JPMT-28 Connection: add provider-specific authentication endpoints (#42602)

* Add provider-specific authorization URL endpoint for Jetpack connection

* changelog

* Add support for magic link authentication and update provider options

* Replace string-based URL manipulation with proper URL parsing and construction for provider-specific authentication endpoints.

* Update doc, bring back $raw parameter

* Refactor email address assignment using null coalescing operator

* Update permission callback to use the correct method and handle optional redirect URI and email address parameters

* Refactor email address handling in magic link flow and ensure URL parameter values are properly encoded

* Add unit tests for provider-specific authentication endpoints

* Fix phan warning

Committed via a GitHub action: https://github.com/Automattic/jetpack/actions/runs/14000537385

Upstream-Ref: Automattic/jetpack@96b2fa3

Author: Initsogar

composer.json

@@ -8,7 +8,7 @@
 		"automattic/jetpack-autoloader": "^5.0.5",
 		"automattic/jetpack-composer-plugin": "^4.0.4",
 		"automattic/jetpack-config": "^3.0.1",
-		"automattic/jetpack-connection": "^6.7.7",
+		"automattic/jetpack-connection": "^6.8.0-alpha",
 		"automattic/jetpack-my-jetpack": "^5.9.0-alpha",
 		"automattic/jetpack-sync": "^4.9.2",
 		"automattic/jetpack-videopress": "^0.27.5-alpha",

jetpack_vendor/automattic/jetpack-boost-core/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.7.7"
+		"automattic/jetpack-connection": "^6.8.0-alpha"
 	},
 	"require-dev": {
 		"yoast/phpunit-polyfills": "^3.0.0",

jetpack_vendor/automattic/jetpack-connection/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.8.0-alpha] - unreleased
+
+This is an alpha version! The changes listed here are not final.
+
+### Added
+- Add auth providers support
+
 ## [6.7.7] - 2025-03-21
 ### Changed
 - Internal updates.
@@ -1362,6 +1369,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Separate the connection library into its own package.
 
+[6.8.0-alpha]: https://github.com/Automattic/jetpack-connection/compare/v6.7.7...v6.8.0-alpha
 [6.7.7]: https://github.com/Automattic/jetpack-connection/compare/v6.7.6...v6.7.7
 [6.7.6]: https://github.com/Automattic/jetpack-connection/compare/v6.7.5...v6.7.6
 [6.7.5]: https://github.com/Automattic/jetpack-connection/compare/v6.7.4...v6.7.5

jetpack_vendor/automattic/jetpack-connection/composer.json

@@ -64,7 +64,7 @@
 			"link-template": "https://github.com/Automattic/jetpack-connection/compare/v${old}...v${new}"
 		},
 		"branch-alias": {
-			"dev-trunk": "6.7.x-dev"
+			"dev-trunk": "6.8.x-dev"
 		},
 		"dependencies": {
 			"test-only": [

jetpack_vendor/automattic/jetpack-connection/src/class-package-version.php

@@ -12,7 +12,7 @@
  */
 class Package_Version {
 
-	const PACKAGE_VERSION = '6.7.7';
+	const PACKAGE_VERSION = '6.8.0-alpha';
 
 	const PACKAGE_SLUG = 'connection';
 

jetpack_vendor/automattic/jetpack-connection/src/class-rest-connector.php

@@ -261,6 +261,34 @@ public function __construct( Manager $connection ) {
 			)
 		);
 
+		// Provider-specific authorization URL endpoint
+		register_rest_route(
+			'jetpack/v4',
+			'/connection/authorize_url/(?P<provider>[a-zA-Z]+)',
+			array(
+				'methods'             => WP_REST_Server::READABLE,
+				'callback'            => array( $this, 'connection_authorize_url_provider' ),
+				'permission_callback' => __CLASS__ . '::user_connection_data_permission_check',
+				'args'                => array(
+					'provider'      => array(
+						'description' => __( 'Authentication provider (google, github, apple, link)', 'jetpack-connection' ),
+						'type'        => 'string',
+						'required'    => true,
+						'enum'        => array( 'google', 'github', 'apple', 'link' ),
+					),
+					'redirect_uri'  => array(
+						'description' => __( 'URI of the admin page where the user should be redirected after connection flow', 'jetpack-connection' ),
+						'type'        => 'string',
+					),
+					'email_address' => array(
+						'description' => __( 'Email address for magic link authentication', 'jetpack-connection' ),
+						'type'        => 'string',
+						'format'      => 'email',
+					),
+				),
+			)
+		);
+
 		register_rest_route(
 			'jetpack/v4',
 			'/user-token',
@@ -1110,4 +1138,53 @@ public function connection_check_permission_check() {
 			? true
 			: new WP_Error( 'invalid_permission_connection_check', self::get_user_permissions_error_msg(), array( 'status' => rest_authorization_required_code() ) );
 	}
+
+	/**
+	 * Provider-specific authorization URL endpoint
+	 *
+	 * @param WP_REST_Request $request The request sent to the WP REST API.
+	 *
+	 * @return \WP_REST_Response|WP_Error
+	 */
+	public function connection_authorize_url_provider( $request ) {
+		$provider     = $request['provider'];
+		$redirect_uri = $request['redirect_uri'] ?? '';
+
+		// Validate magic link parameters if provider is 'link'
+		if ( 'link' === $provider ) {
+			if ( empty( $request['email_address'] ) ) {
+				return new WP_Error(
+					'missing_email',
+					__( 'Email address is required for magic link authentication.', 'jetpack-connection' ),
+					array( 'status' => 400 )
+				);
+			}
+
+			// Sanitize email address
+			$email = sanitize_email( $request['email_address'] );
+			if ( ! is_email( $email ) ) {
+				return new WP_Error(
+					'invalid_email',
+					__( 'Invalid email address format.', 'jetpack-connection' ),
+					array( 'status' => 400 )
+				);
+			}
+		}
+
+		$authorize_url = ( new Authorize_Redirect( $this->connection ) )->build_authorize_url(
+			$redirect_uri,
+			false,
+			false,
+			$provider,
+			array(
+				'email_address' => $email ?? '',
+			)
+		);
+
+		return rest_ensure_response(
+			array(
+				'authorizeUrl' => $authorize_url,
+			)
+		);
+	}
 }

jetpack_vendor/automattic/jetpack-connection/src/webhooks/class-authorize-redirect.php

@@ -101,22 +101,59 @@ function ( $domains ) {
 	 * Create the Jetpack authorization URL.
 	 *
 	 * @since 2.7.6 Added optional $from and $raw parameters.
+	 * @since 6.8.0-alpha Added optional $provider and $provider_args parameters.
 	 *
 	 * @param bool|string $redirect URL to redirect to.
 	 * @param bool|string $from     If not false, adds 'from=$from' param to the connect URL.
 	 * @param bool        $raw If true, URL will not be escaped.
+	 * @param string|null $provider The authentication provider (google, github, apple, link).
+	 * @param array|null  $provider_args Additional provider-specific arguments.
 	 *
 	 * @todo Update default value for redirect since the called function expects a string.
 	 *
 	 * @return mixed|void
 	 */
-	public function build_authorize_url( $redirect = false, $from = false, $raw = false ) {
+	public function build_authorize_url( $redirect = false, $from = false, $raw = false, $provider = null, $provider_args = null ) {
 
 		add_filter( 'jetpack_connect_request_body', array( __CLASS__, 'filter_connect_request_body' ) );
 		add_filter( 'jetpack_connect_redirect_url', array( __CLASS__, 'filter_connect_redirect_url' ) );
 
 		$url = $this->connection->get_authorization_url( wp_get_current_user(), $redirect, $from, $raw );
 
+		// If a provider is specified, modify the URL to use the provider-specific endpoint
+		if ( $provider && in_array( $provider, array( 'google', 'github', 'apple', 'link' ), true ) ) {
+			// Parse the URL to modify it safely
+			$url_parts = wp_parse_url( $url );
+
+			if ( ! empty( $url_parts['host'] ) && ! empty( $url_parts['path'] ) ) {
+				// Build the new URL using wordpress.com as the host
+				$url_parts['host'] = 'wordpress.com';
+				$url_parts['path'] = '/log-in/jetpack/' . $provider;
+
+				// Preserve the query parameters
+				$query_params = array();
+				if ( ! empty( $url_parts['query'] ) ) {
+					parse_str( $url_parts['query'], $query_params );
+				}
+
+				// Add magic link specific parameters if provider is 'link'
+				if ( 'link' === $provider && is_array( $provider_args ) && ! empty( $provider_args['email_address'] ) ) {
+					$query_params['email_address'] = $provider_args['email_address'];
+					// Add flag to trigger magic link flow
+					$query_params['auto_trigger'] = '1';
+				}
+
+				// URL encode all parameter values
+				$query_params = array_map( 'rawurlencode', $query_params );
+
+				// Rebuild the URL
+				$url = 'https://' . $url_parts['host'] . $url_parts['path'];
+				if ( ! empty( $query_params ) ) {
+					$url = add_query_arg( $query_params, $url );
+				}
+			}
+		}
+
 		remove_filter( 'jetpack_connect_request_body', array( __CLASS__, 'filter_connect_request_body' ) );
 		remove_filter( 'jetpack_connect_redirect_url', array( __CLASS__, 'filter_connect_redirect_url' ) );
 
