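// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package web

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"

	"github.com/gin-gonic/gin"
	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
	"github.com/superseriousbusiness/gotosocial/internal/config"
	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
	"github.com/superseriousbusiness/gotosocial/internal/oauth"
)

// threadGETHandler renders the web (HTML) view of a single status and its
// surrounding thread, looked up by the username and status ID URL params.
//
// If content negotiation selects an ActivityPub type, the request is handed
// to returnAPStatus instead. For the HTML view authentication is optional.
// A suspended target account, a status that belongs to a different account
// than the one named in the URL, and a boost wrapper are each answered with
// a not-found error.
func (m *Module) threadGETHandler(c *gin.Context) {
	ctx := c.Request.Context()

	// We'll need the instance later, and we can also use it
	// before then to make it easier to return a web error.
	instance, errWithCode := m.processor.InstanceGetV1(ctx)
	if errWithCode != nil {
		apiutil.WebErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
		return
	}

	// Return instance we already got from the db,
	// don't try to fetch it again when erroring.
	instanceGet := func(ctx context.Context) (*apimodel.InstanceV1, gtserror.WithCode) {
		return instance, nil
	}

	// Parse account targetUsername and status ID from the URL.
	targetUsername, errWithCode := apiutil.ParseWebUsername(c.Param(apiutil.WebUsernameKey))
	if errWithCode != nil {
		apiutil.WebErrorHandler(c, errWithCode, instanceGet)
		return
	}

	targetStatusID, errWithCode := apiutil.ParseWebStatusID(c.Param(apiutil.WebStatusIDKey))
	if errWithCode != nil {
		apiutil.WebErrorHandler(c, errWithCode, instanceGet)
		return
	}

	// Normalize requested username + status ID:
	//
	//   - Usernames on our instance are (currently) always lowercase.
	//   - StatusIDs on our instance are (currently) always ULIDs.
	//
	// todo: Update this logic when different username patterns
	// are allowed, and/or when status slugs are introduced.
	targetUsername = strings.ToLower(targetUsername)
	targetStatusID = strings.ToUpper(targetStatusID)

	// Check what type of content is being requested. If we're getting an AP
	// request on this endpoint we should render the AP representation instead.
	accept, err := apiutil.NegotiateAccept(c, apiutil.HTMLOrActivityPubHeaders...)
	if err != nil {
		// NOTE(review): err.Error() is passed as the second argument here and
		// in the unauthorized case below; presumably it is shown to the
		// client as help text -- confirm it never carries internal detail.
		apiutil.WebErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), instanceGet)
		return
	}

	if accept == string(apiutil.AppActivityJSON) ||
		accept == string(apiutil.AppActivityLDJSON) {
		// AP status representation has been requested.
		m.returnAPStatus(c, targetUsername, targetStatusID, accept, instanceGet)
		return
	}

	// text/html has been requested. Proceed with getting the web view of the status.

	// Don't require auth for web endpoints, but do take it if it was provided.
	// authed.Account might end up nil here, but that's fine in case of public pages.
	authed, err := oauth.Authed(c, false, false, false, false)
	if err != nil {
		// Use the cached instanceGet like every other error path after the
		// initial fetch, so an auth failure doesn't trigger another db read.
		apiutil.WebErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), instanceGet)
		return
	}

	// Fetch the target account so we can do some checks on it.
	targetAccount, errWithCode := m.processor.Account().GetLocalByUsername(ctx, authed.Account, targetUsername)
	if errWithCode != nil {
		apiutil.WebErrorHandler(c, errWithCode, instanceGet)
		return
	}

	// If target account is suspended, this page should not be visible.
	if targetAccount.Suspended {
		err := fmt.Errorf("target account %s is suspended", targetUsername)
		apiutil.WebErrorHandler(c, gtserror.NewErrorNotFound(err), instanceGet)
		return
	}

	// Get the status itself from the processor using the provided ID.
	//
	// NOTE(review): the requester's account (authed.Account) is not passed
	// to WebGet, so which statuses may be shown on the web is presumably
	// decided inside WebGet itself -- confirm there.
	status, errWithCode := m.processor.Status().WebGet(ctx, targetStatusID)
	if errWithCode != nil {
		apiutil.WebErrorHandler(c, errWithCode, instanceGet)
		return
	}

	// Ensure status actually belongs to target account. Without this check
	// a status could be rendered under any username placed in the URL, and
	// with that other account's custom.css (see stylesheets below).
	if status.GetAccountID() != targetAccount.ID {
		err := fmt.Errorf("target account %s does not own status %s", targetUsername, targetStatusID)
		apiutil.WebErrorHandler(c, gtserror.NewErrorNotFound(err), instanceGet)
		return
	}

	// Don't render boosts/reblogs as top-level statuses.
	if status.Reblog != nil {
		err := errors.New("status is a boost wrapper / reblog")
		apiutil.WebErrorHandler(c, gtserror.NewErrorNotFound(err), instanceGet)
		return
	}

	// Fill in the rest of the thread context. The local is deliberately not
	// called "context" so that it doesn't shadow the imported package.
	threadContext, errWithCode := m.processor.Status().WebContextGet(ctx, targetStatusID)
	if errWithCode != nil {
		apiutil.WebErrorHandler(c, errWithCode, instanceGet)
		return
	}

	stylesheets := []string{
		assetsPathPrefix + "/Fork-Awesome/css/fork-awesome.min.css",
		distPathPrefix + "/status.css",
	}
	if config.GetAccountsAllowCustomCSS() {
		// targetUsername went through ParseWebUsername and was lowercased
		// above before being placed in this path.
		stylesheets = append(stylesheets, "/@"+targetUsername+"/custom.css")
	}

	c.HTML(http.StatusOK, "thread.tmpl", gin.H{
		"instance":    instance,
		"status":      status,
		"context":     threadContext,
		"ogMeta":      ogBase(instance).withStatus(status),
		"stylesheets": stylesheets,
		"javascript":  []string{distPathPrefix + "/frontend.js"},
	})
}

// returnAPStatus returns an ActivityPub representation of target status,
// created by targetUsername.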
// It will do http signature authentication.
//
// NOTE(review): no signature check is visible in this function itself; any
// such verification presumably happens inside the Fedi().StatusGet call (or
// in earlier middleware) -- confirm there when auditing this path.
//
// The response Content-Type is the negotiated accept value handed in by the
// caller, and failures are rendered through WebErrorHandler using the
// supplied instanceGet.
func (m *Module) returnAPStatus(
	c *gin.Context,
	targetUsername string,
	targetStatusID string,
	accept string,
	instanceGet func(ctx context.Context) (*apimodel.InstanceV1, gtserror.WithCode),
) {
	ctx := c.Request.Context()

	// Look the status up via the federation processor.
	apStatus, errWithCode := m.processor.Fedi().StatusGet(ctx, targetUsername, targetStatusID)
	if errWithCode != nil {
		apiutil.WebErrorHandler(c, errWithCode, instanceGet)
		return
	}

	// Serialize whatever the processor handed back.
	payload, marshalErr := json.Marshal(apStatus)
	if marshalErr != nil {
		wrapped := gtserror.Newf("could not marshal json: %w", marshalErr)
		apiutil.WebErrorHandler(c, gtserror.NewErrorInternalError(wrapped), instanceGet)
		return
	}

	c.Data(http.StatusOK, accept, payload)
}