

Timestamp:
01/29/2021 12:05:20 AM (4 years ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Introduce introspection endpoint.

This introduces a new endpoint, wp/v2/users/me/application-passwords/introspect, that will return details about the App Password being used to authenticate the current request. This allows for an application to disambiguate between multiple installations of their application which would all share the same app_id.

Props xkon, peterwilsoncc, TimothyBlynJacobs.
Fixes #52275.

File:
1 edited

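--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
@@ -53,4 +53,20 @@
                     'callback'            => array( $this, 'delete_items' ),
                     'permission_callback' => array( $this, 'delete_items_permissions_check' ),
+                ),
+                'schema' => array( $this, 'get_public_item_schema' ),
+            )
+        );
+
+        register_rest_route(
+            $this->namespace,
+            '/' . $this->rest_base . '/introspect',
+            array(
+                array(
+                    'methods'             => WP_REST_Server::READABLE,
+                    'callback'            => array( $this, 'get_current_item' ),
+                    'permission_callback' => array( $this, 'get_current_item_permissions_check' ),
+                    'args'                => array(
+                        'context' => $this->get_context_param( array( 'default' => 'view' ) ),
+                    ),
                 ),
                 'schema' => array( $this, 'get_public_item_schema' ),
@@ -375,4 +391,68 @@
 
     /**
+     * Checks if a given request has access to get the currently used application password.
+     *
+     * @since 5.7.0
+     *
+     * @param WP_REST_Request $request Full details about the request.
+     * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
+     */
+    public function get_current_item_permissions_check( $request ) {
+        $user = $this->get_user( $request );
+
+        if ( is_wp_error( $user ) ) {
+            return $user;
+        }
+
+        if ( get_current_user_id() !== $user->ID ) {
+            return new WP_Error(
+                'rest_cannot_introspect_app_password_for_non_authenticated_user',
+                __( 'The authenticated Application Password can only be introspected for the current user.' ),
+                array( 'status' => rest_authorization_required_code() )
+            );
+        }
+
+        return true;
+    }
+
+    /**
+     * Retrieves the application password being currently used for authentication.
+     *
+     * @since 5.7.0
+     *
+     * @param WP_REST_Request $request Full details about the request.
+     * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
+     */
+    public function get_current_item( $request ) {
+        $user = $this->get_user( $request );
+
+        if ( is_wp_error( $user ) ) {
+            return $user;
+        }
+
+        $uuid = rest_get_authenticated_app_password();
+
+        if ( ! $uuid ) {
+            return new WP_Error(
+                'rest_no_authenticated_app_password',
+                __( 'Cannot introspect Application Password.' ),
+                array( 'status' => 404 )
+            );
+        }
+
+        $password = WP_Application_Passwords::get_user_application_password( $user->ID, $uuid );
+
+        if ( ! $password ) {
+            return new WP_Error(
+                'rest_application_password_not_found',
+                __( 'Application password not found.' ),
+                array( 'status' => 500 )
+            );
+        }
+
+        return $this->prepare_item_for_response( $password, $request );
+    }
+
+    /**
      * Performs a permissions check for the request.
      *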
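Review bot: In get_current_item the `rest_application_password_not_found` branch returns status 500 without a comment saying why a lookup miss is treated as a server error rather than a 404, which the next maintainer is likely to "fix"; a one-line comment above it would settle that, e.g. `// The request was authenticated with this UUID, so a missing record is an inconsistent server-side state, not a client error.`. The earlier `rest_no_authenticated_app_password` message, `'Cannot introspect Application Password.'`, also does not tell the client that the cause is the request not having been authenticated with one (for instance cookie-authenticated requests, which get_current_item_permissions_check does not rule out); wording such as `__( 'Cannot introspect Application Password: the request was not authenticated with one.' )` would make the 404 actionable. The first hunk's context lines belong to register_routes, whose start and end lie outside the hunk.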