External Media: Ensure the correct connect URL is used. (#37689)

A fix to the blog nonce check on WPCOM highlighted that the connect URL retrieved while connecting to services like Google Photos, had the incorrect blog ID (when a user has multiple blogs) and the nonce was based on the public-api blog ID. This fixes that problem by swapping to using the site specific endpoint to get the service details.
Automattic · Jun 4, 2024 · 2e3836c · 2e3836c
1 parent 2dd4e94
commit 2e3836c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 5 deletions.
diff --git a/...ack/_inc/lib/core-api/wpcom-endpoints/class-wpcom-rest-api-v2-endpoint-external-media.php b/...ack/_inc/lib/core-api/wpcom-endpoints/class-wpcom-rest-api-v2-endpoint-external-media.php
@@ -7,6 +7,7 @@
  */
 
 use Automattic\Jetpack\Connection\Client;
+use Automattic\Jetpack\Connection\Manager;
 
 /**
  * External Media helper API.
@@ -368,19 +369,37 @@ public function copy_external_media( \WP_REST_Request $request ) {
 	 * @return array|\WP_Error|mixed
 	 */
 	public function get_connection_details( \WP_REST_Request $request ) {
-		$service    = rawurlencode( $request->get_param( 'service' ) );
-		$wpcom_path = sprintf( '/meta/external-media/connection/%s', $service );
+		$service = $request->get_param( 'service' );
 
 		if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
+			$wpcom_path       = sprintf( '/meta/external-media/connection/%s', rawurlencode( $service ) );
 			$internal_request = new \WP_REST_Request( 'GET', '/' . $this->namespace . $wpcom_path );
 			$internal_request->set_query_params( $request->get_params() );
 
 			return rest_do_request( $internal_request );
 		}
 
-		$response = Client::wpcom_json_api_request_as_user( $wpcom_path );
+		$site_id = Manager::get_site_id();
+		if ( is_wp_error( $site_id ) ) {
+			return $site_id;
+		}
 
-		return json_decode( wp_remote_retrieve_body( $response ), true );
+		$path     = sprintf( '/sites/%d/external-services', $site_id );
+		$response = Client::wpcom_json_api_request_as_user( $path );
+		if ( is_wp_error( $response ) ) {
+			return $response;
+		}
+
+		$body = json_decode( wp_remote_retrieve_body( $response ) );
+		if ( ! property_exists( $body, 'services' ) || ! property_exists( $body->services, $service ) ) {
+			return new WP_Error(
+				'bad_request',
+				__( 'An error occurred. Please try again later.', 'jetpack' ),
+				array( 'status' => 400 )
+			);
+		}
+
+		return $body->services->{ $service };
 	}
 
 	/**
@@ -404,7 +423,8 @@ public function delete_connection( WP_REST_Request $request ) {
 			$wpcom_path,
 			'2',
 			array(
-				'method' => 'DELETE',
+				'method'  => 'DELETE',
+				'blog_id' => Manager::get_site_id(),
 			)
 		);
 

diff --git a/projects/plugins/jetpack/changelog/fix-external-media-connect-url b/projects/plugins/jetpack/changelog/fix-external-media-connect-url
@@ -0,0 +1,4 @@
+Significance: patch
+Type: bugfix
+
+External media: Ensured the connect URL has the correct blog ID and verification values.