Fediverse Auxiliary Service Provider #2312
base: trunk
Pull Request Overview
This PR implements FASP (Fediverse Auxiliary Service Provider) specification v0.1 support for the WordPress ActivityPub plugin, allowing WordPress sites to act as auxiliary service providers in the fediverse ecosystem.
Key Changes
- Adds FASP REST API endpoints for provider info, registration, and capability management
- Implements RFC-9421 HTTP Message Signatures for request/response authentication and signing
- Provides admin interface for managing FASP registrations (approve/reject/delete)
Reviewed Changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| includes/rest/class-fasp-controller.php | New REST controller implementing FASP endpoints (provider info, registration, capability activation) |
| includes/class-fasp.php | Core FASP class for registration management and capability handling |
| includes/signature/class-http-message-signature.php | Adds sign_response() method for RFC-9421 response signing |
| includes/wp-admin/class-admin.php | Admin action handlers for approve/reject/delete FASP registrations |
| includes/wp-admin/class-settings.php | Adds FASP registrations tab to settings page |
| integration/class-nodeinfo.php | Adds faspBaseUrl to nodeinfo metadata |
| templates/fasp-registrations.php | Admin template for managing FASP registrations |
| tests/phpunit/tests/includes/class-test-fasp.php | PHPUnit tests for FASP functionality |
| tests/e2e/specs/includes/rest/fasp-controller.test.js | E2E tests for FASP specification compliance |
| activitypub.php | Initializes FASP controller and class |
| docs/*.md | Documentation for FASP implementation |
obenland left a comment
Some early feedback for a few files in case it's helpful
Introduces FAPI integration to the ActivityPub plugin, including a new REST controller for the provider info endpoint, nodeinfo metadata extension, and content-digest headers for integrity. Adds documentation for FAPI and signature handling, as well as PHPUnit tests for the new functionality. This enables the plugin to act as a Fediverse Auxiliary Service Provider in compliance with the FAPI v0.1 specification.
This commit introduces support for the Fediverse Auxiliary Service Provider (FASP) registration specification v0.1. It adds REST endpoints for FASP registration and capability activation, new classes for managing FASP registrations and admin UI, and updates all relevant documentation and code references from FAPI to FASP. The admin interface allows viewing, approving, rejecting, and deleting FASP registrations, and stores registration and capability data in WordPress options for compatibility.
Changed the protected $rest_base from 'fasp-registration' to 'fasp' and updated the registration route path to use the new base. Note: 'registeration' appears to be a typo and may need correction.
Corrected 'registeration' to 'registration' in the REST route path to ensure proper endpoint registration and consistency.
Updated the capability activation endpoint registration to prepend the route with $this->rest_base, ensuring the route is correctly namespaced.
Merged Fasp_Registration functionality into the Fasp class, removed the now-redundant Fasp_Registration and Fasp_Registration_Controller classes, and updated the Fasp_Controller to handle registration and capability endpoints directly. The admin interface was renamed and moved to includes/wp-admin/class-fasp-admin.php, now using the Fasp class for registration management. Documentation and tests were updated to reflect these changes.
Replaces the custom authenticate_request method with Activitypub\Rest\Server::verify_signature as the permission callback for the get_provider_info endpoint. Removes the now-unused authenticate_request method for consistency with other ActivityPub endpoints.
Updated Fasp_Controller to use the Application user's existing RSA keypair for HTTP Message Signatures (RFC-9421) instead of generating new Ed25519 keys. Removed the Ed25519 key generation logic and related test. Adjusted key handling and response data to reflect this change, improving consistency and simplifying key management.
Moved HTTP message signature logic from Fasp_Controller to the Http_Message_Signature helper class. Simplified provider info construction and response signing, improving maintainability and reusability. Exposed signature base string and params string methods as public in the signature helper.
Updated get_signature_base_string and get_params_string methods from public to private to restrict their visibility within the Http_Message_Signature class.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Removed unused required field validation and private key retrieval from Fasp_Controller::handle_registration. Renamed admin FASP registration handler methods and their action hooks for consistency by dropping the 'handle_' prefix.
Co-authored-by: Konstantin Obenland <obenland@gmx.de>
Added 'sanitize_callback' to the 'name', 'baseUrl', 'serverId', and 'publicKey' arguments in the REST API registration route to ensure input is properly sanitized. Updated handle_registration() to use sanitized parameters directly from the request, as sanitization is now handled by the route definition.
- Use spaceship operator for sorting (obenland feedback)
- Use rawurlencode for fasp_id in completion URI (Copilot feedback)
- Replace MD5 with wp_generate_password for ID generation (Copilot feedback)
- Split capability routes into separate POST/DELETE endpoints (obenland feedback)
- Fix documentation endpoint paths (Copilot feedback)
- Improve FASP lookup to also match by public key fingerprint for data URIs
- Update tests to reflect new method names and validation behavior

Per FASP protocol basics, the keyId MUST be the serverId exchanged during registration - a simple string identifier, not a data URI or URL.
Changes:
- Simplify get_fasp_by_keyid() to only match by server_id
- Remove unused data URI fingerprint matching
- Remove ensure_request_key_matches_registration() and fingerprint_from_keyid()
- Remove unused Remote_Actors import
- Update tests to use serverId instead of data URIs

- Add `activitypub_pre_get_public_key` filter to Remote_Actors::get_public_key() allowing custom key resolution for non-URL keyIds (like FASP serverIds)
- Add Ed25519 signature verification using WordPress's sodium_compat:
  - Http_Message_Signature now handles Ed25519 keys via sodium_crypto_sign_verify_detached()
  - Ed25519 keys are passed as arrays: ['type' => 'ed25519', 'key' => $raw_bytes]
- FASP integration:
  - Fasp::init() registers filter to provide Ed25519 public keys for serverId lookups
  - Fasp::get_registration_by_server_id() added for server_id based lookups
  - FASP now uses the same signature verification code path as ActivityPub
- Reuse Application actor's RSA keypair for signing FASP responses (already in place)

New FASP tests:
- Registration lookup by server_id
- Public key filter integration with Ed25519 keys
- Rejection of unapproved FASP registrations
- Pass-through for non-FASP keyIds
- Respecting existing keys from other filters

New Signature tests:
- Ed25519 signature verification via sodium
- Invalid signature detection
- Invalid key length detection

- Add server-level Ed25519 keypair to Signature class
- Add Ed25519 response signing to Http_Message_Signature
- Update Fasp_Controller to use Ed25519 for response signing
- Return Ed25519 public key in registration response
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 9 comments.
Security fixes:
- Ensure keyId comes from verified signature, not parsed headers
- Validate Ed25519 public key format (32 bytes) on registration
- Enforce serverId uniqueness on registration

Copilot feedback:
- Fix $version param type documentation (int -> string)
- Use esc_js() in onclick handlers instead of esc_attr_e()
- Fix completion URI path to match Settings tab structure
- Use rejected_at/rejected_by for rejection timestamps

- Update verify_http_signature docblock to reflect string return type
- Add alg parameter check for Ed25519 signatures to prevent mismatched algorithm from verifying with Ed25519 key

The Ed25519 public key validation we added requires keys to be exactly 32 bytes. Update E2E tests to generate real Ed25519 public keys instead of using arbitrary strings.
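
The checks named in the commits above (32-byte Ed25519 key and unique serverId at registration, keyId resolved only to an approved serverId, and the alg check before Ed25519 verification) are shown together here as an added example; it is not the plugin's code. The function names, the in-memory `$store` array and the sample serverIds are assumptions, and the script needs PHP's sodium extension.

```php
<?php
// Added example with hypothetical helper names; $store stands in for the plugin's stored registrations.
// Registration: the key must decode to 32 raw bytes and the serverId must be new.
function example_validate_registration( array $store, string $server_id, string $public_key_b64 ): string {
	$raw = base64_decode( $public_key_b64, true ); // Strict mode: false on non-base64 input.
	if ( false === $raw || SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES !== strlen( $raw ) ) {
		return 'invalid_public_key';
	}
	return in_array( $server_id, array_column( $store, 'server_id' ), true ) ? 'duplicate_server_id' : 'ok';
}

// Key lookup: keyId is matched against serverId only, and only approved entries count.
function example_key_for_keyid( array $store, string $key_id ): ?string {
	foreach ( $store as $registration ) {
		if ( $registration['server_id'] === $key_id && 'approved' === $registration['status'] ) {
			return base64_decode( $registration['public_key'], true ) ?: null;
		}
	}
	return null;
}

// Verification: a declared alg other than ed25519 is refused before any key is used.
function example_verify( array $store, array $params, string $base, string $signature ): bool {
	if ( isset( $params['alg'] ) && 'ed25519' !== $params['alg'] ) {
		return false;
	}
	$key = example_key_for_keyid( $store, $params['keyid'] ?? '' );
	if ( null === $key || SODIUM_CRYPTO_SIGN_BYTES !== strlen( $signature ) ) {
		return false; // Unknown or unapproved keyId, or malformed signature.
	}
	return sodium_crypto_sign_verify_detached( $signature, $base, $key );
}

// Constructed sample data: fresh keypair, one approved and one pending registration.
$pair  = sodium_crypto_sign_keypair();
$pub   = base64_encode( sodium_crypto_sign_publickey( $pair ) );
$store = array(
	array( 'server_id' => 'srv-approved', 'status' => 'approved', 'public_key' => $pub ),
	array( 'server_id' => 'srv-pending', 'status' => 'pending', 'public_key' => $pub ),
);
$base  = "\"@method\": GET\n\"@signature-params\": (\"@method\");created=1700000000;keyid=\"srv-approved\"";
$sig   = sodium_crypto_sign_detached( $base, sodium_crypto_sign_secretkey( $pair ) );
var_dump( array(
	'registration with a 9-byte key'  => example_validate_registration( $store, 'srv-new', base64_encode( 'not a key' ) ),
	'registration reusing a serverId' => example_validate_registration( $store, 'srv-approved', $pub ),
	'approved keyId, valid signature' => example_verify( $store, array( 'keyid' => 'srv-approved' ), $base, $sig ),
	'pending keyId, same signature'   => example_verify( $store, array( 'keyid' => 'srv-pending' ), $base, $sig ),
	'alg declared as rsa-v1_5-sha256' => example_verify( $store, array( 'keyid' => 'srv-approved', 'alg' => 'rsa-v1_5-sha256' ), $base, $sig ),
) );
```
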
- Add activitypub_enable_fasp setting in Advanced Settings.
- Gate FASP REST endpoints, hooks, and admin actions behind opt-in.
- Rename tab to "Auxiliary Services" with user-friendly labels.
- Hide technical details in collapsible sections.
- Move inline CSS to activitypub-admin.css.

Update PHPUnit and E2E tests to enable the activitypub_enable_fasp option before running FASP-related tests, since FASP is now opt-in.
Implements FASP (Fediverse Auxiliary Service Provider) specification v0.1 support, allowing WordPress sites to integrate with auxiliary fediverse services.
Proposed changes:
Other information:
Testing instructions:
GET /wp-json/activitypub/1.0/fasp/provider_info
Changelog entry
Changelog Entry Details
Significance
Type
Message
Add support for auxiliary fediverse services like moderation tools and search providers.