Signature: Move HTTP request signing to a filter #1994

Merged: obenland merged 8 commits into trunk from update/signature-callbacks on Jul 25, 2025

Conversation

obenland
Member

Follow up to #1986 and #1991.

Moves double-knock into a filter that's always set.
With Signature getting an init callback, we can now also move the signing logic into a hook callback.

Proposed changes:

  • Moved HTTP request signing to a filter in Signature::init and removed direct calls from Http class.
  • Updated Signature class to add filters for signing and double knock logic.
  • Adjusted tests to use filter-based approach for signature verification.

Other information:

  • Have you written new tests for your changes, if applicable?

Testing instructions:

  • Go to '..'

Changelog entry

  • Automatically create a changelog entry from the details below.
Changelog Entry Details

Significance

  • Patch
  • Minor
  • Major

Type

  • Added - for new features
  • Changed - for changes in existing functionality
  • Deprecated - for soon-to-be removed features
  • Removed - for now removed features
  • Fixed - for any bug fixes
  • Security - in case of vulnerabilities

Message

Moved HTTP request signing to a filter instead of calling it directly.

Moved HTTP request signing to a filter in Signature::init and removed direct calls from Http class. Updated Signature class to add filters for signing and double knock logic. Adjusted tests to use filter-based approach for signature verification.
@obenland obenland requested a review from pfefferle July 23, 2025 19:07
@obenland obenland self-assigned this Jul 23, 2025
@Copilot Copilot AI review requested due to automatic review settings July 23, 2025 19:07
@Copilot Copilot AI left a comment

Pull Request Overview

This PR refactors HTTP request signing logic from direct method calls to a filter-based approach, improving code organization and consistency. The changes move signature handling into filters that are automatically applied to all HTTP requests.

  • Moves HTTP request signing from direct calls in Http class to a filter in Signature::init()
  • Implements automatic double-knock fallback logic through HTTP response filtering
  • Updates test infrastructure to work with the new filter-based approach

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File: Description

  • activitypub.php: Adds Signature::init() to the initialization sequence
  • includes/class-signature.php: Implements init() method with filters for request signing and double-knock logic
  • includes/class-http.php: Removes direct Signature::sign_request() calls and redundant method specifications
  • tests/includes/class-test-signature.php: Updates test to use specific filter removal instead of remove_all_filters

Comments suppressed due to low confidence (1)

includes/class-signature.php:38

  • The removed wp_parse_args() call that sets default method and Date header is essential for signature generation. Without these defaults, the signing process may fail when these values are not provided by the caller.
	public static function sign_request( $args, $url ) {

@pfefferle
Member

You remove the method from the $args but it seems that Http_Signature_Draft is still using it in line 49.

I wonder why the tests are green 🤔

@pfefferle
Member

Ah, the test is still adding the method in the $args array!

@obenland
Member Author

Yes, that would be expected. Tests create signatures manually to sign "incoming" requests and they need the method provided.

When signing outgoing requests, http_request_args has a method set in those request args, GET by default, and any specific method based on the type of request is sent (post, head).

pfefferle
pfefferle previously approved these changes Jul 24, 2025
@pfefferle
Member

nice job!

pfefferle and others added 3 commits July 24, 2025 15:24
Updated signature-related tests to apply the 'http_request_args' filter directly instead of invoking the sign() method. Also added setup and cleanup for the 'activitypub_rfc9421_signature' option in the RFC9421 test to ensure proper test isolation.
@obenland obenland merged commit dcc2864 into trunk Jul 25, 2025
11 checks passed
@obenland obenland deleted the update/signature-callbacks branch July 25, 2025 12:57
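
The question discussed in this thread, whether a signer hooked to http_request_args can count on a method and a Date being present, shown as an added example that is not the plugin's code. The function names, key, key id and URL are constructed, the hook shim stands in for WordPress, and the draft-cavage style signing string over (request-target), host and date is an assumption of this sketch; it needs PHP's openssl extension.

```php
<?php
// Added example, not the plugin's code. Stand-ins for WordPress's hook API
// so the sketch runs under the PHP CLI without WordPress loaded.
if ( ! function_exists( 'add_filter' ) ) {
	function add_filter( $tag, $cb, $priority = 10, $accepted_args = 1 ) {
		$GLOBALS['example_hooks'][ $tag ][] = $cb;
	}
	function apply_filters( $tag, $value, ...$rest ) {
		foreach ( $GLOBALS['example_hooks'][ $tag ] ?? array() as $cb ) {
			$value = $cb( $value, ...$rest );
		}
		return $value;
	}
}

// Signing string in the draft-cavage style (assumed format for this sketch).
function example_signing_string( $args, $url ) {
	$p      = parse_url( $url );
	$target = strtolower( $args['method'] ) . ' ' . ( $p['path'] ?? '/' )
		. ( isset( $p['query'] ) ? '?' . $p['query'] : '' );
	return "(request-target): $target\nhost: {$p['host']}\ndate: {$args['headers']['Date']}";
}

// Hypothetical filter callback: fill in what gets signed, then sign.
function example_sign_request( $args, $url ) {
	$args['method']          = strtoupper( $args['method'] ?? 'GET' );
	$args['headers']         = (array) ( $args['headers'] ?? array() );
	$args['headers']['Date'] = $args['headers']['Date'] ?? gmdate( 'D, d M Y H:i:s T' );
	openssl_sign( example_signing_string( $args, $url ), $sig, $GLOBALS['example_key'], OPENSSL_ALGO_SHA256 );
	$args['headers']['Signature'] = sprintf(
		'keyId="%s",algorithm="rsa-sha256",headers="(request-target) host date",signature="%s"',
		'https://example.org/actor#main-key', // constructed key id
		base64_encode( $sig )
	);
	return $args;
}

$GLOBALS['example_key'] = openssl_pkey_new( array( 'private_key_bits' => 2048 ) ); // throwaway key
add_filter( 'http_request_args', 'example_sign_request', 10, 2 );

// A caller that sets neither method nor Date.
$url    = 'https://remote.example/users/alice?page=1';
$signed = apply_filters( 'http_request_args', array(), $url );

// Receiver side: rebuild the string from the request as sent, then verify.
preg_match( '/signature="([^"]+)"/', $signed['headers']['Signature'], $m );
$pub = openssl_pkey_get_details( $GLOBALS['example_key'] )['key'];
$ok  = openssl_verify( example_signing_string( $signed, $url ), base64_decode( $m[1] ), $pub, OPENSSL_ALGO_SHA256 );
echo $signed['method'], ' ', $signed['headers']['Date'], ' verified=', var_export( 1 === $ok, true ), "\n";
```

Because the callback writes the method and Date it signed back into the returned arguments, the request that goes out carries exactly the values covered by the signature.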