class.json-api.php — Jetpack – WP Security, Backup, Speed, & Growth 13.3.2

jetpack / class.json-api.php

jetpack Last commit date

class.json-api.php

1253 lines

1	<?php // phpcs:ignore WordPress.Files.FileName.InvalidClassFileName
2	/**
3	* Jetpack JSON API.
4	*
5	* @package automattic/jetpack
6	*/
7
8	use Automattic\Jetpack\Status;
9
10	if ( ! defined( 'WPCOM_JSON_API__DEBUG' ) ) {
11	define( 'WPCOM_JSON_API__DEBUG', false );
12	}
13
14	require_once __DIR__ . '/sal/class.json-api-platform.php';
15
16	/**
17	* Jetpack JSON API.
18	*/
19	class WPCOM_JSON_API {
20	/**
21	* Static instance.
22	*
23	* @todo This should be private.
24	* @var self\|null
25	*/
26	public static $self = null;
27
28	/**
29	* Registered endpoints.
30	*
31	* @var WPCOM_JSON_API_Endpoint[]
32	*/
33	public $endpoints = array();
34
35	/**
36	* Endpoint being processed.
37	*
38	* @var WPCOM_JSON_API_Endpoint
39	*/
40	public $endpoint = null;
41
42	/**
43	* Token details.
44	*
45	* @var array
46	*/
47	public $token_details = array();
48
49	/**
50	* Request HTTP method.
51	*
52	* @var string
53	*/
54	public $method = '';
55
56	/**
57	* Request URL.
58	*
59	* @var string
60	*/
61	public $url = '';
62
63	/**
64	* Path part of the request URL.
65	*
66	* @var string
67	*/
68	public $path = '';
69
70	/**
71	* Version extracted from the request URL.
72	*
73	* @var string\|null
74	*/
75	public $version = null;
76
77	/**
78	* Parsed query data.
79	*
80	* @var array
81	*/
82	public $query = array();
83
84	/**
85	* Post body, if the request is a POST.
86	*
87	* @var string\|null
88	*/
89	public $post_body = null;
90
91	/**
92	* Copy of `$_FILES` if the request is a POST.
93	*
94	* @var null\|array
95	*/
96	public $files = null;
97
98	/**
99	* Content type of the request.
100	*
101	* @var string\|null
102	*/
103	public $content_type = null;
104
105	/**
106	* Value of `$_SERVER['HTTP_ACCEPT']`, if any
107	*
108	* @var string
109	*/
110	public $accept = '';
111
112	/**
113	* Value of `$_SERVER['HTTPS']`, or "--UNset--" if unset.
114	*
115	* @var string
116	*/
117	public $_server_https; // phpcs:ignore PSR2.Classes.PropertyDeclaration.Underscore
118
119	/**
120	* Whether to exit after serving a response.
121	*
122	* @var bool
123	*/
124	public $exit = true;
125
126	/**
127	* Public API scheme.
128	*
129	* @var string
130	*/
131	public $public_api_scheme = 'https';
132
133	/**
134	* Output status code.
135	*
136	* @var int
137	*/
138	public $output_status_code = 200;
139
140	/**
141	* Trapped error.
142	*
143	* @var null\|array
144	*/
145	public $trapped_error = null;
146
147	/**
148	* Whether output has been done.
149	*
150	* @var bool
151	*/
152	public $did_output = false;
153
154	/**
155	* Extra HTTP headers.
156	*
157	* @var string
158	*/
159	public $extra_headers = array();
160
161	/**
162	* AMP source origin.
163	*
164	* @var string
165	*/
166	public $amp_source_origin = null;
167
168	/**
169	* Initialize.
170	*
171	* @param string\|null $method As for `$this->setup_inputs()`.
172	* @param string\|null $url As for `$this->setup_inputs()`.
173	* @param string\|null $post_body As for `$this->setup_inputs()`.
174	* @return WPCOM_JSON_API instance
175	*/
176	public static function init( $method = null, $url = null, $post_body = null ) {
177	if ( ! self::$self ) {
178	self::$self = new static( $method, $url, $post_body );
179	}
180	return self::$self;
181	}
182
183	/**
184	* Add an endpoint.
185	*
186	* @param WPCOM_JSON_API_Endpoint $endpoint Endpoint to add.
187	*/
188	public function add( WPCOM_JSON_API_Endpoint $endpoint ) {
189	// @todo Determine if anything depends on this being serialized rather than e.g. JSON.
190	// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_serialize -- Legacy, possibly depended on elsewhere.
191	$path_versions = serialize(
192	array(
193	$endpoint->path,
194	$endpoint->min_version,
195	$endpoint->max_version,
196	)
197	);
198	if ( ! isset( $this->endpoints[ $path_versions ] ) ) {
199	$this->endpoints[ $path_versions ] = array();
200	}
201	$this->endpoints[ $path_versions ][ $endpoint->method ] = $endpoint;
202	}
203
204	/**
205	* Determine if a string is truthy. If it's not a string, which can happen with
206	* not well-formed data coming from Jetpack sites, we still consider it a truthy value.
