From e3745529610622c27da66170cbc9a48aa069e4e0 Mon Sep 17 00:00:00 2001
From: John Blackbourn <johnbillion@git.wordpress.org>
Date: Tue, 7 Feb 2023 17:46:20 +0000
Subject: [PATCH] Application Passwords: Allow plain HTTP success and reject
 URLs when using a local environment type.

It's not uncommon for local environments to run over HTTP due to the relative complexity of configuring HTTPS for a local environment. This change allows HTTP URLs for application password responses when that is the case.

Props peterwilsoncc, wppunk, cadic, viralsampat

Fixes #52617

Built from https://develop.svn.wordpress.org/trunk@55283


git-svn-id: http://core.svn.wordpress.org/trunk@54816 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/user.php | 8 +++++---
 wp-includes/version.php    | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php
index 5b6c6ffd8b..05dd852f2f 100644
--- a/wp-admin/includes/user.php
+++ b/wp-admin/includes/user.php
@@ -612,6 +612,7 @@ Please click the following link to activate your user account:
  * Checks if the Authorize Application Password request is valid.
  *
  * @since 5.6.0
+ * @since 6.2.0 Allow insecure HTTP connections for the local environment.
  *
  * @param array   $request {
  *     The array of request data. All arguments are optional and may be empty.
@@ -625,12 +626,13 @@ Please click the following link to activate your user account:
  * @return true|WP_Error True if the request is valid, a WP_Error object contains errors if not.
  */
 function wp_is_authorize_application_password_request_valid( $request, $user ) {
-	$error = new WP_Error();
+	$error    = new WP_Error();
+	$is_local = 'local' === wp_get_environment_type();
 
 	if ( ! empty( $request['success_url'] ) ) {
 		$scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
 
-		if ( 'http' === $scheme ) {
+		if ( 'http' === $scheme && ! $is_local ) {
 			$error->add(
 				'invalid_redirect_scheme',
 				__( 'The success URL must be served over a secure connection.' )
@@ -641,7 +643,7 @@ function wp_is_authorize_application_password_request_valid( $request, $user ) {
 	if ( ! empty( $request['reject_url'] ) ) {
 		$scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
 
-		if ( 'http' === $scheme ) {
+		if ( 'http' === $scheme && ! $is_local ) {
 			$error->add(
 				'invalid_redirect_scheme',
 				__( 'The rejection URL must be served over a secure connection.' )
diff --git a/wp-includes/version.php b/wp-includes/version.php
index ee7184aec8..93971dd787 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.2-alpha-55282';
+$wp_version = '6.2-alpha-55283';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.