Timeline manager (#40)

* start messing about with timeline manager

* i have no idea what i'm doing

* i continue to not know what i'm doing

* it's coming along

* bit more progress

* update timeline with new posts as they come in

* lint and fmt

* Select accounts where empty string

* restructure a bunch, get unfaves working

* moving stuff around

* federate status deletes properly

* mention regex better but not 100% there

* fix regex

* some more hacking away at the timeline code phew

* fix up some little things

* i can't even

* more timeline stuff

* move to ulid

* fiddley

* some lil fixes for kibou compatibility

* timelines working pretty alright!

* tidy + lint

internal/api/client/account/accountcreate_test.go

@@ -17,372 +17,3 @@
 // */
 
 package account_test
-
-// import (
-// 	"bytes"
-// 	"encoding/json"
-// 	"fmt"
-// 	"io"
-// 	"io/ioutil"
-// 	"mime/multipart"
-// 	"net/http"
-// 	"net/http/httptest"
-// 	"os"
-// 	"testing"
-
-// 	"github.com/gin-gonic/gin"
-// 	"github.com/google/uuid"
-// 	"github.com/stretchr/testify/assert"
-// 	"github.com/stretchr/testify/suite"
-// 	"github.com/superseriousbusiness/gotosocial/internal/api/client/account"
-// 	"github.com/superseriousbusiness/gotosocial/internal/api/model"
-// 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
-// 	"github.com/superseriousbusiness/gotosocial/testrig"
-
-// 	"github.com/superseriousbusiness/gotosocial/internal/oauth"
-// 	"golang.org/x/crypto/bcrypt"
-// )
-
-// type AccountCreateTestSuite struct {
-// 	AccountStandardTestSuite
-// }
-
-// func (suite *AccountCreateTestSuite) SetupSuite() {
-// 	suite.testTokens = testrig.NewTestTokens()
-// 	suite.testClients = testrig.NewTestClients()
-// 	suite.testApplications = testrig.NewTestApplications()
-// 	suite.testUsers = testrig.NewTestUsers()
-// 	suite.testAccounts = testrig.NewTestAccounts()
-// 	suite.testAttachments = testrig.NewTestAttachments()
-// 	suite.testStatuses = testrig.NewTestStatuses()
-// }
-
-// func (suite *AccountCreateTestSuite) SetupTest() {
-// 	suite.config = testrig.NewTestConfig()
-// 	suite.db = testrig.NewTestDB()
-// 	suite.storage = testrig.NewTestStorage()
-// 	suite.log = testrig.NewTestLog()
-// 	suite.federator = testrig.NewTestFederator(suite.db, testrig.NewTestTransportController(testrig.NewMockHTTPClient(nil)))
-// 	suite.processor = testrig.NewTestProcessor(suite.db, suite.storage, suite.federator)
-// 	suite.accountModule = account.New(suite.config, suite.processor, suite.log).(*account.Module)
-// 	testrig.StandardDBSetup(suite.db)
-// 	testrig.StandardStorageSetup(suite.storage, "../../../../testrig/media")
-// }
-
-// func (suite *AccountCreateTestSuite) TearDownTest() {
-// 	testrig.StandardDBTeardown(suite.db)
-// 	testrig.StandardStorageTeardown(suite.storage)
-// }
-
-// // TestAccountCreatePOSTHandlerSuccessful checks the happy path for an account creation request: all the fields provided are valid,
-// // and at the end of it a new user and account should be added into the database.
-// //
-// // This is the handler served at /api/v1/accounts as POST
-// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerSuccessful() {
-
-// 	t := suite.testTokens["local_account_1"]
-// 	oauthToken := oauth.TokenToOauthToken(t)
-
-// 	// setup
-// 	recorder := httptest.NewRecorder()
-// 	ctx, _ := gin.CreateTestContext(recorder)
-// 	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"])
-// 	ctx.Set(oauth.SessionAuthorizedToken, oauthToken)
-// 	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting
-// 	ctx.Request.Form = suite.newUserFormHappyPath
-// 	suite.accountModule.AccountCreatePOSTHandler(ctx)
-
-// 	// check response
-
-// 	// 1. we should have OK from our call to the function
-// 	suite.EqualValues(http.StatusOK, recorder.Code)
-
-// 	// 2. we should have a token in the result body
-// 	result := recorder.Result()
