ktistec
Does not Respond Correctly to a HTTP HEAD Request
[...]
> HEAD /.well-known/webfinger?resource=acct:[email protected] HTTP/1.1
> Host: epiktistes.com
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Tue, 15 Nov 2022 18:48:08 GMT
< Content-Type: application/json
< Content-Length: 22
< Connection: keep-alive
< X-Powered-By: Kemal
[...]
while a GET returns the JSON along with HTTP code 200 (as it should).
i've left this broken because part of the fix depends on fixing kemal (see https://github.com/kemalcr/kemal/issues/614). let me see if i can step in over there and define a handler that runs the method, but does not return the body (vs. currently always responding with 200 OK).
partially fixed in https://github.com/toddsundsted/ktistec/commit/76457332ca2eb1dbaf11bb2f76db62a303a2b009
the solution removes the failure due to the incorrectly applied authentication, and this specific case will now work correctly. however, due to the way this was implemented in Kemal, HEAD requests now always return 200 OK (assuming there's a route). you can see this in action by misspelling my name and comparing GET and HEAD.
Hi Todd, Thanks for looking into it and for the fix! I can confirm it looks good to me now, and also to "debirdify" & similar tools (which triggered this issue in the first place). I guess having false-positives is less impacting than false-negatives, however looking forward to a full kemal fix as well.
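An added example, not part of the original thread and not ktistec or Kemal code: a minimal Python handler for the behaviour discussed above, where HEAD runs the same lookup as GET and returns the same status and headers without a body, plus a probe that compares the two methods for a known and a misspelled account. The account names, the `KNOWN` set and the local test server are constructed for illustration.

```python
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlsplit

KNOWN = {"acct:alice@example.test"}  # constructed sample account


class WebFingerHandler(BaseHTTPRequestHandler):
    def _respond(self, send_body):
        # Same lookup for GET and HEAD, so both get the same status and headers.
        resource = parse_qs(urlsplit(self.path).query).get("resource", [""])[0]
        if resource in KNOWN:
            status, doc = 200, {"subject": resource, "links": []}
        else:
            status, doc = 404, {"error": "unknown resource"}
        body = json.dumps(doc).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))  # length GET would send
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self):
        self._respond(send_body=True)

    def do_HEAD(self):
        self._respond(send_body=False)  # headers only, no body


def probe(port, method, resource):
    # Returns (status, Content-Length header, number of body bytes received).
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/.well-known/webfinger?resource=" + resource)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Content-Length"), len(resp.read()))
    conn.close()
    return result


def run_checks():
    # Probe a known and a misspelled account with GET and HEAD on a local server.
    server = ThreadingHTTPServer(("127.0.0.1", 0), WebFingerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {(m, r): probe(server.server_address[1], m, r)
                for r in ("acct:alice@example.test", "acct:alcie@example.test")
                for m in ("GET", "HEAD")}
    finally:
        server.shutdown()
        server.server_close()
```

A client that only checks existence with HEAD gets the same answer it would get from GET, including 404 for the misspelled account.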