From 6131884ba7adb2314555cd7f0d5e65f8051fbe42 Mon Sep 17 00:00:00 2001
From: Sam
Date: Tue, 18 Apr 2023 02:15:45 +0200
Subject: [PATCH] fix: reject instance domains with @ in them

---
 backend/routes/auth/fediverse.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/backend/routes/auth/fediverse.go b/backend/routes/auth/fediverse.go
index 08a0b49..d8ae722 100644
--- a/backend/routes/auth/fediverse.go
+++ b/backend/routes/auth/fediverse.go
@@ -25,6 +25,11 @@ func (s *Server) getFediverseURL(w http.ResponseWriter, r *http.Request) error {
 return server.APIError{Code: server.ErrBadRequest, Details: "Instance URL is empty"}
 }
 
+ // Too many people tried using @username@fediverse.example despite the warning
+ if strings.Contains(instance, "@") {
+ return server.APIError{Code: server.ErrBadRequest, Details: "Instance URL should only be the base URL, without username"}
+ }
+
 app, err := s.DB.FediverseApp(ctx, instance)
 if err != nil {
 return s.noAppFediverseURL(ctx, w, r, instance)
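Review bot: The new `strings.Contains(instance, "@")` check rejects only the userinfo form, so values containing `/`, `?`, `#` or whitespace still reach `s.DB.FediverseApp` and `s.noAppFediverseURL` unchanged. Assuming those go on to build a URL from `instance` or contact that host (their bodies are not in this hunk), it is safer to accept only a bare host here, for example `if u, err := url.Parse("https://" + instance); err != nil || u.Host != instance {` followed by the same `ErrBadRequest` return; that covers the `@` case too and would need `net/url` in the imports if it is not already there. Since the server presumably makes an outbound request to whatever host is supplied, it is also worth confirming that loopback and private addresses are refused somewhere downstream. getFediverseURL starts and ends outside the hunk.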