<?php
/**
* Class Embed_Controller
*
* @link https://github.com/googleforcreators/web-stories-wp
*
* @copyright 2020 Google LLC
* @license https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
*/
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
declare(strict_types = 1);
namespace Google\Web_Stories\REST_API;
use DOMElement;
use DOMNode;
use DOMNodeList;
use Google\Web_Stories\Infrastructure\HasRequirements;
use Google\Web_Stories\Story_Post_Type;
use Google\Web_Stories_Dependencies\AmpProject\Dom\Document;
use WP_Error;
use WP_Http;
use WP_Network;
use WP_Post;
use WP_REST_Request;
use WP_REST_Response;
use WP_REST_Server;
/**
* Embed controller class.
*
* API endpoint to facilitate embedding web stories.
*
* @SuppressWarnings(PHPMD.ExcessiveClassComplexity)
*
* @phpstan-type SchemaEntry array{
* description: string,
* type: string,
* context: string[],
* default?: mixed,
* }
*
* @phpstan-type Schema array{
* properties: array<string, SchemaEntry>
* }
*/
class Embed_Controller extends REST_Controller implements HasRequirements {
/**
* Story_Post_Type instance.
*
* @var Story_Post_Type Story_Post_Type instance.
*/
private Story_Post_Type $story_post_type;
/**
* Constructor.
*
* @param Story_Post_Type $story_post_type Story_Post_Type instance.
*/
public function __construct( Story_Post_Type $story_post_type ) {
$this->story_post_type = $story_post_type;
$this->namespace = 'web-stories/v1';
$this->rest_base = 'embed';
}
/**
* Get the list of service IDs required for this service to be registered.
*
* Needed because the story post type needs to be registered first.
*
* @since 1.13.0
*
* @return string[] List of required services.
*/
public static function get_requirements(): array {
return [ 'story_post_type' ];
}
/**
* Registers routes for links.
*
* @see register_rest_route()
*/
public function register_routes(): void {
register_rest_route(
$this->namespace,
'/' . $this->rest_base,
[
[
'methods' => WP_REST_Server::READABLE,
'callback' => [ $this, 'get_proxy_item' ],
'permission_callback' => [ $this, 'get_proxy_item_permissions_check' ],
'args' => [
'url' => [
'description' => __( 'The URL for which to fetch embed data.', 'web-stories' ),
'required' => true,
'type' => 'string',
'format' => 'uri',
],
],
],
]
);
}
/**
* Callback for the Web Stories embed endpoints.
*
* Returns information about the given story.
*
* @SuppressWarnings(PHPMD.ExcessiveMethodLength)
*
* @since 1.0.0
*
* @param WP_REST_Request $request Full data about the request.
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
*/
public function get_proxy_item( $request ) {
/**
* Requested URL.
*
* @var string $url
*/
$url = $request['url'];
$url = urldecode( untrailingslashit( $url ) );
if ( empty( $url ) ) {
return new \WP_Error( 'rest_invalid_url', __( 'Invalid URL', 'web-stories' ), [ 'status' => 404 ] );
}
/**
* Filters the link data TTL value.
*
* @since 1.0.0
*
* @param int $time Time to live (in seconds). Default is 1 day.
* @param string $url The attempted URL.
*/
$cache_ttl = apply_filters( 'web_stories_embed_data_cache_ttl', DAY_IN_SECONDS, $url );
$cache_key = 'web_stories_embed_data_' . md5( $url );
$data = get_transient( $cache_key );
if ( \is_string( $data ) && ! empty( $data ) ) {
/**
* Decoded cached embed data.
*
* @var array<string,mixed>|null $embed
*/
$embed = json_decode( $data, true );
if ( $embed ) {
$response = $this->prepare_item_for_response( $embed, $request );
return rest_ensure_response( $response );
}
}
$data = $this->get_data_from_post( $url );
if ( $data ) {
$response = $this->prepare_item_for_response( $data, $request );
return rest_ensure_response( $response );
}
$args = [
'limit_response_size' => 153_600, // 150 KB.
'timeout' => 7, // phpcs:ignore WordPressVIPMinimum.Performance.RemoteRequestTimeout.timeout_timeout
];
/**
* Filters the HTTP request args for link data retrieval.
*
* Can be used to adjust timeout and response size limit.
*
* @since 1.0.0
*
* @param array<string,mixed> $args Arguments used for the HTTP request
* @param string $url The attempted URL.
