[C2S] Add Client-to-Server ActivityPub API support#2851
Open
[C2S] Add Client-to-Server ActivityPub API support#2851
Conversation
Implements the SWICG ActivityPub API specification for C2S interactions: - OAuth 2.0 with PKCE authentication - POST to outbox for creating activities - GET inbox for reading received activities - Actor discovery with OAuth endpoints - Handlers for Create, Update, Delete, Follow, Undo activities New files: - includes/oauth/ - OAuth server, tokens, clients, auth codes, scopes - includes/rest/class-oauth-controller.php - OAuth endpoints Modified: - Outbox controller extended with POST support - Inbox controller extended with GET support - Handler classes extended with outbox handlers - Actor models include OAuth endpoints when C2S enabled - New activitypub_enable_c2s setting
github-actions
bot
added
[Feature] REST API
[Feature] WP Admin
[Status] In Progress
labels
Add C2S support for Like and Announce activities by hooking into the activitypub_handled_outbox_like and activitypub_handled_outbox_announce actions. These handlers fire corresponding sent actions that can be used to track when activities are sent via C2S.
Add comprehensive test coverage for the OAuth infrastructure: - Test_Scope: Scope parsing, validation, and string conversion - Test_Token: Token creation, validation, refresh, and revocation - Test_Client: Client registration, validation, and scope filtering - Test_Authorization_Code: PKCE flow, code exchange, and security checks
Remove type hint from get_items_permissions_check() to match the parent WP_REST_Controller class signature, which doesn't use type hints.
Remove type hint from create_item_permissions_check() to match the parent WP_REST_Controller class signature.
Remove type hint from create_item() to match the parent WP_REST_Controller class signature.
Constants cannot be covered by PHPUnit, only methods can.
Validate that submitted activities have actor/attributedTo fields matching the authenticated user. This prevents clients from submitting activities with mismatched actor data. Checks: - activity.actor must match authenticated user (if present) - object.attributedTo must match authenticated user (if present)
pfefferle
force-pushed
the
add/c2s-support
branch
from
63225ba to
c498877
Compare
- Authorization codes now use WordPress transients (auto-expire after 10 min) - Tokens now use user meta instead of CPT (efficient per-user lookup) - Keep only Client CPT for persistent client registration - Add token introspection endpoint (RFC 7662) - Add revoke_for_client() method for cleanup when deleting clients - Add OAuth consent form template - Fix linting issues in Server class - Update tests for new error codes
- Rename handler methods to `incoming()` for inbox and `outgoing()` for outbox - Add deprecated proxy functions for backward compatibility (handle_*) - Update Create handler to support outbox POST with WordPress post creation - Add Dispatcher hook to fire outbox handlers after add_to_outbox() - Skip scheduler for already-federated posts to prevent duplicates - Remove C2S terminology from comments, use incoming/outgoing instead Handlers updated: Create, Update, Announce, Like, Undo, Follow, Delete
- Remove async scheduling from Post scheduler, call add_to_outbox directly - Create handler returns WP_Post instead of calling add_to_outbox - Add Outbox::get_by_object_id() to find outbox items by object ID and type - Controller handles WP_Post return from handlers and uses outbox_item directly
Update delete and update handlers to first resolve posts by permalink for C2S-created posts, falling back to GUID lookup for remote posts. Enhance OAuth server to respect previous auth errors and only process OAuth if C2S is enabled. Add type safety for user_id in REST controllers. Update template variable documentation and add PHPCS ignore comment in token class.
Contributor
|
One thing clients will need is a proxyURL endpoint, this allows the client to load Actor data from the inbox Activities This demo illustrates what I mean: https://social.coop/@django/115756317440812767 |
Pass the outbox item's ID instead of the object itself to the send_to_inboxes method in the test case. This aligns the test with the expected method signature.
- Add proxyUrl endpoint for C2S clients to fetch remote ActivityPub objects through the server's HTTP Signatures - Remove activitypub_enable_c2s option - C2S is now always enabled - Remove settings field for C2S toggle from advanced settings - Always include OAuth and C2S endpoints in actor profiles - Add security checks for proxy: HTTPS-only, block private networks - Use Remote_Actors::fetch_by_various() for efficient actor caching
- Add verify_oauth_read() and verify_oauth_write() methods to Server - Add verify_owner() to check token matches user_id parameter - Simplify permission checks in Inbox, Outbox, and Proxy controllers - Remove direct OAuth imports from controllers
- Create trait-verification.php with verify_signature, verify_oauth_read, verify_oauth_write, and verify_owner methods - Update controllers to use the trait instead of static Server methods - Maintain backwards compatibility by keeping static methods in Server class
- Update handler tests to use incoming() instead of deprecated handle_* methods - Add activitypub_oauth_check_permission filter for test mocking - Fix proxy controller tests to use rest_api_init for route registration - Update assertions to match actual return values (false vs null)
…oller Consolidates user inbox handling in the appropriate controller: - Actors_Inbox_Controller now handles user inbox GET (C2S) and POST (S2S) - Inbox_Controller now only handles shared inbox POST (S2S)
These methods are now provided by the Verification trait which controllers use directly. Removes 278 lines of duplicated code.
