455 lines
16 KiB
PHP
455 lines
16 KiB
PHP
<?php
|
|
/**
|
|
* OAuth 2.0 Server for ActivityPub C2S.
|
|
*
|
|
* @package Activitypub
|
|
*/
|
|
|
|
namespace Activitypub\OAuth;
|
|
|
|
use Activitypub\Sanitize;
|
|
|
|
/**
|
|
* Server class for OAuth 2.0 authentication and PKCE verification.
|
|
*
|
|
* Integrates with WordPress REST API authentication system.
|
|
*/
|
|
class Server {
|
|
/**
|
|
* The current validated token for this request.
|
|
*
|
|
* @var Token|null
|
|
*/
|
|
private static $current_token = null;
|
|
|
|
/**
|
|
* Initialize the OAuth server.
|
|
*/
|
|
public static function init() {
|
|
// Hook into REST authentication - priority 20 to run after default auth.
|
|
\add_filter( 'rest_authentication_errors', array( self::class, 'authenticate_oauth' ), 20 );
|
|
|
|
// Schedule cleanup cron.
|
|
if ( ! \wp_next_scheduled( 'activitypub_oauth_cleanup' ) ) {
|
|
\wp_schedule_event( time(), 'daily', 'activitypub_oauth_cleanup' );
|
|
}
|
|
\add_action( 'activitypub_oauth_cleanup', array( self::class, 'cleanup' ) );
|
|
}
|
|
|
|
/**
|
|
* Authenticate OAuth Bearer token for REST API requests.
|
|
*
|
|
* @param \WP_Error|null|bool $result Authentication result from previous filters.
|
|
* @return \WP_Error|null|bool Authentication result.
|
|
*/
|
|
public static function authenticate_oauth( $result ) {
|
|
/*
|
|
* Reset OAuth state at the start of each authentication to prevent
|
|
* leaking state between multiple REST dispatches in the same process.
|
|
*/
|
|
self::$current_token = null;
|
|
|
|
$token = self::get_bearer_token();
|
|
|
|
if ( ! $token ) {
|
|
// No Bearer token — respect errors from earlier auth filters.
|
|
return $result;
|
|
}
|
|
|
|
$validated = Token::validate( $token );
|
|
|
|
if ( \is_wp_error( $validated ) ) {
|
|
return $validated;
|
|
}
|
|
|
|
self::$current_token = $validated;
|
|
\wp_set_current_user( $validated->get_user_id() );
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Get the current OAuth token from the request.
|
|
*
|
|
* @return Token|null The validated token or null.
|
|
*/
|
|
public static function get_current_token() {
|
|
return self::$current_token;
|
|
}
|
|
|
|
/**
|
|
* Check if the current request is authenticated via OAuth.
|
|
*
|
|
* @return bool True if OAuth authenticated.
|
|
*/
|
|
public static function is_oauth_request() {
|
|
return null !== self::$current_token;
|
|
}
|
|
|
|
/**
|
|
* Check if the current token has a specific scope.
|
|
*
|
|
* @param string $scope The scope to check.
|
|
* @return bool True if the current token has the scope.
|
|
*/
|
|
public static function has_scope( $scope ) {
|
|
if ( ! self::$current_token ) {
|
|
return false;
|
|
}
|
|
|
|
return self::$current_token->has_scope( $scope );
|
|
}
|
|
|
|
/**
|
|
* Extract Bearer token from Authorization header.
|
|
*
|
|
* @return string|null The token string or null.
|
|
*/
|
|
public static function get_bearer_token() {
|
|
$auth_header = self::get_authorization_header();
|
|
|
|
if ( ! $auth_header ) {
|
|
return null;
|
|
}
|
|
|
|
// Check for Bearer token.
|
|
if ( 0 !== strpos( $auth_header, 'Bearer ' ) ) {
|
|
return null;
|
|
}
|
|
|
|
return substr( $auth_header, 7 );
|
|
}
|
|
|
|
/**
|
|
* Get the Authorization header.
|
|
*
|
|
* @return string|null The authorization header value or null.
|
|
*/
|
|
private static function get_authorization_header() {
|
|
/*
|
|
* Only wp_unslash() is used here — sanitize_text_field() could
|
|
* corrupt opaque bearer tokens by stripping characters.
|
|
*/
|
|
|
|
// phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Opaque auth token, must not be altered.
|
|
if ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
|
|
return \wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] );
|
|
}
|
|
|
|
if ( ! empty( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
|
|
return \wp_unslash( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
|
|
}
|
|
// phpcs:enable WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
|
|
|
|
// Fallback: read from Apache's own header API (case-insensitive).
