wp_is_authorize_application_password_request_valid( array $request, WP_User $user )

Checks if the Authorize Application Password request is valid.


Parameters

$request

(Required) The array of request data. All arguments are optional and may be empty.<br>

  • 'app_name'
    (string) The suggested name of the application.<br>
  • 'app_id'
    (string) A UUID provided by the application to uniquely identify it.<br>
  • 'success_url'
    (string) The URL the user will be redirected to after approving the application.<br>
  • 'reject_url'
    (string) The URL the user will be redirected to after rejecting the application.<br>

$user

(Required) The user authorizing the application.


Return

(true|WP_Error) True if the request is valid, a WP_Error object contains errors if not.


Source

File: wp-admin/includes/user.php

function wp_is_authorize_application_password_request_valid( $request, $user ) {
	$error    = new WP_Error();

	if ( isset( $request['success_url'] ) ) {
		$validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
		if ( is_wp_error( $validated_success_url ) ) {
			$error->add(
				$validated_success_url->get_error_code(),
				$validated_success_url->get_error_message()
			);
		}
	}

	if ( isset( $request['reject_url'] ) ) {
		$validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
		if ( is_wp_error( $validated_reject_url ) ) {
			$error->add(
				$validated_reject_url->get_error_code(),
				$validated_reject_url->get_error_message()
			);
		}
	}

	if ( ! empty( $request['app_id'] ) && ! wp_is_uuid( $request['app_id'] ) ) {
		$error->add(
			'invalid_app_id',
			__( 'The application ID must be a UUID.' )
		);
	}

	/**
	 * Fires before application password errors are returned.
	 *
	 * @since 5.6.0
	 *
	 * @param WP_Error $error   The error object.
	 * @param array    $request The array of request data.
	 * @param WP_User  $user    The user authorizing the application.
	 */
	do_action( 'wp_authorize_application_password_request_errors', $error, $request, $user );

	if ( $error->has_errors() ) {
		return $error;
	}

	return true;
}


Changelog

Changelog
Version Description
6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed.
6.2.0 Allow insecure HTTP connections for the local environment.
5.6.0 Introduced.