wordpress-activitypub/includes/rest/class-server.php

<?php
namespace Activitypub\Rest;

use stdClass;
use WP_REST_Response;
use Activitypub\Signature;
use Activitypub\Model\Application_User;

/**
 * ActivityPub Server REST-Class
 *
 * @author Django Doucet
 *
 * @see https://www.w3.org/TR/activitypub/#security-verification
 */
class Server {
	/**
	 * Initialize the class, registering WordPress hooks
	 */
	public static function init() {
		\add_action( 'rest_api_init', array( self::class, 'register_routes' ) );
		\add_filter( 'rest_request_before_callbacks', array( self::class, 'authorize_activitypub_requests' ), 10, 3 );
	}

	/**
	 * Register routes
	 */
	public static function register_routes() {
		\register_rest_route(
			ACTIVITYPUB_REST_NAMESPACE,
			'/application',
			array(
				array(
					'methods'             => \WP_REST_Server::READABLE,
					'callback'            => array( self::class, 'application_actor' ),
					'permission_callback' => '__return_true',
				),
			)
		);
	}

	/**
	 * Render Application actor profile
	 *
	 * @return WP_REST_Response The JSON profile of the Application Actor.
	 */
	public static function application_actor() {
		$user = new Application_User();
		$json = $user->to_array();

		$response = new WP_REST_Response( $json, 200 );

		$response->header( 'Content-Type', 'application/activity+json' );

		return $response;
	}

	/**
	 * Callback function to authorize each api requests
	 *
	 * @see WP_REST_Request
	 *
	 * @param WP_REST_Response|WP_HTTP_Response|WP_Error|mixed $response Result to send to the client.
	 *                                                                   Usually a WP_REST_Response or WP_Error.
	 * @param array                                            $handler  Route handler used for the request.
	 * @param WP_REST_Request                                  $request  Request used to generate the response.
	 *
	 * @return mixed|WP_Error The response, error, or modified response.
	 */
	public static function authorize_activitypub_requests( $response, $handler, $request ) {
		$route = $request->get_route();

		// check if it is an activitypub request and exclude webfinger and nodeinfo endpoints
		if (
			! str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) ||
			str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'webfinger' ) ||
			str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'nodeinfo' )
		) {
			return $response;
		}

		// POST-Requets are always signed
		if ( 'POST' === $request->get_method() ) {
			$verified_request = Signature::verify_http_signature( $request );
			if ( \is_wp_error( $verified_request ) ) {
				return $verified_request;
			}
		} elseif ( 'GET' === $request->get_method() ) { // GET-Requests are only signed in secure mode
			if ( ACTIVITYPUB_SECURE_MODE ) {
				$verified_request = Signature::verify_http_signature( $request );
				if ( \is_wp_error( $verified_request ) ) {
					return $verified_request;
				}
			}
		}

		return $response;
	}
}
Optimize verification code and returns WP_Errors 2023-04-21 23:25:39 +02:00			`<?php`
			`namespace Activitypub\Rest;`

some small improvements 2023-05-22 11:31:46 +02:00			`use stdClass;`
Add Service actor for signing get requests 2023-05-05 20:02:12 +02:00			`use WP_REST_Response;`
Optimize verification code and returns WP_Errors 2023-04-21 23:25:39 +02:00			`use Activitypub\Signature;`
updated signature feature to new structure 2023-06-01 11:45:07 +02:00			`use Activitypub\Model\Application_User;`
Optimize verification code and returns WP_Errors 2023-04-21 23:25:39 +02:00
			`/**`
			`* ActivityPub Server REST-Class`
			`*`
			`* @author Django Doucet`
			`*`
			`* @see https://www.w3.org/TR/activitypub/#security-verification`
			`*/`
			`class Server {`
			`/**`
			`* Initialize the class, registering WordPress hooks`
			`*/`
			`public static function init() {`
Add Service actor for signing get requests 2023-05-05 20:02:12 +02:00			`\add_action( 'rest_api_init', array( self::class, 'register_routes' ) );`
update rest paths to namespace 2023-05-18 08:03:11 +02:00			`\add_filter( 'rest_request_before_callbacks', array( self::class, 'authorize_activitypub_requests' ), 10, 3 );`
Add Service actor for signing get requests 2023-05-05 20:02:12 +02:00			`}`

