@fedify/webfinger 2.3.0-dev.994 → 2.3.0-pr.809.37

package/dist/lookup.test.js

@@ -1,6 +1,6 @@
-import { test } from "@fedify/fixture";
+import { createTestMeterProvider, test } from "@fedify/fixture";
 import { withTimeout } from "es-toolkit";
-import { deepStrictEqual } from "node:assert/strict";
+import { deepStrictEqual, ok } from "node:assert/strict";
 import { UrlError, getUserAgent, validatePublicUrl } from "@fedify/vocab-runtime";
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
@@ -11,7 +11,7 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
+var __commonJSMin = (cb, mod) => () => (mod || (cb((mod = { exports: {} }).exports, mod), cb = null), mod.exports);
 var __copyProps = (to, from, except, desc) => {
 	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
 		key = keys[i];
@@ -1227,7 +1227,7 @@ var esm_default = new class FetchMock {
 //#endregion
 //#region deno.json
 var name = "@fedify/webfinger";
-var version = "2.3.0-dev.994+9071ca0a";
+var version = "2.3.0-pr.809.37+0574ba5c";
 //#endregion
 //#region src/lookup.ts
 const logger = getLogger([
@@ -1236,6 +1236,58 @@ const logger = getLogger([
 	"lookup"
 ]);
 const DEFAULT_MAX_REDIRECTION = 5;
+const WEBFINGER_HISTOGRAM_BUCKETS = [
+	5,
+	10,
+	25,
+	50,
+	75,
+	100,
+	250,
+	500,
+	750,
+	1e3,
+	2500,
+	5e3,
+	7500,
+	1e4
+];
+const webFingerInstruments = /* @__PURE__ */ new WeakMap();
+function getWebFingerInstruments(meterProvider) {
+	let instruments = webFingerInstruments.get(meterProvider);
+	if (instruments == null) {
+		const meter = meterProvider.getMeter(name, version);
+		instruments = {
+			lookup: meter.createCounter("webfinger.lookup", {
+				description: "Outgoing WebFinger lookup attempts.",
+				unit: "{lookup}"
+			}),
+			lookupDuration: meter.createHistogram("webfinger.lookup.duration", {
+				description: "Duration of outgoing WebFinger lookups.",
+				unit: "ms",
+				advice: { explicitBucketBoundaries: [...WEBFINGER_HISTOGRAM_BUCKETS] }
+			})
+		};
+		webFingerInstruments.set(meterProvider, instruments);
+	}
+	return instruments;
+}
+function getResourceScheme(resource) {
+	if (typeof resource === "string") {
+		const colon = resource.indexOf(":");
+		return colon > 0 ? resource.substring(0, colon).toLowerCase() : "";
+	}
+	return resource.protocol.replace(/:$/, "").toLowerCase();
+}
+const WEBFINGER_LOOKUP_SCHEME_WHITELIST = new Set([
+	"acct",
+	"http",
+	"https",
+	"mailto"
+]);
+function getMetricResourceScheme(scheme) {
+	return WEBFINGER_LOOKUP_SCHEME_WHITELIST.has(scheme) ? scheme : "other";
+}
 /**
 * Looks up a WebFinger resource.
 * @param resource The resource URL to look up.
