mirror of
https://github.com/WordPress/WordPress.git
synced 2024-07-19 02:05:22 +02:00
d5ebe12f11
In WordPress 4.4 the REST API was first introduced. A few releases later in WordPress 4.7, the Content API endpoints were added, paving the way for Gutenberg and countless in-site experiences. In the intervening years, numerous plugins have built on top of the REST API. Many developers shared a common frustration, the lack of external authentication to the REST API. This commit introduces Application Passwords to allow users to connect to external applications to their WordPress website. Users can generate individual passwords for each application, allowing for easy revocation and activity monitoring. An authorization flow is introduced to make the connection flow simple for users and application developers. Application Passwords uses Basic Authentication, and by default is only available over an SSL connection. Props georgestephanis, kasparsd, timothyblynjacobs, afercia, akkspro, andraganescu, arippberger, aristath, austyfrosty, ayesh, batmoo, bradyvercher, brianhenryie, helen, ipstenu, jeffmatson, jeffpaul, joostdevalk, joshlevinson, kadamwhite, kjbenk, koke, michael-arestad, Otto42, pekz0r, salzano, spacedmonkey, valendesigns. Fixes #42790. Built from https://develop.svn.wordpress.org/trunk@49109 git-svn-id: http://core.svn.wordpress.org/trunk@48871 1a063a9b-81f0-0310-95a4-ce76da25c4cd
657 lines
18 KiB
PHP
657 lines
18 KiB
PHP
<?php
|
|
/**
|
|
* REST API: WP_REST_Application_Passwords_Controller class
|
|
*
|
|
* @package WordPress
|
|
* @subpackage REST_API
|
|
* @since 5.6.0
|
|
*/
|
|
|
|
/**
|
|
* Core class to access a user's application passwords via the REST API.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @see WP_REST_Controller
|
|
*/
|
|
class WP_REST_Application_Passwords_Controller extends WP_REST_Controller {
|
|
|
|
/**
|
|
* Application Passwords controller constructor.
|
|
*
|
|
* @since 5.6.0
|
|
*/
|
|
public function __construct() {
|
|
$this->namespace = 'wp/v2';
|
|
$this->rest_base = 'users/(?P<user_id>(?:[\d]+|me))/application-passwords';
|
|
}
|
|
|
|
/**
|
|
* Registers the REST API routes for the application passwords controller.
|
|
*
|
|
* @since 5.6.0
|
|
*/
|
|
public function register_routes() {
|
|
register_rest_route(
|
|
$this->namespace,
|
|
'/' . $this->rest_base,
|
|
array(
|
|
array(
|
|
'methods' => WP_REST_Server::READABLE,
|
|
'callback' => array( $this, 'get_items' ),
|
|
'permission_callback' => array( $this, 'get_items_permissions_check' ),
|
|
'args' => $this->get_collection_params(),
|
|
),
|
|
array(
|
|
'methods' => WP_REST_Server::CREATABLE,
|
|
'callback' => array( $this, 'create_item' ),
|
|
'permission_callback' => array( $this, 'create_item_permissions_check' ),
|
|
'args' => $this->get_endpoint_args_for_item_schema(),
|
|
),
|
|
array(
|
|
'methods' => WP_REST_Server::DELETABLE,
|
|
'callback' => array( $this, 'delete_items' ),
|
|
'permission_callback' => array( $this, 'delete_items_permissions_check' ),
|
|
),
|
|
'schema' => array( $this, 'get_public_item_schema' ),
|
|
)
|
|
);
|
|
|
|
register_rest_route(
|
|
$this->namespace,
|
|
'/' . $this->rest_base . '/(?P<uuid>[\w\-]+)',
|
|
array(
|
|
array(
|
|
'methods' => WP_REST_Server::READABLE,
|
|
'callback' => array( $this, 'get_item' ),
|
|
'permission_callback' => array( $this, 'get_item_permissions_check' ),
|
|
'args' => array(
|
|
'context' => $this->get_context_param( array( 'default' => 'view' ) ),
|
|
),
|
|
),
|
|
array(
|
|
'methods' => WP_REST_Server::EDITABLE,
|
|
'callback' => array( $this, 'update_item' ),
|
|
'permission_callback' => array( $this, 'update_item_permissions_check' ),
|
|
'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),
|
|
),
|
|
array(
|
|
'methods' => WP_REST_Server::DELETABLE,
|
|
'callback' => array( $this, 'delete_item' ),
|
|
'permission_callback' => array( $this, 'delete_item_permissions_check' ),
|
|
),
|
|
'schema' => array( $this, 'get_public_item_schema' ),
|
|
)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Checks if a given request has access to get application passwords.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return true|WP_Error True if the request has read access, WP_Error object otherwise.
