Context Navigation

← Previous Changeset
Next Changeset →

Changeset 61985

Timestamp:

03/12/2026 12:05:33 PM (3 weeks ago)

Author:

jorgefilipecosta

Message:

Connectors: Add API key source detection and refactor REST behaviour/masking.

Add _wp_connectors_get_api_key_source() to detect whether an API key is configured via environment variable, PHP constant, or database. The UI uses this to show the key source and hide "Remove and replace" for externally configured keys.
Replace _wp_connectors_validate_keys_in_rest() and _wp_connectors_get_real_api_key() with a single rest_post_dispatch handler, _wp_connectors_rest_settings_dispatch(), that masks keys in all /wp/v2/settings responses and validates on POST/PUT, reverting invalid keys.
Simplify _wp_register_default_connector_settings() by replacing the closure-based sanitize_callback and option_ mask filter with plain sanitize_text_field, since masking is now handled at the REST layer.
Enrich _wp_connectors_get_connector_script_module_data() to expose keySource, isConnected, logoUrl, and plugin isInstalled / isActivated status to the admin screen.
Update _wp_connectors_pass_default_keys_to_ai_client() to skip keys sourced from environment variables or constants and read the database directly via get_option().
Set _wp_connectors_init priority to 15 so the registry is ready before settings are registered at priority 20.

Backports https://github.com/WordPress/gutenberg/pull/76266.
Backports https://github.com/WordPress/gutenberg/pull/76327.

Props jorgefilipecosta, gziolo, swissspidy, flixos90.
Fixes #64819.

Location:

trunk/src/wp-includes

Files:

: 2 edited

connectors.php (modified) (12 diffs)
default-filters.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/wp-includes/connectors.php

