updated plugin ActivityPub version 8.3.0

wp-content/plugins/activitypub/includes/rest/class-server.php

@@ -7,13 +7,6 @@
 
 namespace Activitypub\Rest;
 
-use WP_Error;
-use WP_REST_Server;
-use WP_REST_Response;
-use Activitypub\Signature;
-
-use function Activitypub\use_authorized_fetch;
-
 /**
  * ActivityPub Server REST-Class.
  *
@@ -26,83 +19,23 @@ class Server {
 	 * Initialize the class, registering WordPress hooks.
 	 */
 	public static function init() {
-		self::add_hooks();
-	}
-
-	/**
-	 * Add sever hooks.
-	 */
-	public static function add_hooks() {
 		\add_filter( 'rest_request_before_callbacks', array( self::class, 'validate_requests' ), 9, 3 );
 		\add_filter( 'rest_request_parameter_order', array( self::class, 'request_parameter_order' ), 10, 2 );
-	}
 
-	/**
-	 * Callback function to authorize an api request.
-	 *
-	 * The function is meant to be used as part of permission callbacks for rest api endpoints.
-	 *
-	 * It verifies the signature of POST, PUT, PATCH, and DELETE requests, as well as GET requests in secure mode.
-	 * You can use the filter 'activitypub_defer_signature_verification' to defer the signature verification.
-	 * HEAD requests are always bypassed.
-	 *
-	 * @see https://www.w3.org/wiki/SocialCG/ActivityPub/Primer/Authentication_Authorization#Authorized_fetch
-	 * @see https://swicg.github.io/activitypub-http-signature/#authorized-fetch
-	 *
-	 * @param \WP_REST_Request $request The request object.
-	 *
-	 * @return bool|\WP_Error True if the request is authorized, WP_Error if not.
-	 */
-	public static function verify_signature( $request ) {
-		if ( 'HEAD' === $request->get_method() ) {
-			return true;
-		}
-
-		/**
-		 * Filter to defer signature verification.
-		 *
-		 * Skip signature verification for debugging purposes or to reduce load for
-		 * certain Activity-Types, like "Delete".
-		 *
-		 * @param bool             $defer   Whether to defer signature verification.
-		 * @param \WP_REST_Request $request The request used to generate the response.
-		 *
-		 * @return bool Whether to defer signature verification.
-		 */
-		$defer = \apply_filters( 'activitypub_defer_signature_verification', false, $request );
-
-		if ( $defer ) {
-			return true;
-		}
-
-		if (
-			// POST-Requests always have to be signed.
-			'GET' !== $request->get_method() ||
-			// GET-Requests only require a signature in secure mode.
-			( 'GET' === $request->get_method() && use_authorized_fetch() )
-		) {
-			$verified_request = Signature::verify_http_signature( $request );
-			if ( \is_wp_error( $verified_request ) ) {
-				return new WP_Error(
-					'activitypub_signature_verification',
-					$verified_request->get_error_message(),
-					array( 'status' => 401 )
-				);
-			}
-		}
-
-		return true;
+		\add_filter( 'rest_post_dispatch', array( self::class, 'filter_output' ), 10, 3 );
+		\add_filter( 'rest_post_dispatch', array( self::class, 'add_cors_headers' ), 10, 3 );
+		\add_filter( 'rest_allowed_cors_headers', array( self::class, 'allow_cors_headers' ), 10, 2 );
 	}
 
 	/**
 	 * Callback function to validate incoming ActivityPub requests
 	 *
-	 * @param WP_REST_Response|\WP_HTTP_Response|WP_Error|mixed $response Result to send to the client.
-	 *                                                                    Usually a WP_REST_Response or WP_Error.
-	 * @param array                                             $handler  Route handler used for the request.
-	 * @param \WP_REST_Request                                  $request  Request used to generate the response.
+	 * @param \WP_REST_Response|\WP_HTTP_Response|\WP_Error|mixed $response Result to send to the client.
+	 *                                                                      Usually a WP_REST_Response or WP_Error.
+	 * @param array                                               $handler  Route handler used for the request.
+	 * @param \WP_REST_Request                                    $request  Request used to generate the response.
 	 *
-	 * @return mixed|WP_Error The response, error, or modified response.
+	 * @return mixed|\WP_Error The response, error, or modified response.
 	 */
 	public static function validate_requests( $response, $handler, $request ) {
 		if ( 'HEAD' === $request->get_method() ) {
@@ -129,7 +62,7 @@ class Server {
 			ACTIVITYPUB_DISABLE_INCOMING_INTERACTIONS &&
 			in_array( $params['type'], array( 'Create', 'Like', 'Announce' ), true )
 		) {
-			return new WP_Error(
+			return new \WP_Error(
 				'activitypub_server_does_not_accept_incoming_interactions',
 				\__( 'This server does not accept incoming interactions.', 'activitypub' ),
 				// We have to use a 2XX status code here, because otherwise the response will be
@@ -159,7 +92,7 @@ class Server {
 
 		$method = $request->get_method();
 
-		if ( WP_REST_Server::CREATABLE !== $method ) {
+		if ( \WP_REST_Server::CREATABLE !== $method ) {
 			return $order;
 		}
 
