wordpress-activitypub/includes/rest/class-server.php

146 lines
4.4 KiB
PHP
Raw Normal View History

<?php
namespace Activitypub\Rest;
2023-05-22 11:31:46 +02:00
use stdClass;
2023-10-24 14:54:03 +02:00
use WP_Error;
use WP_REST_Response;
use Activitypub\Signature;
use Activitypub\Model\Application_User;
/**
* ActivityPub Server REST-Class
*
* @author Django Doucet
*
* @see https://www.w3.org/TR/activitypub/#security-verification
*/
class Server {
/**
* Initialize the class, registering WordPress hooks
*/
public static function init() {
self::register_routes();
2023-05-18 08:03:11 +02:00
\add_filter( 'rest_request_before_callbacks', array( self::class, 'authorize_activitypub_requests' ), 10, 3 );
}
/**
* Register routes
*/
public static function register_routes() {
\register_rest_route(
2023-05-18 08:03:11 +02:00
ACTIVITYPUB_REST_NAMESPACE,
2023-05-05 20:09:12 +02:00
'/application',
array(
array(
'methods' => \WP_REST_Server::READABLE,
2023-05-05 20:09:12 +02:00
'callback' => array( self::class, 'application_actor' ),
'permission_callback' => '__return_true',
),
)
);
}
/**
2023-05-05 20:09:12 +02:00
* Render Application actor profile
*
2023-05-12 10:17:36 +02:00
* @return WP_REST_Response The JSON profile of the Application Actor.
*/
2023-05-05 20:09:12 +02:00
public static function application_actor() {
$user = new Application_User();
$user->set_context(
\Activitypub\Activity\Activity::CONTEXT
);
$json = $user->to_array();
$rest_response = new WP_REST_Response( $json, 200 );
$rest_response->header( 'Content-Type', 'application/activity+json; charset=' . get_option( 'blog_charset' ) );
return $rest_response;
}
/**
* Callback function to authorize each api requests
*
2023-05-22 11:31:46 +02:00
* @see WP_REST_Request
*
2023-05-12 10:17:36 +02:00
* @param WP_REST_Response|WP_HTTP_Response|WP_Error|mixed $response Result to send to the client.
* Usually a WP_REST_Response or WP_Error.
* @param array $handler Route handler used for the request.
* @param WP_REST_Request $request Request used to generate the response.
*
2023-05-12 10:17:36 +02:00
* @return mixed|WP_Error The response, error, or modified response.
*/
public static function authorize_activitypub_requests( $response, $handler, $request ) {
if ( 'HEAD' === $request->get_method() ) {
return $response;
}
$route = $request->get_route();
2023-05-22 11:31:46 +02:00
2023-05-22 13:35:46 +02:00
// check if it is an activitypub request and exclude webfinger and nodeinfo endpoints
2023-05-22 13:34:14 +02:00
if (
! \str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) ||
\str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'webfinger' ) ||
\str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'nodeinfo' )
2023-05-22 13:34:14 +02:00
) {
2023-05-22 11:31:46 +02:00
return $response;
}
/**
* Filter to defer signature verification
*
* Skip signature verification for debugging purposes or to reduce load for
* certain Activity-Types, like "Delete".
*
* @param bool $defer Whether to defer signature verification.
* @param WP_REST_Request $request The request used to generate the response.
*
* @return bool Whether to defer signature verification.
*/
$defer = \apply_filters( 'activitypub_defer_signature_verification', false, $request );
if ( $defer ) {
return $response;
}
2023-05-22 13:35:46 +02:00
// POST-Requets are always signed
2023-10-23 08:28:25 +02:00
if ( 'GET' !== $request->get_method() ) {
2023-11-13 17:52:59 +01:00
if ( Application::is_actor_delete_request( $request ) ) {
if ( ! Application::is_known_actor( $request ) ) {
return $response;
}
}
$verified_request = Signature::verify_http_signature( $request );
if ( \is_wp_error( $verified_request ) ) {
2023-11-13 18:29:53 +01:00
$error_code = $verified_request->get_error_code();
if ( Application::is_actor_delete_request( $request ) && '404' === $error_code ) {
$actor = Application::is_known_actor( $request );
if ( wp_http_validate_url( $actor ) ) {
\wp_schedule_single_event(
\time(),
'activitypub_delete_remote_actor_comments',
array( $actor )
);
return $response;
}
}
2023-10-24 14:54:03 +02:00
return new WP_Error( 'activitypub_signature_verification', $verified_request->get_error_message(), array( 'status' => 401 ) );
}
2023-10-23 08:28:25 +02:00
} elseif ( 'GET' === $request->get_method() ) { // GET-Requests are only signed in secure mode
if ( ACTIVITYPUB_AUTHORIZED_FETCH ) {
2023-05-22 11:31:46 +02:00
$verified_request = Signature::verify_http_signature( $request );
if ( \is_wp_error( $verified_request ) ) {
2023-10-24 14:54:03 +02:00
return new WP_Error( 'activitypub_signature_verification', $verified_request->get_error_message(), array( 'status' => 401 ) );
2023-05-05 22:39:33 +02:00
}
}
}
return $response;
}
}