Pleroma Webfinger compatibility
-
wrote on 9 May 2025, 14:00 last edited by
Does anybody know what exactly Pleroma needs for a valid Webfinger check? I'm attempting to figure out why @jmtd@pleroma.debian.social won't resolve in NodeBB, and it's because the webfinger call returns `400 Bad Request`.
NodeBB is calling `https://pleroma.debian.social/.well-known/webfinger?resource=acct%3Ajmtd%40pleroma.debian.social` with `User-Agent` and `Content-Type` headers (curiously, it's not sending `Accept`, but it also fails if that header is set, so that's irrelevant.)
Navigating to that webfinger url in the browser returns XML, which is
but I'm not even getting that when NodeBB makes the call.
-
wrote on 9 May 2025, 14:20 last edited by
@julian fedify manages it, so maybe take a look at their webfinger implementation?
-
wrote on 9 May 2025, 14:22 last edited by
@julian try sending `Accept: application/jrd+json`
Since that's the content-type for webfinger, not application/json. In fedify, the fetch call is also with redirect manual, such that max redirection logic and SSRF checks can be done.
-
wrote on 9 May 2025, 14:23 last edited by
@julian oh! it's because you're sending the Content-Type header, send Accept instead.
-
wrote on 9 May 2025, 14:24 last edited by
@julian which actually makes sense, because with a GET request, you're not sending any request content, and Content-Type applies to the request body, not to the content type you want back.
-
wrote on 9 May 2025, 14:25 last edited by
thisismissem@hachyderm.io yeah, I tried sending Accept too, which also fails. Will try the suggested type.
The library we use just blanket sends content-type because we're usually POSTing haha. Shouldn't hurt to include it, but who knows.
-
wrote on 9 May 2025, 14:29 last edited by
@julian eh? I mean, sure, or just detect whether the request is a GET / HEAD / OPTIONS request, and then don't send the content-type header? (since those methods don't support request bodies iirc)
-
wrote on 9 May 2025, 14:35 last edited by
thisismissem@hachyderm.io yes, but... that takes effforrrrrrrtttt
Anyway, ding ding ding, `application/jrd+json` was it
-
wrote on 9 May 2025, 14:59 last edited by
@julian are you sending accept application/json or accept application/jrd+json instead of accept application/activity+json?
-
wrote on 9 May 2025, 15:10 last edited by julian@community.nodebb.org 5 Sept 2025, 17:11
trwnh@mastodon.social before, I was not sending `Accept` at all, now I am sending `application/jrd+json`.
FWIW testing with cURL showed the same `Bad Request` with `application/json`.
-
wrote on 11 May 2025, 21:28 last edited by
@julian the Bad Request must be something else, because pleroma handles application/json and application/jrd+json just fine https://git.pleroma.social/pleroma/pleroma/-/blob/develop/lib/pleroma/web/web_finger/web_finger_controller.ex#L33
-
projectmoon@forum.agnos.is shared this topic on 10 Jun 2025, 09:48
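
The advice given in this thread (send `Accept: application/jrd+json`, leave `Content-Type` off GET / HEAD / OPTIONS requests, and fetch with manual redirects so hop limits and SSRF checks can run), sketched as an added example that is not part of any post above and is not NodeBB's or Fedify's code. All function names are hypothetical, the redirect screen is a simplified assumption, and it assumes a server-side `fetch` (as in Node.js) that exposes the 3xx status and `Location` header under `redirect: 'manual'`.

```javascript
// Added example with hypothetical helper names (not NodeBB or Fedify code).
// Accept names the type we want back; Content-Type describes a request
// body, so it is dropped for methods that carry none.
const BODYLESS = new Set(['GET', 'HEAD', 'OPTIONS']);
function buildHeaders(method, defaults = {}) {
  const headers = {};
  for (const [name, value] of Object.entries(defaults)) {
    const key = name.toLowerCase();
    if (key === 'content-type' && BODYLESS.has(method.toUpperCase())) continue;
    headers[key] = value;
  }
  headers.accept = 'application/jrd+json';
  return headers;
}

// "user@host" (leading "@" optional) -> WebFinger URL for that account.
function webfingerUrl(handle) {
  const m = /^@?([^@\s]+)@([A-Za-z0-9.-]+)$/.exec(handle);
  if (!m) throw new Error(`not a user@host handle: ${handle}`);
  const url = new URL(`https://${m[2]}/.well-known/webfinger`);
  url.searchParams.set('resource', `acct:${m[1]}@${m[2]}`);
  return url;
}

// Simplified SSRF screen (assumption): follow only https redirects to named
// hosts. A production check would also resolve DNS and reject private ranges.
function safeRedirect(from, location) {
  const next = new URL(location, from);
  const host = next.hostname;
  const ipLiteral = host.startsWith('[') || /^\d+(\.\d+){3}$/.test(host);
  return next.protocol === 'https:' && !ipLiteral && host !== 'localhost' ? next : null;
}

// fetchImpl is injectable so the flow can be exercised offline with a stub.
async function lookup(handle, fetchImpl = fetch, defaults = {}, maxHops = 3) {
  let url = webfingerUrl(handle);
  for (let hop = 0; hop <= maxHops; hop++) {
    const headers = buildHeaders('GET', defaults);
    const res = await fetchImpl(url, { method: 'GET', redirect: 'manual', headers });
    if (res.ok) return res.json();
    const redirect = res.status >= 300 && res.status < 400;
    if (!redirect) throw new Error(`webfinger lookup failed: ${res.status}`);
    const location = res.headers.get('location');
    url = location ? safeRedirect(url, location) : null;
    if (!url) throw new Error('refusing redirect');
  }
  throw new Error('too many redirects');
}
```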