Connectors: Add API key source detection and refactor REST dispatch#11228
Connectors: Add API key source detection and refactor REST dispatch#11228jorgefilipecosta wants to merge 4 commits intoWordPress:trunkfrom
Conversation
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
jorgefilipecosta
force-pushed
the
connectors-api-key-source-and-rest-dispatch
branch
2 times, most recently
from
69aa0de to
ee1559e
Compare
|
It would be nice to commit #11227 first and rebase this branch. Alternatively, this can land first but we should ensure the approach taken is compatible with the function removal. |
desrosj
force-pushed
the
connectors-api-key-source-and-rest-dispatch
branch
from
bbd8e8f to
9379b18
Compare
Add `_wp_connectors_get_api_key_source()` to detect whether an API key comes from an environment variable, PHP constant, or the database. This enables the UI to show the key source and hide the remove button for externally configured keys. Refactor API key validation and masking from `sanitize_callback` and `option_` filters into a single `rest_post_dispatch` handler (`_wp_connectors_rest_settings_dispatch`). This ensures raw keys are never exposed via the REST API and simplifies the validation flow. Enrich `_wp_connectors_get_connector_settings()` with plugin installation/activation status and static memoization. Update `_wp_connectors_get_connector_script_module_data()` to expose `keySource`, `isConnected`, `logoUrl`, and plugin status to the admin. Backports WordPress/gutenberg#76266 Backports WordPress/gutenberg#76327 updates include ref update
jorgefilipecosta
force-pushed
the
connectors-api-key-source-and-rest-dispatch
branch
from
9379b18 to
45189ca
Compare
Add `_wp_connectors_get_api_key_source()` to detect whether an API key comes from an environment variable, PHP constant, or the database. This enables the UI to show the key source and hide the remove button for externally configured keys. Refactor API key validation and masking from `sanitize_callback` and `option_` filters into a single `rest_post_dispatch` handler (`_wp_connectors_rest_settings_dispatch`). This ensures raw keys are never exposed via the REST API and simplifies the validation flow. Enrich `_wp_connectors_get_connector_settings()` with plugin installation/activation status and static memoization. Update `_wp_connectors_get_connector_script_module_data()` to expose `keySource`, `isConnected`, `logoUrl`, and plugin status to the admin. Backports WordPress/gutenberg#76266 Backports WordPress/gutenberg#76327 updates include ref update # Conflicts: # src/wp-includes/connectors.php
src/wp-includes/connectors.php
Outdated
| foreach ( wp_get_connectors() as $connector_id => $connector_data ) { | ||
| $auth = $connector_data['authentication']; | ||
| if ( 'ai_provider' !== $connector_data['type'] || 'api_key' !== $auth['method'] || empty( $auth['setting_name'] ) ) { | ||
| if ( 'api_key' !== $auth['method'] || empty( $auth['setting_name'] ) ) { |
There was a problem hiding this comment.
The old _wp_connectors_validate_keys_in_rest also checked 'ai_provider' \!== $connector_data['type'] here, but this was dropped. Currently all connectors with api_key auth are ai_provider type, so it's functionally equivalent today — but it broadens scope for any future connector types that might use api_key auth. Was this intentional?
2 participants
Summary
Trac ticket: https://core.trac.wordpress.org/ticket/64819
Backports two Gutenberg PRs into WordPress core:
Gutenberg #76266 — Adds
_wp_connectors_get_api_key_source()to detect whether an API key is configured via environment variable, PHP constant, or database. The UI uses this to show the key source and hide "Remove and replace" for externally configured keys.Gutenberg #76327 — Refactors API key validation and masking from
sanitize_callback+option_filters into a singlerest_post_dispatchhandler (_wp_connectors_rest_settings_dispatch), ensuring raw keys are never exposed via REST API responses.Changes
_wp_connectors_get_api_key_source()— checks env var → PHP constant → database for API key origin_wp_connectors_rest_settings_dispatch()— masks keys in all/wp/v2/settingsresponses and validates on POST/PUT, reverting invalid keys_wp_connectors_get_real_api_key()— no longer needed since masking moved out of option filters_wp_connectors_validate_keys_in_rest()— replaced by the new dispatch handler_wp_connectors_get_connector_settings()— added static memoization and pluginis_installed/is_activatedstatus enrichment_wp_register_default_connector_settings()— simplifiedsanitize_callbacktosanitize_text_field, removed option mask filter_wp_connectors_pass_default_keys_to_ai_client()— skips keys from env/constant sources, usesget_option()directly_wp_connectors_get_connector_script_module_data()— exposeskeySource,isConnected,logoUrl, and plugin status (isInstalled,isActivated)Test plan
phpunit --group connectorsto verify existing tests pass