			`/**`
			`* Register routes`
			`*/`
			`public static function register_routes() {`
			`\register_rest_route(`
update rest paths to namespace 2023-05-18 08:03:11 +02:00			`ACTIVITYPUB_REST_NAMESPACE,`
service actor as application actor 2023-05-05 20:09:12 +02:00			`'/application',`
Add Service actor for signing get requests 2023-05-05 20:02:12 +02:00			`array(`
			`array(`
			`'methods' => \WP_REST_Server::READABLE,`
service actor as application actor 2023-05-05 20:09:12 +02:00			`'callback' => array( self::class, 'application_actor' ),`
Add Service actor for signing get requests 2023-05-05 20:02:12 +02:00			`'permission_callback' => '__return_true',`
			`),`
			`)`
			`);`
			`}`

			`/**`
service actor as application actor 2023-05-05 20:09:12 +02:00			`* Render Application actor profile`
Add Service actor for signing get requests 2023-05-05 20:02:12 +02:00			`*`
phpdoc 2023-05-12 10:17:36 +02:00			`* @return WP_REST_Response The JSON profile of the Application Actor.`
Add Service actor for signing get requests 2023-05-05 20:02:12 +02:00			`*/`
service actor as application actor 2023-05-05 20:09:12 +02:00			`public static function application_actor() {`
updated signature feature to new structure 2023-06-01 11:45:07 +02:00			`$user = new Application_User();`
			`$json = $user->to_array();`
Add Service actor for signing get requests 2023-05-05 20:02:12 +02:00
			`$response = new WP_REST_Response( $json, 200 );`

			`$response->header( 'Content-Type', 'application/activity+json' );`

			`return $response;`
Optimize verification code and returns WP_Errors 2023-04-21 23:25:39 +02:00			`}`

			`/**`
			`* Callback function to authorize each api requests`
			`*`
some small improvements 2023-05-22 11:31:46 +02:00			`* @see WP_REST_Request`
Optimize verification code and returns WP_Errors 2023-04-21 23:25:39 +02:00			`*`
phpdoc 2023-05-12 10:17:36 +02:00			`* @param WP_REST_Response\|WP_HTTP_Response\|WP_Error\|mixed $response Result to send to the client.`
			`* Usually a WP_REST_Response or WP_Error.`
			`* @param array $handler Route handler used for the request.`
			`* @param WP_REST_Request $request Request used to generate the response.`
Optimize verification code and returns WP_Errors 2023-04-21 23:25:39 +02:00			`*`
phpdoc 2023-05-12 10:17:36 +02:00			`* @return mixed\|WP_Error The response, error, or modified response.`
Optimize verification code and returns WP_Errors 2023-04-21 23:25:39 +02:00			`*/`
			`public static function authorize_activitypub_requests( $response, $handler, $request ) {`
make webfinger route available unsigned 2023-05-06 07:44:15 +02:00			`$route = $request->get_route();`
some small improvements 2023-05-22 11:31:46 +02:00
code doc 2023-05-22 13:35:46 +02:00			`// check if it is an activitypub request and exclude webfinger and nodeinfo endpoints`
fix routing checks 2023-05-22 13:34:14 +02:00			`if (`
			`! str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) \|\|`
			`str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'webfinger' ) \|\|`
			`str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'nodeinfo' )`
			`) {`
some small improvements 2023-05-22 11:31:46 +02:00			`return $response;`
			`}`

code doc 2023-05-22 13:35:46 +02:00			`// POST-Requets are always signed`
fail early and always return $response as fallback 2023-05-09 11:57:43 +02:00			`if ( 'POST' === $request->get_method() ) {`
			`$verified_request = Signature::verify_http_signature( $request );`
			`if ( \is_wp_error( $verified_request ) ) {`
			`return $verified_request;`
			`}`
code doc 2023-05-22 13:35:46 +02:00			`} elseif ( 'GET' === $request->get_method() ) { // GET-Requests are only signed in secure mode`
some small improvements 2023-05-22 11:31:46 +02:00			`if ( ACTIVITYPUB_SECURE_MODE ) {`
			`$verified_request = Signature::verify_http_signature( $request );`
			`if ( \is_wp_error( $verified_request ) ) {`
			`return $verified_request;`
Add secure mode to REST get requests 2023-05-05 22:39:33 +02:00			`}`
Optimize verification code and returns WP_Errors 2023-04-21 23:25:39 +02:00			`}`
			`}`
fail early and always return $response as fallback 2023-05-09 11:57:43 +02:00
			`return $response;`
Optimize verification code and returns WP_Errors 2023-04-21 23:25:39 +02:00			`}`
			`}`