*
* @phpstan-param array{
* method?: string,
* timeout?: float,
* redirection?: int,
* httpversion?: string,
* user-agent?: string,
* reject_unsafe_urls?: bool,
* blocking?: bool,
* headers?: string|array,
* cookies?: array,
* body?: string|array,
* compress?: bool,
* decompress?: bool,
* sslverify?: bool,
* sslcertificates?: string,
* stream?: bool,
* filename?: string,
* limit_response_size?: int,
* } $args
*/
$args = apply_filters( 'web_stories_embed_data_request_args', $args, $url );
$response = wp_safe_remote_get( $url, $args );
if ( WP_Http::OK !== wp_remote_retrieve_response_code( $response ) ) {
// Not saving the error response to cache since the error might be temporary.
return new \WP_Error( 'rest_invalid_url', __( 'Invalid URL', 'web-stories' ), [ 'status' => 404 ] );
}
$html = wp_remote_retrieve_body( $response );
if ( ! $html ) {
return new \WP_Error( 'rest_invalid_story', __( 'URL is not a story', 'web-stories' ), [ 'status' => 404 ] );
}
$data = $this->get_data_from_document( $html );
if ( ! $data ) {
return new \WP_Error( 'rest_invalid_story', __( 'URL is not a story', 'web-stories' ), [ 'status' => 404 ] );
}
$response = $this->prepare_item_for_response( $data, $request );
set_transient( $cache_key, wp_json_encode( $data ), $cache_ttl );
return rest_ensure_response( $response );
}
/**
* Prepares a single embed output for response.
*
* @since 1.10.0
*
* @param array<string, mixed>|false $embed Embed value, default to false is not set.
* @param WP_REST_Request $request Request object.
* @return WP_REST_Response|WP_Error Response object.
*/
public function prepare_item_for_response( $embed, $request ) {
$fields = $this->get_fields_for_response( $request );
$schema = $this->get_item_schema();
$data = [];
if ( \is_array( $embed ) ) {
$check_fields = array_keys( $embed );
foreach ( $check_fields as $check_field ) {
if ( ! empty( $schema['properties'][ $check_field ] ) && rest_is_field_included( $check_field, $fields ) ) {
$data[ $check_field ] = rest_sanitize_value_from_schema( $embed[ $check_field ], $schema['properties'][ $check_field ] );
}
}
}
/**
* Request context.
*
* @var string $context
*/
$context = ! empty( $request['context'] ) ? $request['context'] : 'view';
$data = $this->add_additional_fields_to_object( $data, $request );
$data = $this->filter_response_by_context( $data, $context );
return rest_ensure_response( $data );
}
/**
* Retrieves the link's schema, conforming to JSON Schema.
*
* @since 1.10.0
*
* @return array Item schema data.
*
* @phpstan-return Schema
*/
public function get_item_schema(): array {
if ( $this->schema ) {
/**
* Schema.
*
* @phpstan-var Schema $schema
*/
$schema = $this->add_additional_fields_schema( $this->schema );
return $schema;
}
$schema = [
'$schema' => 'http://json-schema.org/draft-04/schema#',
'title' => 'embed',
'type' => 'object',
'properties' => [
'title' => [
'description' => __( 'Embed\'s title', 'web-stories' ),
'type' => 'string',
'context' => [ 'view', 'edit', 'embed' ],
],
'poster' => [
'description' => __( 'Embed\'s image', 'web-stories' ),
'type' => 'string',
'format' => 'uri',
'context' => [ 'view', 'edit', 'embed' ],
],
],
];
$this->schema = $schema;
/**
* Schema.
*
* @phpstan-var Schema $schema
*/
$schema = $this->add_additional_fields_schema( $this->schema );
return $schema;
}
/**
* Checks if current user can process links.
*
* @since 1.0.0
*
* @return true|WP_Error True if the request has read access, WP_Error object otherwise.
*/
public function get_proxy_item_permissions_check() {
if ( ! $this->story_post_type->has_cap( 'edit_posts' ) ) {
return new \WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to make proxied embed requests.', 'web-stories' ), [ 'status' => rest_authorization_required_code() ] );
}
return true;
}
/**
* Retrieves the story metadata for a given URL on the current site.
*
* @since 1.0.0
*
* @param string $url The URL that should be inspected for metadata.
* @return array{title: string, poster: string}|false Story metadata if the URL does belong to the current site. False otherwise.
*/
private function get_data_from_post( string $url ) {
$post = $this->url_to_post( $url );
if ( ! $post || $this->story_post_type->get_slug() !== $post->post_type ) {
return false;
}
return $this->get_data_from_document( $post->post_content );
}
/**
* Examines a URL and try to determine the post it represents.
*
* Checks are supposedly from the hosted site blog.
*
* @SuppressWarnings(PHPMD.NPathComplexity)
*
* @since 1.2.0
*
* @see get_oembed_response_data_for_url
* @see url_to_postid
*
* @param string $url Permalink to check.
* @return WP_Post|null Post object on success, null otherwise.
*/
private function url_to_post( $url ): ?WP_Post {
$post = null;
$switched_blog = $this->maybe_switch_site( $url );
if ( \function_exists( 'wpcom_vip_url_to_postid' ) ) {
$post_id = wpcom_vip_url_to_postid( $url );
} else {
// phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions
$post_id = url_to_postid( $url );
}
if ( $post_id ) {
$post = get_post( $post_id );
}
if ( ! $post_id ) {
// url_to_postid() does not recognize plain permalinks like https://example.com/?web-story=my-story.
