diff --git a/includes/rest/class-server.php b/includes/rest/class-server.php
index 7e52772..351284d 100644
--- a/includes/rest/class-server.php
+++ b/includes/rest/class-server.php
@@ -88,6 +88,7 @@ class Server {
 public static function authorize_activitypub_requests( $response, $handler, $request ) {
 $route = $request->get_route();
 
+ // check if it is an activitypub request and exclude webfinger and nodeinfo endpoints
 if (
 ! str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) ||
 str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'webfinger' ) ||
@@ -96,12 +97,13 @@ class Server {
 return $response;
 }
 
+ // POST-Requets are always signed
 if ( 'POST' === $request->get_method() ) {
 $verified_request = Signature::verify_http_signature( $request );
 if ( \is_wp_error( $verified_request ) ) {
 return $verified_request;
 }
- } elseif ( 'GET' === $request->get_method() ) {
+ } elseif ( 'GET' === $request->get_method() ) { // GET-Requests are only signed in secure mode
 if ( ACTIVITYPUB_SECURE_MODE ) {
 $verified_request = Signature::verify_http_signature( $request );
 if ( \is_wp_error( $verified_request ) ) {
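Review bot: The comment added above the `if (` in the first hunk says the webfinger and nodeinfo endpoints are excluded, but the visible test is a prefix match (`str_starts_with( $route, ... . 'webfinger' )`), so every route under the namespace whose path merely begins with `webfinger` is exempt from signature verification, not just that endpoint. Since this exemption is the trust boundary for the whole filter, the comment should say so, for example `// Skip non-ActivityPub routes; webfinger and nodeinfo are exempted by route prefix, so no signed-only route may share those prefixes.` The condition continues past the end of the hunk (the nodeinfo test is not shown), so this is based on the webfinger line only.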
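Review bot: The new comment `// POST-Requets are always signed` in the second hunk misspells "Requests" and states more than the visible branch enforces. The `if`/`elseif` chain verifies a signature for `POST`, and for `GET` only in secure mode, so any other method (for example `HEAD`, which WordPress can route to a `GET` handler, or `PUT`/`DELETE`) appears to reach the callback unverified. The function body runs past the end of the hunk, so a later branch may cover this; if none does, a single test such as `if ( 'GET' !== $request->get_method() || ACTIVITYPUB_SECURE_MODE ) {` would verify everything except a plain GET outside secure mode. The trailing comment on the `elseif` line would also read better on its own line above `if ( ACTIVITYPUB_SECURE_MODE )`, the condition it describes.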