Automattic / Co-Authors-Plus

Multiple bylines and Guest Authors for WordPress
https://wordpress.org/plugins/co-authors-plus/
GNU General Public License v2.0

Add back /wp/v2/coauthors endpoint removed in #851 #899

Closed sbcatania closed 1 year ago

sbcatania commented 1 year ago

Description

In #851, the /wp/v2/coauthors endpoint was removed from the plugin. However, this was a breaking change because this endpoint was used by some to make some WordPress plugins function and more importantly to be consumed by external applications like mobile apps to get full author information for posts. The endpoint's removal prevents some users of the plugin from updating it to the latest version because the change breaks their existing application, thus preventing them from accessing the latest in security and other improvements!

For context, this endpoint was originally added in #790. It seems like people's usage of it has exceeded the original intended use, but it was still a breaking change because of that to remove it. Thank you for your consideration!

Deploy Notes

No new dependencies.

Steps to Test

Since this re-enables a feature that was previously and recently integrated in the plugin, it should work correctly. It can be tested via accessing the endpoint at /wp/v2/coauthors

rebeccahum commented 1 year ago

@sbcatania This endpoint was removed because of the information disclosure vulnerability, as emails of guest authors were being leaked by it.

sbcatania commented 1 year ago

Hi @rebeccahum , thank you so much for the clarification and additional context here! That sounds like an important vulnerability and very serious issue. Is it possible for the endpoint to still exist but just not include the email addresses in the API response? I think that would be beneficial to users of the plugin to mitigate breaking changes caused by this endpoint's removal.
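One way to implement the mitigation proposed above (keep the endpoint, never emit email addresses) is to build the response from an explicit allowlist of public fields rather than serializing the author object and removing `user_email` afterwards. The following is an added example written for this discussion; it is not the plugin's own code and not the code in this PR. It assumes the Co-Authors Plus template function `get_coauthors( $post_id )` returns author objects with properties such as `ID`, `display_name` and `user_nicename`, and uses only WordPress core REST APIs (`register_rest_route`, `WP_REST_Request`, `rest_ensure_response`). The route path and the `post_id` parameter are this example's own choices.

```php
<?php
// Added example (not Co-Authors Plus code): a read-only /wp/v2/coauthors route
// that returns only allowlisted public author fields. Because the response is
// built field-by-field from this list, user_email (or any other private field
// added to the author object later) can never reach the client.

// Fields considered safe for anonymous consumers. Anything not listed is dropped.
const CAP_EXAMPLE_PUBLIC_FIELDS = array( 'ID', 'display_name', 'user_nicename', 'website', 'description' );

/**
 * Reduce an author object (WP_User or Co-Authors Plus guest-author object) to
 * the allowlisted public fields. Missing fields are simply omitted.
 */
function cap_example_public_author( $author ) {
	$out = array();
	foreach ( CAP_EXAMPLE_PUBLIC_FIELDS as $field ) {
		if ( isset( $author->$field ) ) {
			$out[ $field ] = $author->$field;
		}
	}
	return $out;
}

/**
 * REST callback: co-authors of a single published post.
 * Unpublished posts are treated as not found so the route does not reveal
 * who is attached to drafts or private posts.
 */
function cap_example_get_coauthors( WP_REST_Request $request ) {
	$post_id = (int) $request->get_param( 'post_id' );

	if ( $post_id <= 0 || 'publish' !== get_post_status( $post_id ) ) {
		return new WP_Error( 'cap_example_not_found', 'Post not found.', array( 'status' => 404 ) );
	}

	// Assumption: get_coauthors() is provided by Co-Authors Plus when active.
	if ( ! function_exists( 'get_coauthors' ) ) {
		return new WP_Error( 'cap_example_unavailable', 'Co-Authors Plus is not active.', array( 'status' => 501 ) );
	}

	$authors = array_map( 'cap_example_public_author', get_coauthors( $post_id ) );

	return rest_ensure_response( array_values( $authors ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'wp/v2', '/coauthors', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'cap_example_get_coauthors',
		// Public read, matching the visibility of published post data.
		'permission_callback' => '__return_true',
		'args'                => array(
			'post_id' => array(
				'required'          => true,
				'type'              => 'integer',
				'sanitize_callback' => 'absint',
			),
		),
	) );
} );
```

A request such as `GET /wp-json/wp/v2/coauthors?post_id=123` then returns only the listed fields for each co-author of a published post. The allowlist is the security-relevant part: a denylist that strips `user_email` would silently start leaking again the moment another private property is added to the author object, whereas an allowlist fails closed.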

sbcatania commented 1 year ago

Hey @rebeccahum and @lschuyler, I hope you're both doing well! I was wondering if there were updates on this in response to my previous comment. I would love to find a way to address the security concerns while also preventing breaking changes and I think that not including the email address in the API response could help with this.

rebeccahum commented 1 year ago

@sbcatania Yep, did you want to update the PR with those changes?

MatthewTurk247 commented 1 year ago

Hey @rebeccahum, I have been working with @sbcatania on bringing back the /wp/v2/coauthors endpoint. We have now made all the changes that we believe are sufficient to enable the endpoint while eliminating the email-related disclosure vulnerabilities. What are the next steps?

sbcatania commented 1 year ago

Hey @rebeccahum and @lschuyler, I hope you're both doing well! I think we've successfully updated our code to fix the issues you raised, would love to know if there's anything we could do to help this move along :)

sbcatania commented 1 year ago

Hi @rebeccahum and @lschuyler, thank you so much for your hard work maintaining this repo. Please let me know if there's anything else we can do here or if we should contact someone else to review these changes. Otherwise, we would love to have these changes merged!

rebeccahum commented 1 year ago

Closing in favour of #931.