String.replace("{{domain}}", "sub.example.com")
+          }
+
+        %{url: "https://sub.example.com/.well-known/webfinger?resource=acct:a@example.com"} ->
+          %Tesla.Env{
+            status: 200,
+            body:
+              "test/fixtures/webfinger/masto-webfinger.json"
+              |> File.read!()
+              |> String.replace("{{nickname}}", "a")
+              |> String.replace("{{domain}}", "example.com")
+              |> String.replace("{{subdomain}}", "sub.example.com"),
+            headers: [{"content-type", "application/jrd+json"}]
+          }
+
+        %{url: "https://sub.example.com/users/a"} ->
+          %Tesla.Env{
+            status: 200,
+            body:
+              "test/fixtures/webfinger/masto-user.json"
+              |> File.read!()
+              |> String.replace("{{nickname}}", "a")
+              |> String.replace("{{domain}}", "sub.example.com"),
+            headers: [{"content-type", "application/activity+json"}]
+          }
+
+        %{url: "https://sub.example.com/users/a/collections/featured"} ->
+          %Tesla.Env{
+            status: 200,
+            body:
+              File.read!("test/fixtures/users_mock/masto_featured.json")
+              |> String.replace("{{domain}}", "sub.example.com")
+              |> String.replace("{{nickname}}", "a"),
+            headers: [{"content-type", "application/activity+json"}]
+          }
+      end)
+
+      ap_id = "a@example.com"
+      {:ok, fetched_user} = User.get_or_fetch(ap_id)
+
+      assert fetched_user.ap_id == "https://sub.example.com/users/a"
+      assert fetched_user.nickname == "a@example.com"
+    end
+
+    test "for pleroma" do
+      Tesla.Mock.mock(fn
+        %{url: "https://example.com/.well-known/host-meta"} ->
+          %Tesla.Env{
+            status: 302,
+            headers: [{"location", "https://sub.example.com/.well-known/host-meta"}]
+          }
+
+        %{url: "https://sub.example.com/.well-known/host-meta"} ->
+          %Tesla.Env{
+            status: 200,
+            body:
+              "test/fixtures/webfinger/pleroma-host-meta.xml"
+              |> File.read!()
+              |> String.replace("{{domain}}", "sub.example.com")
+          }
+
+        %{url: "https://sub.example.com/.well-known/webfinger?resource=acct:a@example.com"} ->
+          %Tesla.Env{
+            status: 200,
+            body:
+              "test/fixtures/webfinger/pleroma-webfinger.json"
+              |> File.read!()
+              |> String.replace("{{nickname}}", "a")
+              |> String.replace("{{domain}}", "example.com")
+              |> String.replace("{{subdomain}}", "sub.example.com"),
+            headers: [{"content-type", "application/jrd+json"}]
+          }
+
+        %{url: "https://sub.example.com/users/a"} ->
+          %Tesla.Env{
+            status: 200,
+            body:
+              "test/fixtures/webfinger/pleroma-user.json"
+              |> File.read!()
+              |> String.replace("{{nickname}}", "a")
+              |> String.replace("{{domain}}", "sub.example.com"),
+            headers: [{"content-type", "application/activity+json"}]
+          }
+      end)
+
+      ap_id = "a@example.com"
+      {:ok, fetched_user} = User.get_or_fetch(ap_id)
+
+      assert fetched_user.ap_id == "https://sub.example.com/users/a"
+      assert fetched_user.nickname == "a@example.com"
+    end
+  end
+
  describe "fetching a user from nickname or trying to build one" do
    test "gets an existing user" do
      user = insert(:user)
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.TwitterAPI.RemoteFollowControllerTest do
-  use Pleroma.Web.ConnCase
+  use Pleroma.Web.ConnCase, async: true

  alias Pleroma.MFA
  alias Pleroma.MFA.TOTP
@@ -28,6 +28,17 @@ defmodule Pleroma.Web.WebFinger.WebFingerControllerTest do
  end

  test "Webfinger JRD" do
+    Pleroma.Web.Endpoint.config_change(
+      [{Pleroma.Web.Endpoint, url: [host: "localhost", scheme: "https"]}],
+      []
+    )
+
+    clear_config([Pleroma.Web.Endpoint, :url, :host])
+
+    clear_config([Pleroma.Web.WebFinger, :domain])
+
+    clear_config([Pleroma.Web.WebFinger, :extra_domains])
+
    user =
      insert(:user,
        ap_id: "https://hyrule.world/users/zelda",
@@ -48,6 +59,74 @@ defmodule Pleroma.Web.WebFinger.WebFingerControllerTest do
           ]
  end

+  test "reach user on 2nd-level domain, while pleroma is running on 3rd-level domain" do
+    Pleroma.Web.Endpoint.config_change(
+      [{Pleroma.Web.Endpoint, url: [host: "sub.example.com", scheme: "https"]}],
+      []
+    )
+
+    clear_config([Pleroma.Web.Endpoint, :url, :host], "sub.example.com")
+
+    clear_config([Pleroma.Web.WebFinger, :domain], "example.com")
+
+    clear_config([Pleroma.Web.WebFinger, :extra_domains])
+
+    user = insert(:user, ap_id: "https://sub.example.com/users/bobby", nickname: "bobby")
+
+    response =
+      build_conn()
+      |> put_req_header("accept", "application/jrd+json")
+      |> get("/.well-known/webfinger?resource=acct:#{user.nickname}@example.com")
+      |> json_response(200)
+
+    assert response["subject"] == "acct:#{user.nickname}@example.com"
+    assert response["aliases"] == [
+             "https://sub.example.com/users/#{user.nickname}",
+             "https://example.com/users/#{user.nickname}"
+           ]
+
+    on_exit(fn ->
+      Pleroma.Web.Endpoint.config_change(
+        [{Pleroma.Web.Endpoint, url: [host: "localhost"]}],
+        []
+      )
+    end)
+  end
+
+  test "reach user on old abandoned domain, while pleroma is running on new domain" do
+    Pleroma.Web.Endpoint.config_change(
+      [{Pleroma.Web.Endpoint, url: [host: "example.com", scheme: "https"]}],
+      []
+    )
+
+    clear_config([Pleroma.Web.Endpoint, :url, :host], "example.com")
+
+    clear_config([Pleroma.Web.WebFinger, :domain], "example.com")
+
+    clear_config([Pleroma.Web.WebFinger, :extra_domains], ["oldexample.com"])
+
+    user = insert(:user, ap_id: "https://example.com/users/bobby", nickname: "bobby")
+
+    response =
+      build_conn()
+      |> put_req_header("accept", "application/jrd+json")
+      |> get("/.well-known/webfinger?resource=acct:#{user.nickname}@oldexample.com")
+      |> json_response(200)
+
+    assert response["subject"] == "acct:#{user.nickname}@example.com"
+    assert response["aliases"] == [
+             "https://example.com/users/#{user.nickname}",
+             "https://oldexample.com/users/#{user.nickname}"
+           ]
+
+    on_exit(fn ->
+      Pleroma.Web.Endpoint.config_change(
+        [{Pleroma.Web.Endpoint, url: [host: "localhost"]}],
+        []
+      )
+    end)
+  end
+
  test "it returns 404 when user isn't found (JSON)" do
    result =
      build_conn()
@@ -47,7 +47,7 @@ defmodule Pleroma.Web.WebFingerTest do

    test "returns error when there is no content-type header" do
      Tesla.Mock.mock(fn
-        %{url: "http://social.heldscal.la/.well-known/host-meta"} ->
+        %{url: "https://social.heldscal.la/.well-known/host-meta"} ->
          {:ok,
           %Tesla.Env{
             status: 200,
@@ -120,7 +120,7 @@ defmodule Pleroma.Web.WebFingerTest do
    test "it gets the xrd endpoint for statusnet" do
      {:ok, template} = WebFinger.find_lrdd_template("status.alpicola.com")

