Add Arrive outbox handler for check-in activities#2977
Open
Add Arrive outbox handler for check-in activities#2977
Conversation
Implements the SWICG ActivityPub API specification for C2S interactions: - OAuth 2.0 with PKCE authentication - POST to outbox for creating activities - GET inbox for reading received activities - Actor discovery with OAuth endpoints - Handlers for Create, Update, Delete, Follow, Undo activities New files: - includes/oauth/ - OAuth server, tokens, clients, auth codes, scopes - includes/rest/class-oauth-controller.php - OAuth endpoints Modified: - Outbox controller extended with POST support - Inbox controller extended with GET support - Handler classes extended with outbox handlers - Actor models include OAuth endpoints when C2S enabled - New activitypub_enable_c2s setting
Add C2S support for Like and Announce activities by hooking into the activitypub_handled_outbox_like and activitypub_handled_outbox_announce actions. These handlers fire corresponding sent actions that can be used to track when activities are sent via C2S.
Add comprehensive test coverage for the OAuth infrastructure: - Test_Scope: Scope parsing, validation, and string conversion - Test_Token: Token creation, validation, refresh, and revocation - Test_Client: Client registration, validation, and scope filtering - Test_Authorization_Code: PKCE flow, code exchange, and security checks
Remove type hint from get_items_permissions_check() to match the parent WP_REST_Controller class signature, which doesn't use type hints.
Remove type hint from create_item_permissions_check() to match the parent WP_REST_Controller class signature.
Remove type hint from create_item() to match the parent WP_REST_Controller class signature.
Constants cannot be covered by PHPUnit, only methods can.
Validate that submitted activities have actor/attributedTo fields matching the authenticated user. This prevents clients from submitting activities with mismatched actor data. Checks: - activity.actor must match authenticated user (if present) - object.attributedTo must match authenticated user (if present)
- Authorization codes now use WordPress transients (auto-expire after 10 min) - Tokens now use user meta instead of CPT (efficient per-user lookup) - Keep only Client CPT for persistent client registration - Add token introspection endpoint (RFC 7662) - Add revoke_for_client() method for cleanup when deleting clients - Add OAuth consent form template - Fix linting issues in Server class - Update tests for new error codes
- Rename handler methods to `incoming()` for inbox and `outgoing()` for outbox - Add deprecated proxy functions for backward compatibility (handle_*) - Update Create handler to support outbox POST with WordPress post creation - Add Dispatcher hook to fire outbox handlers after add_to_outbox() - Skip scheduler for already-federated posts to prevent duplicates - Remove C2S terminology from comments, use incoming/outgoing instead Handlers updated: Create, Update, Announce, Like, Undo, Follow, Delete
- Remove async scheduling from Post scheduler, call add_to_outbox directly - Create handler returns WP_Post instead of calling add_to_outbox - Add Outbox::get_by_object_id() to find outbox items by object ID and type - Controller handles WP_Post return from handlers and uses outbox_item directly
Update delete and update handlers to first resolve posts by permalink for C2S-created posts, falling back to GUID lookup for remote posts. Enhance OAuth server to respect previous auth errors and only process OAuth if C2S is enabled. Add type safety for user_id in REST controllers. Update template variable documentation and add PHPCS ignore comment in token class.
Pass the outbox item's ID instead of the object itself to the send_to_inboxes method in the test case. This aligns the test with the expected method signature.
- Add proxyUrl endpoint for C2S clients to fetch remote ActivityPub objects through the server's HTTP Signatures - Remove activitypub_enable_c2s option - C2S is now always enabled - Remove settings field for C2S toggle from advanced settings - Always include OAuth and C2S endpoints in actor profiles - Add security checks for proxy: HTTPS-only, block private networks - Use Remote_Actors::fetch_by_various() for efficient actor caching
- Add verify_oauth_read() and verify_oauth_write() methods to Server - Add verify_owner() to check token matches user_id parameter - Simplify permission checks in Inbox, Outbox, and Proxy controllers - Remove direct OAuth imports from controllers
- Create trait-verification.php with verify_signature, verify_oauth_read, verify_oauth_write, and verify_owner methods - Update controllers to use the trait instead of static Server methods - Maintain backwards compatibility by keeping static methods in Server class
- Update handler tests to use incoming() instead of deprecated handle_* methods - Add activitypub_oauth_check_permission filter for test mocking - Fix proxy controller tests to use rest_api_init for route registration - Update assertions to match actual return values (false vs null)
…oller Consolidates user inbox handling in the appropriate controller: - Actors_Inbox_Controller now handles user inbox GET (C2S) and POST (S2S) - Inbox_Controller now only handles shared inbox POST (S2S)
These methods are now provided by the Verification trait which controllers use directly. Removes 278 lines of duplicated code.
The inbox GET endpoint now requires OAuth authentication (C2S). E2E tests cannot easily test OAuth-protected endpoints without a full OAuth flow. The functionality is covered by PHPUnit tests.
- Add verify_application_password() for WordPress core Application Passwords - Add verify_authentication() that checks OAuth first, falls back to Application Passwords - Update verify_owner() to support both OAuth tokens and WordPress users - Simplify permission callbacks in controllers to use verify_authentication()
Enable browser-based C2S clients to interact with OAuth and ActivityPub
endpoints without requiring a proxy server.
