REST API: Add Authentication method based on Jetpack Signatures

[oskosk]

Part of Automattic/wp-calypso#9171.

Changes proposed in this Pull Request:

Adds a token based authentication mechanism for the REST API.

We already generate tokens for the users when they connect thir self-hosted account to a WordPress.com account by means of the Jetpack connection process.

Remarks about this implementation

• This implementation currently accepts WP API requests from the Jetpack server only

Testing instructions:

1. Ping Rocco on slack for running tests from the Jetpack server

Running Unit tests

In a proper WordPress testing environment, try this command:
phpunit --filter=test_jetpack_rest_api_authentication --debug

Why

We're going to implement Jetpack module settings in Calypso and this communication mechanism ensures that we can update the Jetpack site in real time without the need of going through the XML-RPC API.

Proposed changelog entry for your changes:

Adds a token based authentication mechanism to the REST API in order for the site to be able to receive authenticated requests from WordPress.com

[roccotripaldi]

I haven't actually tested this yet. But it seems like a great start. I left a few comments.

[roccotripaldi]

Perhaps we should do
if ( Jetpack::is_active() && defined( 'REST_REQUEST' ) ) {

to limit these filters to rest request.

[roccotripaldi]

Does it have to be a $_GET param?
Could it instead be an actual authorization header? Should we support both?

[oskosk]

I'd vote for the header alternative

[nylen]

It looks like this sends user tokens unencrypted, which seems problematic for non-HTTPS sites. Does the existing XMLRPC-based authentication do this too?

[oskosk]

Thanks for the recommendations. I've just updated this PR description to take in account latest comments.

Note This PR was created as a kick-off for an implementation of securing the REST API with a mechanism that is currently not supported, so if you reach here please take in account those observations under Remarks about this implementation as they represent things that would need to be addressed for this implementation to be solid.

[nylen]

this practice sends the token unencrypted even when using SSL

GET parameters, along with the request URL itself, are encrypted in SSL requests.

sending it in a header, as @roccotripaldi mentions is the way to go

Using a header, the token would still be sent in plaintext over HTTP, which is not a great idea.

I assume that our existing XMLRPC auth strategy has some form of encryption and/or request signing for this reason. Unfortunately I'm not the person to ask about how that works, but this possible lack of transport-level encryption is why the OAuth1 flow and request signing mechanism look the way they do.

[nb]

We should definitely try and re-use as much as possible from the XML-RPC authentication. @mdawaffe might be able to help out with some specifics.

[mdawaffe]

These Jetpack tokens can't be included "raw" in requests, for the reasons others have outlined above.

This is why Jetpack uses the Jetpack_Signature class both when making requests from the site to WP.com and when making requests from WP.com to the site. It's similar to OAuth1 signatures in that the secrets are never transmitted, only HMACs are.

(The full background: Jetpack_Signature is an implementation of OAuth2 MAC, which never took off, with some tiny differences since MAC was only ever envisioned as a means of one way communication, whereas Jetpack needs to be able to make requests in either direction.)

Though we mostly only use Jetpack_Signature for XML-RPC, we should be able to use it for REST requests as well.

A few things that will need to happen:

• Make sure $HTTP_RAW_POST_DATA is available when we need it. For XML-RPC requests, we have some hacks to make sure it's available. It's possible the file_get_contents( 'php://input' ) call is good enough, but I'm not sure - it will need lots of testing in various environments.
• The Jetpack::verify_xml_rpc_signature() method should work fine for incoming REST API requests, though we should consider renaming it and some of its variables.
• Jetpack_Client::remote_request() in the plugin can be used to build a signed request to WP.com, and Jetpack_Client::remote_request() on WP.com (largely the same code) can be used to build a signed request to the Jetpack site.

[nylen]

Make sure $HTTP_RAW_POST_DATA is available when we need it

The method to use for this is WP_REST_Request::get_body() which is populated by WP_REST_Server::get_raw_data().

If there are further changes needed there for different environments, let's get these changes into WP core as well.

[DanReyLop]

I was using WordPress 4.5.4 and REST_REQUEST was not defined. Same thing happened in WordPress 4.6.1.

