updated plugin ActivityPub version 8.3.0
This commit is contained in:
Gitium
@ -0,0 +1,186 @@
|
||||
<?php
|
||||
/**
|
||||
* OAuth 2.0 Client Registration and Metadata REST Controller.
|
||||
*
|
||||
* @package Activitypub
|
||||
*/
|
||||
|
||||
namespace Activitypub\Rest\OAuth;
|
||||
|
||||
use Activitypub\OAuth\Client;
|
||||
use Activitypub\OAuth\Scope;
|
||||
use Activitypub\OAuth\Server as OAuth_Server;
|
||||
|
||||
use function Activitypub\get_client_ip;
|
||||
|
||||
/**
|
||||
* Clients_Controller class for handling OAuth 2.0 client and metadata endpoints.
|
||||
*
|
||||
* Implements:
|
||||
* - Dynamic client registration (POST /oauth/clients)
|
||||
* - Authorization Server Metadata (GET /oauth/authorization-server-metadata)
|
||||
*
|
||||
* @since 8.1.0
|
||||
*/
|
||||
class Clients_Controller extends \WP_REST_Controller {
|
||||
/**
|
||||
* The namespace of this controller's route.
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
protected $namespace = ACTIVITYPUB_REST_NAMESPACE;
|
||||
|
||||
/**
|
||||
* The base of this controller's route.
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
protected $rest_base = 'oauth';
|
||||
|
||||
/**
|
||||
* Register routes.
|
||||
*/
|
||||
public function register_routes() {
|
||||
// Dynamic client registration (RFC 7591).
|
||||
\register_rest_route(
|
||||
$this->namespace,
|
||||
'/' . $this->rest_base . '/clients',
|
||||
array(
|
||||
array(
|
||||
'methods' => \WP_REST_Server::CREATABLE,
|
||||
'callback' => array( $this, 'register_client' ),
|
||||
'permission_callback' => '__return_true',
|
||||
'args' => array(
|
||||
'client_name' => array(
|
||||
'description' => 'Human-readable name of the client.',
|
||||
'type' => 'string',
|
||||
'required' => true,
|
||||
),
|
||||
'redirect_uris' => array(
|
||||
'description' => 'Array of redirect URIs. Supports custom URI schemes for native apps.',
|
||||
'type' => 'array',
|
||||
'items' => array(
|
||||
'type' => 'string',
|
||||
),
|
||||
'required' => true,
|
||||
),
|
||||
'client_uri' => array(
|
||||
'description' => 'URL of the client homepage.',
|
||||
'type' => 'string',
|
||||
'format' => 'uri',
|
||||
),
|
||||
'scope' => array(
|
||||
'description' => 'Space-separated list of requested scopes.',
|
||||
'type' => 'string',
|
||||
),
|
||||
),
|
||||
),
|
||||
)
|
||||
);
|
||||
|
||||
// Authorization Server Metadata (RFC 8414).
|
||||
\register_rest_route(
|
||||
$this->namespace,
|
||||
'/' . $this->rest_base . '/authorization-server-metadata',
|
||||
array(
|
||||
array(
|
||||
'methods' => \WP_REST_Server::READABLE,
|
||||
'callback' => array( $this, 'get_metadata' ),
|
||||
'permission_callback' => '__return_true',
|
||||
),
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle dynamic client registration (POST /oauth/clients).
|
||||
*
|
||||
* @param \WP_REST_Request $request The request object.
|
||||
* @return \WP_REST_Response|\WP_Error
|
||||
*/
|
||||
public function register_client( \WP_REST_Request $request ) {
|
||||
/**
|
||||
* Filters whether RFC 7591 dynamic client registration is allowed.
|
||||
*
|
||||
* Enabled by default so C2S clients can register on the fly.
|
||||
* Return false to restrict registration to pre-configured clients only.
|
||||
*
|
||||
* @param bool $allowed Whether dynamic registration is allowed. Default true.
|
||||
*/
|
||||
if ( ! \apply_filters( 'activitypub_allow_dynamic_client_registration', true ) ) {
|
||||
return new \WP_Error(
|
||||
'activitypub_registration_disabled',
|
||||
\__( 'Dynamic client registration is not allowed.', 'activitypub' ),
|
||||
array( 'status' => 403 )
|
||||
);
|
||||
}
|
||||
|
||||
// Rate-limit registrations to prevent DB spam (max 10 per minute per IP).
|
||||
$ip = get_client_ip();
|
||||
if ( '' === $ip ) {
|
||||
return new \WP_Error(
|
||||
'activitypub_rate_limited',
|
||||
\__( 'Too many client registration requests. Please try again later.', 'activitypub' ),
|
||||
array( 'status' => 429 )
|
||||
);
|
||||
}
|
||||
$transient_key = 'ap_oauth_reg_' . \md5( $ip );
|
||||
$count = (int) \get_transient( $transient_key );
|
||||
|
||||
if ( $count >= 10 ) {
|
||||
return new \WP_Error(
|
||||
'activitypub_rate_limited',
|
||||
\__( 'Too many client registration requests. Please try again later.', 'activitypub' ),
|
||||
array( 'status' => 429 )
|
||||
);
|
||||
}
|
||||
|
||||
\set_transient( $transient_key, $count + 1, MINUTE_IN_SECONDS );
|
||||
|
||||
$client_name = $request->get_param( 'client_name' );
|
||||
$redirect_uris = $request->get_param( 'redirect_uris' );
|
||||
$client_uri = $request->get_param( 'client_uri' );
|
||||
$scope = $request->get_param( 'scope' );
|
||||
|
||||
$result = Client::register(
|
||||
array(
|
||||
'name' => $client_name,
|
||||
'redirect_uris' => $redirect_uris,
|
||||
'description' => $client_uri ?? '',
|
||||
'is_public' => true, // Dynamic clients are always public.
|
||||
'scopes' => $scope ? Scope::parse( $scope ) : Scope::ALL,
|
||||
)
|
||||
);
|
||||
|
||||
if ( \is_wp_error( $result ) ) {
|
||||
return $result;
|
||||
}
|
||||
|
||||
// RFC 7591 response format.
|
||||
$response = array(
|
||||
'client_id' => $result['client_id'],
|
||||
'client_name' => $client_name,
|
||||
'redirect_uris' => $redirect_uris,
|
||||
'token_endpoint_auth_method' => 'none',
|
||||
);
|
||||
|
||||
if ( isset( $result['client_secret'] ) ) {
|
||||
$response['client_secret'] = $result['client_secret'];
|
||||
}
|
||||
|
||||
return new \WP_REST_Response( $response, 201 );
|
||||
}
|
||||
|
||||
/**
|
||||
* Get OAuth server metadata.
|
||||
*
|
||||
* @return \WP_REST_Response
|
||||
*/
|
||||
public function get_metadata() {
|
||||
return new \WP_REST_Response(
|
||||
OAuth_Server::get_metadata(),
|
||||
200,
|
||||
array( 'Content-Type' => 'application/json' )
|
||||
);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user