LookupWebFingerOptions.allowPrivateAddress

CHANGES.md

@@ -39,6 +39,8 @@ To be released.
      -  `new Object()` constructor now accepts `emojiReactions` option.
      -  `Object.clone()` method now accepts `emojiReactions` option.
 
+ -  Added `allowPrivateAddress` option to `LookupWebFingerOptions` interface.
+
  -  Added `-t`/`--traverse` option to the `fedify lookup` subcommand.  [[#195]]
 
  -  Added `-S`/`--suppress-errors` option to the `fedify lookup` subcommand.

src/federation/middleware.ts

@@ -182,6 +182,7 @@ export interface CreateFederationOptions {
    * Mostly useful for testing purposes.  *Do not use in production.*
    *
    * Turned off by default.
+   * @since 0.15.0
    */
   allowPrivateAddress?: boolean;
 
@@ -190,6 +191,7 @@ export interface CreateFederationOptions {
    * If a string is provided, it is used as the `User-Agent` header.
    * If an object is provided, it is passed to the {@link getUserAgent}
    * function.
+   * @since 1.3.0
    */
   userAgent?: GetUserAgentOptions | string;
 

src/vocab/lookup.ts

@@ -147,9 +147,8 @@ async function lookupObjectInternal(
     const jrd = await lookupWebFinger(identifier, {
       userAgent: options.userAgent,
       tracerProvider: options.tracerProvider,
-      // @ts-ignore: `allowPrivateAddress` is not in the type definition.
       allowPrivateAddress: "allowPrivateAddress" in options &&
-        options.allowPrivateAddress,
+        options.allowPrivateAddress === true,
     });
     if (jrd?.links == null) return null;
     for (const l of jrd.links) {

src/webfinger/lookup.test.ts

@@ -75,6 +75,40 @@ test("lookupWebFinger()", async (t) => {
     assertEquals(await lookupWebFinger("acct:[email protected]"), null);
   });
 
+  mf.mock("GET@/.well-known/webfinger", (_req) => {
+    return new Response(
+      JSON.stringify({
+        subject: "acct:test@localhost",
+        links: [
+          {
+            rel: "self",
+            type: "application/activity+json",
+            href: "https://localhost/actor",
+          },
+        ],
+      }),
+    );
+  });
+
+  await t.step("private address", async () => {
+    assertEquals(await lookupWebFinger("acct:test@localhost"), null);
+    assertEquals(
+      await lookupWebFinger("acct:test@localhost", {
+        allowPrivateAddress: true,
+      }),
+      {
+        subject: "acct:test@localhost",
+        links: [
+          {
+            rel: "self",
+            type: "application/activity+json",
+            href: "https://localhost/actor",
+          },
+        ],
+      },
+    );
+  });
+
   mf.mock(
     "GET@/.well-known/webfinger",
     (_) =>

src/webfinger/lookup.ts

@@ -30,6 +30,16 @@ export interface LookupWebFingerOptions {
    */
   userAgent?: GetUserAgentOptions | string;
 
+  /**
+   * Whether to allow private IP addresses in the URL.
+   *
+   * Mostly useful for testing purposes.  *Do not use this in production.*
+   *
+   * Turned off by default.
+   * @since 1.4.0
+   */
+  allowPrivateAddress?: boolean;
+
   /**
    * The OpenTelemetry tracer provider.  If omitted, the global tracer provider
    * is used.
@@ -109,7 +119,7 @@ async function lookupWebFingerInternal(
       { url: url.href },
     );
     let response: Response;
-    if (!("allowPrivateAddress" in options) || !options.allowPrivateAddress) {
+    if (options.allowPrivateAddress !== true) {
       try {
         await validatePublicUrl(url.href);
       } catch (e) {