Broaden CORS headers to cover all ActivityPub REST namespace routes (actors, followers, following, etc.), not just inbox/outbox. Also add Accept to allowed headers for content negotiation.
Member
Author
@mediaformat I can not reproduce this issue. Can you give me an example URL? Does the User have the ActivityPub capability? |
Tests previously asserted actors and followers endpoints had no CORS headers. Now that CORS covers the full AP namespace, update assertions accordingly. Also verify Accept is in allowed headers.
Contributor
|
Am able to reproduce with the c2s-toolkit |
Contributor
|
@pfefferle I see, it works if I fetch the author URL |
Member
Author
|
You have to add the accept header then there should be no redirect |
Contributor
|
@pfefferle narrowing it down further: when its just the accept header it works, when accept AND the authorization header are present it stops working. |
Member
Author
|
@mediaformat Do you use the latest version of this branch? I still can't reproduce it, even with Auth headers!? |
|
@pfefferle you may also want to use Rich Authorization Requests for richer control over which resources a client can interact with: e.g., what collections (inbox, outbox, followers, likes, etc) the client can do things to. This is something AT Protocol missed the ball on, and they did this like, dynamic scopes thing which has a whole bunch of parsing logic around a space separated set of strings. |
Use `is_activity_public()` instead of `get_activity_visibility()` in outbox Create and Update handlers. Add `ensure_addressing()` to the outbox controller so the server adds default public addressing when a C2S client omits recipients, per the ActivityPub spec. Update tests to include proper `to` addressing.
pfefferle
changed the title
mediaformat
reviewed
Feb 19, 2026
mediaformat
reviewed
Feb 19, 2026
| 'description' => 'The URI of the remote ActivityPub object to fetch.', | ||
| 'type' => 'string', | ||
| 'required' => true, | ||
| 'sanitize_callback' => 'sanitize_url', |
Contributor
There was a problem hiding this comment.
The id will be urlencoded, so I think the sanitize_url will not work directly
Contributor
I'm having intermittent issues, even different results depending on Apache or Nginx. For now things are working. |
The proxyUrl endpoint should use POST with the `id` parameter in the request body, not GET with a query parameter. See https://www.w3.org/wiki/ActivityPub/Primer/proxyUrl_endpoint
Member
Author
|
@mediaformat do you use nginx as main webserver or (reverse) proxy? maybe the headers are not forwarded properly? |
When `activitypub_hide_social_graph` is enabled, the followers/following endpoints now still return orderedItems for authenticated owners (via OAuth or Application Passwords). The hide setting only applies to public/anonymous access.
Remove get_create_item_args() method and inline the args directly in register_routes() for consistency with all other controllers. Also fix permission_callback to use the Verification trait method instead of the removed Server::verify_signature static method.
Test the three OAuth REST controllers (Authorization, Token, Clients) at the dispatch level covering route registration, parameter validation, authentication, and success flows.
Replace the monolithic OAuth_Controller with Authorization_Controller, Token_Controller, and Clients_Controller under Rest\OAuth namespace for better separation of concerns.
…, and test improvements - Add missing backslash prefixes for WordPress functions in OAuth and REST classes - Replace return null with return false in outbox handlers to prevent unhandled activities from falling through to raw outbox insertion - Return WP_Error from Update handler when Posts::update() fails instead of swallowing the error - Add explicit return values in Like and Announce handlers - Rename filter rest_activitypub_outbox_activity_types to activitypub_outbox_activity_types - Use strpos for CORS route matching instead of strict equality - Add per-user rate limiting (30/min) to proxy controller - Fix outbox pagination test to use a fresh user for empty collection assertions - Add @group annotations to all OAuth test classes
11 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1255
Proposed changes:
OAuth 2.0 Foundation
/.well-known/oauth-authorization-server.POST to Outbox
statuspost format; Articles as regular posts.prepare_content()pipeline:wpautop()→ link processing → hashtag processing → HTML-to-Gutenberg-blocks conversion.Collection\Postsfor CRUD operations.Inbox & Proxy
Architecture
Collection\PostsintoCollection\Posts(local CRUD for C2S) andCollection\Remote_Posts(federated remote posts from S2S).Handler\Outboxnamespace (separate from S2S inbox handlers).Blocks::convert_from_html()for converting raw HTML into Gutenberg block markup.Verificationtrait for centralized OAuth + scope authentication checks.Connected Applications UI
Other information:
Testing instructions:
oauthAuthorizationEndpoint,oauthTokenEndpoint).statusformat and block markup content.namefield and verify title and excerpt are set.Changelog entry
Changelog Entry Details
Significance
Type
Message
Support for ActivityPub Client-to-Server (C2S) protocol, allowing apps like federated clients to create, edit, and delete posts on your behalf.