author | William Pitcock <nenolod@dereferenced.org> | 2019-02-14 02:41:21 +0000 |
---|---|---|
committer | William Pitcock <nenolod@dereferenced.org> | 2019-02-14 02:41:21 +0000 |
commit | 64620d8980e3e93791d3f880296be2060ffc4d39 (patch) | |
tree | e6721b1a57d96da6781373e0356c2ad7324683e0 | |
parent | d54c483964692e1ca6b813d6b35a0635d3c0abf9 (diff) | |
activitypub: user view: do not expose oAuth endpoints for instance users
-rw-r--r-- | lib/pleroma/web/activity_pub/views/user_view.ex | 6 | ||||
-rw-r--r-- | test/web/activity_pub/views/user_view_test.exs | 11 |
2 files changed, 16 insertions, 1 deletions
diff --git a/lib/pleroma/web/activity_pub/views/user_view.ex b/lib/pleroma/web/activity_pub/views/user_view.ex
index 035463de2..b363a3dc4 100644
--- a/lib/pleroma/web/activity_pub/views/user_view.ex
+++ b/lib/pleroma/web/activity_pub/views/user_view.ex
@@ -17,7 +17,11 @@ defmodule Pleroma.Web.ActivityPub.UserView do
 import Ecto.Query
- def render("endpoints.json", %{user: %User{nickname: _nickname, local: true} = _user}) do
+ def render("endpoints.json", %{user: %User{nickname: nil, local: true} = _user}) do
+ %{"sharedInbox" => Helpers.activity_pub_url(Endpoint, :inbox)}
+ end
+
+ def render("endpoints.json", %{user: %User{local: true} = _user}) do
 %{
 "oauthAuthorizationEndpoint" => Helpers.o_auth_url(Endpoint, :authorize),
 "oauthRegistrationEndpoint" => Helpers.mastodon_api_url(Endpoint, :create_app),
diff --git a/test/web/activity_pub/views/user_view_test.exs b/test/web/activity_pub/views/user_view_test.exs
index 95d736c50..0bc1d4728 100644
--- a/test/web/activity_pub/views/user_view_test.exs
+++ b/test/web/activity_pub/views/user_view_test.exs
@@ -42,5 +42,16 @@ defmodule Pleroma.Web.ActivityPub.UserViewTest do
 assert result["id"] == user.ap_id
 assert result["endpoints"] == %{}
 end
+
+ test "instance users do not expose oAuth endpoints" do
+ user = insert(:user, nickname: nil, local: true)
+ {:ok, user} = Pleroma.Web.WebFinger.ensure_keys_present(user)
+
+ result = UserView.render("user.json", %{user: user})
+
+ refute result["endpoints"]["oauthAuthorizationEndpoint"]
+ refute result["endpoints"]["oauthRegistrationEndpoint"]
+ refute result["endpoints"]["oauthTokenEndpoint"]
+ end
 end
 end
|
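Review bot: In user_view.ex the new `render("endpoints.json", …)` clause recognises an instance actor only by `nickname: nil`, and it takes effect only because it sits above the general `%User{local: true}` clause. If a local service actor is ever created with a nickname, it would presumably fall through to the general clause and advertise the OAuth endpoints again. The invariant should be written down above the clause, for example `# Instance/service actors (nickname: nil) cannot log in: advertise sharedInbox only. Keep above the general local clause.` The `= _user` binding is unused in both heads and can be dropped. The body of the second clause continues outside the hunk.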
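Review bot: In user_view_test.exs the new test "instance users do not expose oAuth endpoints" only refutes three key names, so it still passes when `result["endpoints"]` is nil or empty. It would also miss a differently named credential endpoint added to the instance-actor clause later. Asserting the exact allow-list, e.g. `assert Map.keys(result["endpoints"]) == ["sharedInbox"]`, pins both that the shared inbox is still advertised and that nothing else is. A companion assertion that an ordinary local user still receives the OAuth endpoints would guard the clause order in user_view.ex; no such test is visible in this hunk.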