|
|
*/
|
|
public function get_items_permissions_check( $request ) {
|
|
return $this->do_permissions_check( $request );
|
|
}
|
|
|
|
/**
|
|
* Retrieves a collection of application passwords.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
|
|
*/
|
|
public function get_items( $request ) {
|
|
$user = $this->get_user( $request );
|
|
|
|
if ( is_wp_error( $user ) ) {
|
|
return $user;
|
|
}
|
|
|
|
$passwords = WP_Application_Passwords::get_user_application_passwords( $user->ID );
|
|
$response = array();
|
|
|
|
foreach ( $passwords as $password ) {
|
|
$response[] = $this->prepare_response_for_collection(
|
|
$this->prepare_item_for_response( $password, $request )
|
|
);
|
|
}
|
|
|
|
return new WP_REST_Response( $response );
|
|
}
|
|
|
|
/**
|
|
* Checks if a given request has access to get a specific application password.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
|
|
*/
|
|
public function get_item_permissions_check( $request ) {
|
|
return $this->do_permissions_check( $request );
|
|
}
|
|
|
|
/**
|
|
* Retrieves one application password from the collection.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
|
|
*/
|
|
public function get_item( $request ) {
|
|
$password = $this->get_application_password( $request );
|
|
|
|
if ( is_wp_error( $password ) ) {
|
|
return $password;
|
|
}
|
|
|
|
return $this->prepare_item_for_response( $password, $request );
|
|
}
|
|
|
|
/**
|
|
* Checks if a given request has access to create application passwords.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return true|WP_Error True if the request has access to create items, WP_Error object otherwise.
|
|
*/
|
|
public function create_item_permissions_check( $request ) {
|
|
return $this->do_permissions_check( $request );
|
|
}
|
|
|
|
/**
|
|
* Creates an application password.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
|
|
*/
|
|
public function create_item( $request ) {
|
|
$user = $this->get_user( $request );
|
|
|
|
if ( is_wp_error( $user ) ) {
|
|
return $user;
|
|
}
|
|
|
|
$prepared = $this->prepare_item_for_database( $request );
|
|
|
|
if ( is_wp_error( $prepared ) ) {
|
|
return $prepared;
|
|
}
|
|
|
|
$created = WP_Application_Passwords::create_new_application_password( $user->ID, wp_slash( (array) $prepared ) );
|
|
|
|
if ( is_wp_error( $created ) ) {
|
|
return $created;
|
|
}
|
|
|
|
$password = $created[0];
|
|
$item = WP_Application_Passwords::get_user_application_password( $user->ID, $created[1]['uuid'] );
|
|
|
|
$item['new_password'] = WP_Application_Passwords::chunk_password( $password );
|
|
$fields_update = $this->update_additional_fields_for_object( $item, $request );
|
|
|
|
if ( is_wp_error( $fields_update ) ) {
|
|
return $fields_update;
|
|
}
|
|
|
|
/**
|
|
* Fires after a single application password is completely created or updated via the REST API.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param array $item Inserted or updated password item.
|
|
* @param WP_REST_Request $request Request object.
|
|
* @param bool $creating True when creating an application password, false when updating.
|
|
*/
|
|
do_action( 'rest_after_insert_application_password', $item, $request, true );
|
|
|
|
$request->set_param( 'context', 'edit' );
|
|
$response = $this->prepare_item_for_response( $item, $request );
|
|
|
|
$response->set_status( 201 );
|
|
$response->header( 'Location', $response->get_links()['self'][0]['href'] );
|
|
|
|
return $response;
|
|
}
|
|
|
|
/**
|
|
* Checks if a given request has access to update application passwords.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return true|WP_Error True if the request has access to create items, WP_Error object otherwise.
