wp_is_authorize_application_password_request_valid() WP 5.6.0

Checks if the Authorize Application Password request is valid.

Return

true|WP_Error. True if the request is valid; a WP_Error object containing the errors if not.

Usage

wp_is_authorize_application_password_request_valid( $request, $user );

$request(array) (required)

The array of request data. All arguments are optional and may be empty.

  • app_name(string)
    The suggested name of the application.

  • app_id(string)
    A UUID provided by the application to uniquely identify it.

  • success_url(string)
    The URL the user will be redirected to after approving the application.

  • reject_url(string)
    The URL the user will be redirected to after rejecting the application.

$user(WP_User) (required)

The user authorizing the application.

Changelog

Since 5.6.0 Introduced.
Since 6.2.0 Allow insecure HTTP connections for the local environment.
Since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol from being executed.

wp_is_authorize_application_password_request_valid() code WP 6.5.2

function wp_is_authorize_application_password_request_valid( $request, $user ) {
	$error = new WP_Error();

	if ( isset( $request['success_url'] ) ) {
		$validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
		if ( is_wp_error( $validated_success_url ) ) {
			$error->add(
				$validated_success_url->get_error_code(),
				$validated_success_url->get_error_message()
			);
		}
	}

	if ( isset( $request['reject_url'] ) ) {
		$validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
		if ( is_wp_error( $validated_reject_url ) ) {
			$error->add(
				$validated_reject_url->get_error_code(),
				$validated_reject_url->get_error_message()
			);
		}
	}

	if ( ! empty( $request['app_id'] ) && ! wp_is_uuid( $request['app_id'] ) ) {
		$error->add(
			'invalid_app_id',
			__( 'The application ID must be a UUID.' )
		);
	}

	/**
	 * Fires before application password errors are returned.
	 *
	 * @since 5.6.0
	 *
	 * @param WP_Error $error   The error object.
	 * @param array    $request The array of request data.
	 * @param WP_User  $user    The user authorizing the application.
	 */
	do_action( 'wp_authorize_application_password_request_errors', $error, $request, $user );

	if ( $error->has_errors() ) {
		return $error;
	}

	return true;
}
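
The wp_authorize_application_password_request_errors action above receives the same WP_Error object that the function checks before returning, so a callback can reject requests that core would accept. The following is an added example, not WordPress core code: a small plugin that requires an app_id and restricts both redirect URLs to an allowlist. The constant, function name, error codes and example.com hosts are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Restrict Application Password authorization requests (added example)
 */

// Assumption: constructed sample allowlist of hosts that may receive the redirect.
const EXAMPLE_APP_PASSWORD_REDIRECT_HOSTS = array( 'app.example.com', 'tools.example.org' );

/**
 * Tightens validation of an Authorize Application Password request.
 *
 * $error is the same WP_Error instance the core validator checks after the
 * action fires, so any error added here makes it return that WP_Error.
 *
 * @param WP_Error $error   The error object.
 * @param array    $request The array of request data.
 * @param WP_User  $user    The user authorizing the application.
 */
function example_restrict_app_password_request( $error, $request, $user ) {
	// Core accepts an empty app_id; this policy requires one for attribution.
	if ( empty( $request['app_id'] ) ) {
		$error->add( 'example_missing_app_id', __( 'An application ID is required.' ) );
	}

	foreach ( array( 'success_url', 'reject_url' ) as $key ) {
		if ( empty( $request[ $key ] ) ) {
			continue; // No redirect requested for this outcome.
		}

		// wp_parse_url() returns false on malformed input; isset() then yields '' below.
		$parts  = wp_parse_url( $request[ $key ] );
		$scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : '';
		$host   = isset( $parts['host'] ) ? strtolower( $parts['host'] ) : '';

		// Policy assumption: https only, exact host match, no credentials in the URL.
		if ( 'https' !== $scheme
			|| isset( $parts['user'] )
			|| ! in_array( $host, EXAMPLE_APP_PASSWORD_REDIRECT_HOSTS, true )
		) {
			$error->add(
				"example_{$key}_not_allowed",
				/* translators: %s: request parameter name. */
				sprintf( __( 'The %s host is not on the allowlist.' ), $key )
			);
		}
	}
}
add_action( 'wp_authorize_application_password_request_errors', 'example_restrict_app_password_request', 10, 3 );
```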