Masks and validates connector API keys in REST responses.
Description
On every /wp/v2/settings response, masks connector API key values so raw keys are never exposed via the REST API.
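On POST or PUT requests, validates each updated key against the provider before masking. If validation fails, the key is reverted to an empty string, both in the stored option and in the response. Per the source below, this validation applies only to connectors of type `ai_provider`; keys for other connectors are accepted as-is and only masked.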
Parameters
- `$response` (WP_REST_Response, required): The response object.
- `$server` (WP_REST_Server, required): The server instance.
- `$request` (WP_REST_Request, required): The request object.
Source
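/**
 * Masks connector API keys in settings REST responses and validates submitted AI provider keys.
 *
 * Only acts on the `/wp/v2/settings` route; any other response is returned unchanged.
 * For each connector that authenticates with an API key, a non-empty string value in
 * the response is replaced with its masked form so the raw key is not returned to the
 * client. On POST or PUT requests, a key for an `ai_provider` connector that was
 * submitted in the request is first checked with _wp_connectors_is_ai_api_key_valid();
 * if that check does not return true, the stored option and the response value are
 * both reset to an empty string.
 *
 * @since 7.0.0
 *
 * @param WP_REST_Response $response The response object.
 * @param WP_REST_Server   $server   The server instance.
 * @param WP_REST_Request  $request  The request object.
 * @return WP_REST_Response The response, with connector API keys masked.
 */
function _wp_connectors_rest_settings_dispatch( WP_REST_Response $response, WP_REST_Server $server, WP_REST_Request $request ): WP_REST_Response {
	if ( '/wp/v2/settings' !== $request->get_route() ) {
		return $response;
	}

	$data = $response->get_data();
	if ( ! is_array( $data ) ) {
		return $response;
	}

	$method    = $request->get_method();
	$is_update = 'POST' === $method || 'PUT' === $method;

	foreach ( wp_get_connectors() as $connector_id => $connector_data ) {
		// Tolerate connector entries without a well-formed authentication array
		// instead of emitting PHP warnings into a REST response.
		$auth = $connector_data['authentication'] ?? null;
		if ( ! is_array( $auth ) || 'api_key' !== ( $auth['method'] ?? '' ) || empty( $auth['setting_name'] ) ) {
			continue;
		}

		$setting_name = $auth['setting_name'];
		if ( ! array_key_exists( $setting_name, $data ) ) {
			continue;
		}

		$value = $data[ $setting_name ];

		// Nothing to validate or mask for an empty or non-string value.
		// NOTE(review): a non-string value under this setting is passed through
		// unmasked; confirm the setting is always registered as a string.
		if ( ! is_string( $value ) || '' === $value ) {
			continue;
		}

		// Validate only keys that this request actually submitted. The settings
		// response lists every exposed setting, so without this check an unrelated
		// settings update would re-validate every stored AI key and clear any key
		// whose check does not come back true.
		// Assumes the REST parameter name equals $setting_name, as the response
		// data key and the option name already do in this function.
		$was_submitted = $is_update && $request->has_param( $setting_name );

		// Non-AI connectors accept keys as-is; the service plugin handles its own validation.
		if ( $was_submitted && 'ai_provider' === ( $connector_data['type'] ?? '' ) ) {
			// Strict comparison: any result other than boolean true is treated as
			// a failed validation, and the key is cleared rather than kept.
			if ( true !== _wp_connectors_is_ai_api_key_valid( $value, $connector_id ) ) {
				update_option( $setting_name, '' );
				$data[ $setting_name ] = '';
				continue;
			}
		}

		// Mask the key so the raw value never leaves the server in this response.
		$data[ $setting_name ] = _wp_connectors_mask_api_key( $value );
	}

	$response->set_data( $data );
	return $response;
}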
Changelog
| Version | Description |
|---|---|
| 7.0.0 | Introduced. |