feat: Authorize AJAX with application passwords

dcalhoun · dcalhoun · commit 470c26828e84 · 2025-09-19T09:11:01.000-04:00
Include authorization header in AJAX requets, as we do not have cookies
to send in the mobile app environment.
diff --git a/src/utils/ajax.js b/src/utils/ajax.js
@@ -0,0 +1,77 @@
+/**
+ * Internal dependencies
+ */
+import { getGBKit } from './bridge';
+import { warn, debug } from './logger';
+
+/**
+ * GutenbergKit lacks authentication cookies required for AJAX requests.
+ * This configures a root URL and authentication header for AJAX requests.
+ *
+ * @return {void}
+ */
+export function initializeAjax() {
+	window.wp = window.wp || {};
+	window.wp.ajax = window.wp.ajax || {};
+	window.wp.ajax.settings = window.wp.ajax.settings || {};
+
+	const { siteURL, authHeader } = getGBKit();
+	configureAjaxUrl( siteURL );
+	configureAjaxAuth( authHeader );
+}
+
+function configureAjaxUrl( siteURL ) {
+	if ( ! siteURL ) {
+		warn( 'Unable to configure AJAX URL without siteURL' );
+		return;
+	}
+
+	window.wp.ajax.settings.url = `${ siteURL }/wp-admin/admin-ajax.php`;
+
+	debug( 'AJAX URL configured' );
+}
+
+function configureAjaxAuth( authHeader ) {
+	if ( ! authHeader ) {
+		warn( 'Unable to configure AJAX auth without authHeader' );
+		return;
+	}
+
+	window.jQuery?.ajaxSetup( {
+		headers: {
+			Authorization: authHeader,
+		},
+	} );
+
+	const originalSend = window.wp.ajax.send;
+	window.wp.ajax.send = function ( options ) {
+		const originalBeforeSend = options.beforeSend;
+
+		options.beforeSend = function ( xhr ) {
+			xhr.setRequestHeader( 'Authorization', authHeader );
+
+			if ( typeof originalBeforeSend === 'function' ) {
+				originalBeforeSend( xhr );
+			}
+		};
+
+		return originalSend.call( this, options );
+	};
+
+	const originalPost = window.wp.ajax.post;
+	window.wp.ajax.post = function ( options ) {
+		const originalBeforeSend = options.beforeSend;
+
+		options.beforeSend = function ( xhr ) {
+			xhr.setRequestHeader( 'Authorization', authHeader );
+
+			if ( typeof originalBeforeSend === 'function' ) {
+				originalBeforeSend( xhr );
+			}
+		};
+
+		return originalPost.call( this, options );
+	};
+
+	debug( 'AJAX auth configured' );
+}
diff --git a/src/utils/remote-editor.jsx b/src/utils/remote-editor.jsx
@@ -3,7 +3,7 @@
  */
 import { awaitGBKitGlobal } from './bridge';
 import { loadEditorAssets } from './editor-loader';
-import { initializeVideoPressAjaxBridge } from './videopress-bridge';
+import { initializeAjax } from './ajax';
 import { error, warn } from './logger';
 import { isDevMode } from './dev-mode';
 import './editor-styles.js';
@@ -71,7 +71,7 @@ function initializeApiFetch( assetsResult ) {
 }
 
 function initializeEditor( assetsResult ) {
-	initializeVideoPressAjaxBridge();
+	initializeAjax();
 
 	const { allowedBlockTypes } = assetsResult;
 	return import( './editor' ).then(
diff --git a/src/utils/videopress-bridge.js b/src/utils/videopress-bridge.js