// Let's check for that ourselves.
/**
* The URL's hostname.
*
* @var string|false|null $url_host
*/
$url_host = wp_parse_url( $url, PHP_URL_HOST );
if ( $url_host ) {
$url_host = str_replace( 'www.', '', $url_host );
}
/**
* The home URL's hostname.
*
* @var string|false|null $home_url_host
*/
$home_url_host = wp_parse_url( home_url(), PHP_URL_HOST );
if ( $home_url_host ) {
$home_url_host = str_replace( 'www.', '', $home_url_host );
}
if ( $url_host && $home_url_host && $url_host === $home_url_host ) {
$values = [];
if (
preg_match(
'#[?&](' . preg_quote( $this->story_post_type->get_slug(), '#' ) . ')=([^&]+)#',
$url,
$values
)
) {
$slug = $values[2];
if ( \function_exists( 'wpcom_vip_get_page_by_path' ) ) {
$post = wpcom_vip_get_page_by_path( $slug, OBJECT, $this->story_post_type->get_slug() );
} else {
// phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions
$post = get_page_by_path( $slug, OBJECT, $this->story_post_type->get_slug() );
}
}
}
}
if ( $switched_blog ) {
restore_current_blog();
}
if ( ! $post instanceof WP_Post ) {
return null;
}
return $post;
}
/**
* Maybe switch to site.
*
* @since 1.29.0
*
* @param string $url Permalink to check.
*/
private function maybe_switch_site( $url ): bool {
if ( ! is_multisite() ) {
return false;
}
$switched_blog = false;
/**
* URL parts.
*
* @var array<string, string>|false $url_parts
*/
$url_parts = wp_parse_url( $url );
if ( ! $url_parts ) {
$url_parts = [];
}
$url_parts = wp_parse_args(
$url_parts,
[
'host' => '',
'path' => '/',
]
);
$qv = [
'domain' => $url_parts['host'],
'path' => '/',
'number' => 1,
'update_site_cache' => false,
'update_site_meta_cache' => false,
];
// In case of subdirectory configs, set the path.
if ( ! is_subdomain_install() ) {
// Get "sub-site" part of "http://example.org/sub-site/web-stories/my-story/".
// But given just "http://example.org/web-stories/my-story/", don't treat "web-stories" as site path.
// This differs from the logic in get_oembed_response_data_for_url() which does not do this.
// TODO: Investigate possible core bug in get_oembed_response_data_for_url()?
$path = explode( '/', ltrim( $url_parts['path'], '/' ) );
$path = \count( $path ) > 2 ? reset( $path ) : false;
$network = get_network();
if ( $path && $network instanceof WP_Network ) {
$qv['path'] = $network->path . $path . '/';
}
}
$sites = (array) get_sites( $qv );
$site = reset( $sites );
if ( $site && get_current_blog_id() !== (int) $site->blog_id ) {
// phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions.switch_to_blog_switch_to_blog
switch_to_blog( (int) $site->blog_id );
$switched_blog = true;
}
return $switched_blog;
}
/**
* Parses an HTML document to and returns the story's title and poster.
*
* @since 1.0.0
*
* @param string $html HTML document markup.
* @return array{title: string, poster: string}|false Response data or false if document is not a story.
*/
private function get_data_from_document( string $html ) {
try {
$doc = Document::fromHtml( $html );
} catch ( \DOMException $exception ) {
return false;
}
if ( ! $doc ) {
return false;
}
/**
* List of <amp-story> elements.
*
* @var DOMNodeList<DOMElement>|false $amp_story
*/
$amp_story = $doc->xpath->query( '//amp-story' );
if ( ! $amp_story instanceof DOMNodeList || 0 === $amp_story->length ) {
return false;
}
$title = $this->get_dom_attribute_content( $amp_story, 'title' );
$poster = $this->get_dom_attribute_content( $amp_story, 'poster-portrait-src' );
return [
'title' => $title ?: '',
'poster' => $poster ?: '',
];
}
/**
* Retrieve content of a given DOM node attribute.
*
* @since 1.0.0
*
* @param DOMNodeList<DOMElement>|false $query XPath query result.
* @param string $attribute Attribute name.
* @return string|false Attribute content on success, false otherwise.
*/
protected function get_dom_attribute_content( $query, string $attribute ) {
if ( ! $query instanceof DOMNodeList || 0 === $query->length ) {
return false;
}
/**
* DOMElement
*
* @var DOMElement|DOMNode $node
*/
$node = $query->item( 0 );
if ( ! $node instanceof DOMElement ) {
return false;
}
return $node->getAttribute( $attribute );
}
}