@@ -1244,17 +1296,25 @@ const DEFAULT_MAX_REDIRECTION = 5;
 * @since 0.2.0
 */
 async function lookupWebFinger(resource, options = {}) {
-	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("webfinger.lookup", {
+	const tracer = (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version);
+	const scheme = getResourceScheme(resource);
+	return await tracer.startActiveSpan("webfinger.lookup", {
 		kind: SpanKind.CLIENT,
 		attributes: {
 			"webfinger.resource": resource.toString(),
-			"webfinger.resource.scheme": typeof resource === "string" ? resource.replace(/:.*$/, "") : resource.protocol.replace(/:$/, "")
+			"webfinger.resource.scheme": scheme
 		}
 	}, async (span) => {
+		const meterProvider = options.meterProvider;
+		const start = meterProvider == null ? 0 : performance.now();
+		let outcome = {
+			resource: null,
+			result: "error"
+		};
 		try {
-			const result = await lookupWebFingerInternal(resource, options);
-			span.setStatus({ code: result === null ? SpanStatusCode.ERROR : SpanStatusCode.OK });
-			return result;
+			outcome = await lookupWebFingerInternal(resource, options);
+			span.setStatus({ code: outcome.resource === null ? SpanStatusCode.ERROR : SpanStatusCode.OK });
+			return outcome.resource;
 		} catch (error) {
 			span.setStatus({
 				code: SpanStatusCode.ERROR,
@@ -1262,19 +1322,41 @@ async function lookupWebFinger(resource, options = {}) {
 			});
 			throw error;
 		} finally {
+			if (meterProvider != null) recordWebFingerLookup(meterProvider, Math.max(0, performance.now() - start), scheme, outcome);
 			span.end();
 		}
 	});
 }
+function recordWebFingerLookup(meterProvider, durationMs, scheme, outcome) {
+	const attributes = {
+		"webfinger.lookup.result": outcome.result,
+		"webfinger.resource.scheme": getMetricResourceScheme(scheme)
+	};
+	if (outcome.remoteHost != null) attributes["activitypub.remote.host"] = outcome.remoteHost;
+	if (outcome.statusCode != null) attributes["http.response.status_code"] = outcome.statusCode;
+	const instruments = getWebFingerInstruments(meterProvider);
+	instruments.lookup.add(1, attributes);
+	instruments.lookupDuration.record(durationMs, attributes);
+}
 async function lookupWebFingerInternal(resource, options = {}) {
 	if (typeof resource === "string") resource = new URL(resource);
 	let protocol = "https:";
 	let server;
-	if (resource.protocol === "acct:") {
+	if (resource.protocol === "acct:" || resource.protocol === "mailto:") {
 		const atPos = resource.pathname.lastIndexOf("@");
-		if (atPos < 0) return null;
+		if (atPos < 0) return {
+			resource: null,
+			result: "invalid"
+		};
 		server = resource.pathname.substring(atPos + 1);
-		if (server === "") return null;
+		if (server === "" || /[/?#]/.test(server)) return {
+			resource: null,
+			result: "invalid"
+		};
+		if (resource.protocol === "acct:" && (resource.search !== "" || resource.hash !== "")) return {
+			resource: null,
+			result: "invalid"
+		};
 	} else {
 		protocol = resource.protocol;
 		server = resource.host;
@@ -1283,6 +1365,7 @@ async function lookupWebFingerInternal(resource, options = {}) {
 	url.searchParams.set("resource", resource.href);
 	let redirected = 0;
 	while (true) {
+		const remoteHost = url.host;
 		logger.debug("Fetching WebFinger resource descriptor from {url}...", { url: url.href });
 		let response;
 		if (options.allowPrivateAddress !== true) try {
@@ -1290,7 +1373,11 @@ async function lookupWebFingerInternal(resource, options = {}) {
 		} catch (e) {
 			if (e instanceof UrlError) {
 				logger.error("Invalid URL for WebFinger resource descriptor: {error}", { error: e });
-				return null;
+				return {
+					resource: null,
+					result: "network_error",
+					remoteHost
+				};
 			}
 			throw e;
 		}
@@ -1308,22 +1395,50 @@ async function lookupWebFingerInternal(resource, options = {}) {
 				url: url.href,
 				error
 			});
-			return null;
+			return {
+				resource: null,
+				result: "network_error",
+				remoteHost
+			};
 		}
 		if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
 			redirected++;
 			const maxRedirection = options.maxRedirection ?? DEFAULT_MAX_REDIRECTION;
-			if (redirected >= maxRedirection) {
+			if (redirected > maxRedirection) {
 				logger.error("Too many redirections ({redirections}) while fetching WebFinger resource descriptor.", { redirections: redirected });