-// 	defer result.Body.Close()
-// 	b, err := ioutil.ReadAll(result.Body)
-// 	assert.NoError(suite.T(), err)
-// 	t := &model.Token{}
-// 	err = json.Unmarshal(b, t)
-// 	assert.NoError(suite.T(), err)
-// 	assert.Equal(suite.T(), "we're authorized now!", t.AccessToken)
-
-// 	// check new account
-
-// 	// 1. we should be able to get the new account from the db
-// 	acct := &gtsmodel.Account{}
-// 	err = suite.db.GetLocalAccountByUsername("test_user", acct)
-// 	assert.NoError(suite.T(), err)
-// 	assert.NotNil(suite.T(), acct)
-// 	// 2. reason should be set
-// 	assert.Equal(suite.T(), suite.newUserFormHappyPath.Get("reason"), acct.Reason)
-// 	// 3. display name should be equal to username by default
-// 	assert.Equal(suite.T(), suite.newUserFormHappyPath.Get("username"), acct.DisplayName)
-// 	// 4. domain should be nil because this is a local account
-// 	assert.Nil(suite.T(), nil, acct.Domain)
-// 	// 5. id should be set and parseable as a uuid
-// 	assert.NotNil(suite.T(), acct.ID)
-// 	_, err = uuid.Parse(acct.ID)
-// 	assert.Nil(suite.T(), err)
-// 	// 6. private and public key should be set
-// 	assert.NotNil(suite.T(), acct.PrivateKey)
-// 	assert.NotNil(suite.T(), acct.PublicKey)
-
-// 	// check new user
-
-// 	// 1. we should be able to get the new user from the db
-// 	usr := &gtsmodel.User{}
-// 	err = suite.db.GetWhere("unconfirmed_email", suite.newUserFormHappyPath.Get("email"), usr)
-// 	assert.Nil(suite.T(), err)
-// 	assert.NotNil(suite.T(), usr)
-
-// 	// 2. user should have account id set to account we got above
-// 	assert.Equal(suite.T(), acct.ID, usr.AccountID)
-
-// 	// 3. id should be set and parseable as a uuid
-// 	assert.NotNil(suite.T(), usr.ID)
-// 	_, err = uuid.Parse(usr.ID)
-// 	assert.Nil(suite.T(), err)
-
-// 	// 4. locale should be equal to what we requested
-// 	assert.Equal(suite.T(), suite.newUserFormHappyPath.Get("locale"), usr.Locale)
-
-// 	// 5. created by application id should be equal to the app id
-// 	assert.Equal(suite.T(), suite.testApplication.ID, usr.CreatedByApplicationID)
-
-// 	// 6. password should be matcheable to what we set above
-// 	err = bcrypt.CompareHashAndPassword([]byte(usr.EncryptedPassword), []byte(suite.newUserFormHappyPath.Get("password")))
-// 	assert.Nil(suite.T(), err)
-// }
-
-// // TestAccountCreatePOSTHandlerNoAuth makes sure that the handler fails when no authorization is provided:
-// // only registered applications can create accounts, and we don't provide one here.
-// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerNoAuth() {
-
-// 	// setup
-// 	recorder := httptest.NewRecorder()
-// 	ctx, _ := gin.CreateTestContext(recorder)
-// 	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting
-// 	ctx.Request.Form = suite.newUserFormHappyPath
-// 	suite.accountModule.AccountCreatePOSTHandler(ctx)
-
-// 	// check response
-
-// 	// 1. we should have forbidden from our call to the function because we didn't auth
-// 	suite.EqualValues(http.StatusForbidden, recorder.Code)
-
-// 	// 2. we should have an error message in the result body
-// 	result := recorder.Result()
-// 	defer result.Body.Close()
-// 	b, err := ioutil.ReadAll(result.Body)
-// 	assert.NoError(suite.T(), err)
-// 	assert.Equal(suite.T(), `{"error":"not authorized"}`, string(b))
-// }
-
-// // TestAccountCreatePOSTHandlerNoAuth makes sure that the handler fails when no form is provided at all.
-// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerNoForm() {
-
-// 	// setup
-// 	recorder := httptest.NewRecorder()
-// 	ctx, _ := gin.CreateTestContext(recorder)
-// 	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
-// 	ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
-// 	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting
-// 	suite.accountModule.AccountCreatePOSTHandler(ctx)
-
-// 	// check response