207	*
208	* @param mixed $value true, 1, "1", "t", and "true" (case insensitive) are truthy, everything else isn't.
209	* @return bool
210	*/
211	public static function is_truthy( $value ) {
212	if ( true === $value ) {
213	return true;
214	}
215
216	if ( 1 === $value ) {
217	return true;
218	}
219
220	if ( ! is_string( $value ) ) {
221	return false;
222	}
223
224	switch ( strtolower( (string) $value ) ) {
225	case '1':
226	case 't':
227	case 'true':
228	return true;
229	}
230
231	return false;
232	}
233
234	/**
235	* Determine if a string is falsey.
236	*
237	* @param mixed $value false, 0, "0", "f", and "false" (case insensitive) are falsey, everything else isn't.
238	* @return bool
239	*/
240	public static function is_falsy( $value ) {
241	if ( false === $value ) {
242	return true;
243	}
244
245	if ( 0 === $value ) {
246	return true;
247	}
248
249	if ( ! is_string( $value ) ) {
250	return false;
251	}
252
253	switch ( strtolower( (string) $value ) ) {
254	case '0':
255	case 'f':
256	case 'false':
257	return true;
258	}
259
260	return false;
261	}
262
263	/**
264	* Constructor.
265	*
266	* @todo This should be private.
267	* @param string\|null $method As for `$this->setup_inputs()`.
268	* @param string\|null $url As for `$this->setup_inputs()`.
269	* @param string\|null $post_body As for `$this->setup_inputs()`.
270	*/
271	public function __construct( $method = null, $url = null, $post_body = null ) {
272	$this->setup_inputs( $method, $url, $post_body );
273	}
274
275	/**
276	* Setup inputs.
277	*
278	* @param string\|null $method Request HTTP method. Fetched from `$_SERVER` if null.
279	* @param string\|null $url URL requested. Determined from `$_SERVER` if null.
280	* @param string\|null $post_body POST body. Read from `php://input` if null and method is POST.
281	*/
282	public function setup_inputs( $method = null, $url = null, $post_body = null ) {
283	if ( $method === null ) {
284	$this->method = isset( $_SERVER['REQUEST_METHOD'] ) ? strtoupper( filter_var( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) ) : '';
285	} else {
286	$this->method = strtoupper( $method );
287	}
288	if ( $url === null ) {
289	// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sniff misses the esc_url_raw.
290	$this->url = esc_url_raw( set_url_scheme( 'http://' . ( isset( $_SERVER['HTTP_HOST'] ) ? wp_unslash( $_SERVER['HTTP_HOST'] ) : '' ) . ( isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '' ) ) );
291	} else {
292	$this->url = $url;
293	}
294
295	$parsed = wp_parse_url( $this->url );
296	if ( ! empty( $parsed['path'] ) ) {
297	$this->path = $parsed['path'];
298	}
299
300	if ( ! empty( $parsed['query'] ) ) {
301	wp_parse_str( $parsed['query'], $this->query );
302	}
303
304	if ( ! empty( $_SERVER['HTTP_ACCEPT'] ) ) {
305	$this->accept = filter_var( wp_unslash( $_SERVER['HTTP_ACCEPT'] ) );
306	}
307
308	if ( 'POST' === $this->method ) {
309	if ( $post_body === null ) {
310	$this->post_body = file_get_contents( 'php://input' );
311
312	if ( ! empty( $_SERVER['HTTP_CONTENT_TYPE'] ) ) {
313	$this->content_type = filter_var( wp_unslash( $_SERVER['HTTP_CONTENT_TYPE'] ) );
314	} elseif ( ! empty( $_SERVER['CONTENT_TYPE'] ) ) {
315	$this->content_type = filter_var( wp_unslash( $_SERVER['CONTENT_TYPE'] ) );
316	} elseif ( isset( $this->post_body[0] ) && '{' === $this->post_body[0] ) {
317	$this->content_type = 'application/json';
318	} else {
319	$this->content_type = 'application/x-www-form-urlencoded';
320	}
321
322	if ( str_starts_with( strtolower( $this->content_type ), 'multipart/' ) ) {
323	// phpcs:ignore WordPress.Security.NonceVerification.Missing
324	$this->post_body = http_build_query( stripslashes_deep( $_POST ) );
325	$this->files = $_FILES;
326	$this->content_type = 'multipart/form-data';
327	}
328	} else {
329	$this->post_body = $post_body;
330	$this->content_type = isset( $this->post_body[0] ) && '{' === $this->post_body[0] ? 'application/json' : 'application/x-www-form-urlencoded';
331	}
332	} else {
333	$this->post_body = null;
334	$this->content_type = null;
335	}
336
337	$this->_server_https = array_key_exists( 'HTTPS', $_SERVER ) ? filter_var( wp_unslash( $_SERVER['HTTPS'] ) ) : '--UNset--';
338	}
339
340	/**
341	* Initialize.
342	*
343	* @return null\|WP_Error (although this implementation always returns null)
344	*/
345	public function initialize() {
346	$this->token_details['blog_id'] = Jetpack_Options::get_option( 'id' );
347	return null;
348	}
349
350	/**
351	* Checks if the current request is authorized with a blog token.