-				return null;
+				return {
+					resource: null,
+					result: "invalid",
+					statusCode: response.status,
+					remoteHost
+				};
+			}
+			let redirectedUrl;
+			try {
+				redirectedUrl = new URL(response.headers.get("Location"), response.url == null || response.url === "" ? url : response.url);
+			} catch (e) {
+				logger.error("Invalid Location header while following WebFinger redirect: {error}", {
+					url: url.href,
+					error: e
+				});
+				return {
+					resource: null,
+					result: "invalid",
+					statusCode: response.status,
+					remoteHost
+				};
 			}
-			const redirectedUrl = new URL(response.headers.get("Location"), response.url == null || response.url === "" ? url : response.url);
 			if (redirectedUrl.protocol !== url.protocol) {
 				logger.error("Redirected to a different protocol ({protocol} to {redirectedProtocol}) while fetching WebFinger resource descriptor.", {
 					protocol: url.protocol,
 					redirectedProtocol: redirectedUrl.protocol
 				});
-				return null;
+				return {
+					resource: null,
+					result: "invalid",
+					statusCode: response.status,
+					remoteHost
+				};
 			}
 			url = redirectedUrl;
 			continue;
@@ -1334,14 +1449,29 @@ async function lookupWebFingerInternal(resource, options = {}) {
 				status: response.status,
 				statusText: response.statusText
 			});
-			return null;
+			return {
+				resource: null,
+				result: response.status === 404 || response.status === 410 ? "not_found" : "error",
+				statusCode: response.status,
+				remoteHost
+			};
 		}
 		try {
-			return await response.json();
+			return {
+				resource: await response.json(),
+				result: "found",
+				statusCode: response.status,
+				remoteHost
+			};
 		} catch (e) {
 			if (e instanceof SyntaxError) {
 				logger.debug("Failed to parse WebFinger resource descriptor as JSON: {error}", { error: e });
-				return null;
+				return {
+					resource: null,
+					result: "invalid",
+					statusCode: response.status,
+					remoteHost
+				};
 			}
 			throw e;
 		}
@@ -1359,52 +1489,64 @@ test({
 			deepStrictEqual(await lookupWebFinger(new URL("acct:johndoe")), null);
 			deepStrictEqual(await lookupWebFinger("acct:johndoe@"), null);
 			deepStrictEqual(await lookupWebFinger(new URL("acct:johndoe@")), null);
+			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com/exploit"), null);
+			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com?x=1"), null);
+			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com#frag"), null);
 		});
 		await t.step("connection refused", async () => {
 			deepStrictEqual(await lookupWebFinger("acct:johndoe@fedify-test.internal"), null);
 			deepStrictEqual(await lookupWebFinger("https://fedify-test.internal/foo"), null);
 		});
 		esm_default.spyGlobal();
-		esm_default.get("begin:https://example.com/.well-known/webfinger?", { status: 404 });
-		await t.step("not found", async () => {
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), null);
-			deepStrictEqual(await lookupWebFinger("https://example.com/foo"), null);
-		});
-		const expected = {
-			subject: "acct:johndoe@example.com",
-			links: []
-		};
-		esm_default.removeRoutes();
-		esm_default.get("https://example.com/.well-known/webfinger?resource=acct%3Ajohndoe%40example.com", { body: expected });
-		await t.step("acct", async () => {
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), expected);
-		});
-		const expected2 = {
-			subject: "https://example.com/foo",
-			links: []
-		};
-		esm_default.removeRoutes();
-		esm_default.get("https://example.com/.well-known/webfinger?resource=https%3A%2F%2Fexample.com%2Ffoo", { body: expected2 });
-		await t.step("https", async () => {
-			deepStrictEqual(await lookupWebFinger("https://example.com/foo"), expected2);
-		});
-		esm_default.removeRoutes();
-		esm_default.get("begin:https://example.com/.well-known/webfinger?", { body: "not json" });
-		await t.step("invalid response", async () => {
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), null);
-		});
-		esm_default.removeRoutes();
-		esm_default.get("begin:https://localhost/.well-known/webfinger?", {
-			subject: "acct:test@localhost",
-			links: [{
-				rel: "self",
-				type: "application/activity+json",
-				href: "https://localhost/actor"
-			}]
-		});
-		await t.step("private address", async () => {