|
|
*/
|
|
public function update_item_permissions_check( $request ) {
|
|
return $this->do_permissions_check( $request );
|
|
}
|
|
|
|
/**
|
|
* Updates an application password.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
|
|
*/
|
|
public function update_item( $request ) {
|
|
$user = $this->get_user( $request );
|
|
|
|
if ( is_wp_error( $user ) ) {
|
|
return $user;
|
|
}
|
|
|
|
$item = $this->get_application_password( $request );
|
|
|
|
if ( is_wp_error( $item ) ) {
|
|
return $item;
|
|
}
|
|
|
|
$prepared = $this->prepare_item_for_database( $request );
|
|
|
|
if ( is_wp_error( $prepared ) ) {
|
|
return $prepared;
|
|
}
|
|
|
|
$saved = WP_Application_Passwords::update_application_password( $user->ID, $item['uuid'], wp_slash( (array) $prepared ) );
|
|
|
|
if ( is_wp_error( $saved ) ) {
|
|
return $saved;
|
|
}
|
|
|
|
$fields_update = $this->update_additional_fields_for_object( $item, $request );
|
|
|
|
if ( is_wp_error( $fields_update ) ) {
|
|
return $fields_update;
|
|
}
|
|
|
|
$item = WP_Application_Passwords::get_user_application_password( $user->ID, $item['uuid'] );
|
|
|
|
/** This action is documented in wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php */
|
|
do_action( 'rest_after_insert_application_password', $item, $request, false );
|
|
|
|
$request->set_param( 'context', 'edit' );
|
|
return $this->prepare_item_for_response( $item, $request );
|
|
}
|
|
|
|
/**
|
|
* Checks if a given request has access to delete all application passwords.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
|
|
*/
|
|
public function delete_items_permissions_check( $request ) {
|
|
return $this->do_permissions_check( $request );
|
|
}
|
|
|
|
/**
|
|
* Deletes all application passwords.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
|
|
*/
|
|
public function delete_items( $request ) {
|
|
$user = $this->get_user( $request );
|
|
|
|
if ( is_wp_error( $user ) ) {
|
|
return $user;
|
|
}
|
|
|
|
$deleted = WP_Application_Passwords::delete_all_application_passwords( $user->ID );
|
|
|
|
if ( is_wp_error( $deleted ) ) {
|
|
return $deleted;
|
|
}
|
|
|
|
return new WP_REST_Response(
|
|
array(
|
|
'deleted' => true,
|
|
'count' => $deleted,
|
|
)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Checks if a given request has access to delete a specific application password.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
|
|
*/
|
|
public function delete_item_permissions_check( $request ) {
|
|
return $this->do_permissions_check( $request );
|
|
}
|
|
|
|
/**
|
|
* Deletes one application password.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Full details about the request.
|
|
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
|
|
*/
|
|
public function delete_item( $request ) {
|
|
$user = $this->get_user( $request );
|
|
|
|
if ( is_wp_error( $user ) ) {
|
|
return $user;
|
|
}
|
|
|
|
$password = $this->get_application_password( $request );
|
|
|
|
if ( is_wp_error( $password ) ) {
|
|
return $password;
|
|
}
|
|
|
|
$request->set_param( 'context', 'edit' );
|
|
$previous = $this->prepare_item_for_response( $password, $request );
|
|
$deleted = WP_Application_Passwords::delete_application_password( $user->ID, $password['uuid'] );
|
|
|
|
if ( is_wp_error( $deleted ) ) {
|
|
return $deleted;
|
|
}
|
|
|
|
return new WP_REST_Response(
|
|
array(
|
|
'deleted' => true,
|
|
'previous' => $previous->get_data(),
|
|
)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Performs a permissions check for the request.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request
|
|
* @return true|WP_Error
|
|
*/
|
|
protected function do_permissions_check( $request ) {
|
|
$user = $this->get_user( $request );
|
|
|
|
if ( is_wp_error( $user ) ) {
|
|
return $user;
|
|
}
|
|
|
|
if ( ! current_user_can( 'edit_user', $user->ID ) ) {
|
|
return new WP_Error(
|
|
'rest_cannot_manage_application_passwords',
|
|
__( 'Sorry, you are not allowed to manage application passwords for this user.' ),
|
|
array( 'status' => rest_authorization_required_code() )
|
|
);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Prepares an application password for a create or update operation.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request Request object.
