From e2e21f4afa5e88c082193152fe0dd4075cfa78c3 Mon Sep 17 00:00:00 2001
From: Danielle McLean <dani@00dani.me>
Date: Fri, 27 Oct 2017 22:03:25 +1100
Subject: [PATCH] Make sure IndieAuth is agnostic to whether the 'me' parameter
 has a trailing slash or not

---
 lemonauth/views/indie.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/lemonauth/views/indie.py b/lemonauth/views/indie.py
index 3bef4a5..e7a7e5d 100644
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@@ -5,7 +5,8 @@ from django.http import HttpResponseForbidden, HttpResponseBadRequest
 from django.shortcuts import render
 from django.utils.decorators import method_decorator
 from django.views.generic import TemplateView
-from lemoncurry import breadcrumbs
+from lemoncurry import breadcrumbs, utils
+from urllib.parse import urljoin
 
 breadcrumbs.add('lemonauth:indie', label='indieauth', parent='home:index')
 
@@ -25,12 +26,12 @@ class IndieView(TemplateView):
                 )
 
         me = params['me']
-        user = '{0}://{1}{2}'.format(
-            request.scheme,
-            request.META['HTTP_HOST'],
-            request.user.url
-        )
-        if me != user:
+        if me[-1] == '/':
+            me = me[:-1]
+
+        origin = utils.origin(request)
+        user = urljoin(origin, request.user.url)
+        if user not in (me, me + '/'):
             return HttpResponseForbidden(
                 'you are logged in but not as {0}'.format(me),
                 content_type='text/plain',