-			deepStrictEqual(await lookupWebFinger("acct:test@localhost"), null);
-			deepStrictEqual(await lookupWebFinger("acct:test@localhost", { allowPrivateAddress: true }), {
+		try {
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", { status: 404 });
+			await t.step("not found", async () => {
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), null);
+				deepStrictEqual(await lookupWebFinger("https://example.com/foo"), null);
+			});
+			const expected = {
+				subject: "acct:johndoe@example.com",
+				links: []
+			};
+			esm_default.removeRoutes();
+			esm_default.get("https://example.com/.well-known/webfinger?resource=acct%3Ajohndoe%40example.com", { body: expected });
+			await t.step("acct", async () => {
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), expected);
+			});
+			const expected2 = {
+				subject: "https://example.com/foo",
+				links: []
+			};
+			esm_default.removeRoutes();
+			esm_default.get("https://example.com/.well-known/webfinger?resource=https%3A%2F%2Fexample.com%2Ffoo", { body: expected2 });
+			await t.step("https", async () => {
+				deepStrictEqual(await lookupWebFinger("https://example.com/foo"), expected2);
+			});
+			const mailtoExpected = {
+				subject: "mailto:juliet@example.com",
+				links: []
+			};
+			esm_default.removeRoutes();
+			esm_default.get("https://example.com/.well-known/webfinger?resource=mailto%3Ajuliet%40example.com", { body: mailtoExpected });
+			await t.step("mailto", async () => {
+				deepStrictEqual(await lookupWebFinger("mailto:juliet@example.com"), mailtoExpected);
+			});
+			const mailtoQueryExpected = {
+				subject: "mailto:juliet@example.com?subject=Hi",
+				links: []
+			};
+			esm_default.removeRoutes();
+			esm_default.get("https://example.com/.well-known/webfinger?resource=mailto%3Ajuliet%40example.com%3Fsubject%3DHi", { body: mailtoQueryExpected });
+			await t.step("mailto with hfields", async () => {
+				deepStrictEqual(await lookupWebFinger("mailto:juliet@example.com?subject=Hi"), mailtoQueryExpected);
+			});
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", { body: "not json" });
+			await t.step("invalid response", async () => {
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), null);
+			});
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://localhost/.well-known/webfinger?", {
 				subject: "acct:test@localhost",
 				links: [{
 					rel: "self",
@@ -1412,109 +1554,342 @@ test({
 					href: "https://localhost/actor"
 				}]
 			});
+			await t.step("private address", async () => {
+				deepStrictEqual(await lookupWebFinger("acct:test@localhost"), null);
+				deepStrictEqual(await lookupWebFinger("acct:test@localhost", { allowPrivateAddress: true }), {
+					subject: "acct:test@localhost",
+					links: [{
+						rel: "self",
+						type: "application/activity+json",
+						href: "https://localhost/actor"
+					}]
+				});
+			});
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", {
+				status: 302,
+				headers: { Location: "/.well-known/webfinger2" }
+			});
+			esm_default.get("begin:https://example.com/.well-known/webfinger2", { body: expected });
+			await t.step("redirection", async () => {
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), expected);
+			});
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", {
+				status: 302,
+				headers: { Location: "/.well-known/webfinger" }
+			});
+			await t.step("infinite redirection", async () => {
+				deepStrictEqual(await withTimeout(() => lookupWebFinger("acct:johndoe@example.com"), 2e3), null);
+			});
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", {
+				status: 302,
+				headers: { Location: "ftp://example.com/" }
+			});
+			await t.step("redirection to different protocol", async () => {
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), null);
+			});
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", {
+				status: 302,
+				headers: { Location: "https://localhost/" }
+			});
+			await t.step("redirection to private address", async () => {
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), null);
+			});
+			esm_default.removeRoutes();
+			let redirectCount = 0;
+			esm_default.get("begin:https://example.com/.well-known/webfinger", () => {
+				redirectCount++;
+				if (redirectCount < 3) return {
+					status: 302,