|
|
* @return object|WP_Error The prepared item, or WP_Error object on failure.
|
|
*/
|
|
protected function prepare_item_for_database( $request ) {
|
|
$prepared = (object) array(
|
|
'name' => $request['name'],
|
|
);
|
|
|
|
/**
|
|
* Filters an application password before it is inserted via the REST API.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param stdClass $prepared An object representing a single application password prepared for inserting or updating the database.
|
|
* @param WP_REST_Request $request Request object.
|
|
*/
|
|
return apply_filters( 'rest_pre_insert_application_password', $prepared, $request );
|
|
}
|
|
|
|
/**
|
|
* Prepares the application password for the REST response.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param array $item WordPress representation of the item.
|
|
* @param WP_REST_Request $request Request object.
|
|
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
|
|
*/
|
|
public function prepare_item_for_response( $item, $request ) {
|
|
$user = $this->get_user( $request );
|
|
|
|
if ( is_wp_error( $user ) ) {
|
|
return $user;
|
|
}
|
|
|
|
$prepared = array(
|
|
'uuid' => $item['uuid'],
|
|
'name' => $item['name'],
|
|
'created' => gmdate( 'Y-m-d\TH:i:s', $item['created'] ),
|
|
'last_used' => $item['last_used'] ? gmdate( 'Y-m-d\TH:i:s', $item['last_used'] ) : null,
|
|
'last_ip' => $item['last_ip'] ? $item['last_ip'] : null,
|
|
);
|
|
|
|
if ( isset( $item['new_password'] ) ) {
|
|
$prepared['password'] = $item['new_password'];
|
|
}
|
|
|
|
$prepared = $this->add_additional_fields_to_object( $prepared, $request );
|
|
$prepared = $this->filter_response_by_context( $prepared, $request['context'] );
|
|
|
|
$response = new WP_REST_Response( $prepared );
|
|
$response->add_links( $this->prepare_links( $user, $item ) );
|
|
|
|
/**
|
|
* Filters the REST API response for an application password.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Response $response The response object.
|
|
* @param array $item The application password array.
|
|
* @param WP_REST_Request $request The request object.
|
|
*/
|
|
return apply_filters( 'rest_prepare_application_password', $response, $item, $request );
|
|
}
|
|
|
|
/**
|
|
* Prepares links for the object.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_User $user The requested user.
|
|
* @param array $item The application password.
|
|
* @return array The list of links.
|
|
*/
|
|
protected function prepare_links( WP_User $user, $item ) {
|
|
return array(
|
|
'self' => array(
|
|
'href' => rest_url( sprintf( '%s/users/%d/application-passwords/%s', $this->namespace, $user->ID, $item['uuid'] ) ),
|
|
),
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Gets the requested user.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request The request object.
|
|
* @return WP_User|WP_Error The WordPress user associated with the request, or a WP_Error if none found.
|
|
*/
|
|
protected function get_user( $request ) {
|
|
if ( ! wp_is_application_passwords_available() ) {
|
|
return new WP_Error(
|
|
'application_passwords_disabled',
|
|
__( 'Application passwords are not enabled.' ),
|
|
array( 'status' => 500 )
|
|
);
|
|
}
|
|
|
|
$error = new WP_Error(
|
|
'rest_user_invalid_id',
|
|
__( 'Invalid user ID.' ),
|
|
array( 'status' => 404 )
|
|
);
|
|
|
|
$id = $request['user_id'];
|
|
|
|
if ( 'me' === $id ) {
|
|
if ( ! is_user_logged_in() ) {
|
|
return new WP_Error(
|
|
'rest_not_logged_in',
|
|
__( 'You are not currently logged in.' ),
|
|
array( 'status' => 401 )
|
|
);
|
|
}
|
|
|
|
$user = wp_get_current_user();
|
|
} else {
|
|
$id = (int) $id;
|
|
|
|
if ( $id <= 0 ) {
|
|
return $error;
|
|
}
|
|
|
|
$user = get_userdata( $id );
|
|
}
|
|
|
|
if ( empty( $user ) || ! $user->exists() ) {
|
|
return $error;
|
|
}
|
|
|
|
if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
|
|
return $error;
|
|
}
|
|
|
|
if ( ! wp_is_application_passwords_available_for_user( $user ) ) {
|
|
return new WP_Error(
|
|
'application_passwords_disabled_for_user',
|
|
__( 'Application passwords are not enabled for your account. Please contact the site administrator for assistance.' ),
|
|
array( 'status' => 500 )
|
|
);
|
|
}
|
|
|
|
return $user;
|
|
}
|
|
|
|
/**
|
|
* Gets the requested application password.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @param WP_REST_Request $request The request object.
