Log missing l param for WKD requests, return 400

2025-05-18 14:46:04 +04:00 · 2025-05-18 14:46:04 +04:00 · e66d134550
commit e66d134550
parent ebbd87368c
2 changed files with 11 additions and 4 deletions
--- a/app/controllers/web_key_directory_controller.rb
+++ b/app/controllers/web_key_directory_controller.rb
@ -3,8 +3,15 @@ class WebKeyDirectoryController < WellKnownController

  # /.well-known/openpgpkey/hu/:hashed_username(.txt)?l=username
  def show
-    username = params[:l] || ""
-    @user = User.find_by(cn: username.downcase)
+    if params[:l].blank?
+      # TODO store hashed username in db if existing implementations trigger
+      # this a lot
+      msg = "WKD request with \"l\" param omitted for hu: #{params[:hashed_username]})"
+      Sentry.capture_message(msg) if Setting.sentry_enabled?
+      http_status :bad_request and return
+    end
+
+    @user = User.find_by(cn: params[:l].downcase)

    if @user.nil? ||
       @user.pgp_pubkey.blank? ||
--- a/spec/requests/web_key_directory_spec.rb
+++ b/spec/requests/web_key_directory_spec.rb
@ -10,9 +10,9 @@ RSpec.describe "OpenPGP Web Key Directory", type: :request do
  end

  describe "omitted 'l' param" do
-    it "returns a 404 status" do
+    it "returns a 400 status" do
      get "/.well-known/openpgpkey/hu/fmb8gw3n4zdj4xpwaziki4mwcxr1368i"
-      expect(response).to have_http_status(:not_found)
+      expect(response).to have_http_status(:bad_request)
    end
  end