+					headers: { Location: `/.well-known/webfinger?redirect=${redirectCount}` }
+				};
+				return { body: expected };
+			});
+			await t.step("custom maxRedirection", async () => {
+				redirectCount = 0;
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { maxRedirection: 1 }), null);
+				redirectCount = 0;
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { maxRedirection: 2 }), expected);
+				redirectCount = 0;
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { maxRedirection: 3 }), expected);
+				redirectCount = 0;
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), expected);
+			});
+			await t.step("maxRedirection: 1 follows exactly one redirect", async () => {
+				esm_default.removeRoutes();
+				let count = 0;
+				esm_default.get("begin:https://example.com/.well-known/webfinger", () => {
+					count++;
+					return count < 2 ? {
+						status: 302,
+						headers: { Location: "/.well-known/webfinger?after=1" }
+					} : { body: expected };
+				});
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { maxRedirection: 1 }), expected);
+				esm_default.removeRoutes();
+				count = 0;
+				esm_default.get("begin:https://example.com/.well-known/webfinger", () => {
+					count++;
+					return count < 3 ? {
+						status: 302,
+						headers: { Location: `/.well-known/webfinger?after=${count}` }
+					} : { body: expected };
+				});
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { maxRedirection: 1 }), null);
+			});
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", () => new Promise((resolve) => {
+				const timeoutId = setTimeout(() => {
+					resolve({ body: expected });
+				}, 1e3);
+				return () => clearTimeout(timeoutId);
+			}));
+			await t.step("request cancellation", async () => {
+				const controller = new AbortController();
+				const promise = lookupWebFinger("acct:johndoe@example.com", { signal: controller.signal });
+				controller.abort();
+				deepStrictEqual(await promise, null);
+			});
+			esm_default.removeRoutes();
+			let redirectCount2 = 0;
+			esm_default.get("begin:https://example.com/.well-known/webfinger", () => {
+				redirectCount2++;
+				if (redirectCount2 === 1) return {
+					status: 302,
+					headers: { Location: "/.well-known/webfinger2" }
+				};
+				return new Promise((resolve) => {
+					const timeoutId = setTimeout(() => {
+						resolve({ body: expected });
+					}, 1e3);
+					return () => clearTimeout(timeoutId);
+				});
+			});
+			await t.step("cancellation during redirection", async () => {
+				const controller = new AbortController();
+				const promise = lookupWebFinger("acct:johndoe@example.com", { signal: controller.signal });
+				setTimeout(() => controller.abort(), 100);
+				deepStrictEqual(await promise, null);
+			});
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", () => new Promise((resolve) => {
+				const timeoutId = setTimeout(() => {
+					resolve({ body: expected });
+				}, 500);
+				return () => clearTimeout(timeoutId);
+			}));
+			await t.step("cancellation with immediate abort", async () => {
+				const controller = new AbortController();
+				controller.abort();
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { signal: controller.signal }), null);
+			});
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", { body: expected });
+			await t.step("successful request with signal", async () => {
+				deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { signal: new AbortController().signal }), expected);
+			});
+		} finally {
+			esm_default.removeRoutes();
+			esm_default.hardReset();
+		}
+	}
+});
+test("lookupWebFinger() records webfinger.lookup counter and duration", {
+	sanitizeOps: false,
+	sanitizeResources: false
+}, async (t) => {
+	esm_default.spyGlobal();
+	try {
+		const expected = {
+			subject: "acct:johndoe@example.com",
+			links: []
+		};
+		await t.step("records result=found for a successful acct lookup", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("https://example.com/.well-known/webfinger?resource=acct%3Ajohndoe%40example.com", { body: expected });
+			const [meterProvider, recorder] = createTestMeterProvider();
+			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { meterProvider }), expected);
+			const counters = recorder.getMeasurements("webfinger.lookup");
+			deepStrictEqual(counters.length, 1);
+			deepStrictEqual(counters[0].type, "counter");
