Pleroma Webfinger compatibility

julian · May 9, 2025, 2:00pm

Does anybody know what exactly Pleroma needs for a valid Webfinger check? I'm attempting to figure out why @jmtd@pleroma.debian.social won't resolve in NodeBB, and it's because the webfinger call returns 400 Bad Request.

NodeBB is calling https://pleroma.debian.social/.well-known/webfinger?resource=acct%3Ajmtd%40pleroma.debian.social with User-Agent and Content-Type headers (curiously, it's not sending Accept, but it also fails if that header is set, so that's irrelevant.)

Navigating to that webfinger url in the browser returns XML, which is :grimacing: but I'm not even getting that when NodeBB makes the call.

thisismissem1 · May 9, 2025, 2:20pm

@julian fedify manages it, so many take a look at their webfinger implementation?

thisismissem1 · May 9, 2025, 2:22pm

@julian try sending `Accept: application/jrd+json`

Since that's the content-type for webfinger, not application/json. In fedify, the fetch call is also with redirect manual, such that max redirection logic and SSRF checks can be done.

thisismissem1 · May 9, 2025, 2:23pm

@julian oh! it's because you're sending the Content-Type header, send Accept instead.

thisismissem1 · May 9, 2025, 2:24pm

@julian which actually makes sense, because with a GET request, you're not sending any request content, and Content-Type applies to the request body, not to the content type you want back.

julian · May 9, 2025, 2:26pm

@thisismissem@hachyderm.io yeah, I tried sending Accept too, which also fails. Will try the suggested type.

The library we use just blanket sends content-type because we're usually POSTing haha. Shouldn't hurt to include it, but who knows.

thisismissem1 · May 9, 2025, 2:29pm

@julian eh? I mean, sure, or just detect whether the request is a GET / HEAD / OPTIONS request, and then don't send the content-type header? (since those methods don't support request bodies iirc)

julian · May 9, 2025, 2:35pm

@thisismissem@hachyderm.io yes, but... that takes effforrrrrrrtttt :frowning:

Anyway, ding ding ding, application/jrd+json was it :trophy:

trwnh1 · May 9, 2025, 3:00pm

@julian are you sending accept application/json or accept application/jrd+json instead of accept application/activity+json?

julian · May 9, 2025, 3:10pm

@trwnh@mastodon.social before, I was not sending Accept at all, now I am sending application/jrd+json.

FWIW testing with cURL showed the same Bad Request with application/json.

trwnh1 · May 11, 2025, 9:28pm

@julian the Bad Request must be something else, because pleroma handles application/json and application/jrd+json just fine https://git.pleroma.social/pleroma/pleroma/-/blob/develop/lib/pleroma/web/web_finger/web_finger_controller.ex#L33