-      assert template == "http://status.alpicola.com/main/xrd?uri={uri}"
+      assert template == "https://status.alpicola.com/main/xrd?uri={uri}"
    end

    test "it works with idna domains as nickname" do
@@ -147,7 +147,7 @@ defmodule Pleroma.Web.WebFingerTest do
             headers: [{"content-type", "application/jrd+json"}]
           }}

-        %{url: "http://mastodon.social/.well-known/host-meta"} ->
+        %{url: "https://mastodon.social/.well-known/host-meta"} ->
          {:ok,
           %Tesla.Env{
             status: 200,
@@ -170,7 +170,7 @@ defmodule Pleroma.Web.WebFingerTest do
             headers: [{"content-type", "application/xrd+xml"}]
           }}

-        %{url: "http://pawoo.net/.well-known/host-meta"} ->
+        %{url: "https://pawoo.net/.well-known/host-meta"} ->
          {:ok,
           %Tesla.Env{
             status: 200,
@@ -424,14 +424,6 @@ defmodule HttpRequestMock do
    {:error, :nxdomain}
  end

-  def get("http://osada.macgirvin.com/.well-known/host-meta", _, _, _) do
-    {:ok,
-     %Tesla.Env{
-       status: 404,
-       body: ""
-     }}
-  end
-
  def get("https://osada.macgirvin.com/.well-known/host-meta", _, _, _) do
    {:ok,
     %Tesla.Env{
@@ -756,7 +748,7 @@ defmodule HttpRequestMock do
    {:ok, %Tesla.Env{status: 406, body: ""}}
  end

-  def get("http://squeet.me/.well-known/host-meta", _, _, _) do
+  def get("https://squeet.me/.well-known/host-meta", _, _, _) do
    {:ok,
     %Tesla.Env{status: 200, body: File.read!("test/fixtures/tesla_mock/squeet.me_host_meta")}}
  end
@@ -797,7 +789,7 @@ defmodule HttpRequestMock do
    {:ok, %Tesla.Env{status: 200, body: "", headers: [{"content-type", "application/jrd+json"}]}}
  end

-  def get("http://framatube.org/.well-known/host-meta", _, _, _) do
+  def get("https://framatube.org/.well-known/host-meta", _, _, _) do
    {:ok,
     %Tesla.Env{
       status: 200,
@@ -806,7 +798,7 @@ defmodule HttpRequestMock do
  end

  def get(
-        "http://framatube.org/main/xrd?uri=acct:framasoft@framatube.org",
+        "https://framatube.org/main/xrd?uri=acct:framasoft@framatube.org",
        _,
        _,
        [{"accept", "application/xrd+xml,application/jrd+json"}]
@@ -841,7 +833,7 @@ defmodule HttpRequestMock do
     }}
  end

-  def get("http://status.alpicola.com/.well-known/host-meta", _, _, _) do
+  def get("https://status.alpicola.com/.well-known/host-meta", _, _, _) do
    {:ok,
     %Tesla.Env{
       status: 200,
@@ -849,7 +841,7 @@ defmodule HttpRequestMock do
     }}
  end

-  def get("http://macgirvin.com/.well-known/host-meta", _, _, _) do
+  def get("https://macgirvin.com/.well-known/host-meta", _, _, _) do
    {:ok,
     %Tesla.Env{
       status: 200,
@@ -857,7 +849,7 @@ defmodule HttpRequestMock do
     }}
  end

-  def get("http://gerzilla.de/.well-known/host-meta", _, _, _) do
+  def get("https://gerzilla.de/.well-known/host-meta", _, _, _) do
    {:ok,
     %Tesla.Env{
       status: 200,
				`@@ -0,0 +1 @@`
				`<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="lrdd" template="https://{{domain}}/.well-known/webfinger?resource={uri}" type="application/xrd+xml" /></XRD>`