-// 	suite.EqualValues(http.StatusBadRequest, recorder.Code)
-
-// 	// 2. we should have an error message in the result body
-// 	result := recorder.Result()
-// 	defer result.Body.Close()
-// 	b, err := ioutil.ReadAll(result.Body)
-// 	assert.NoError(suite.T(), err)
-// 	assert.Equal(suite.T(), `{"error":"missing one or more required form values"}`, string(b))
-// }
-
-// // TestAccountCreatePOSTHandlerWeakPassword makes sure that the handler fails when a weak password is provided
-// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerWeakPassword() {
-
-// 	// setup
-// 	recorder := httptest.NewRecorder()
-// 	ctx, _ := gin.CreateTestContext(recorder)
-// 	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
-// 	ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
-// 	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting
-// 	ctx.Request.Form = suite.newUserFormHappyPath
-// 	// set a weak password
-// 	ctx.Request.Form.Set("password", "weak")
-// 	suite.accountModule.AccountCreatePOSTHandler(ctx)
-
-// 	// check response
-// 	suite.EqualValues(http.StatusBadRequest, recorder.Code)
-
-// 	// 2. we should have an error message in the result body
-// 	result := recorder.Result()
-// 	defer result.Body.Close()
-// 	b, err := ioutil.ReadAll(result.Body)
-// 	assert.NoError(suite.T(), err)
-// 	assert.Equal(suite.T(), `{"error":"insecure password, try including more special characters, using uppercase letters, using numbers or using a longer password"}`, string(b))
-// }
-
-// // TestAccountCreatePOSTHandlerWeirdLocale makes sure that the handler fails when a weird locale is provided
-// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerWeirdLocale() {
-
-// 	// setup
-// 	recorder := httptest.NewRecorder()
-// 	ctx, _ := gin.CreateTestContext(recorder)
-// 	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
-// 	ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
-// 	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting
-// 	ctx.Request.Form = suite.newUserFormHappyPath
-// 	// set an invalid locale
-// 	ctx.Request.Form.Set("locale", "neverneverland")
-// 	suite.accountModule.AccountCreatePOSTHandler(ctx)
-
-// 	// check response
-// 	suite.EqualValues(http.StatusBadRequest, recorder.Code)
-
-// 	// 2. we should have an error message in the result body
-// 	result := recorder.Result()
-// 	defer result.Body.Close()
-// 	b, err := ioutil.ReadAll(result.Body)
-// 	assert.NoError(suite.T(), err)
-// 	assert.Equal(suite.T(), `{"error":"language: tag is not well-formed"}`, string(b))
-// }
-
-// // TestAccountCreatePOSTHandlerRegistrationsClosed makes sure that the handler fails when registrations are closed
-// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerRegistrationsClosed() {
-
-// 	// setup
-// 	recorder := httptest.NewRecorder()
-// 	ctx, _ := gin.CreateTestContext(recorder)
-// 	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
-// 	ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
-// 	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting
-// 	ctx.Request.Form = suite.newUserFormHappyPath
-
-// 	// close registrations
-// 	suite.config.AccountsConfig.OpenRegistration = false
-// 	suite.accountModule.AccountCreatePOSTHandler(ctx)
-
-// 	// check response
-// 	suite.EqualValues(http.StatusBadRequest, recorder.Code)
-
-// 	// 2. we should have an error message in the result body
-// 	result := recorder.Result()
-// 	defer result.Body.Close()
-// 	b, err := ioutil.ReadAll(result.Body)
-// 	assert.NoError(suite.T(), err)
-// 	assert.Equal(suite.T(), `{"error":"registration is not open for this server"}`, string(b))
-// }
-
-// // TestAccountCreatePOSTHandlerReasonNotProvided makes sure that the handler fails when no reason is provided but one is required
-// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerReasonNotProvided() {
-
-// 	// setup
-// 	recorder := httptest.NewRecorder()
