From c06765683ecdf9f973439c00859837316fe602e5 Mon Sep 17 00:00:00 2001
From: thingalon
Date: Sat, 2 Nov 2019 07:21:35 +1100
Subject: [PATCH] Add security settings for Helper Script API methods (#13922)

* Add endpoints for Jetpack Backup Helper Script methods

- Project: https://[private link]
- P2 post about this prototype: https://[private link]
- Related Jetpack PR: https://github.com/Automattic/jetpack/pull/13830
- Related Rewind PR: https://github.com/Automattic/jetpack-backups/pull/975

This adds two new API endpoints for calling out to a Jetpack site, to install or delete a Helper Script. It also locks these new API endpoints down to require access through a Rewind API token, ensuring this is not called from any other source.

This commit was generated from D34445-code.

* Make the require_rewind_auth parameter optional
---
 class.json-api-endpoints.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/class.json-api-endpoints.php b/class.json-api-endpoints.php
index fd171a7853769..ca8b4608f5d99 100644
--- a/class.json-api-endpoints.php
+++ b/class.json-api-endpoints.php
@@ -127,6 +127,11 @@ abstract class WPCOM_JSON_API_Endpoint {
 */
 public $allow_upload_token_auth = false;
+ /**
+ * @var bool Set to true if the endpoint should require auth from a Rewind auth token.
+ */
+ public $require_rewind_auth = false;
+
 function __construct( $args ) {
 $defaults = array(
 'in_testing' => false,
@@ -194,6 +199,7 @@ function __construct( $args ) {
 $this->allow_unauthorized_request = (bool) $args['allow_unauthorized_request'];
 $this->allow_jetpack_site_auth = (bool) $args['allow_jetpack_site_auth'];
 $this->allow_upload_token_auth = (bool) $args['allow_upload_token_auth'];
+ $this->require_rewind_auth = isset( $args['require_rewind_auth'] ) ? (bool) $args['require_rewind_auth'] : false;
 $this->version = $args['version'];
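Review bot: The docblock on `$require_rewind_auth` (first hunk) does not say that this flag narrows access, while the neighbouring `$allow_upload_token_auth` reads as one that widens it, and it does not say what the default of `false` means. I would spell that out, for example `@var bool When true, only requests authenticated with a Rewind auth token may call this endpoint; false (the default) applies no Rewind restriction.` The check that reads this property is not part of this diff, so the comment could also name where it is enforced once that is confirmed. The property is public and so can be changed after construction; the class body continues outside the hunk.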
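Review bot: The `isset( ... ) ? ... : false` fallback in the second hunk makes this restriction fail open: an endpoint definition that omits the key or misspells it is registered with no Rewind requirement and nothing reports it. The sibling flags are read without a guard, which suggests they get their defaults from the `$defaults` array partly visible in the first hunk; if so, adding `'require_rewind_auth' => false,` there and assigning `$this->require_rewind_auth = (bool) $args['require_rewind_auth'];` would keep the key optional and consistent with them. Since nothing in this diff enforces the flag, a test asserting that the helper-script endpoints reject a request without a Rewind token would protect against a silent regression. The constructor begins and ends outside the hunk.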