|
|
if ( ! function_exists( 'apache_request_headers' ) ) {
|
|
return null;
|
|
}
|
|
|
|
$headers = apache_request_headers();
|
|
|
|
foreach ( $headers as $key => $value ) {
|
|
if ( 'authorization' === strtolower( $key ) ) {
|
|
return $value;
|
|
}
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Verify PKCE code_verifier against code_challenge.
|
|
*
|
|
* @param string $code_verifier The PKCE code verifier.
|
|
* @param string $code_challenge The stored code challenge.
|
|
* @param string $method The challenge method (only S256 is supported).
|
|
* @return bool True if valid.
|
|
*/
|
|
public static function verify_pkce( $code_verifier, $code_challenge, $method = 'S256' ) {
|
|
return Authorization_Code::verify_pkce( $code_verifier, $code_challenge, $method );
|
|
}
|
|
|
|
/**
|
|
* Generate a cryptographically secure random string.
|
|
*
|
|
* @param int $length The length of the string in bytes.
|
|
* @return string The random string as hex.
|
|
*/
|
|
public static function generate_token( $length = 32 ) {
|
|
return Token::generate_token( $length );
|
|
}
|
|
|
|
/**
|
|
* Permission callback for OAuth-protected endpoints.
|
|
*
|
|
* @param \WP_REST_Request $request The REST request.
|
|
* @param string $scope Required scope (optional).
|
|
* @return bool|\WP_Error True if authorized, error otherwise.
|
|
*/
|
|
public static function check_oauth_permission( $request, $scope = null ) {
|
|
/**
|
|
* Filter to override OAuth permission check.
|
|
*
|
|
* Useful for testing. Return true to bypass OAuth check, false to continue.
|
|
*
|
|
* @param bool|null $result The permission result. Null to continue normal check.
|
|
* @param \WP_REST_Request $request The REST request.
|
|
* @param string|null $scope Required scope.
|
|
*/
|
|
$override = \apply_filters( 'activitypub_oauth_check_permission', null, $request, $scope );
|
|
|
|
if ( null !== $override ) {
|
|
return $override;
|
|
}
|
|
|
|
if ( ! self::is_oauth_request() ) {
|
|
return new \WP_Error(
|
|
'activitypub_oauth_required',
|
|
\__( 'OAuth authentication required.', 'activitypub' ),
|
|
array( 'status' => 401 )
|
|
);
|
|
}
|
|
|
|
if ( $scope && ! self::has_scope( $scope ) ) {
|
|
return new \WP_Error(
|
|
'activitypub_insufficient_scope',
|
|
/* translators: %s: The required scope */
|
|
sprintf( \__( 'This action requires the "%s" scope.', 'activitypub' ), $scope ),
|
|
array( 'status' => 403 )
|
|
);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Run cleanup tasks for OAuth data.
|
|
*/
|
|
public static function cleanup() {
|
|
// Clean up expired tokens.
|
|
Token::cleanup_expired();
|
|
|
|
// Clean up expired authorization codes.
|
|
Authorization_Code::cleanup();
|
|
}
|
|
|
|
/**
|
|
* Get OAuth server metadata for discovery.
|
|
*
|
|
* @return array OAuth server metadata.
|
|
*/
|
|
public static function get_metadata() {
|
|
$base_url = \trailingslashit( \get_rest_url( null, ACTIVITYPUB_REST_NAMESPACE ) );
|
|
|
|
return array(
|
|
'issuer' => \home_url(),
|
|
'authorization_endpoint' => $base_url . 'oauth/authorize',
|
|
'token_endpoint' => $base_url . 'oauth/token',
|
|
'revocation_endpoint' => $base_url . 'oauth/revoke',
|
|
'introspection_endpoint' => $base_url . 'oauth/introspect',
|
|
'registration_endpoint' => $base_url . 'oauth/clients',
|
|
'scopes_supported' => Scope::ALL,
|
|
'response_types_supported' => array( 'code' ),
|
|
'response_modes_supported' => array( 'query' ),
|
|
'grant_types_supported' => array( 'authorization_code', 'refresh_token' ),
|
|
'token_endpoint_auth_methods_supported' => array( 'none', 'client_secret_post', 'client_secret_basic' ),
|
|
'introspection_endpoint_auth_methods_supported' => array( 'bearer' ),
|
|
'code_challenge_methods_supported' => array( 'S256' ),
|
|
'service_documentation' => 'https://github.com/swicg/activitypub-api',
|
|
'client_id_metadata_document_supported' => true,
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Handle OAuth authorization consent page via wp-login.php.
|
|
*
|
|
* This is triggered by wp-login.php?action=activitypub_authorize
|
|
*/
|
|
public static function login_form_authorize() {
|
|
// Require user to be logged in.