+			deepStrictEqual(counters[0].value, 1);
+			deepStrictEqual(counters[0].attributes["webfinger.lookup.result"], "found");
+			deepStrictEqual(counters[0].attributes["webfinger.resource.scheme"], "acct");
+			deepStrictEqual(counters[0].attributes["activitypub.remote.host"], "example.com");
+			deepStrictEqual(counters[0].attributes["http.response.status_code"], 200);
+			const durations = recorder.getMeasurements("webfinger.lookup.duration");
+			deepStrictEqual(durations.length, 1);
+			deepStrictEqual(durations[0].type, "histogram");
+			deepStrictEqual(durations[0].attributes["webfinger.lookup.result"], "found");
+			deepStrictEqual(durations[0].attributes["webfinger.resource.scheme"], "acct");
+			ok(typeof durations[0].value === "number" && durations[0].value >= 0);
 		});
-		esm_default.removeRoutes();
-		esm_default.get("begin:https://example.com/.well-known/webfinger?", {
-			status: 302,
-			headers: { Location: "/.well-known/webfinger2" }
+		await t.step("records scheme=https for an https resource lookup", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("https://example.com/.well-known/webfinger?resource=https%3A%2F%2Fexample.com%2Ffoo", { body: {
+				subject: "https://example.com/foo",
+				links: []
+			} });
+			const [meterProvider, recorder] = createTestMeterProvider();
+			await lookupWebFinger("https://example.com/foo", { meterProvider });
+			const counters = recorder.getMeasurements("webfinger.lookup");
+			deepStrictEqual(counters.length, 1);
+			deepStrictEqual(counters[0].attributes["webfinger.resource.scheme"], "https");
+			deepStrictEqual(counters[0].attributes["webfinger.lookup.result"], "found");
 		});
-		esm_default.get("begin:https://example.com/.well-known/webfinger2", { body: expected });
-		await t.step("redirection", async () => {
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), expected);
+		await t.step("records non-default ports for URL resources", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("https://example.com:8443/.well-known/webfinger?resource=https%3A%2F%2Fexample.com%3A8443%2Ffoo", { body: {
+				subject: "https://example.com:8443/foo",
+				links: []
+			} });
+			const [meterProvider, recorder] = createTestMeterProvider();
+			await lookupWebFinger("https://example.com:8443/foo", { meterProvider });
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["activitypub.remote.host"], "example.com:8443");
 		});
-		esm_default.removeRoutes();
-		esm_default.get("begin:https://example.com/.well-known/webfinger?", {
-			status: 302,
-			headers: { Location: "/.well-known/webfinger" }
+		await t.step("records result=not_found with status 404", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", { status: 404 });
+			const [meterProvider, recorder] = createTestMeterProvider();
+			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { meterProvider }), null);
+			const counters = recorder.getMeasurements("webfinger.lookup");
+			deepStrictEqual(counters.length, 1);
+			deepStrictEqual(counters[0].attributes["webfinger.lookup.result"], "not_found");
+			deepStrictEqual(counters[0].attributes["http.response.status_code"], 404);
+			deepStrictEqual(counters[0].attributes["activitypub.remote.host"], "example.com");
+			const durations = recorder.getMeasurements("webfinger.lookup.duration");
+			deepStrictEqual(durations.length, 1);
+			deepStrictEqual(durations[0].attributes["webfinger.lookup.result"], "not_found");
 		});
-		await t.step("infinite redirection", async () => {
-			deepStrictEqual(await withTimeout(() => lookupWebFinger("acct:johndoe@example.com"), 2e3), null);
+		await t.step("records result=not_found with status 410", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", { status: 410 });
+			const [meterProvider, recorder] = createTestMeterProvider();
+			await lookupWebFinger("acct:johndoe@example.com", { meterProvider });
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["webfinger.lookup.result"], "not_found");
+			deepStrictEqual(counter.attributes["http.response.status_code"], 410);
 		});
-		esm_default.removeRoutes();
-		esm_default.get("begin:https://example.com/.well-known/webfinger?", {
-			status: 302,
-			headers: { Location: "ftp://example.com/" }
+		await t.step("records result=error for non-2xx, non-404/410 HTTP responses", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", { status: 500 });