-// 	ctx, _ := gin.CreateTestContext(recorder)
-// 	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
-// 	ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
-// 	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting
-// 	ctx.Request.Form = suite.newUserFormHappyPath
-
-// 	// remove reason
-// 	ctx.Request.Form.Set("reason", "")
-
-// 	suite.accountModule.AccountCreatePOSTHandler(ctx)
-
-// 	// check response
-// 	suite.EqualValues(http.StatusBadRequest, recorder.Code)
-
-// 	// 2. we should have an error message in the result body
-// 	result := recorder.Result()
-// 	defer result.Body.Close()
-// 	b, err := ioutil.ReadAll(result.Body)
-// 	assert.NoError(suite.T(), err)
-// 	assert.Equal(suite.T(), `{"error":"no reason provided"}`, string(b))
-// }
-
-// // TestAccountCreatePOSTHandlerReasonNotProvided makes sure that the handler fails when a crappy reason is presented but a good one is required
-// func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerInsufficientReason() {
-
-// 	// setup
-// 	recorder := httptest.NewRecorder()
-// 	ctx, _ := gin.CreateTestContext(recorder)
-// 	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplication)
-// 	ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
-// 	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080/%s", account.BasePath), nil) // the endpoint we're hitting
-// 	ctx.Request.Form = suite.newUserFormHappyPath
-
-// 	// remove reason
-// 	ctx.Request.Form.Set("reason", "just cuz")
-
-// 	suite.accountModule.AccountCreatePOSTHandler(ctx)
-
-// 	// check response
-// 	suite.EqualValues(http.StatusBadRequest, recorder.Code)
-
-// 	// 2. we should have an error message in the result body
-// 	result := recorder.Result()
-// 	defer result.Body.Close()
-// 	b, err := ioutil.ReadAll(result.Body)
-// 	assert.NoError(suite.T(), err)
-// 	assert.Equal(suite.T(), `{"error":"reason should be at least 40 chars but 'just cuz' was 8"}`, string(b))
-// }
-
-// /*
-// 	TESTING: AccountUpdateCredentialsPATCHHandler
-// */
-
-// func (suite *AccountCreateTestSuite) TestAccountUpdateCredentialsPATCHHandler() {
-
-// 	// put test local account in db
-// 	err := suite.db.Put(suite.testAccountLocal)
-// 	assert.NoError(suite.T(), err)
-
-// 	// attach avatar to request
-// 	aviFile, err := os.Open("../../media/test/test-jpeg.jpg")
-// 	assert.NoError(suite.T(), err)
-// 	body := &bytes.Buffer{}
-// 	writer := multipart.NewWriter(body)
-
-// 	part, err := writer.CreateFormFile("avatar", "test-jpeg.jpg")
-// 	assert.NoError(suite.T(), err)
-
-// 	_, err = io.Copy(part, aviFile)
-// 	assert.NoError(suite.T(), err)
-
-// 	err = aviFile.Close()
-// 	assert.NoError(suite.T(), err)
-
-// 	err = writer.Close()
-// 	assert.NoError(suite.T(), err)
-
-// 	// setup
-// 	recorder := httptest.NewRecorder()
-// 	ctx, _ := gin.CreateTestContext(recorder)
-// 	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccountLocal)
-// 	ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
-// 	ctx.Request = httptest.NewRequest(http.MethodPatch, fmt.Sprintf("http://localhost:8080/%s", account.UpdateCredentialsPath), body) // the endpoint we're hitting
-// 	ctx.Request.Header.Set("Content-Type", writer.FormDataContentType())
-// 	suite.accountModule.AccountUpdateCredentialsPATCHHandler(ctx)
-
-// 	// check response
-
-// 	// 1. we should have OK because our request was valid
-// 	suite.EqualValues(http.StatusOK, recorder.Code)
-
-// 	// 2. we should have an error message in the result body
-// 	result := recorder.Result()
-// 	defer result.Body.Close()
-// 	// TODO: implement proper checks here
-// 	//
-// 	// b, err := ioutil.ReadAll(result.Body)
-// 	// assert.NoError(suite.T(), err)
-// 	// assert.Equal(suite.T(), `{"error":"not authorized"}`, string(b))
-// }
-
-// func TestAccountCreateTestSuite(t *testing.T) {
-// 	suite.Run(t, new(AccountCreateTestSuite))
-// }

internal/api/client/auth/signin.go

@@ -74,7 +74,7 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) {
 
 // ValidatePassword takes an email address and a password.
 // The goal is to authenticate the password against the one for that email
-// address stored in the database. If OK, we return the userid (a uuid) for that user,
+// address stored in the database. If OK, we return the userid (a ulid) for that user,
 // so that it can be used in further Oauth flows to generate a token/retreieve an oauth client from the db.
 func (m *Module) ValidatePassword(email string, password string) (userid string, err error) {
 	l := m.log.WithField("func", "ValidatePassword")

internal/api/client/emoji/emojisget.go

@@ -1,8 +1,12 @@
 package emoji
 
-import "github.com/gin-gonic/gin"
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
 
 // EmojisGETHandler returns a list of custom emojis enabled on the instance
 func (m *Module) EmojisGETHandler(c *gin.Context) {
-
+	c.JSON(http.StatusOK, []string{})
 }

internal/api/client/fileserver/fileserver.go

@@ -32,7 +32,7 @@ import (
 )
 
 const (
-	// AccountIDKey is the url key for account id (an account uuid)
+	// AccountIDKey is the url key for account id (an account ulid)
 	AccountIDKey = "account_id"
 	// MediaTypeKey is the url key for media type (usually something like attachment or header etc)
 	MediaTypeKey = "media_type"

internal/api/client/filter/filtersget.go

@@ -1,8 +1,12 @@
 package filter
 
-import "github.com/gin-gonic/gin"
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
 
 // FiltersGETHandler returns a list of filters set by/for the authed account
 func (m *Module) FiltersGETHandler(c *gin.Context) {
-
+	c.JSON(http.StatusOK, []string{})
 }

internal/api/client/list/listsgets.go

@@ -1,8 +1,12 @@
 package list
 
-import "github.com/gin-gonic/gin"
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
 
 // ListsGETHandler returns a list of lists created by/for the authed account
 func (m *Module) ListsGETHandler(c *gin.Context) {
-
+	c.JSON(http.StatusOK, []string{})
 }

internal/api/client/status/statusdelete.go

@@ -56,5 +56,11 @@ func (m *Module) StatusDELETEHandler(c *gin.Context) {
 		return
 	}
 
+	// the status was already gone/never existed
+	if mastoStatus == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Record not found"})
+		return
+	}
+
 	c.JSON(http.StatusOK, mastoStatus)
 }

internal/api/client/timeline/home.go

@@ -87,12 +87,13 @@ func (m *Module) HomeTimelineGETHandler(c *gin.Context) {
 		local = i
 	}
 
-	statuses, errWithCode := m.processor.HomeTimelineGet(authed, maxID, sinceID, minID, limit, local)
+	resp, errWithCode := m.processor.HomeTimelineGet(authed, maxID, sinceID, minID, limit, local)
 	if errWithCode != nil {
-		l.Debugf("error from processor account statuses get: %s", errWithCode)
+		l.Debugf("error from processor HomeTimelineGet: %s", errWithCode)
 		c.JSON(errWithCode.Code(), gin.H{"error": errWithCode.Safe()})
 		return
 	}
 
-	c.JSON(http.StatusOK, statuses)
+	c.Header("Link", resp.LinkHeader)
+	c.JSON(http.StatusOK, resp.Statuses)
 }

internal/api/model/timeline.go

@@ -0,0 +1,8 @@
+package model
+
+// StatusTimelineResponse wraps a slice of statuses, ready to be serialized, along with the Link
+// header for the previous and next queries, to be returned to the client.
+type StatusTimelineResponse struct {
+	Statuses   []*Status
+	LinkHeader string
+}

internal/api/s2s/user/inboxpost.go

@@ -23,7 +23,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
-	"github.com/superseriousbusiness/gotosocial/internal/processing"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 )
 
 // InboxPOSTHandler deals with incoming POST requests to an actor's inbox.
@@ -42,17 +42,18 @@ func (m *Module) InboxPOSTHandler(c *gin.Context) {
 
 	posted, err := m.processor.InboxPost(c.Request.Context(), c.Writer, c.Request)
 	if err != nil {
-		if withCode, ok := err.(processing.ErrorWithCode); ok {
+		if withCode, ok := err.(gtserror.WithCode); ok {
 			l.Debug(withCode.Error())
 			c.JSON(withCode.Code(), withCode.Safe())
 			return
 		}
-		l.Debug(err)
+		l.Debugf("InboxPOSTHandler: error processing request: %s", err)
 		c.JSON(http.StatusBadRequest, gin.H{"error": "unable to process request"})
 		return
 	}
 
 	if !posted {
+		l.Debugf("request could not be handled as an AP request; headers were: %+v", c.Request.Header)
 		c.JSON(http.StatusBadRequest, gin.H{"error": "unable to process request"})
 	}
 }

internal/api/s2s/webfinger/webfingerget.go

@@ -24,42 +24,53 @@ import (
 	"strings"
 
 	"github.com/gin-gonic/gin"
+	"github.com/sirupsen/logrus"
 )
 
