Automattic / jetpack

Security, performance, marketing, and design tools — Jetpack is made by WordPress experts to make WP sites safer and faster, and help you grow your traffic.
https://jetpack.com/

WPCOM API: use Jetpack to authenticate when querying WordPress.com REST API endpoints #8347

Open TravisRothlisberger opened 6 years ago

TravisRothlisberger commented 6 years ago

Steps to reproduce the issue

This originated as a support request on the Jetpack plugin support forum but I was redirected here. See that discussion for additional details.

I am trying to use the authentication framework in Jetpack to reach the read/following/mine and read/liked endpoints on the WordPress.com REST API, with the end goal of producing a plugin that does something like the 'Blogs I Follow' and 'Posts I Like' widgets, but for a self-hosted site.

I started by following the advice to call Jetpack_Client::wpcom_json_api_request_as_blog('read/following/mine') and Jetpack_Client::wpcom_json_api_request_as_blog('read/liked') from a simple plugin and received a 403 response of "That API call is not allowed for this account". Upon review of the code I found that this call was using a blog_token and theorized that this could account for the authentication failure.

So I tweaked Jetpack_Client::wpcom_json_api_request_as_blog to allow me to pass a user_id argument through and supplied the value from both Jetpack_Options::get_option('master_user') and get_current_user_id() (which are the same) as the user_id. This produced a successful response from the read/following/mine endpoint but returned an empty subscriptions array despite my having a large collection of followed blogs accessed in the WordPress Reader. The read/liked endpoint returned a different 403 response of "An active access token must be used to query information about the current user."

What I expected

I was hoping that the authentication managed by Jetpack would give me access to the relevant endpoints for the WordPress.com API without having to build up a separate framework for managing authentication for a plugin, which appears to be a relatively substantial task without clear precedent outside of (possibly) Jetpack. I'm hopeful that perhaps this is still true, but I don't know where to look next.

What happened instead

See responses noted in the steps above.

Please advise on the feasibility of reaching the desired endpoints via the Jetpack authentication framework and on the proper modes of utilizing the framework to successfully access those endpoints. Thanks.

jeherve commented 6 years ago

I was hoping that the authentication managed by Jetpack would give me access to the relevant endpoints for the WordPress.com API without having to build up a separate framework for managing authentication for a plugin

We currently limit the list of endpoints that can be accessed when authenticating via Jetpack, since we do not query all endpoints in Jetpack. Which endpoints would you need to be able to query? Just read/following/mine and read/liked?


Internal reference: p3hLNG-ru-p2

TravisRothlisberger commented 6 years ago

Which endpoints would you need to be able to query? Just read/following/mine and read/liked?

Yes, those are the only endpoints I foresee wanting to query - assuming I am correctly interpreting those as corresponding to the content one would find in the 'Blogs I Follow' and 'Posts I Like' widgets on wordpress.com.

jeherve commented 6 years ago

Thank you.

This is being addressed internally in D8789-code.

TravisRothlisberger commented 6 years ago

Thanks. I don't know what "D8789-code" is referencing, so should I just assume that the only visibility comes through status updates on this issue?

jeherve commented 6 years ago

Yes, I will let you know as soon as we make the changes upstream!

stale[bot] commented 6 years ago

This issue has been marked as stale. This happened because:

No further action is needed. But it's worth checking if this ticket has clear reproduction steps and it is still reproducible. Feel free to close this issue if you think it's not valid anymore — if you do, please add a brief explanation.

TravisRothlisberger commented 6 years ago

@brbrr Thank you for removing the stale label. Do you by chance have any insight into whether this (or the corresponding D8789 code) will be implemented any time soon? I tried again using the new wpcom_json_api_request_as_user function and received a response recognizing my user account, but received {"code":"rest_no_route","message":"No route was found matching the URL and request method","data":{"status":404}} for both /read/liked and /read/following/mine. Thanks.
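A small wrapper that turns the three failure shapes reported in this thread (the 403 "not allowed for this account" from the blog-token call in the opening post, the 403 "active access token must be used" when a user-scoped endpoint is hit with the wrong token, and the 404 rest_no_route seen above with wpcom_json_api_request_as_user) into a loggable classification, as an added example that is not part of the thread or of Jetpack's own code. It assumes Jetpack_Client::wpcom_json_api_request_as_user() takes ( $path, $version, $args, $body, $base_api_path ) and returns either a WP_Error or a WP_Http-style array with 'response' => array( 'code' ) and 'body'; the version '1.1' and base path 'rest' are assumptions, and the sample responses at the bottom are constructed from the messages quoted in the issue, not captured from WordPress.com. The live call is guarded so the file can be run with the php CLI outside WordPress.

```php
<?php
/**
 * Added example, not Jetpack's own code. Assumptions: Jetpack_Client::wpcom_json_api_request_as_user()
 * signature ( $path, $version, $args, $body, $base_api_path ); responses are WP_Error or a
 * WP_Http-style array with 'response' => array( 'code' => int ) and 'body' => string.
 */

/**
 * Reduce a WordPress.com API response to a small summary safe to write to a log:
 * status, error code and message only, never the token or the raw request.
 */
function jetpack_classify_wpcom_response( $response ) {
	// Transport-level failure (DNS, TLS, timeout) surfaces as WP_Error inside WordPress.
	if ( is_object( $response ) && is_a( $response, 'WP_Error' ) ) {
		return array( 'ok' => false, 'kind' => 'transport', 'message' => $response->get_error_message() );
	}

	$code = isset( $response['response']['code'] ) ? (int) $response['response']['code'] : 0;
	$body = isset( $response['body'] ) ? json_decode( $response['body'], true ) : null;

	if ( 200 === $code ) {
		return array( 'ok' => true, 'kind' => 'success', 'data' => $body );
	}

	// v1-style errors use {"error","message"}; REST-style 404s use {"code","message","data":{"status"}}.
	$error_code = '';
	if ( is_array( $body ) ) {
		$error_code = isset( $body['code'] ) ? $body['code'] : ( isset( $body['error'] ) ? $body['error'] : '' );
	}
	$message = ( is_array( $body ) && isset( $body['message'] ) ) ? $body['message'] : '';

	if ( 403 === $code && false !== stripos( $message, 'active access token' ) ) {
		$kind = 'needs_user_token';      // blog token sent where a user token is required
	} elseif ( 403 === $code ) {
		$kind = 'endpoint_not_allowed';  // endpoint outside the list Jetpack permits for this token
	} elseif ( 404 === $code && 'rest_no_route' === $error_code ) {
		$kind = 'no_route';              // path is not routable through the Jetpack-authenticated proxy
	} else {
		$kind = 'http_' . $code;
	}

	return array( 'ok' => false, 'kind' => $kind, 'status' => $code, 'error' => $error_code, 'message' => $message );
}

/**
 * Live call, only when running inside WordPress with Jetpack loaded. Uses the
 * user-scoped request so the connected user's token (not the blog token) is sent.
 * Version '1.1' and base path 'rest' are assumptions for this example.
 */
function jetpack_example_fetch_reader_path( $path ) {
	if ( ! class_exists( 'Jetpack_Client' ) || ! method_exists( 'Jetpack_Client', 'wpcom_json_api_request_as_user' ) ) {
		return array( 'ok' => false, 'kind' => 'jetpack_unavailable' );
	}
	$response = Jetpack_Client::wpcom_json_api_request_as_user( $path, '1.1', array( 'method' => 'GET' ), null, 'rest' );
	return jetpack_classify_wpcom_response( $response );
}

// Constructed sample responses mirroring the messages reported in this issue (not real captures).
$samples = array(
	'blog_token_403'   => array(
		'response' => array( 'code' => 403 ),
		'body'     => '{"error":"unauthorized","message":"That API call is not allowed for this account"}',
	),
	'user_token_403'   => array(
		'response' => array( 'code' => 403 ),
		'body'     => '{"error":"unauthorized","message":"An active access token must be used to query information about the current user."}',
	),
	'no_route_404'     => array(
		'response' => array( 'code' => 404 ),
		'body'     => '{"code":"rest_no_route","message":"No route was found matching the URL and request method","data":{"status":404}}',
	),
	'empty_following'  => array(
		'response' => array( 'code' => 200 ),
		'body'     => '{"subscriptions":[]}',
	),
);

foreach ( $samples as $name => $sample ) {
	$result = jetpack_classify_wpcom_response( $sample );
	printf( "%-16s -> %s\n", $name, $result['kind'] );
}
// Expected kinds: endpoint_not_allowed, needs_user_token, no_route, success.
```

The 'empty_following' sample is the case from the opening post where the call succeeds but returns no subscriptions: it classifies as success, so a plugin should treat an empty array as a data question (which token's identity the endpoint saw), not as an authentication failure.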

brbrr commented 6 years ago

Hi there, Unfortunately, we are not planning to address this issue in the near future. We will update this ticket as soon as we are going to work on this.

stale[bot] commented 5 years ago

This issue has been marked as stale. This happened because:

No further action is needed. But it's worth checking if this ticket has clear reproduction steps and it is still reproducible. Feel free to close this issue if you think it's not valid anymore — if you do, please add a brief explanation.