+			const [meterProvider, recorder] = createTestMeterProvider();
+			await lookupWebFinger("acct:johndoe@example.com", { meterProvider });
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["webfinger.lookup.result"], "error");
+			deepStrictEqual(counter.attributes["http.response.status_code"], 500);
 		});
-		await t.step("redirection to different protocol", async () => {
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), null);
+		await t.step("records result=invalid for malformed JSON bodies", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", { body: "not json" });
+			const [meterProvider, recorder] = createTestMeterProvider();
+			await lookupWebFinger("acct:johndoe@example.com", { meterProvider });
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["webfinger.lookup.result"], "invalid");
+			deepStrictEqual(counter.attributes["http.response.status_code"], 200);
 		});
-		esm_default.removeRoutes();
-		esm_default.get("begin:https://example.com/.well-known/webfinger?", {
-			status: 302,
-			headers: { Location: "https://localhost/" }
+		await t.step("records result=network_error when fetch never reaches the remote", async () => {
+			esm_default.removeRoutes();
+			const [meterProvider, recorder] = createTestMeterProvider();
+			deepStrictEqual(await lookupWebFinger("acct:johndoe@fedify-test.internal", { meterProvider }), null);
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["webfinger.lookup.result"], "network_error");
+			deepStrictEqual("http.response.status_code" in counter.attributes, false, "no HTTP response means no status code attribute");
+			deepStrictEqual(counter.attributes["activitypub.remote.host"], "fedify-test.internal");
 		});
-		await t.step("redirection to private address", async () => {
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), null);
+		await t.step("records result=invalid for malformed acct: resources", async () => {
+			const [meterProvider, recorder] = createTestMeterProvider();
+			deepStrictEqual(await lookupWebFinger("acct:johndoe", { meterProvider }), null);
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["webfinger.lookup.result"], "invalid");
+			deepStrictEqual(counter.attributes["webfinger.resource.scheme"], "acct");
+			deepStrictEqual("activitypub.remote.host" in counter.attributes, false, "a malformed acct resource has no usable remote host");
 		});
-		esm_default.removeRoutes();
-		let redirectCount = 0;
-		esm_default.get("begin:https://example.com/.well-known/webfinger", () => {
-			redirectCount++;
-			if (redirectCount < 3) return {
+		await t.step("records result=invalid when the redirect chain exceeds maxRedirection", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger", {
 				status: 302,
-				headers: { Location: `/.well-known/webfinger?redirect=${redirectCount}` }
-			};
-			return { body: expected };
+				headers: { Location: "/.well-known/webfinger" }
+			});
+			const [meterProvider, recorder] = createTestMeterProvider();
+			deepStrictEqual(await withTimeout(() => lookupWebFinger("acct:johndoe@example.com", {
+				meterProvider,
+				maxRedirection: 3
+			}), 2e3), null);
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["webfinger.lookup.result"], "invalid");
+			deepStrictEqual(counter.attributes["http.response.status_code"], 302);
+			deepStrictEqual(counter.attributes["activitypub.remote.host"], "example.com");
 		});
-		await t.step("custom maxRedirection", async () => {
-			redirectCount = 0;
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { maxRedirection: 2 }), null);
-			redirectCount = 0;
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { maxRedirection: 3 }), expected);
-			redirectCount = 0;
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com"), expected);
+		await t.step("records result=invalid for cross-protocol redirects", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", {
+				status: 302,
+				headers: { Location: "ftp://example.com/" }
+			});
+			const [meterProvider, recorder] = createTestMeterProvider();
+			await lookupWebFinger("acct:johndoe@example.com", { meterProvider });
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["webfinger.lookup.result"], "invalid");
+			deepStrictEqual(counter.attributes["http.response.status_code"], 302);
 		});
-		esm_default.removeRoutes();