|
|
if ( ! \is_user_logged_in() ) {
|
|
\auth_redirect();
|
|
}
|
|
|
|
$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? \sanitize_text_field( \wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) : '';
|
|
|
|
if ( 'GET' === $request_method ) {
|
|
self::render_authorize_form();
|
|
} elseif ( 'POST' === $request_method ) {
|
|
self::process_authorize_form();
|
|
}
|
|
|
|
exit;
|
|
}
|
|
|
|
/**
|
|
* Render the OAuth authorization consent form.
|
|
*/
|
|
private static function render_authorize_form() {
|
|
// phpcs:disable WordPress.Security.NonceVerification.Recommended -- Initial form display, nonce checked on POST.
|
|
|
|
// Check for error token (redirected from REST authorization endpoint).
|
|
if ( isset( $_GET['auth_error'] ) ) {
|
|
$token = \sanitize_text_field( \wp_unslash( $_GET['auth_error'] ) );
|
|
$error_message = \get_transient( 'ap_oauth_err_' . $token ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- Used in template.
|
|
\delete_transient( 'ap_oauth_err_' . $token );
|
|
|
|
if ( ! $error_message ) {
|
|
$error_message = \__( 'An authorization error occurred. Please try again.', 'activitypub' ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- Used in template.
|
|
}
|
|
|
|
include ACTIVITYPUB_PLUGIN_DIR . 'templates/oauth-error.php';
|
|
return;
|
|
}
|
|
|
|
$authorize_params = array(
|
|
'client_id' => isset( $_GET['client_id'] ) ? \sanitize_text_field( \wp_unslash( $_GET['client_id'] ) ) : '',
|
|
'redirect_uri' => isset( $_GET['redirect_uri'] ) ? Sanitize::redirect_uri( \wp_unslash( $_GET['redirect_uri'] ) ) : '', // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized via Sanitize::redirect_uri().
|
|
'scope' => isset( $_GET['scope'] ) ? \sanitize_text_field( \wp_unslash( $_GET['scope'] ) ) : '',
|
|
'state' => isset( $_GET['state'] ) ? \wp_unslash( $_GET['state'] ) : '', // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- OAuth state is opaque; must be round-tripped exactly.
|
|
'code_challenge' => isset( $_GET['code_challenge'] ) ? \sanitize_text_field( \wp_unslash( $_GET['code_challenge'] ) ) : '',
|
|
'code_challenge_method' => isset( $_GET['code_challenge_method'] ) ? \sanitize_text_field( \wp_unslash( $_GET['code_challenge_method'] ) ) : 'S256',
|
|
);
|
|
// phpcs:enable WordPress.Security.NonceVerification.Recommended
|
|
|
|
// Validate client.
|
|
$client = Client::get( $authorize_params['client_id'] );
|
|
if ( \is_wp_error( $client ) ) {
|
|
$error_message = $client->get_error_message(); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- Used in template.
|
|
include ACTIVITYPUB_PLUGIN_DIR . 'templates/oauth-error.php';
|
|
return;
|
|
}
|
|
|
|
// Validate redirect URI.
|
|
if ( ! $client->is_valid_redirect_uri( $authorize_params['redirect_uri'] ) ) {
|
|
$error_message = \__( 'Invalid redirect URI for this client.', 'activitypub' ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- Used in template.
|
|
include ACTIVITYPUB_PLUGIN_DIR . 'templates/oauth-error.php';
|
|
return;
|
|
}
|
|
|
|
// Use the canonical client ID (may differ from the raw input for discovered clients).
|
|
$authorize_params['client_id'] = $client->get_client_id();
|
|
|
|
// These variables are used in the template.
|
|
$current_user = \wp_get_current_user(); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
|
|
$scopes = Scope::validate( Scope::parse( $authorize_params['scope'] ) ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
|
|
|
|
// Build form action URL.
|
|
// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
|
|
$form_url = \add_query_arg(
|
|
array_merge( array( 'action' => 'activitypub_authorize' ), $authorize_params ),
|
|
\wp_login_url()
|
|
);
|
|
|
|
// Include the template.
|
|
include ACTIVITYPUB_PLUGIN_DIR . 'templates/oauth-authorize.php'; // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- $authorize_params used in template.
|
|
}
|
|
|
|
/**
|
|
* Process the OAuth authorization consent form submission.
|
|
*/
|
|
private static function process_authorize_form() {
|
|
// Verify nonce.
|
|
if ( ! isset( $_POST['_wpnonce'] ) || ! \wp_verify_nonce( \sanitize_text_field( \wp_unslash( $_POST['_wpnonce'] ) ), 'activitypub_oauth_authorize' ) ) {
|
|
$error_message = \__( 'Security check failed. Please try again.', 'activitypub' ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- Used in template.