352	* This method is overridden by a child class in WPCOM.
353	*
354	* @since 9.1.0
355	*
356	* @param boolean\|int $site_id The site id.
357	* @return boolean
358	*/
359	public function is_jetpack_authorized_for_site( $site_id = false ) {
360	if ( ! $this->token_details ) {
361	return false;
362	}
363
364	$token_details = (object) $this->token_details;
365
366	$site_in_token = (int) $token_details->blog_id;
367
368	if ( $site_in_token < 1 ) {
369	return false;
370	}
371
372	if ( $site_id && $site_in_token !== (int) $site_id ) {
373	return false;
374	}
375
376	if ( (int) get_current_user_id() !== 0 ) {
377	// If Jetpack blog token is used, no logged-in user should exist.
378	return false;
379	}
380
381	return true;
382	}
383
384	/**
385	* Serve.
386	*
387	* @param bool $exit Whether to exit.
388	* @return string\|null Content type (assuming it didn't exit), or null in certain error cases.
389	*/
390	public function serve( $exit = true ) {
391	ini_set( 'display_errors', false ); // phpcs:ignore WordPress.PHP.IniSet.display_errors_Blacklisted
392
393	$this->exit = (bool) $exit;
394
395	// This was causing problems with Jetpack, but is necessary for wpcom
396	// @see https://github.com/Automattic/jetpack/pull/2603
397	// @see r124548-wpcom .
398	if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
399	add_filter( 'home_url', array( $this, 'ensure_http_scheme_of_home_url' ), 10, 3 );
400	}
401
402	add_filter( 'user_can_richedit', '__return_true' );
403
404	add_filter( 'comment_edit_pre', array( $this, 'comment_edit_pre' ) );
405
406	$initialization = $this->initialize();
407	if ( 'OPTIONS' === $this->method ) {
408	/**
409	* Fires before the page output.
410	* Can be used to specify custom header options.
411	*
412	* @module json-api
413	*
414	* @since 3.1.0
415	*/
416	do_action( 'wpcom_json_api_options' );
417	return $this->output( 200, '', 'text/plain' );
418	}
419
420	if ( is_wp_error( $initialization ) ) {
421	$this->output_error( $initialization );
422	return;
423	}
424
425	// Normalize path and extract API version.
426	$this->path = untrailingslashit( $this->path );
427	if ( preg_match( '#^/rest/v(\d+(\.\d+)*)#', $this->path, $matches ) ) {
428	$this->path = substr( $this->path, strlen( $matches[0] ) );
429	$this->version = $matches[1];
430	}
431
432	$allowed_methods = array( 'GET', 'POST' );
433	$four_oh_five = false;
434
435	$is_help = preg_match( '#/help/?$#i', $this->path );
436	$matching_endpoints = array();
437
438	if ( $is_help ) {
439	$origin = get_http_origin();
440
441	if ( ! empty( $origin ) && 'GET' === $this->method ) {
442	header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
443	}
444
445	$this->path = substr( rtrim( $this->path, '/' ), 0, -5 );
446	// Show help for all matching endpoints regardless of method.
447	$methods = $allowed_methods;
448	$find_all_matching_endpoints = true;
449	// How deep to truncate each endpoint's path to see if it matches this help request.
450	$depth = substr_count( $this->path, '/' ) + 1;
451	if ( false !== stripos( $this->accept, 'javascript' ) \|\| false !== stripos( $this->accept, 'json' ) ) {
452	$help_content_type = 'json';
453	} else {
454	$help_content_type = 'html';
455	}
456	} elseif ( in_array( $this->method, $allowed_methods, true ) ) {
457	// Only serve requested method.
458	$methods = array( $this->method );
459	$find_all_matching_endpoints = false;
460	} else {
461	// We don't allow this requested method - find matching endpoints and send 405.
462	$methods = $allowed_methods;
463	$find_all_matching_endpoints = true;
464	$four_oh_five = true;
465	}
466
467	// Find which endpoint to serve.
468	$found = false;
469	foreach ( $this->endpoints as $endpoint_path_versions => $endpoints_by_method ) {
470	// @todo Determine if anything depends on this being serialized rather than e.g. JSON.
471	// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize -- Legacy, possibly depended on elsewhere.
472	$endpoint_path_versions = unserialize( $endpoint_path_versions );
473	$endpoint_path = $endpoint_path_versions[0];
474	$endpoint_min_version = $endpoint_path_versions[1];
475	$endpoint_max_version = $endpoint_path_versions[2];
476
477	// Make sure max_version is not less than min_version.
478	if ( version_compare( $endpoint_max_version, $endpoint_min_version, '<' ) ) {
479	$endpoint_max_version = $endpoint_min_version;
480	}
481
482	foreach ( $methods as $method ) {
483	if ( ! isset( $endpoints_by_method[ $method ] ) ) {
484	continue;
485	}
486
487	// Normalize.
488	$endpoint_path = untrailingslashit( $endpoint_path );
489	if ( $is_help ) {
490	// Truncate path at help depth.
