updated plugin ActivityPub version 5.8.0

wp-content/plugins/activitypub/includes/rest/class-server.php

@@ -8,9 +8,11 @@
 namespace Activitypub\Rest;
 
 use WP_Error;
+use WP_REST_Server;
 use WP_REST_Response;
 use Activitypub\Signature;
-use Activitypub\Model\Application;
+
+use function Activitypub\use_authorized_fetch;
 
 /**
  * ActivityPub Server REST-Class.
@@ -24,79 +26,36 @@ class Server {
 	 * Initialize the class, registering WordPress hooks.
 	 */
 	public static function init() {
-		self::register_routes();
-
-		\add_filter( 'rest_request_before_callbacks', array( self::class, 'validate_activitypub_requests' ), 9, 3 );
-		\add_filter( 'rest_request_before_callbacks', array( self::class, 'authorize_activitypub_requests' ), 10, 3 );
+		self::add_hooks();
 	}
 
 	/**
-	 * Register routes
+	 * Add sever hooks.
 	 */
-	public static function register_routes() {
-		\register_rest_route(
-			ACTIVITYPUB_REST_NAMESPACE,
-			'/application',
-			array(
-				array(
-					'methods'             => \WP_REST_Server::READABLE,
-					'callback'            => array( self::class, 'application_actor' ),
-					'permission_callback' => '__return_true',
-				),
-			)
-		);
+	public static function add_hooks() {
+		\add_filter( 'rest_request_before_callbacks', array( self::class, 'validate_requests' ), 9, 3 );
+		\add_filter( 'rest_request_parameter_order', array( self::class, 'request_parameter_order' ), 10, 2 );
 	}
 
 	/**
-	 * Render Application actor profile
+	 * Callback function to authorize an api request.
 	 *
-	 * @return WP_REST_Response The JSON profile of the Application Actor.
-	 */
-	public static function application_actor() {
-		$user = new Application();
-
-		$json = $user->to_array();
-
-		$rest_response = new WP_REST_Response( $json, 200 );
-		$rest_response->header( 'Content-Type', 'application/activity+json; charset=' . get_option( 'blog_charset' ) );
-
-		return $rest_response;
-	}
-
-	/**
-	 * Callback function to authorize each api requests
+	 * The function is meant to be used as part of permission callbacks for rest api endpoints.
 	 *
-	 * @see WP_REST_Request
+	 * It verifies the signature of POST, PUT, PATCH, and DELETE requests, as well as GET requests in secure mode.
+	 * You can use the filter 'activitypub_defer_signature_verification' to defer the signature verification.
+	 * HEAD requests are always bypassed.
 	 *
 	 * @see https://www.w3.org/wiki/SocialCG/ActivityPub/Primer/Authentication_Authorization#Authorized_fetch
 	 * @see https://swicg.github.io/activitypub-http-signature/#authorized-fetch
 	 *
-	 * @param WP_REST_Response|\WP_HTTP_Response|WP_Error|mixed $response Result to send to the client.
-	 *                                                                    Usually a WP_REST_Response or WP_Error.
-	 * @param array                                             $handler  Route handler used for the request.
-	 * @param \WP_REST_Request                                  $request  Request used to generate the response.
+	 * @param \WP_REST_Request $request The request object.
 	 *
-	 * @return mixed|WP_Error The response, error, or modified response.
+	 * @return bool|\WP_Error True if the request is authorized, WP_Error if not.
 	 */
-	public static function authorize_activitypub_requests( $response, $handler, $request ) {
+	public static function verify_signature( $request ) {
 		if ( 'HEAD' === $request->get_method() ) {
-			return $response;
-		}
-
-		if ( \is_wp_error( $response ) ) {
-			return $response;
-		}
-
-		$route = $request->get_route();
-
-		// Check if it is an activitypub request and exclude webfinger and nodeinfo endpoints.
-		if (
-			! \str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) ||
-			\str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'webfinger' ) ||
-			\str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'nodeinfo' ) ||
-			\str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'application' )
-		) {
-			return $response;
+			return true;
 		}
 
 		/**
@@ -113,14 +72,14 @@ class Server {
 		$defer = \apply_filters( 'activitypub_defer_signature_verification', false, $request );
 
 		if ( $defer ) {
-			return $response;
+			return true;
 		}
 
 		if (
-			// POST-Requests are always signed.
+			// POST-Requests always have to be signed.
 			'GET' !== $request->get_method() ||
 			// GET-Requests only require a signature in secure mode.
-			( 'GET' === $request->get_method() && ACTIVITYPUB_AUTHORIZED_FETCH )
+			( 'GET' === $request->get_method() && use_authorized_fetch() )
 		) {
 			$verified_request = Signature::verify_http_signature( $request );
 			if ( \is_wp_error( $verified_request ) ) {
@@ -132,7 +91,7 @@ class Server {
 			}
 		}
 
-		return $response;
+		return true;
 	}
 
 	/**
@@ -145,7 +104,7 @@ class Server {
 	 *
 	 * @return mixed|WP_Error The response, error, or modified response.
 	 */
-	public static function validate_activitypub_requests( $response, $handler, $request ) {
+	public static function validate_requests( $response, $handler, $request ) {
 		if ( 'HEAD' === $request->get_method() ) {
 			return $response;
 		}
@@ -181,4 +140,34 @@ class Server {
 
 		return $response;
 	}
+
+	/**
+	 * Modify the parameter priority order for a REST API request.
+	 *
+	 * @param string[]         $order   Array of types to check, in order of priority.
+	 * @param \WP_REST_Request $request The request object.
+	 *
+	 * @return string[] The modified order of types to check.
+	 */
+	public static function request_parameter_order( $order, $request ) {
+		$route = $request->get_route();
+
+		// Check if it is an activitypub request and exclude webfinger and nodeinfo endpoints.
+		if ( ! \str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) ) {
+			return $order;
+		}
+
+		$method = $request->get_method();
+
+		if ( WP_REST_Server::CREATABLE !== $method ) {
+			return $order;
+		}
+
+		return array(
+			'JSON',
+			'POST',
+			'URL',
+			'defaults',
+		);
+	}
 }