I've put some var_dump() here and there, and what is happening is that this code is being executed, and after that, wp-includes/rest-api.php#rest_api_loaded() is executed (and the REST_REQUEST constant is set).

Which version of WordPress did you use to test this?

[oskosk]

I was using 4.5 But I didn't update the code here to move the hooking to a safe place yet. I've just labeled this PR to "In Progress" as there's a lot to be changed.

[roccotripaldi]

I added a commit to address @DanReyLop 's feedback.

I get this when trying to run the curl request in the testing instructions above:
{"code":"rest_forbidden","message":"Sorry, you are not allowed to do that.","data":{"status":403}}

But i was also getting that prior to my commit. I think if we start addressing the feedback from @nb and @mdawaffe we will be on the right track. i'm happy to help out this week. :)

[roccotripaldi]

Testing instructions have been updated. Please ping me on Slack for how to run tests from the Jetpack server.

[tyxla]

Added a small comment, but this worked just fine for me, and looks great 👍

[tyxla]

! empty() will include a check for null values, so the ! is_null() check is now obsolete.

[roccotripaldi]

Good catch

[nylen]

This needs unit tests for requests with both valid and invalid signatures.

[nylen]

With the latest changes this is ready for review again.

[roccotripaldi]

High fives @nylen and @georgestephanis ! This looks good and works well. I think all concerns have been addressed. If George would give it a thumbs up, I am completely confident to merge.

[georgestephanis]

@nylen @roccotripaldi -- Last thing -- one thing I had to do with Application Passwords was this -- WordPress/application-passwords@4226502 -- because I was only allowing my override of determine_current_user to happen on rest api requests where the constant was defined -- which occasionally would happen before the constant was defined, so the old lack of a current user would get cached in the global. I don't /think/ that would be the case here -- would it?

edit: the code in the changeset linked above eventually changed to https://github.com/georgestephanis/application-passwords/blob/c975c312b4f448d6dab0d016e152ab75354d38cd/class.application-passwords.php#L40-L67

Apart from that, 💯

[samhotchkiss]

@vortfu is going to be reviewing shortly, once he signs off, let's go ahead and merge to master and branch-4.5

[nylen]

Discussed #5418 (comment) a bit with George via DM. This comment highlights the fact that we are currently running our auth logic on every request, but we should probably only be running it for a REST_REQUEST like Application Passwords does.

As George points out, this is a bit tricky, because the determine_current_user filter runs before the REST_REQUEST constant is defined. To get around that, we can unset the $current_user global soon after the constant is defined, which will cause the next call to wp_get_current_user() to call determine_current_user again (ref).

@samhotchkiss Let me know if y'all would like to fix this here or in a separate PR, either one should be fine.

[samhotchkiss]

@nylen -- if you can fix here in the next couple of hours, that's 👍

[nylen]

So, I am a little bit uncomfortable with adding the $current_user hackery without further testing of this PR. Most requests would have been fine as-is, because they wouldn't have ?token or ?signature params so they would quickly be ignored. And XMLRPC requests are fine because determine_current_user does not run under XMLRPC: https://github.com/WordPress/wordpress-develop/blob/4.7.0/src/wp-includes/user.php#L2506-L2509

Where we might have run into problems is if someone did another API request (unrelated to Jetpack) that happened to contain a ?token or ?signature parameter. These would have caused our new auth method to kick in and raise an error.

In 1937dcd I addressed this by following the existing convention of a ?for=jetpack parameter, but I'm calling it ?_for=jetpack instead because the leading underscore denotes a WP REST API "meta" or "internal" parameter that individual API endpoints shouldn't care about.

Note - this new parameter will require changes to existing WP.com server code. See D3926-code.

I still think this is good to ship. Possible future enhancements:

• Only run our determine_current_user filter if the REST_REQUEST constant is defined, using a similar approach to the application passwords plugin. This is more complicated, though, and for what we will need this code to do, I think ?_for=jetpack will be fine.
• Make it possible to pass token and signature parameters (and a few others like body-hash) to WP REST API endpoints. This will currently be problematic because these parameters are used by the authentication scheme. We can either hack around this later or just avoid using these parameter names.

[roccotripaldi]

Note - this new parameter will require changes to existing WP.com server code. See D3926-code.

@nylen : noted. Thanks.