|
|
* @return array|WP_Error The application password details if found, a WP_Error otherwise.
|
|
*/
|
|
protected function get_application_password( $request ) {
|
|
$user = $this->get_user( $request );
|
|
|
|
if ( is_wp_error( $user ) ) {
|
|
return $user;
|
|
}
|
|
|
|
$password = WP_Application_Passwords::get_user_application_password( $user->ID, $request['uuid'] );
|
|
|
|
if ( ! $password ) {
|
|
return new WP_Error(
|
|
'rest_application_password_not_found',
|
|
__( 'Application password not found.' ),
|
|
array( 'status' => 404 )
|
|
);
|
|
}
|
|
|
|
return $password;
|
|
}
|
|
|
|
/**
|
|
* Retrieves the query params for the collections.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @return array Query parameters for the collection.
|
|
*/
|
|
public function get_collection_params() {
|
|
return array(
|
|
'context' => $this->get_context_param( array( 'default' => 'view' ) ),
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Retrieves the application password's schema, conforming to JSON Schema.
|
|
*
|
|
* @since 5.6.0
|
|
*
|
|
* @return array Item schema data.
|
|
*/
|
|
public function get_item_schema() {
|
|
if ( $this->schema ) {
|
|
return $this->add_additional_fields_schema( $this->schema );
|
|
}
|
|
|
|
$this->schema = array(
|
|
'$schema' => 'http://json-schema.org/draft-04/schema#',
|
|
'title' => 'application-password',
|
|
'type' => 'object',
|
|
'properties' => array(
|
|
'uuid' => array(
|
|
'description' => __( 'The unique identifier for the application password.' ),
|
|
'type' => 'string',
|
|
'format' => 'uuid',
|
|
'context' => array( 'view', 'edit', 'embed' ),
|
|
'readonly' => true,
|
|
),
|
|
'name' => array(
|
|
'description' => __( 'The name of the application password.' ),
|
|
'type' => 'string',
|
|
'required' => true,
|
|
'context' => array( 'view', 'edit', 'embed' ),
|
|
),
|
|
'password' => array(
|
|
'description' => __( 'The generated password. Only available after adding an application.' ),
|
|
'type' => 'string',
|
|
'context' => array( 'edit' ),
|
|
'readonly' => true,
|
|
),
|
|
'created' => array(
|
|
'description' => __( 'The GMT date the application password was created.' ),
|
|
'type' => 'string',
|
|
'format' => 'date-time',
|
|
'context' => array( 'view', 'edit' ),
|
|
'readonly' => true,
|
|
),
|
|
'last_used' => array(
|
|
'description' => __( 'The GMT date the application password was last used.' ),
|
|
'type' => array( 'string', 'null' ),
|
|
'format' => 'date-time',
|
|
'context' => array( 'view', 'edit' ),
|
|
'readonly' => true,
|
|
),
|
|
'last_ip' => array(
|
|
'description' => __( 'The IP address the application password was last used by.' ),
|
|
'type' => array( 'string', 'null' ),
|
|
'format' => 'ip',
|
|
'context' => array( 'view', 'edit' ),
|
|
'readonly' => true,
|
|
),
|
|
),
|
|
);
|
|
|
|
return $this->add_additional_fields_schema( $this->schema );
|
|
}
|
|
}
|