Separate API endpoints more strictly/use different verification method #1077
Comments
This is a proposal to use the `permission_callback`, instead of a general hook, to verify signatures. The advantage is that it is easier to enable/disable verification for specific endpoints this way. See #1077
In #1078 you show that technically it's not necessary, more of a question of adding the right permission_callbacks. I don't disagree with separating it out but it might be just more efficient for now to be very diligent about the callbacks.
A couple of options come to mind for me. We could group Editor related endpoints in a subdirectory of
I think we can discuss other ways to optimize the structure, but #1078 should fix the issue for now.
* Use a more explicit signature verification

  This is a proposal to use the `permission_callback`, instead of a general hook, to verify signatures. The advantage is that it is easier to enable/disable verification for specific endpoints this way. See #1077
* phpcs fix
* fix test
* ignore this for now
* changelog
* keep the old error and change the function name to be more descriptive

  props @jeherve
* add some phpdoc

  props @jeherve
* verify actor endpoints
* no need to mention `activitypub` here
* rename functions
* Update includes/rest/class-server.php

  Co-authored-by: Konstantin Obenland <[email protected]>
* Update includes/rest/class-server.php

  Co-authored-by: Konstantin Obenland <[email protected]>
* messed up search/replace
* one last change
* add some checks to prevent PHP warnings
* add integration test
* fix phpcs

---------

Co-authored-by: Konstantin Obenland <[email protected]>
The current codebase does not strictly separate the endpoints we need "locally", like for example the endpoints needed by the blocks, from the ActivityPub APIs.
[Update] An alternate solution #1078
This could cause some issues in the future, or at least bring some more complexity, when it comes to signature verification for example. Requests to the ActivityPub endpoints should be verified, local requests might require a session or are open in general.
This is already a problem when you turn on Authorized-Fetch!!!
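
The two approaches discussed in this issue, side by side, as an added sketch that is not the plugin's own code: a general hook that has to guess which requests are federation traffic, and a per-route `permission_callback`. Assumptions: `rest_pre_dispatch` stands in for the general hook, and the `example/1.0` namespace, both routes and every `example_*` name are hypothetical.

```php
<?php
// Added illustration, not the ActivityPub plugin's code. Runs inside a WordPress plugin.
// Assumptions: the example/1.0 namespace, both routes and every example_* name are
// hypothetical; example_signature_is_valid() stands for the HTTP signature check.

// Hypothetical stand-in for the real check; fails closed until a verifier is hooked in.
function example_signature_is_valid( WP_REST_Request $request ) {
	return (bool) apply_filters( 'example_signature_is_valid', false, $request );
}

// Before: one general hook. It sees every REST request, so it has to infer from the
// path which ones are federation traffic, and local routes in the namespace get caught.
function example_verify_everything( $result, $server, $request ) {
	if ( 0 === strpos( $request->get_route(), '/example/1.0' ) && ! example_signature_is_valid( $request ) ) {
		return new WP_Error( 'example_unsigned', 'Valid signature required', array( 'status' => 401 ) );
	}
	return $result;
}
// add_filter( 'rest_pre_dispatch', 'example_verify_everything', 10, 3 ); // left disabled

// After: verification is a permission_callback, chosen per route.
function example_verify_signature( WP_REST_Request $request ) {
	if ( example_signature_is_valid( $request ) ) {
		return true;
	}
	return new WP_Error( 'example_unsigned', 'Valid signature required', array( 'status' => 401 ) );
}

add_action( 'rest_api_init', function () {
	// Federation endpoint: remote servers POST here, so the signature is checked.
	register_rest_route( 'example/1.0', '/inbox', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => function () { return new WP_REST_Response( null, 202 ); },
		'permission_callback' => 'example_verify_signature',
	) );
	// Local endpoint used by editor blocks: a logged-in session, no signature.
	register_rest_route( 'example/1.0', '/editor/followers', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => function () { return rest_ensure_response( array() ); },
		'permission_callback' => function () {
			return current_user_can( 'edit_posts' );
		},
	) );
} );
```

With the per-route form, a route registered without any `permission_callback` triggers a `_doing_it_wrong` notice in WordPress 5.5 and later, which makes an unprotected endpoint visible during development.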