491	$endpoint_path = implode( '/', array_slice( explode( '/', $endpoint_path ), 0, $depth ) );
492	}
493
494	// Generate regular expression from sprintf().
495	$endpoint_path_regex = str_replace( array( '%s', '%d' ), array( '([^/?&]+)', '(\d+)' ), $endpoint_path );
496
497	if ( ! preg_match( "#^$endpoint_path_regex\$#", $this->path, $path_pieces ) ) {
498	// This endpoint does not match the requested path.
499	continue;
500	}
501
502	if ( version_compare( $this->version, $endpoint_min_version, '<' ) \|\| version_compare( $this->version, $endpoint_max_version, '>' ) ) {
503	// This endpoint does not match the requested version.
504	continue;
505	}
506
507	$found = true;
508
509	if ( $find_all_matching_endpoints ) {
510	$matching_endpoints[] = array( $endpoints_by_method[ $method ], $path_pieces );
511	} else {
512	// The method parameters are now in $path_pieces.
513	$endpoint = $endpoints_by_method[ $method ];
514	break 2;
515	}
516	}
517	}
518
519	if ( ! $found ) {
520	return $this->output( 404, '', 'text/plain' );
521	}
522
523	if ( $four_oh_five ) {
524	$allowed_methods = array();
525	foreach ( $matching_endpoints as $matching_endpoint ) {
526	$allowed_methods[] = $matching_endpoint[0]->method;
527	}
528
529	header( 'Allow: ' . strtoupper( implode( ',', array_unique( $allowed_methods ) ) ) );
530	return $this->output(
531	405,
532	array(
533	'error' => 'not_allowed',
534	'error_message' => 'Method not allowed',
535	)
536	);
537	}
538
539	if ( $is_help ) {
540	/**
541	* Fires before the API output.
542	*
543	* @since 1.9.0
544	*
545	* @param string help.
546	*/
547	do_action( 'wpcom_json_api_output', 'help' );
548	$proxied = function_exists( 'wpcom_is_proxied_request' ) ? wpcom_is_proxied_request() : false;
549	if ( 'json' === $help_content_type ) {
550	$docs = array();
551	foreach ( $matching_endpoints as $matching_endpoint ) {
552	if ( $matching_endpoint[0]->is_publicly_documentable() \|\| $proxied \|\| WPCOM_JSON_API__DEBUG ) {
553	$docs[] = call_user_func( array( $matching_endpoint[0], 'generate_documentation' ) );
554	}
555	}
556	return $this->output( 200, $docs );
557	} else {
558	status_header( 200 );
559	foreach ( $matching_endpoints as $matching_endpoint ) {
560	if ( $matching_endpoint[0]->is_publicly_documentable() \|\| $proxied \|\| WPCOM_JSON_API__DEBUG ) {
561	call_user_func( array( $matching_endpoint[0], 'document' ) );
562	}
563	}
564	}
565	exit;
566	}
567
568	if ( $endpoint->in_testing && ! WPCOM_JSON_API__DEBUG ) {
569	return $this->output( 404, '', 'text/plain' );
570	}
571
572	/** This action is documented in class.json-api.php */
573	do_action( 'wpcom_json_api_output', $endpoint->stat );
574
575	$response = $this->process_request( $endpoint, $path_pieces );
576
577	if ( ! $response && ! is_array( $response ) ) {
578	return $this->output( 500, '', 'text/plain' );
579	} elseif ( is_wp_error( $response ) ) {
580	return $this->output_error( $response );
581	}
582
583	$output_status_code = $this->output_status_code;
584	$this->set_output_status_code();
585
586	return $this->output( $output_status_code, $response, 'application/json', $this->extra_headers );
587	}
588
589	/**
590	* Process a request.
591	*
592	* @param WPCOM_JSON_API_Endpoint $endpoint Endpoint.
593	* @param array $path_pieces Path pieces.
594	* @return array\|WP_Error Return value from the endpoint's callback.
595	*/
596	public function process_request( WPCOM_JSON_API_Endpoint $endpoint, $path_pieces ) {
597	$this->endpoint = $endpoint;
598	return call_user_func_array( array( $endpoint, 'callback' ), $path_pieces );
599	}
600
601	/**
602	* Output a response or error without exiting.
603	*
604	* @param int $status_code HTTP status code.
605	* @param mixed $response Response data.
606	* @param string $content_type Content type of the response.
607	*/
608	public function output_early( $status_code, $response = null, $content_type = 'application/json' ) {
609	$exit = $this->exit;
610	$this->exit = false;
611	if ( is_wp_error( $response ) ) {
612	$this->output_error( $response );
613	} else {
614	$this->output( $status_code, $response, $content_type );
615	}
616	$this->exit = $exit;
617	if ( ! defined( 'XMLRPC_REQUEST' ) \|\| ! XMLRPC_REQUEST ) {
618	$this->finish_request();
619	}
620	}
621
622	/**
623	* Set output status code.
624	*
625	* @param int $code HTTP status code.
626	*/
627	public function set_output_status_code( $code = 200 ) {
628	$this->output_status_code = $code;
629	}
630
631	/**
632	* Output a response.
633	*
634	* @param int $status_code HTTP status code.