-                      r61983
+                      r61985
 /**
+ * Determines the source of an API key for a given provider.
+ *
+ * Checks in order: environment variable, PHP constant, database.
+ * Uses the same naming convention as the WP AI Client ProviderRegistry.
+ *
+ * @since 7.0.0
+ * @access private
+ *
+ * @param string $provider_id  The provider ID (e.g., 'openai', 'anthropic', 'google').
+ * @param string $setting_name The option name for the API key (e.g., 'connectors_ai_openai_api_key').
+ * @return string The key source: 'env', 'constant', 'database', or 'none'.
+ */
+function _wp_connectors_get_api_key_source( string $provider_id, string $setting_name ): string {
+    // Convert provider ID to CONSTANT_CASE for env var name.
+    // e.g., 'openai' -> 'OPENAI', 'anthropic' -> 'ANTHROPIC'.
+    $constant_case_id = strtoupper(
+        preg_replace( '/([a-z])([A-Z])/', '$1_$2', str_replace( '-', '_', $provider_id ) )
+    );
+    $env_var_name     = "{$constant_case_id}_API_KEY";
+    // Check environment variable first.
+    $env_value = getenv( $env_var_name );
+    if ( false !== $env_value && '' !== $env_value ) {
+        return 'env';
+    }
+    // Check PHP constant.
+    if ( defined( $env_var_name ) ) {
+        $const_value = constant( $env_var_name );
+        if ( is_string( $const_value ) && '' !== $const_value ) {
+            return 'constant';
+        }
+    }
+    // Check database.
+    $db_value = get_option( $setting_name, '' );
+    if ( '' !== $db_value ) {
+        return 'database';
+    }
+    return 'none';
+}
+/**
  * Checks whether an API key is valid for a given provider.
+ *
 …
 /**
+ * Retrieves the real (unmasked) value of a connector API key.
+ *
+ * Temporarily removes the masking filter, reads the option, then re-adds it.
+ *
+ * @since 7.0.0
+ * @access private
+ *
+ * @param string   $option_name   The option name for the API key.
+ * @param callable $mask_callback The mask filter function.
+ * @return string The real API key value.
+ */
+function _wp_connectors_get_real_api_key( string $option_name, callable $mask_callback ): string {
+    remove_filter( "option_{$option_name}", $mask_callback );
+    $value = get_option( $option_name, '' );
+    add_filter( "option_{$option_name}", $mask_callback );
+    return (string) $value;
+}
+/**
+ * Validates connector API keys in the REST response when explicitly requested.
+ *
+ * Runs on `rest_post_dispatch` for `/wp/v2/settings` requests that include connector
+ * fields via `_fields`. For each requested connector field, it validates the unmasked
+ * key against the provider and replaces the response value with `invalid_key` if
+ * validation fails.
+ * Masks and validates connector API keys in REST responses.
+ *
+ * On every `/wp/v2/settings` response, masks connector API key values so raw
+ * keys are never exposed via the REST API.
+ *
+ * On POST or PUT requests, validates each updated key against the provider
+ * before masking. If validation fails, the key is reverted to an empty string.
+ *
  * @since 7.0.0
 …
  * @param WP_REST_Server   $server   The server instance.
  * @param WP_REST_Request  $request  The request object.
  * @return WP_REST_Response The potentially modified response.
  */
 function _wp_connectors_validate_keys_in_rest( WP_REST_Response $response, WP_REST_Server $server, WP_REST_Request $request ): WP_REST_Response {
+ * @return WP_REST_Response The modified response with masked/validated keys.
+ */
+function _wp_connectors_rest_settings_dispatch( WP_REST_Response $response, WP_REST_Server $server, WP_REST_Request $request ): WP_REST_Response {
     if ( '/wp/v2/settings' !== $request->get_route() ) {
         return $response;
+    }
-    $fields = $request->get_param( '_fields' );
-    if ( ! $fields ) {
-        return $response;
+    }
-    if ( is_array( $fields ) ) {
-        $requested = $fields;
-    } else {
-        $requested = array_map( 'trim', explode( ',', $fields ) );
+    }
 …
         return $response;
+    }
+    $is_update = 'POST' === $request->get_method() || 'PUT' === $request->get_method();
     foreach ( wp_get_connectors() as $connector_id => $connector_data ) {
 …
         $setting_name = $auth['setting_name'];
         if ( ! in_array( $setting_name, $requested, true ) ) {
+        if ( ! array_key_exists( $setting_name, $data ) ) {
             continue;
+        }
+        $real_key = _wp_connectors_get_real_api_key( $setting_name, '_wp_connectors_mask_api_key' );
+        if ( '' === $real_key ) {
+            continue;
+        }
+        if ( true !== _wp_connectors_is_ai_api_key_valid( $real_key, $connector_id ) ) {
+            $data[ $setting_name ] = 'invalid_key';
+        $value = $data[ $setting_name ];
+        // On update, validate the key before masking.
+        if ( $is_update && is_string( $value ) && '' !== $value ) {
+            if ( true !== _wp_connectors_is_ai_api_key_valid( $value, $connector_id ) ) {
+                update_option( $setting_name, '' );
+                $data[ $setting_name ] = '';
+                continue;
+            }
+        }
+        // Mask the key in the response.
+        if ( is_string( $value ) && '' !== $value ) {
+            $data[ $setting_name ] = _wp_connectors_mask_api_key( $value );
+        }
+    }
 …
     return $response;
+}
 add_filter( 'rest_post_dispatch', '_wp_connectors_validate_keys_in_rest', 10, 3 );
 /**
  * Registers default connector settings and mask/sanitize filters.
+add_filter( 'rest_post_dispatch', '_wp_connectors_rest_settings_dispatch', 10, 3 );
+/**
+ * Registers default connector settings.
+ *
  * @since 7.0.0
 …
+        }
-        $setting_name = $auth['setting_name'];
         register_setting(
             'connectors',
             $setting_name,
+            $auth['setting_name'],
             array(
                 'type'              => 'string',
 …
                 'default'           => '',
                 'show_in_rest'      => true,
+                'sanitize_callback' => static function ( string $value ) use ( $connector_id ): string {
+                    $value = sanitize_text_field( $value );
+                    if ( '' === $value ) {
+                        return $value;
+                    }
+                    $valid = _wp_connectors_is_ai_api_key_valid( $value, $connector_id );
+                    return true === $valid ? $value : '';
+                },
+                'sanitize_callback' => 'sanitize_text_field',
+            )
         );
-        add_filter( "option_{$setting_name}", '_wp_connectors_mask_api_key' );
+    }
+}
 …
+            }
+            $api_key = _wp_connectors_get_real_api_key( $auth['setting_name'], '_wp_connectors_mask_api_key' );
+            // Skip if the key is already provided via env var or constant.
+            $key_source = _wp_connectors_get_api_key_source( $connector_id, $auth['setting_name'] );
+            if ( 'env' === $key_source || 'constant' === $key_source ) {
+                continue;
+            }
+            $api_key = get_option( $auth['setting_name'], '' );
             if ( '' === $api_key ) {
                 continue;
 …
  */
 function _wp_connectors_get_connector_script_module_data( array $data ): array {
+    $registry = AiClient::defaultRegistry();
+    // Build a slug-to-file map for plugin installation status.
+    if ( ! function_exists( 'get_plugins' ) ) {
+        require_once ABSPATH . 'wp-admin/includes/plugin.php';
+    }
+    $plugin_files_by_slug = array();
+    foreach ( array_keys( get_plugins() ) as $plugin_file ) {
+        $slug                          = str_contains( $plugin_file, '/' ) ? dirname( $plugin_file ) : str_replace( '.php', '', $plugin_file );
+        $plugin_files_by_slug[ $slug ] = $plugin_file;
+    }
     $connectors = array();
     foreach ( wp_get_connectors() as $connector_id => $connector_data ) {
 …
             $auth_out['settingName']    = $auth['setting_name'] ?? '';
             $auth_out['credentialsUrl'] = $auth['credentials_url'] ?? null;
+            $auth_out['keySource']      = _wp_connectors_get_api_key_source( $connector_id, $auth['setting_name'] ?? '' );
+            try {
+                $auth_out['isConnected'] = $registry->hasProvider( $connector_id ) && $registry->isProviderConfigured( $connector_id );
+            } catch ( Exception $e ) {
+                $auth_out['isConnected'] = false;
+            }
+        }
 …
             'name'           => $connector_data['name'],
             'description'    => $connector_data['description'],
+            'logoUrl'        => ! empty( $connector_data['logo_url'] ) ? $connector_data['logo_url'] : null,
             'type'           => $connector_data['type'],
             'authentication' => $auth_out,
         );
+        if ( ! empty( $connector_data['plugin'] ) ) {
+            $connector_out['plugin'] = $connector_data['plugin'];
+        if ( ! empty( $connector_data['plugin']['slug'] ) ) {
+            $plugin_slug = $connector_data['plugin']['slug'];
+            $plugin_file = $plugin_files_by_slug[ $plugin_slug ] ?? null;
+            $is_installed = null !== $plugin_file;
+            $is_activated = $is_installed && is_plugin_active( $plugin_file );
+            $connector_out['plugin'] = array(
+                'slug'        => $plugin_slug,
+                'isInstalled' => $is_installed,
+                'isActivated' => $is_activated,
+            );
+        }

trunk/src/wp-includes/default-filters.php

r61981	r61985
541	541
542	542	// Connectors API.
543		add_action( 'init', '_wp_connectors_init' );
	543	add_action( 'init', '_wp_connectors_init', 15 );
544	544
545	545	// Sitemaps actions.

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 61985

Legend:

trunk/src/wp-includes/connectors.php

trunk/src/wp-includes/default-filters.php

Download in other formats: