Proposal: Streamline mastodon profile verification with direct hyperlinks
Background
Currently, GitLab uses an interstitial page to handle Mastodon profile verification. This approach involves generating a URL with a rel="me" attribute and redirecting users through an intermediate page via external_redirect_path(), before they are sent to their Mastodon profile for verification. This method adheres to secure coding guidelines but may not be the most user-friendly approach.
See this MR for the current verification workflow.
Possible Options
Option 1: Maintain Secure Coding Guidelines with External Redirect Path (Current)
Implementation:
- Continue using the existing `external_redirect_path()` method, which shows an interstitial page before redirecting to Mastodon.
- Add a redirect for a user coming from Mastodon -> interstitial_page -> gitlab.com/, since clicking the GitLab link in Mastodon currently lands on the interstitial page.
- Feature flag rollout for `verify_mastodon_user`.
- Commit/implement the `webfinger_url` generation fix.
Pros:
- Adheres to secure coding guidelines for SAST coverage by maintaining an intermediate page.
- Offers a consistent and secure method of handling external links.
Cons:
- Less user-friendly compared to direct redirection.
- Additional steps required for user verification, which might be confusing.
Steps to Implement:
- Code Update:
- Documentation Update: tell users that the interstitial page URI `https://gitlab.com/-/external_redirect?rel=me&url=https%3A%2F%2F<server_name>%2F%40<username>` has to be copied into their Mastodon profile, as opposed to `gitlab.com/<username>`.
Option 2: Directly Redirect to Mastodon Profile
See this related webfinger MR for information on how it works.
Implementation:
- Immediately redirect users to their Mastodon profile for verification without an interstitial redirect.
Pros:
- Simplifies UX by removing the interstitial page and redirecting directly to the Mastodon profile.
- Aligns with how other IdPs handle Mastodon verification (e.g. GitHub, WordPress, blogs).
- Since the WebFinger protocol only needs the username and the Mastodon server name to identify the Mastodon user (the ActivityPub actor), GitLab would still handle the URL generation.
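The URL generation both options depend on, as an added Ruby example (not GitLab's code): it builds the WebFinger lookup, the profile URL and the Option 1 interstitial link from a username and server name, validates those two inputs before interpolating them, and checks a fetched HTML body for the `rel="me"` back-link that Mastodon looks for. The module and method names, the validation rules and the sample values are assumptions.

```ruby
require 'cgi'

# Added example, not GitLab's code. Builds the URLs involved in Mastodon
# rel="me" verification from a username and server name; the module name,
# validation rules and sample values are assumptions for this illustration.
module MastodonVerification
  GITLAB_BASE = 'https://gitlab.com'.freeze
  # Bare hostname only: labels of letters/digits/hyphens, a TLD, nothing else.
  HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\z/i
  USERNAME_RE = /\A[a-z0-9_]{1,30}\z/i

  # Reject anything that is not a plain hostname / username, so a crafted value
  # cannot smuggle a path, query or a different host into the generated links.
  def self.validate!(username, server)
    raise ArgumentError, "bad server name: #{server.inspect}" unless server.match?(HOSTNAME_RE)
    raise ArgumentError, "bad username: #{username.inspect}" unless username.match?(USERNAME_RE)
  end

  # WebFinger (RFC 7033) lookup for the ActivityPub actor acct:user@server;
  # only these two values are needed to identify the account.
  def self.webfinger_url(username, server)
    validate!(username, server)
    "https://#{server}/.well-known/webfinger?resource=acct:#{username}@#{server}"
  end

  # Canonical Mastodon profile page (Option 2 links here directly).
  def self.profile_url(username, server)
    validate!(username, server)
    "https://#{server}/@#{username}"
  end

  # Option 1: the interstitial link, with the profile URL percent-encoded into
  # the url= parameter in the same form the documentation update describes.
  def self.external_redirect_url(username, server)
    "#{GITLAB_BASE}/-/external_redirect?rel=me&url=#{CGI.escape(profile_url(username, server))}"
  end

  # Mastodon verifies a link by fetching the page and looking for an <a rel="me">
  # whose href points back at the profile; true when such a link to expected_href exists.
  def self.rel_me_link?(html, expected_href)
    html.scan(/<a\s[^>]*>/i).any? do |tag|
      next false unless tag =~ /\brel\s*=\s*["']?[^"'>]*\bme\b/i
      tag[/\bhref\s*=\s*["']([^"']+)["']/i, 1] == expected_href
    end
  end
end

# Constructed sample values: a user "alice" on the server mastodon.example.
puts MastodonVerification.webfinger_url('alice', 'mastodon.example')
puts MastodonVerification.external_redirect_url('alice', 'mastodon.example')
```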
Cons:
- May not adhere to the current secure coding guidelines if the interstitial page is removed.
- Requires approval from AppSec and may trigger changes to how all external social links are handled.
Steps to Implement:
- Remove `external_redirect_path()` from all relevant Mastodon redirects
- Update tests
Decision Needed:
- AppSec Approval: Before proceeding with Option 2, obtain approval from the AppSec team to ensure that removing the interstitial page and using direct redirection complies with security policies.
- Implementation Choice: Determine which of the above options or newly discussed options will be implemented.
Decision Made:
Option 1 was approved since, unlike Option 2, it does not introduce any security issue.
Relevant issues/MRs
- Main #433391 (closed)
- RelMe MR
Checklist
- Add in related issues & MRs
- Tag in relevant participants
- Update README after an option is reached