|
|
include ACTIVITYPUB_PLUGIN_DIR . 'templates/oauth-error.php';
|
|
exit;
|
|
}
|
|
|
|
// phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce verified above.
|
|
$client_id = isset( $_POST['client_id'] ) ? \sanitize_text_field( \wp_unslash( $_POST['client_id'] ) ) : '';
|
|
$redirect_uri = isset( $_POST['redirect_uri'] ) ? Sanitize::redirect_uri( \wp_unslash( $_POST['redirect_uri'] ) ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized via Sanitize::redirect_uri().
|
|
$scope = isset( $_POST['scope'] ) ? \sanitize_text_field( \wp_unslash( $_POST['scope'] ) ) : '';
|
|
$state = isset( $_POST['state'] ) ? \wp_unslash( $_POST['state'] ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- OAuth state is opaque; must be round-tripped exactly.
|
|
$code_challenge = isset( $_POST['code_challenge'] ) ? \sanitize_text_field( \wp_unslash( $_POST['code_challenge'] ) ) : '';
|
|
$code_challenge_method = isset( $_POST['code_challenge_method'] ) ? \sanitize_text_field( \wp_unslash( $_POST['code_challenge_method'] ) ) : 'S256';
|
|
$approve = isset( $_POST['approve'] );
|
|
// phpcs:enable WordPress.Security.NonceVerification.Missing
|
|
|
|
// Only S256 is supported; normalize empty/missing values and reject anything else.
|
|
if ( empty( $code_challenge_method ) ) {
|
|
$code_challenge_method = 'S256';
|
|
} elseif ( 'S256' !== $code_challenge_method ) {
|
|
$error_message = \__( 'Only S256 is supported as PKCE code challenge method.', 'activitypub' ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- Used in template.
|
|
include ACTIVITYPUB_PLUGIN_DIR . 'templates/oauth-error.php';
|
|
exit;
|
|
}
|
|
|
|
// Re-validate client and redirect URI (form fields could be tampered with).
|
|
$client = Client::get( $client_id );
|
|
|
|
if ( \is_wp_error( $client ) ) {
|
|
$error_message = $client->get_error_message(); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- Used in template.
|
|
include ACTIVITYPUB_PLUGIN_DIR . 'templates/oauth-error.php';
|
|
exit;
|
|
}
|
|
|
|
if ( ! $client->is_valid_redirect_uri( $redirect_uri ) ) {
|
|
$error_message = \__( 'Invalid redirect URI for this client.', 'activitypub' ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- Used in template.
|
|
include ACTIVITYPUB_PLUGIN_DIR . 'templates/oauth-error.php';
|
|
exit;
|
|
}
|
|
|
|
// User denied authorization.
|
|
if ( ! $approve ) {
|
|
self::redirect_to_client(
|
|
$redirect_uri,
|
|
array(
|
|
'error' => 'access_denied',
|
|
'error_description' => 'The user denied the authorization request.',
|
|
'state' => $state,
|
|
)
|
|
);
|
|
}
|
|
|
|
// Create authorization code.
|
|
$scopes = Scope::validate( Scope::parse( $scope ) );
|
|
$code = Authorization_Code::create(
|
|
\get_current_user_id(),
|
|
$client_id,
|
|
$redirect_uri,
|
|
$scopes,
|
|
$code_challenge,
|
|
$code_challenge_method
|
|
);
|
|
|
|
if ( \is_wp_error( $code ) ) {
|
|
self::redirect_to_client(
|
|
$redirect_uri,
|
|
array(
|
|
'error' => 'server_error',
|
|
'error_description' => $code->get_error_message(),
|
|
'state' => $state,
|
|
)
|
|
);
|
|
}
|
|
|
|
self::redirect_to_client(
|
|
$redirect_uri,
|
|
array(
|
|
'code' => $code,
|
|
'state' => $state,
|
|
)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Redirect to an OAuth client's redirect URI with query parameters.
|
|
*
|
|
* Uses a manual Location header because wp_redirect() strips custom
|
|
* URI schemes used by native/mobile apps (RFC 8252 Section 7.1).
|
|
* The URI is pre-validated against the registered client's redirect_uris
|
|
* before this method is called.
|
|
*
|
|
* @param string $redirect_uri The client's redirect URI.
|
|
* @param array $params Query parameters to append.
|
|
*/
|
|
private static function redirect_to_client( $redirect_uri, $params ) {
|
|
$url = Sanitize::redirect_uri( \add_query_arg( $params, $redirect_uri ) );
|
|
|
|
\nocache_headers();
|
|
header( 'Location: ' . $url, true, 303 );
|
|
exit;
|
|
}
|
|
}
|