Include authorization header in AJAX requests, as we do not have cookies to send in the mobile app environment.
If we configure AJAX before loading the library, the configuration is overridden.
This global is often used by WordPress Admin page scripts.
Useful when needing to allow CORS for specific domains.
Address PR feedback about potential race condition. The code now checks if `window.wp.ajax.send` and `window.wp.ajax.post` are functions before wrapping them. This prevents TypeError when calling the wrapped function if the original method was undefined during configuration. Update tests to verify that missing methods remain undefined rather than being wrapped with an undefined reference. Co-authored-by: Claude <noreply@anthropic.com>
When `videopress/video` is not in `allowed_block_types`, initialize the VideoPress AJAX bridge to handle `core/video` blocks extended to rely upon VideoPress upload services. AJAX auth is always initialized. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
WordPress's `lodash-js-after` inline script calls `_.noConflict()` to restore `window._` to Underscore.js. Since GutenbergKit excludes core WordPress assets from the editor assets endpoint but doesn't load Underscore, this wipes `window._` to `undefined`. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GutenbergKit excludes core WordPress assets from the editor assets endpoint, so wp-util.js (which provides wp.ajax and wp.template) must be vendored and loaded directly. Load it via dynamic import at the end of initializeWordPressGlobals() after jQuery and lodash are on window, since its IIFE captures jQuery via closure at execution time. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The wp.ajax.send and wp.ajax.post wrappers accepted a single options argument, but wp-util's implementation accepts (action, options). Align the wrapper signatures so the action argument is forwarded correctly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use `homeUrlString()` instead of `siteUrlString()` from the REST API root response. The `url` field often returns `http://` for WordPress.com sites, while `home` returns the actual public-facing `https://` URL. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
WordPress core sets these aliases in media-models.js, which GutenbergKit doesn't load. Alias them after auth wrapping so media uploads use the authenticated AJAX methods. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Avoid including latest changes from the WordPress/wordpress-develop repository.
Replace jQuery.ajaxSetup and wp.ajax.send/post wrappers with a single jQuery.ajaxPrefilter that only injects the Authorization header when the request URL starts with the configured siteURL. This prevents leaking credentials to cross-origin requests and avoids argument normalization issues with the previous wp.ajax wrapper approach. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Prevents double-slash in constructed URLs (e.g., `https://example.com//wp-admin/admin-ajax.php`) when siteURL is provided with a trailing slash. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…JAX auth The ajaxPrefilter silently no-ops via optional chaining when jQuery is missing, but the debug log still claims auth was configured. Guard with an early return and warning so the log accurately reflects what happened. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace `startsWith(siteURL)` with `URL.origin` comparison so that scheme, host, and port must all match exactly. This prevents credential leakage to lookalike domains (e.g. `https://example.com.evil.com`). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move the iOS and Android code examples out of the Android-specific requirement so they are not visually nested under that bullet point. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
configureAjax() now initializes wp.ajax, wp.ajax.settings, and the AJAX URL before the VideoPress bridge runs, making the duplicate setup in initializeVideoPressAjaxBridge() unnecessary. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Wrap `new URL(siteURL)` in try/catch so a malformed siteURL logs a warning instead of throwing.
- Guard `configureMediaAjax` against missing `wp.ajax.send`/`post` (e.g., if wp-util.js failed to load).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
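The four commits above describe one mechanism: a single `jQuery.ajaxPrefilter` that injects the `Authorization` header only when the request origin exactly equals the configured site origin, with trailing-slash normalization and a try/catch around `new URL(siteURL)`. The block below is an added example written for this page, not GutenbergKit's own code; `siteURL`, `headerValue`, the helper names and the constructed `jqXHR` stand-in are assumptions made for the illustration. It also covers relative request URLs, which the commits do not mention, by resolving them against the site origin on the assumption that the editor document is served from that origin.

```javascript
// Added example, not GutenbergKit's code. Attach the Authorization header only
// when the request origin matches the configured site origin, normalize a
// trailing slash, and tolerate a malformed siteURL. `siteURL`, `headerValue`
// and every helper name below are assumptions made for this illustration.

// Strip trailing slashes so `${ siteURL }/wp-admin/admin-ajax.php` never
// produces `https://example.com//wp-admin/admin-ajax.php`.
function normalizeSiteURL( siteURL ) {
	return String( siteURL ).replace( /\/+$/, '' );
}

function buildAdminAjaxURL( siteURL ) {
	return `${ normalizeSiteURL( siteURL ) }/wp-admin/admin-ajax.php`;
}

// Parse the configured site URL once. A malformed value yields null (plus a
// warning) instead of an exception, so the editor still loads without auth.
function parseSiteOrigin( siteURL ) {
	try {
		return new URL( normalizeSiteURL( siteURL ) ).origin;
	} catch ( error ) {
		console.warn( 'Invalid siteURL, AJAX auth disabled:', siteURL );
		return null;
	}
}

// URL.origin compares scheme, host and port together, so the prefix check that
// `https://example.com.evil.com` would pass becomes an exact match. Relative
// URLs are resolved against the site origin (assumption: the editor document
// itself is served from that origin).
function isSameOrigin( requestURL, siteOrigin ) {
	if ( ! siteOrigin || typeof requestURL !== 'string' ) {
		return false;
	}
	try {
		return new URL( requestURL, siteOrigin ).origin === siteOrigin;
	} catch ( error ) {
		return false;
	}
}

// Attach the header to one request. Returns true when it was attached so the
// decision is observable without a real jQuery instance.
function attachAuthHeader( options, jqXHR, siteOrigin, headerValue ) {
	if ( ! isSameOrigin( options && options.url, siteOrigin ) ) {
		return false;
	}
	jqXHR.setRequestHeader( 'Authorization', headerValue );
	return true;
}

// Build a handler with jQuery.ajaxPrefilter's (options, originalOptions, jqXHR)
// signature. Register it with `jQuery.ajaxPrefilter( createAuthPrefilter( ... ) )`
// before any request is sent. The handler returns nothing on purpose: jQuery
// treats a string returned from a prefilter as a dataType override.
function createAuthPrefilter( siteURL, headerValue ) {
	const siteOrigin = parseSiteOrigin( siteURL );
	return function authPrefilter( options, originalOptions, jqXHR ) {
		attachAuthHeader( options, jqXHR, siteOrigin, headerValue );
	};
}

// Stand-alone demonstration with a constructed jqXHR stand-in and constructed URLs.
function runDemo() {
	const attached = [];
	const fakeXHR = { setRequestHeader: ( name, value ) => attached.push( [ name, value ] ) };
	const siteOrigin = parseSiteOrigin( 'https://example.com/' );
	const candidates = [
		'https://example.com/wp-admin/admin-ajax.php', // same origin
		'https://example.com.evil.com/wp-admin/admin-ajax.php', // lookalike host
		'http://example.com/wp-admin/admin-ajax.php', // scheme mismatch
		'/wp-json/wp/v2/posts', // relative, resolves to the site origin
	];
	const results = candidates.map( ( url ) =>
		attachAuthHeader( { url }, fakeXHR, siteOrigin, 'Basic <constructed-credential>' )
	);
	console.log( results ); // [ true, false, false, true ]
	return results;
}

runDemo();
```

The origin comparison is the part that matters for credential exposure: `startsWith( siteURL )` accepts any URL whose string prefix matches, so a host like `example.com.evil.com` or a different port on the same host would have received the header; `URL.origin` equality does not.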
Throw IllegalArgumentException if the value contains a scheme, path, or is blank, so callers get a clear error instead of a malformed asset URL at runtime. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Record the upstream commit hash and rationale for vendoring so future maintainers know where the file came from and when to update it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Account.WpCom.username stores just the hostname (e.g., "dcpaid.wordpress.com") since it is extracted via URI.host during OAuth. ConfigurationItem was using this bare hostname as siteUrl, producing invalid AJAX endpoints. Prepend "https://" to match the self-hosted flow, which receives a full URL from the callback. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dcalhoun commented Mar 26, 2026
| return EditorConfigurationBuilder( | ||
| postType: selectedPostTypeDetails, | ||
| siteURL: URL(string: apiRoot.siteUrlString())!, | ||
| siteURL: URL(string: apiRoot.homeUrlString())!, |
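Review bot: the force-unwrap in `siteURL: URL(string: apiRoot.homeUrlString())!` turns a malformed or empty `home` value from the REST root response into a crash of the demo app; the Android side of this PR raises `IllegalArgumentException` for a bad site value, and the Swift side should fail just as explicitly, e.g. `guard let siteURL = URL(string: apiRoot.homeUrlString()) else { /* report a configuration error */ }` rather than `!`.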
Ensures WP.com sites use TLS for the siteURL configuration in the demo app.
Comment on lines +147 to +151
| if ( ! allowedBlockTypes?.includes( 'videopress/video' ) ) { | ||
| // The VideoPress block isn't available, so initialize the bridge to handle | ||
| // any `core/video` blocks extended to rely upon VideoPress upload services. | ||
| initializeVideoPressAjaxBridge(); | ||
| } |
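Review bot: `allowedBlockTypes?.includes( 'videopress/video' )` only guards against `null`/`undefined`; WordPress's `allowed_block_types` can also be the boolean `true` (all blocks allowed), and `true.includes` is not a function, so this condition throws a TypeError in that case. Use `Array.isArray( allowedBlockTypes ) && allowedBlockTypes.includes( 'videopress/video' )`, and state explicitly whether an absent or `true` value should initialize the bridge (as written, `undefined` does).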
Retained to continue support for WP.com core/video blocks that are extended to rely upon VideoPress upload services. This can be removed in the future once videopress/video support is enabled and deemed stable.
| accountId = account.id, | ||
| name = account.username, | ||
| siteUrl = account.username, | ||
| siteUrl = "https://${account.username}", |
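Review bot: `siteUrl = "https://${account.username}"` assumes `username` is always a bare hostname; the commit message says it is taken from `URI.host` during OAuth, but nothing here enforces that, and a value that already carries a scheme would become `https://https://...` and then trip the new siteURL validation (`IllegalArgumentException` for a scheme or path) at runtime. Either normalize the value (strip an existing scheme, reject a path) before prefixing, or store the hostname in a dedicated field instead of reusing `username`.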
The account.username is protocol-less, which causes errors as a GBK.siteURL value. It is safe to assume TLS for WP.com sites.
Comment on lines -30 to -38
| // Initialize wp.ajax if not already present | ||
| window.wp.ajax = window.wp.ajax || {}; | ||
| window.wp.ajax.settings = window.wp.ajax.settings || {}; | ||
|
|
||
| // Set up AJAX settings with site URL | ||
| const { siteURL } = getGBKit(); | ||
| if ( siteURL ) { | ||
| window.wp.ajax.settings.url = `${ siteURL }/wp-admin/admin-ajax.php`; | ||
| } |
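Review bot: removing this fallback makes the bridge depend on `configureAjax()` having already populated `window.wp.ajax.settings.url`, an ordering that is now only implicit. Since `configureAjax()` returns early with a warning when jQuery is missing (per the earlier commit), add a one-line guard here, e.g. `if ( ! window.wp?.ajax?.settings?.url ) { console.warn( ... ); return; }`, so a regression surfaces as a logged warning rather than as a request to `undefined`.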
Now redundant of the AJAX-specific configuration that runs before this bridge.
Derive the WebViewAssetLoader domain from the configured siteURL instead of defaulting to the synthetic appassets.androidplatform.net domain. This makes REST API and admin-ajax.php requests same-origin, eliminating CORS restrictions without requiring server-side headers.
- Restrict shouldOverrideUrlLoading to /assets/ paths on the asset domain so arbitrary site pages don't load inside the WebView.
- Reorder shouldInterceptRequest to check the cache interceptor before the asset loader, preventing cached JS/CSS from being short-circuited when both share the site domain.
- Remove the now-unnecessary assetLoaderDomain configuration option from EditorConfiguration.
- Update AJAX documentation to reflect the simplified setup.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Related: `@wordpress/api-fetch` utility for GutenbergKit only Automattic/jetpack#45254

What?

Authenticate AJAX requests with application passwords sent via an authorization header. Vendor `wp-util.js` and configure the WordPress AJAX and media globals.

Why?

The GutenbergKit editor does not have authorization cookies, so we must rely upon a different authorization mechanism. Additionally, GutenbergKit excludes core WordPress assets from the editor assets endpoint, so `wp-util.js` (which provides `wp.ajax` and `wp.template`) must be vendored and loaded directly.

Ref CMM-713. Close CMM-768.

How?

- `Authorization` header via `jQuery.ajaxPrefilter` and by overloading the `window.wp.ajax` utilities. This general-purpose AJAX auth is always initialized.
- `wp-util.js` after jQuery and lodash are on `window`, since its IIFE captures jQuery via closure at execution time.
- `lodash-js-after` inline script from editor assets. WordPress's `_.noConflict()` call wipes `window._` because GutenbergKit doesn't load Underscore.js.
- `wp.media.ajax` and `wp.media.post` to the authenticated `wp.ajax` methods, since WordPress core's `media-models.js` is not loaded.
- `videopress/video` is not in `allowed_block_types`, so `core/video` blocks extended to rely upon VideoPress upload services continue to work.
- `WebViewAssetLoader` domain from `siteURL` so that the editor document shares the site's origin, making REST API and `admin-ajax.php` requests same-origin and eliminating CORS restrictions without server-side headers.
- `home` URL from the REST API response instead of `url`, which returns `http://` for WordPress.com sites.

Testing Instructions

1. Verify AJAX requests use token authentication
   - `make build`
   - `chrome://inspect`) device.
   - `Authorization` header with the token.
2. Verify VideoPress bridge continues functioning
   - `make build`
   - `chrome://inspect`) device.

Accessibility Testing Instructions

N/A, no navigation changes.

Screenshots or screencast

N/A, no visual changes.