@@ -125,11 +162,14 @@ public function build_authorize_url( $redirect = false, $from = false, $raw = fa
 		 *
 		 * @since jetpack-8.9.0
 		 * @since 2.7.6 Added $raw parameter.
+		 * @since 6.8.0-alpha Added $provider and $provider_args parameters.
 		 *
-		 * @param string $url Connection URL.
-		 * @param bool   $raw If true, URL will not be escaped.
+		 * @param string      $url           Connection URL.
+		 * @param bool        $raw           If true, URL will not be escaped.
+		 * @param string|null $provider      The authentication provider if specified.
+		 * @param array|null  $provider_args Additional provider-specific arguments.
 		 */
-		return apply_filters( 'jetpack_build_authorize_url', $url, $raw );
+		return apply_filters( 'jetpack_build_authorize_url', $url, $raw, $provider, $provider_args );
 	}
 
 	/**

jetpack_vendor/automattic/jetpack-explat/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.7.7"
+		"automattic/jetpack-connection": "^6.8.0-alpha"
 	},
 	"require-dev": {
 		"yoast/phpunit-polyfills": "^3.0.0",

jetpack_vendor/automattic/jetpack-jitm/composer.json

@@ -7,7 +7,7 @@
 		"php": ">=7.2",
 		"automattic/jetpack-a8c-mc-stats": "^3.0.4",
 		"automattic/jetpack-assets": "^4.0.14",
-		"automattic/jetpack-connection": "^6.7.7",
+		"automattic/jetpack-connection": "^6.8.0-alpha",
 		"automattic/jetpack-device-detection": "^3.0.5",
 		"automattic/jetpack-logo": "^3.0.4",
 		"automattic/jetpack-redirect": "^3.0.5",

jetpack_vendor/automattic/jetpack-licensing/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.7.7"
+		"automattic/jetpack-connection": "^6.8.0-alpha"
 	},
 	"require-dev": {
 		"automattic/jetpack-test-environment": "@dev",

jetpack_vendor/automattic/jetpack-my-jetpack/composer.json

@@ -8,7 +8,7 @@
 		"automattic/jetpack-admin-ui": "^0.5.7",
 		"automattic/jetpack-assets": "^4.0.14",
 		"automattic/jetpack-boost-speed-score": "^0.4.6",
-		"automattic/jetpack-connection": "^6.7.7",
+		"automattic/jetpack-connection": "^6.8.0-alpha",
 		"automattic/jetpack-explat": "^0.2.13",
 		"automattic/jetpack-jitm": "^4.2.6",
 		"automattic/jetpack-licensing": "^3.0.8",

jetpack_vendor/automattic/jetpack-protect-status/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.7.7",
+		"automattic/jetpack-connection": "^6.8.0-alpha",
 		"automattic/jetpack-plugins-installer": "^0.5.4",
 		"automattic/jetpack-sync": "^4.9.2",
 		"automattic/jetpack-protect-models": "^0.5.4",

jetpack_vendor/automattic/jetpack-sync/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.7.7",
+		"automattic/jetpack-connection": "^6.8.0-alpha",
 		"automattic/jetpack-constants": "^3.0.5",
 		"automattic/jetpack-password-checker": "^0.4.7",
 		"automattic/jetpack-ip": "^0.4.6",

jetpack_vendor/automattic/jetpack-videopress/composer.json

@@ -7,7 +7,7 @@
 		"php": ">=7.2",
 		"automattic/jetpack-admin-ui": "^0.5.7",
 		"automattic/jetpack-assets": "^4.0.14",
-		"automattic/jetpack-connection": "^6.7.7",
+		"automattic/jetpack-connection": "^6.8.0-alpha",
 		"automattic/jetpack-my-jetpack": "^5.9.0-alpha",
 		"automattic/jetpack-plans": "^0.6.1"
 	},

jetpack_vendor/i18n-map.php

@@ -26,7 +26,7 @@
     ),
     'jetpack-connection' => array(
       'path' => 'jetpack_vendor/automattic/jetpack-connection',
-      'ver' => '6.7.7',
+      'ver' => '6.8.0-alpha1742589662',
     ),
     'jetpack-explat' => array(
       'path' => 'jetpack_vendor/automattic/jetpack-explat',

vendor/automattic/jetpack-plans/composer.json

@@ -5,7 +5,7 @@
 	"license": "GPL-2.0-or-later",
 	"require": {
 		"php": ">=7.2",
-		"automattic/jetpack-connection": "^6.7.7"
+		"automattic/jetpack-connection": "^6.8.0-alpha"
 	},
 	"require-dev": {
 		"yoast/phpunit-polyfills": "^3.0.0",