Add blog/user token verification.

Automattic · Sep 23, 2024 · 8bfbadb · 8bfbadb
1 parent 61b021e
commit 8bfbadb
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 3 deletions.
diff --git a/projects/packages/connection/changelog/add-json-api-direct-access b/projects/packages/connection/changelog/add-json-api-direct-access
@@ -0,0 +1,4 @@
+Significance: minor
+Type: added
+
+Add the 'is_signed_with_user_token()' method for REST authentication.
diff --git a/projects/packages/connection/src/class-rest-authentication.php b/projects/packages/connection/src/class-rest-authentication.php
@@ -219,4 +219,17 @@ public static function is_signed_with_blog_token() {
 
 		return true === $instance->rest_authentication_status && 'blog' === $instance->rest_authentication_type;
 	}
+
+	/**
+	 * Whether the request was signed with a user token.
+	 *
+	 * @since $$next-version$$
+	 *
+	 * @return bool True if the request was signed with a valid user token, false otherwise.
+	 */
+	public static function is_signed_with_user_token() {
+		$instance = self::init();
+
+		return true === $instance->rest_authentication_status && 'user' === $instance->rest_authentication_type;
+	}
 }
diff --git a/projects/plugins/jetpack/class.json-api-endpoints.php b/projects/plugins/jetpack/class.json-api-endpoints.php
@@ -7,6 +7,7 @@
 
 use Automattic\Jetpack\Connection\Client;
 use Automattic\Jetpack\Connection\Manager;
+use Automattic\Jetpack\Connection\Rest_Authentication;
 use Automattic\Jetpack\Status;
 
 require_once __DIR__ . '/json-api-config.php';
@@ -288,7 +289,7 @@ abstract class WPCOM_JSON_API_Endpoint {
 	/**
 	 * REST namespace.
 	 */
-	const REST_NAMESPACE = 'rest/v1';
+	const REST_NAMESPACE = 'jetpack/rest';
 
 	/**
 	 * Constructor.
@@ -2648,8 +2649,9 @@ public function create_rest_route_for_endpoint() {
 			static::REST_NAMESPACE,
 			$this->rest_route,
 			array(
-				'methods'  => $this->method,
-				'callback' => array( $this, 'rest_callback' ),
+				'methods'             => $this->method,
+				'callback'            => array( $this, 'rest_callback' ),
+				'permission_callback' => array( $this, 'rest_permission_callback' ),
 			)
 		);
 	}
@@ -2674,6 +2676,33 @@ public function rest_callback( WP_REST_Request $request ) {
 		);
 	}
 
+	/**
+	 * The REST endpoint should only be available for requests signed with a valid blog or user token.
+	 * Declaring it "final" so individual endpoints couldn't remove this requirement.
+	 *
+	 * @return true|WP_Error
+	 */
+	final public function rest_permission_callback() {
+		if ( Rest_Authentication::is_signed_with_blog_token() || Rest_Authentication::is_signed_with_user_token() ) {
+			return $this->rest_permission_callback_custom();
+		}
+
+		$message = esc_html__(
+			'You do not have the correct user permissions to perform this action. Please contact your site admin if you think this is a mistake.',
+			'jetpack'
+		);
+		return new WP_Error( 'rest_api_invalid_permission', $message, array( 'status' => rest_authorization_required_code() ) );
+	}
+
+	/**
+	 * Redefine in individual endpoint classes to further customize the permission check.
+	 *
+	 * @return true|WP_Error
+	 */
+	public function rest_permission_callback_custom() {
+		return true;
+	}
+
 	/**
 	 * Return endpoint response
 	 *