Skip to content

feat: Expand application password abilities #45220

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 5 commits into
base: trunk
Choose a base branch
from
Draft

feat: Expand application password abilities #45220

wants to merge 5 commits into from

Conversation

@dcalhoun
Copy link
Member

@dcalhoun dcalhoun commented Sep 17, 2025
edited
Loading

Allow authenticating for admin-ajax and post preview requests with application passwords. This enables cookie-less clients—e.g, the iOS and Android mobile apps—to successfully authenticate these requests.

Ref CMM-713. Close CMM-766.

Proposed changes:

Leverage the application_password_is_api_request filter to conditionally extend application password authentication for:

  • admin-ajax
  • Post previews

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

pbArwn-7AD-p2

Does this pull request change what data or activity we track or use?

No

Testing instructions:

Tip

Apply these Jetpack changes to your site (see comment) before testing.

1. Authenticate admin-ajax requests with application passwords

  1. Request an admin-ajaxaction: 
    curl -I 'https://<site_domain>/wp-admin/admin-ajax.php?action=logged-in'
  2. Verify the 400 response.
  3. Request an admin-ajaxaction: 
    curl -I 'https://<site_domain>/wp-admin/admin-ajax.php?action=logged-in' \
  -H "Authorization: Basic $(echo -n '<username>:<application_password>' | base64)"
  4. Verify the 200 response.

2. Authenticate post preview request with application passwords

  1. Save a draft post and note the post ID.
  2. Request a preview: 
    curl -I 'https://<site_domain>/?p=<post_id>&preview=true'
  3. Verify the 404 response.
  4. Request a preview: 
    curl -I 'https://<site_domain>/?p=<post_id>&preview=true' \
  -H "Authorization: Basic $(echo -n '<username>:<application_password>' | base64)"
  5. Verify the 200 response.

3. Retrieve application password abilities

  1. Request the REST API endpoint: 
    curl 'https://<site_domain>/wp-json/wpcom/v2/application-password-extras/abilities' \
  -H "Authorization: Basic $(echo -n '<username>:<application_password>' | base64)"
  2. Verify the expected response: 
    {"admin-ajax":true,"post-previews":true}

@dcalhoun dcalhoun added [Status] In Progress [Feature] WP REST API [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ labels Sep 17, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Sep 17, 2025
edited
Loading

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the feat/expand-application-passwords-abilities branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack feat/expand-application-passwords-abilities

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions
Copy link
Contributor

github-actions bot commented Sep 17, 2025
edited
Loading

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  • ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

  • WordPress.com Simple releases happen as soon as you deploy your changes after merging this PR (PCYsg-Jjm-p2).
  • WoA releases happen weekly.
  • Releases to self-hosted sites happen monthly:
    • Scheduled release: December 2, 2025

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

@jp-launch-control
Copy link

jp-launch-control bot commented Sep 17, 2025
edited
Loading

Code Coverage Summary

Cannot generate coverage summary while tests are failing. 🤐

Please fix the tests, or re-run the Code coverage job if it was something being flaky.

Full summary · PHP report · JS report

@dcalhoun dcalhoun added [Type] Enhancement Changes to an existing feature — removing, adding, or changing parts of it [Tests] Includes Tests labels Sep 17, 2025
@dcalhoun dcalhoun force-pushed the feat/expand-application-passwords-abilities branch from 1b9ad63 to ac4c623 Compare September 18, 2025 20:31
@dcalhoun dcalhoun mentioned this pull request Sep 24, 2025
Draft
@dcalhoun
feat: Expand application password abilities
a03b040 
Allow authenticating for `admin-ajax` and post preview requests with
application passwords. This enables cookie-less clients--e.g, the iOS
and Android mobile apps--to successfully authenticate these requests.
@dcalhoun
changelog
2c781fb
@dcalhoun
test: Assert application password extras functionality
72ff273
@dcalhoun
feat: Increase robustness of post preview requests
764b891
@dcalhoun
perf: Optimize application_password_extras processing
cc53440 
Return early if the provided value is already truthy.
@dcalhoun dcalhoun force-pushed the feat/expand-application-passwords-abilities branch from 8e1970e to cc53440 Compare November 26, 2025 17:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

[Feature] WP REST API [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Status] In Progress [Tests] Includes Tests [Type] Enhancement Changes to an existing feature — removing, adding, or changing parts of it

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dcalhoun