635	* @param mixed $response Response data.
636	* @param string $content_type Content type of the response.
637	* @param array $extra Additional HTTP headers.
638	* @return string Content type (assuming it didn't exit).
639	*/
640	public function output( $status_code, $response = null, $content_type = 'application/json', $extra = array() ) {
641	$status_code = (int) $status_code;
642
643	// In case output() was called before the callback returned.
644	if ( $this->did_output ) {
645	if ( $this->exit ) {
646	exit;
647	}
648	return $content_type;
649	}
650	$this->did_output = true;
651
652	// 400s and 404s are allowed for all origins
653	if ( 404 === $status_code \|\| 400 === $status_code ) {
654	header( 'Access-Control-Allow-Origin: *' );
655	}
656
657	/* Add headers for form submission from <amp-form/> */
658	if ( $this->amp_source_origin ) {
659	header( 'Access-Control-Allow-Origin: ' . wp_unslash( $this->amp_source_origin ) );
660	header( 'Access-Control-Allow-Credentials: true' );
661	}
662
663	if ( $response === null ) {
664	$response = new stdClass();
665	}
666
667	if ( 'text/plain' === $content_type \|\|
668	'text/html' === $content_type ) {
669	status_header( (int) $status_code );
670	header( 'Content-Type: ' . $content_type );
671	foreach ( $extra as $key => $value ) {
672	header( "$key: $value" );
673	}
674	echo $response; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
675	if ( $this->exit ) {
676	exit;
677	}
678
679	return $content_type;
680	}
681
682	$response = $this->filter_fields( $response );
683
684	if ( isset( $this->query['http_envelope'] ) && self::is_truthy( $this->query['http_envelope'] ) ) {
685	$headers = array(
686	array(
687	'name' => 'Content-Type',
688	'value' => $content_type,
689	),
690	);
691
692	foreach ( $extra as $key => $value ) {
693	$headers[] = array(
694	'name' => $key,
695	'value' => $value,
696	);
697	}
698
699	$response = array(
700	'code' => (int) $status_code,
701	'headers' => $headers,
702	'body' => $response,
703	);
704	$status_code = 200;
705	$content_type = 'application/json';
706	}
707
708	status_header( (int) $status_code );
709	header( "Content-Type: $content_type" );
710	if ( isset( $this->query['callback'] ) && is_string( $this->query['callback'] ) ) {
711	$callback = preg_replace( '/[^a-z0-9_.]/i', '', $this->query['callback'] );
712	} else {
713	$callback = false;
714	}
715
716	if ( $callback ) {
717	// Mitigate Rosetta Flash [1] by setting the Content-Type-Options: nosniff header
718	// and by prepending the JSONP response with a JS comment.
719	// [1] <https://blog.miki.it/2014/7/8/abusing-jsonp-with-rosetta-flash/index.html>.
720	echo "/**/$callback("; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- This is JSONP output, not HTML.
721
722	}
723	echo $this->json_encode( $response ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- This is JSON or JSONP output, not HTML.
724	if ( $callback ) {
725	echo ');';
726	}
727
728	if ( $this->exit ) {
729	exit;
730	}
731
732	return $content_type;
733	}
734
735	/**
736	* Serialize an error.
737	*
738	* @param WP_Error $error Error.
739	* @return array with 'status_code' and 'errors' data.
740	*/
741	public static function serializable_error( $error ) {
742
743	$status_code = $error->get_error_data();
744
745	if ( is_array( $status_code ) && isset( $status_code['status_code'] ) ) {
746	$status_code = $status_code['status_code'];
747	}
748
749	if ( ! $status_code ) {
750	$status_code = 400;
751	}
752	$response = array(
753	'error' => $error->get_error_code(),
754	'message' => $error->get_error_message(),
755	);
756
757	$additional_data = $error->get_error_data( 'additional_data' );
758	if ( $additional_data ) {
759	$response['data'] = $additional_data;
760	}
761
762	return array(
763	'status_code' => $status_code,
764	'errors' => $response,
765	);
766	}
767
768	/**
769	* Output an error.
770	*
771	* @param WP_Error $error Error.
772	* @return string Content type (assuming it didn't exit).
773	*/
774	public function output_error( $error ) {
775	$error_response = static::serializable_error( $error );
776
777	return $this->output( $error_response['status_code'], $error_response['errors'] );
778	}
779
780	/**
781	* Filter fields in a response.
782	*
783	* @param array\|object $response Response.
784	* @return array\|object Filtered response.