Endpoints with CORS headers:
- OAuth: /token, /revoke, /introspect, /clients, /.well-known/oauth-authorization-server
- C2S: /proxy, /actors/{id}/outbox, /actors/{id}/inbox
The /oauth/authorize endpoint is excluded as it redirects to the login page.
Register /.well-known/oauth-authorization-server to comply with RFC 8414. This enables OAuth clients to discover the server metadata at the standard location.
Make PKCE optional and improve ActivityPub/client redirect handling: - Authorization_Code::verify_pkce: Treat absence of a stored code_challenge as PKCE not used (skip verification); fail only when a challenge exists but no code_verifier is supplied. - OAuth_Controller: Treat code_challenge as recommended (optional) and remove hard requirement/error for missing challenge/verifier to maintain compatibility with non-PKCE clients. - Client metadata parsing: Accept ActivityPub actor types (Application, Person, Service, Group, Organization), map id/name (or preferredUsername) to client metadata, handle redirectURI/url, and set an is_actor flag for actor-based clients. - Redirect validation: Allow RFC 8252 loopback redirect flexibility (ignore port differences for loopback hosts like 127.0.0.1, ::1, localhost) while preserving exact-match behavior for non-loopback URIs; added is_loopback_redirect_match helper. - Server response handling: Exclude OAuth endpoints from the generic REST error format so OAuth endpoints keep RFC 6749 error responses. These changes improve interoperability with ActivityPub actors, support permissive loopback redirect ports per RFC 8252, and maintain backward compatibility for clients that do not use PKCE.
- Use wp_kses() instead of esc_html__() with printf() for HTML in OAuth consent template to prevent escaped tags from rendering as text. - Add backslash prefix to filter_var() calls in namespaced code. - Change @SInCE 1.3.0 to @SInCE unreleased on new outbox handlers hook. - Add Access-Control-Allow-Credentials header for browser-based C2S clients.
Extract IP detection into a helper with an `activitypub_client_ip` filter so sites behind reverse proxies can return the real client IP.
Cap active OAuth tokens at 50 per user. When exceeded, the oldest tokens are automatically revoked, preventing usermeta accumulation from repeated authentication.
Public clients can skip PKCE by default for backward compatibility, but site operators can require it via the `activitypub_oauth_require_pkce` filter, aligning with OAuth 2.1 which mandates PKCE for all public clients.
This reverts commit 099ee9e.
Replace hardcoded http://localhost:8889 with relative paths resolved against Playwright's baseURL config, and use the baseURL fixture for the webfinger resource parameter.
The uninstall hook was not removing OAuth data (ap_oauth_client posts and user meta tokens), leaving orphaned data in the database after plugin deletion.
Replace the serialized activitypub_oauth_token_users option with _activitypub_user_id post meta on ap_oauth_client posts, following the same pattern as _activitypub_following on ap_actor posts. This eliminates race conditions from concurrent read-modify-write on a shared option and allows direct client-to-user lookups.
Add get_display_name() and get_link_url() to Client class so the template delegates display logic to the model. For DCR apps where client_id is a UUID, the link falls back to client_uri or the redirect URI origin instead of producing a broken link. Consolidate loose request variables into a single $authorize_params array to reduce template scope.
…new tab Add current_user_can checks to all OAuth AJAX handlers: manage_options for client management, read for token revocation. Open the client link on the consent form in a new tab to avoid breaking the OAuth flow.
…pport Add @see tags between Posts (C2S) and Remote_Posts (S2S) to clarify the collection split. Extend get_client_ip() to check common proxy headers (Cloudflare, X-Forwarded-For, etc.) before falling back to REMOTE_ADDR.
Prevents brute-force and abuse on the GET /oauth/authorize endpoint using the same transient-based pattern as the token endpoint (max 20 requests per minute per IP).
Activities like Arrive have no explicit `object` property and may provide `actor` as an object instead of a URI string. The previous code passed the raw actor array into `filter_var()` / `Webfinger::resolve()`, causing a PHP fatal. Use `object_to_uri()` to extract a string URI from the actor and validate the object ID before proceeding, returning a clean 400 error instead of a 500.
Create WordPress posts from C2S Arrive activities (check-ins). The handler synthesizes a Note from the intransitive Arrive data, creates a post via Posts::create(), and saves location geodata (geo_address, geo_latitude, geo_longitude) via the activitypub_outbox_arrive_sent action hook. Also fixes the outbox controller to fall back to Create when looking up outbox entries, since the Post scheduler wraps new posts in Create activities regardless of the original C2S type.
github-actions
bot
added
[Feature] CLI
[Feature] Collections
[Feature] WP Admin
[Focus] Editor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #
Proposed changes:
Arriveoutbox handler that creates WordPress posts from C2S check-in activities (e.g. from checkin.swf.pub).Posts::create(), and saves location geodata (geo_address,geo_latitude,geo_longitude,geo_public) via theactivitypub_outbox_arrive_sentaction hook.Createwhen looking up outbox entries, since the Post scheduler wraps new posts inCreateactivities regardless of the original C2S activity type (e.g. Arrive → Create).Other information:
Testing instructions:
npm run env-startnpm run env-test -- --filter=test_c2s_arrive— both tests should passChangelog entry
Changelog Entry Details
Significance
Type
Message
Add support for check-in activities posted via compatible apps.