 // WebfingerGETRequest handles requests to, for example, https://example.org/.well-known/webfinger?resource=acct:some_user@example.org
 func (m *Module) WebfingerGETRequest(c *gin.Context) {
+	l := m.log.WithFields(logrus.Fields{
+		"func":       "WebfingerGETRequest",
+		"user-agent": c.Request.UserAgent(),
+	})
 
 	q, set := c.GetQuery("resource")
 	if !set || q == "" {
+		l.Debug("aborting request because no resource was set in query")
 		c.JSON(http.StatusBadRequest, gin.H{"error": "no 'resource' in request query"})
 		return
 	}
 
 	withAcct := strings.Split(q, "acct:")
 	if len(withAcct) != 2 {
+		l.Debugf("aborting request because resource query %s could not be split by 'acct:'", q)
 		c.JSON(http.StatusBadRequest, gin.H{"error": "bad request"})
 		return
 	}
 
 	usernameDomain := strings.Split(withAcct[1], "@")
 	if len(usernameDomain) != 2 {
+		l.Debugf("aborting request because username and domain could not be parsed from %s", withAcct[1])
 		c.JSON(http.StatusBadRequest, gin.H{"error": "bad request"})
 		return
 	}
 	username := strings.ToLower(usernameDomain[0])
 	domain := strings.ToLower(usernameDomain[1])
 	if username == "" || domain == "" {
+		l.Debug("aborting request because username or domain was empty")
 		c.JSON(http.StatusBadRequest, gin.H{"error": "bad request"})
 		return
 	}
 
 	if domain != m.config.Host {
+		l.Debugf("aborting request because domain %s does not belong to this instance", domain)
 		c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("domain %s does not belong to this instance", domain)})
 		return
 	}
 
 	resp, err := m.processor.GetWebfingerAccount(username, c.Request)
 	if err != nil {
+		l.Debugf("aborting request with an error: %s", err.Error())
 		c.JSON(err.Code(), gin.H{"error": err.Safe()})
 		return
 	}

internal/api/security/robots.go

@@ -0,0 +1,17 @@
+package security
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
+
+const robotsString = `User-agent: *
+Disallow: /
+`
+
+// RobotsGETHandler returns the most restrictive possible robots.txt file in response to a call to /robots.txt.
+// The response instructs bots with *any* user agent not to index the instance at all.
+func (m *Module) RobotsGETHandler(c *gin.Context) {
+	c.String(http.StatusOK, robotsString)
+}

internal/api/security/security.go

@@ -19,12 +19,16 @@
 package security
 
 import (
+	"net/http"
+
 	"github.com/sirupsen/logrus"
 	"github.com/superseriousbusiness/gotosocial/internal/api"
 	"github.com/superseriousbusiness/gotosocial/internal/config"
 	"github.com/superseriousbusiness/gotosocial/internal/router"
 )
 
+const robotsPath = "/robots.txt"
+
 // Module implements the ClientAPIModule interface for security middleware
 type Module struct {
 	config *config.Config
@@ -44,5 +48,6 @@ func (m *Module) Route(s router.Router) error {
 	s.AttachMiddleware(m.FlocBlock)
 	s.AttachMiddleware(m.ExtraHeaders)
 	s.AttachMiddleware(m.UserAgentBlock)
+	s.AttachHandler(http.MethodGet, robotsPath, m.RobotsGETHandler)
 	return nil
 }

internal/api/security/useragentblock.go

@@ -23,20 +23,24 @@ import (
 	"strings"
 
 	"github.com/gin-gonic/gin"
+	"github.com/sirupsen/logrus"
 )
 
-// UserAgentBlock is a middleware that prevents google chrome cohort tracking by
-// writing the Permissions-Policy header after all other parts of the request have been completed.
-// See: https://plausible.io/blog/google-floc
+// UserAgentBlock blocks requests with undesired, empty, or invalid user-agent strings.
 func (m *Module) UserAgentBlock(c *gin.Context) {
+	l := m.log.WithFields(logrus.Fields{
+		"func": "UserAgentBlock",
+	})
 
 	ua := c.Request.UserAgent()
 	if ua == "" {
+		l.Debug("aborting request because there's no user-agent set")
 		c.AbortWithStatus(http.StatusTeapot)
 		return
 	}
 
-	if strings.Contains(strings.ToLower(c.Request.UserAgent()), strings.ToLower("friendica")) {
+	if strings.Contains(strings.ToLower(ua), strings.ToLower("friendica")) {
+		l.Debugf("aborting request with user-agent %s because it contains 'friendica'", ua)
 		c.AbortWithStatus(http.StatusTeapot)
 		return
 	}