785	*/
786	public function filter_fields( $response ) {
787	if ( empty( $this->query['fields'] ) \|\| ( is_array( $response ) && ! empty( $response['error'] ) ) \|\| ! empty( $this->endpoint->custom_fields_filtering ) ) {
788	return $response;
789	}
790
791	$fields = array_map( 'trim', explode( ',', $this->query['fields'] ) );
792
793	if ( is_object( $response ) ) {
794	$response = (array) $response;
795	}
796
797	$has_filtered = false;
798	if ( is_array( $response ) && empty( $response['ID'] ) ) {
799	$keys_to_filter = array(
800	'categories',
801	'comments',
802	'connections',
803	'domains',
804	'groups',
805	'likes',
806	'media',
807	'notes',
808	'posts',
809	'services',
810	'sites',
811	'suggestions',
812	'tags',
813	'themes',
814	'topics',
815	'users',
816	);
817
818	foreach ( $keys_to_filter as $key_to_filter ) {
819	if ( ! isset( $response[ $key_to_filter ] ) \|\| $has_filtered ) {
820	continue;
821	}
822
823	foreach ( $response[ $key_to_filter ] as $key => $values ) {
824	if ( is_object( $values ) ) {
825	if ( is_object( $response[ $key_to_filter ] ) ) {
826	// phpcs:ignore Squiz.PHP.DisallowMultipleAssignments.Found -- False positive.
827	$response[ $key_to_filter ]->$key = (object) array_intersect_key( ( (array) $values ), array_flip( $fields ) );
828	} elseif ( is_array( $response[ $key_to_filter ] ) ) {
829	$response[ $key_to_filter ][ $key ] = (object) array_intersect_key( ( (array) $values ), array_flip( $fields ) );
830	}
831	} elseif ( is_array( $values ) ) {
832	$response[ $key_to_filter ][ $key ] = array_intersect_key( $values, array_flip( $fields ) );
833	}
834	}
835
836	$has_filtered = true;
837	}
838	}
839
840	if ( ! $has_filtered ) {
841	if ( is_object( $response ) ) {
842	$response = (object) array_intersect_key( (array) $response, array_flip( $fields ) );
843	} elseif ( is_array( $response ) ) {
844	$response = array_intersect_key( $response, array_flip( $fields ) );
845	}
846	}
847
848	return $response;
849	}
850
851	/**
852	* Filter for `home_url`.
853	*
854	* If `$original_scheme` is null, turns an https URL to http.
855	*
856	* @param string $url The complete home URL including scheme and path.
857	* @param string $path Path relative to the home URL. Blank string if no path is specified.
858	* @param string\|null $original_scheme Scheme to give the home URL context. Accepts 'http', 'https', 'relative', 'rest', or null.
859	* @return string URL.
860	*/
861	public function ensure_http_scheme_of_home_url( $url, $path, $original_scheme ) {
862	if ( $original_scheme ) {
863	return $url;
864	}
865
866	return preg_replace( '#^https:#', 'http:', $url );
867	}
868
869	/**
870	* Decode HTML special characters in comment content.
871	*
872	* @param string $comment_content Comment content.
873	* @return string
874	*/
875	public function comment_edit_pre( $comment_content ) {
876	return htmlspecialchars_decode( $comment_content, ENT_QUOTES );
877	}
878
879	/**
880	* JSON encode.
881	*
882	* @param mixed $data Data.
883	* @return string\|false
884	*/
885	public function json_encode( $data ) {
886	return wp_json_encode( $data );
887	}
888
889	/**
890	* Test if a string ends with a string.
891	*
892	* @param string $haystack String to check.
893	* @param string $needle Suffix to check.
894	* @return bool
895	*/
896	public function ends_with( $haystack, $needle ) {
897	return substr( $haystack, -strlen( $needle ) ) === $needle;
898	}
899
900	/**
901	* Returns the site's blog_id in the WP.com ecosystem
902	*
903	* @return int
904	*/
905	public function get_blog_id_for_output() {
906	return $this->token_details['blog_id'];
907	}
908
909	/**
910	* Returns the site's local blog_id.
911	*
912	* @param int $blog_id Blog ID.
913	* @return int
914	*/
915	public function get_blog_id( $blog_id ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
916	return $GLOBALS['blog_id'];
917	}
918
919	/**
920	* Switch to blog and validate user.
921	*
922	* @param int $blog_id Blog ID.
923	* @param bool $verify_token_for_blog Whether to verify the token.
924	* @return int Blog ID.
925	*/
926	public function switch_to_blog_and_validate_user( $blog_id = 0, $verify_token_for_blog = true ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
927	if ( $this->is_restricted_blog( $blog_id ) ) {
928	return new WP_Error( 'unauthorized', 'User cannot access this restricted blog', 403 );
929	}
930	/**
931	* If this is a private site we check for 2 things:
932	* 1. In case of user based authentication, we need to check if the logged-in user has the 'read' capability.
933	* 2. In case of site based authentication, make sure the endpoint accepts it.
934	*/
935	if ( ( new Status() )->is_private_site() &&
936	! current_user_can( 'read' ) &&
937	! $this->endpoint->accepts_site_based_authentication()
938	) {
939	return new WP_Error( 'unauthorized', 'User cannot access this private blog.', 403 );
940	}
941
942	return $blog_id;
943	}
944
945	/**
946	* Returns true if the specified blog ID is a restricted blog
947	*
948	* @param int $blog_id Blog ID.
949	* @return bool
950	*/
951	public function is_restricted_blog( $blog_id ) {
952	/**
953	* Filters all REST API access and return a 403 unauthorized response for all Restricted blog IDs.
954	*
955	* @module json-api
956	*
957	* @since 3.4.0
958	*
959	* @param array $array Array of Blog IDs.