@@ -170,4 +103,136 @@ class Server {
 			'defaults',
 		);
 	}
+
+	/**
+	 * Filters the REST API response to properly handle the ActivityPub error formatting.
+	 *
+	 * @see https://codeberg.org/fediverse/fep/src/branch/main/fep/c180/fep-c180.md
+	 *
+	 * @param \WP_HTTP_Response $response Result to send to the client. Usually a `WP_REST_Response`.
+	 * @param \WP_REST_Server   $server   Server instance.
+	 * @param \WP_REST_Request  $request  Request used to generate the response.
+	 *
+	 * @return \WP_HTTP_Response The filtered response.
+	 */
+	public static function filter_output( $response, $server, $request ) {
+		$route = $request->get_route();
+
+		// Check if it is an activitypub request and exclude webfinger and nodeinfo endpoints.
+		if ( ! \str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) ) {
+			return $response;
+		}
+
+		// Exclude OAuth endpoints - they have their own error format per RFC 6749.
+		if ( \str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE . '/oauth' ) ) {
+			return $response;
+		}
+
+		// Only alter responses that return an error status code.
+		if ( $response->get_status() < 400 ) {
+			return $response;
+		}
+
+		$data = $response->get_data();
+
+		// Ensure that `$data` was already converted to a response.
+		if ( \is_wp_error( $data ) ) {
+			$response = \rest_convert_error_to_response( $data );
+			$data     = $response->get_data();
+		}
+
+		$error = array(
+			'type'     => 'about:blank',
+			'title'    => $data['code'] ?? '',
+			'detail'   => $data['message'] ?? '',
+			'status'   => $response->get_status(),
+
+			/*
+			 * Provides the unstructured error data.
+			 *
+			 * @see https://nodeinfo.diaspora.software/schema.html#metadata.
+			 */
+			'metadata' => $data,
+		);
+
+		$response->set_data( $error );
+
+		return $response;
+	}
+
+	/**
+	 * Add CORS headers to ActivityPub REST responses.
+	 *
+	 * @param \WP_REST_Response $response The REST response.
+	 * @param \WP_REST_Server   $server   The REST server instance.
+	 * @param \WP_REST_Request  $request  The request object.
+	 *
+	 * @return \WP_REST_Response The modified response.
+	 */
+	public static function add_cors_headers( $response, $server, $request ) {
+		$route     = $request->get_route();
+		$namespace = '/' . ACTIVITYPUB_REST_NAMESPACE;
+
+		// Only add CORS to ActivityPub endpoints, except the interactive OAuth authorize endpoint.
+		if ( ! \str_starts_with( $route, $namespace ) || \str_starts_with( $route, $namespace . '/oauth/authorize' ) ) {
+			return $response;
+		}
+
+		/*
+		 * ActivityPub data is meant to be publicly readable by federation peers
+		 * and browser-side clients. We do not enable credentialed cross-origin
+		 * access: cookie auth would still be rejected by WordPress core's
+		 * REST nonce check, and OAuth Bearer tokens travel in the
+		 * Authorization header — which is permitted via Allow-Headers and
+		 * does not require Allow-Credentials.
+		 *
+		 * Allow-Headers is contributed by core (which already lists `X-WP-Nonce`,
+		 * `Authorization`, `Content-Type`, `Content-Disposition`, and `Content-MD5`)
+		 * and extended for ActivityPub via the `rest_allowed_cors_headers` filter
+		 * in self::allow_cors_headers().
+		 */
+		$response->header( 'Access-Control-Allow-Origin', '*' );
+		$response->header( 'Access-Control-Allow-Methods', 'GET, POST, OPTIONS' );
+
+		return $response;
+	}
+
+	/**
+	 * Extend the CORS Allow-Headers list for ActivityPub REST endpoints.
+	 *
+	 * Adds the headers ActivityPub clients need on top of WordPress core's
+	 * defaults: `Accept` for content negotiation and `Last-Event-ID` for
+	 * Server-Sent Events resume.
+	 *
+	 * @since 8.3.0
+	 *
+	 * @param string[]         $allow_headers Headers core currently permits in CORS requests.
+	 * @param \WP_REST_Request $request       The current REST request.
+	 *
+	 * @return string[] The (possibly extended) list of allowed headers.
+	 */
+	public static function allow_cors_headers( $allow_headers, $request ) {
+		$route     = $request->get_route();
+		$namespace = '/' . ACTIVITYPUB_REST_NAMESPACE;
+
+		if ( ! \str_starts_with( $route, $namespace ) || \str_starts_with( $route, $namespace . '/oauth/authorize' ) ) {
+			return $allow_headers;
+		}
+
+		return \array_values( \array_unique( \array_merge( (array) $allow_headers, array( 'Accept', 'Last-Event-ID' ) ) ) );
+	}
+
+	/**
+	 * Send CORS headers directly via header().
+	 *
+	 * Use this for endpoints that bypass the REST response flow
+	 * (e.g. SSE streams that call exit() instead of returning a WP_REST_Response).
+	 *
+	 * @since 8.1.0
+	 */
+	public static function send_cors_headers() {
+		\header( 'Access-Control-Allow-Origin: *' );
+		\header( 'Access-Control-Allow-Methods: GET, POST, OPTIONS' );
+		\header( 'Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type, Accept, Last-Event-ID' );
+	}
 }