-		esm_default.get("begin:https://example.com/.well-known/webfinger?", () => new Promise((resolve) => {
-			const timeoutId = setTimeout(() => {
-				resolve({ body: expected });
-			}, 1e3);
-			return () => clearTimeout(timeoutId);
-		}));
-		await t.step("request cancellation", async () => {
-			const controller = new AbortController();
-			const promise = lookupWebFinger("acct:johndoe@example.com", { signal: controller.signal });
-			controller.abort();
-			deepStrictEqual(await promise, null);
+		await t.step("records result=network_error when a redirect points to a private address", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", {
+				status: 302,
+				headers: { Location: "https://localhost/" }
+			});
+			const [meterProvider, recorder] = createTestMeterProvider();
+			await lookupWebFinger("acct:johndoe@example.com", { meterProvider });
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["webfinger.lookup.result"], "network_error");
+			deepStrictEqual(counter.attributes["activitypub.remote.host"], "localhost", "remote.host reflects the latest URL we attempted, even after a redirect");
 		});
-		esm_default.removeRoutes();
-		let redirectCount2 = 0;
-		esm_default.get("begin:https://example.com/.well-known/webfinger", () => {
-			redirectCount2++;
-			if (redirectCount2 === 1) return {
+		await t.step("records result=invalid for malformed Location headers", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("begin:https://example.com/.well-known/webfinger?", {
 				status: 302,
-				headers: { Location: "/.well-known/webfinger2" }
-			};
-			return new Promise((resolve) => {
-				const timeoutId = setTimeout(() => {
-					resolve({ body: expected });
-				}, 1e3);
-				return () => clearTimeout(timeoutId);
+				headers: { Location: "http://[bad" }
 			});
+			const [meterProvider, recorder] = createTestMeterProvider();
+			await lookupWebFinger("acct:johndoe@example.com", { meterProvider });
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["webfinger.lookup.result"], "invalid");
+			deepStrictEqual(counter.attributes["http.response.status_code"], 302);
+			deepStrictEqual(counter.attributes["activitypub.remote.host"], "example.com");
 		});
-		await t.step("cancellation during redirection", async () => {
-			const controller = new AbortController();
-			const promise = lookupWebFinger("acct:johndoe@example.com", { signal: controller.signal });
-			setTimeout(() => controller.abort(), 100);
-			deepStrictEqual(await promise, null);
+		await t.step("buckets unknown resource schemes as 'other' to keep metric cardinality bounded", async () => {
+			esm_default.removeRoutes();
+			const [meterProvider, recorder] = createTestMeterProvider();
+			await lookupWebFinger("ssh://example.com/foo", { meterProvider });
+			const counter = recorder.getMeasurement("webfinger.lookup");
+			ok(counter != null);
+			deepStrictEqual(counter.attributes["webfinger.resource.scheme"], "other");
 		});
-		esm_default.removeRoutes();
-		esm_default.get("begin:https://example.com/.well-known/webfinger?", () => new Promise((resolve) => {
-			const timeoutId = setTimeout(() => {
-				resolve({ body: expected });
-			}, 500);
-			return () => clearTimeout(timeoutId);
-		}));
-		await t.step("cancellation with immediate abort", async () => {
-			const controller = new AbortController();
-			controller.abort();
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { signal: controller.signal }), null);
+		await t.step("omits measurements when no meterProvider is provided", async () => {
+			esm_default.removeRoutes();
+			esm_default.get("https://example.com/.well-known/webfinger?resource=acct%3Ajohndoe%40example.com", { body: expected });
+			const [_unused, recorder] = createTestMeterProvider();
+			await lookupWebFinger("acct:johndoe@example.com");
+			deepStrictEqual(recorder.getMeasurements("webfinger.lookup").length, 0);
+			deepStrictEqual(recorder.getMeasurements("webfinger.lookup.duration").length, 0);
 		});
+	} finally {
 		esm_default.removeRoutes();
-		esm_default.get("begin:https://example.com/.well-known/webfinger?", { body: expected });
-		await t.step("successful request with signal", async () => {
-			deepStrictEqual(await lookupWebFinger("acct:johndoe@example.com", { signal: new AbortController().signal }), expected);
-		});
 		esm_default.hardReset();
 	}
 });