960	*/
961	$restricted_blog_ids = apply_filters( 'wpcom_json_api_restricted_blog_ids', array() );
962	return true === in_array( $blog_id, $restricted_blog_ids ); // phpcs:ignore WordPress.PHP.StrictInArray.MissingTrueStrict -- I don't trust filters to return the right types.
963	}
964
965	/**
966	* Post like count.
967	*
968	* @param int $blog_id Blog ID.
969	* @param int $post_id Post ID.
970	* @return int
971	*/
972	public function post_like_count( $blog_id, $post_id ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
973	return 0;
974	}
975
976	/**
977	* Is liked?
978	*
979	* @param int $blog_id Blog ID.
980	* @param int $post_id Post ID.
981	* @return bool
982	*/
983	public function is_liked( $blog_id, $post_id ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
984	return false;
985	}
986
987	/**
988	* Is reblogged?
989	*
990	* @param int $blog_id Blog ID.
991	* @param int $post_id Post ID.
992	* @return bool
993	*/
994	public function is_reblogged( $blog_id, $post_id ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
995	return false;
996	}
997
998	/**
999	* Is following?
1000	*
1001	* @param int $blog_id Blog ID.
1002	* @return bool
1003	*/
1004	public function is_following( $blog_id ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
1005	return false;
1006	}
1007
1008	/**
1009	* Add global ID.
1010	*
1011	* @param int $blog_id Blog ID.
1012	* @param int $post_id Post ID.
1013	* @return string
1014	*/
1015	public function add_global_ID( $blog_id, $post_id ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable, WordPress.NamingConventions.ValidFunctionName.MethodNameInvalid
1016	return '';
1017	}
1018
1019	/**
1020	* Get avatar URL.
1021	*
1022	* @param string $email Email.
1023	* @param array $avatar_size Args for `get_avatar_url()`.
1024	* @return string\|false
1025	*/
1026	public function get_avatar_url( $email, $avatar_size = null ) {
1027	if ( function_exists( 'wpcom_get_avatar_url' ) ) {
1028	return null === $avatar_size
1029	? wpcom_get_avatar_url( $email )
1030	: wpcom_get_avatar_url( $email, $avatar_size );
1031	} else {
1032	return null === $avatar_size
1033	? get_avatar_url( $email )
1034	: get_avatar_url( $email, $avatar_size );
1035	}
1036	}
1037
1038	/**
1039	* Counts the number of comments on a site, including certain comment types.
1040	*
1041	* @param int $post_id Post ID.
1042	* @return array Array of counts, matching the output of https://developer.wordpress.org/reference/functions/get_comment_count/.
1043	*/
1044	public function wp_count_comments( $post_id ) {
1045	global $wpdb;
1046	if ( 0 !== $post_id ) {
1047	return wp_count_comments( $post_id );
1048	}
1049
1050	$counts = array(
1051	'total_comments' => 0,
1052	'all' => 0,
1053	);
1054
1055	/**
1056	* Exclude certain comment types from comment counts in the REST API.
1057	*
1058	* @since 6.9.0
1059	* @deprecated 11.1
1060	* @module json-api
1061	*
1062	* @param array Array of comment types to exclude (default: 'order_note', 'webhook_delivery', 'review', 'action_log')
1063	*/
1064	$exclude = apply_filters_deprecated( 'jetpack_api_exclude_comment_types_count', array( 'order_note', 'webhook_delivery', 'review', 'action_log' ), 'jetpack-11.1', 'jetpack_api_include_comment_types_count' ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
1065
1066	/**
1067	* Include certain comment types in comment counts in the REST API.
1068	* Note: the default array of comment types includes an empty string,
1069	* to support comments posted before WP 5.5, that used an empty string as comment type.
1070	*
1071	* @since 11.1
1072	* @module json-api
1073	*
1074	* @param array Array of comment types to include (default: 'comment', 'pingback', 'trackback')
1075	*/
1076	$include = apply_filters(
1077	'jetpack_api_include_comment_types_count',
1078	array( 'comment', 'pingback', 'trackback', '' )
1079	);
1080
1081	if ( empty( $include ) ) {
1082	return wp_count_comments( $post_id );
1083	}
1084
1085	array_walk( $include, 'esc_sql' );
1086	$where = sprintf(
1087	"WHERE comment_type IN ( '%s' )",
1088	implode( "','", $include )
1089	);
1090
1091	// phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- `$where` is built with escaping just above.
1092	$count = $wpdb->get_results(
1093	"SELECT comment_approved, COUNT(*) AS num_comments
1094	FROM $wpdb->comments
1095	{$where}
1096	GROUP BY comment_approved
1097	"
1098	);
1099	// phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
1100
1101	$approved = array(
1102	'0' => 'moderated',
1103	'1' => 'approved',
1104	'spam' => 'spam',
1105	'trash' => 'trash',
1106	'post-trashed' => 'post-trashed',
1107	);
1108
1109	// <https://developer.wordpress.org/reference/functions/get_comment_count/#source>
1110	foreach ( $count as $row ) {
1111	if ( ! in_array( $row->comment_approved, array( 'post-trashed', 'trash', 'spam' ), true ) ) {
1112	$counts['all'] += $row->num_comments;
1113	$counts['total_comments'] += $row->num_comments;
1114	} elseif ( ! in_array( $row->comment_approved, array( 'post-trashed', 'trash' ), true ) ) {
1115	$counts['total_comments'] += $row->num_comments;
1116	}
1117	if ( isset( $approved[ $row->comment_approved ] ) ) {
1118	$counts[ $approved[ $row->comment_approved ] ] = $row->num_comments;
1119	}
1120	}
1121
1122	foreach ( $approved as $key ) {
1123	if ( empty( $counts[ $key ] ) ) {
1124	$counts[ $key ] = 0;
1125	}
1126	}
1127
1128	$counts = (object) $counts;
1129
1130	return $counts;
1131	}
1132
1133	/**
1134	* Traps `wp_die()` calls and outputs a JSON response instead.
1135	* The result is always output, never returned.
1136	*
1137	* @param string\|null $error_code Call with string to start the trapping. Call with null to stop.
1138	* @param int $http_status HTTP status code, 400 by default.
1139	*/
1140	public function trap_wp_die( $error_code = null, $http_status = 400 ) {
1141	// Determine the filter name; based on the conditionals inside the wp_die function.
1142	if ( wp_is_json_request() ) {
1143	$die_handler = 'wp_die_json_handler';
1144	} elseif ( wp_is_jsonp_request() ) {
1145	$die_handler = 'wp_die_jsonp_handler';
1146	} elseif ( wp_is_xml_request() ) {
1147	$die_handler = 'wp_die_xml_handler';
1148	} else {
1149	$die_handler = 'wp_die_handler';
1150	}
1151
1152	if ( $error_code === null ) {
1153	$this->trapped_error = null;
1154	// Stop trapping.
1155	remove_filter( $die_handler, array( $this, 'wp_die_handler_callback' ) );
1156	return;
1157	}
1158
1159	// If API called via PHP, bail: don't do our custom wp_die(). Do the normal wp_die().
1160	if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
1161	if ( ! defined( 'REST_API_REQUEST' ) \|\| ! REST_API_REQUEST ) {
1162	return;
1163	}
1164	} elseif ( ! defined( 'XMLRPC_REQUEST' ) \|\| ! XMLRPC_REQUEST ) {
1165	return;
1166	}
1167
1168	$this->trapped_error = array(
1169	'status' => $http_status,
1170	'code' => $error_code,
1171	'message' => '',
1172	);
1173	// Start trapping.
1174	add_filter( $die_handler, array( $this, 'wp_die_handler_callback' ) );
1175	}
1176
1177	/**
1178	* Filter function for `wp_die_handler` and similar filters.
1179	*
1180	* @return callable
1181	*/
1182	public function wp_die_handler_callback() {
1183	return array( $this, 'wp_die_handler' );
1184	}
1185
1186	/**
1187	* Handler for `wp_die` calls.
1188	*
1189	* @param string\|WP_Error $message As for `wp_die()`.
1190	* @param string\|int $title As for `wp_die()`.
1191	* @param string\|array\|int $args As for `wp_die()`.
1192	* @return never
1193	*/
1194	public function wp_die_handler( $message, $title = '', $args = array() ) {
1195	// Allow wp_die calls to override HTTP status code...
1196	$args = wp_parse_args(
1197	$args,
1198	array(
1199	'response' => $this->trapped_error['status'],
1200	)
1201	);
1202
1203	// ... unless it's 500
1204	if ( 500 !== (int) $args['response'] ) {
1205	$this->trapped_error['status'] = $args['response'];
1206	}
1207
1208	if ( $title ) {
1209	$message = "$title: $message";
1210	}
1211
1212	$this->trapped_error['message'] = wp_kses( $message, array() );
1213
1214	switch ( $this->trapped_error['code'] ) {
1215	case 'comment_failure':
1216	if ( did_action( 'comment_duplicate_trigger' ) ) {
1217	$this->trapped_error['code'] = 'comment_duplicate';
1218	} elseif ( did_action( 'comment_flood_trigger' ) ) {
1219	$this->trapped_error['code'] = 'comment_flood';
1220	}
1221	break;
1222	}
1223
1224	// We still want to exit so that code execution stops where it should.
1225	// Attach the JSON output to the WordPress shutdown handler.
1226	add_action( 'shutdown', array( $this, 'output_trapped_error' ), 0 );
1227	exit;
1228	}
1229
1230	/**
1231	* Output the trapped error.
1232	*/
1233	public function output_trapped_error() {
1234	$this->exit = false; // We're already exiting once. Don't do it twice.
1235	$this->output(
1236	$this->trapped_error['status'],
1237	(object) array(
1238	'error' => $this->trapped_error['code'],
1239	'message' => $this->trapped_error['message'],
1240	)
1241	);
1242	}
1243
1244	/**
1245	* Finish the request.
1246	*/
1247	public function finish_request() {
1248	if ( function_exists( 'fastcgi_finish_request' ) ) {
1249	return fastcgi_finish_request();
1250	}
1251	}
1252	}
1253