test[faustwp]: regression test for hash_equals secret-key comparison (follow-up to #2312)

[josephfusco]

Summary

Follow-up to #2312 (merged as 5d73ec86), which landed the hash_equals() fix for #2310 without regression test coverage. canary now has the timing-safe secret-key comparison in production code, but no automated guard against a future revert.

This PR adds plugins/faustwp/tests/integration/RestCallbacksTests.php — tests-only, no production code changes. Both REST permission callbacks (rest_authorize_permission_callback and the deprecated wpac_authorize_permission_callback) previously had zero direct test coverage; this brings coverage up plus a source-level guard against the specific revert that would reintroduce the timing-attack vulnerability.

Why this is a separate PR

The original #2312 had maintainerCanModify: false, so I couldn't push the test commit onto the contributor's fork branch. I'd opened this PR (#2362) with the same security fix plus tests, but #2312 merged first — so this PR's production-code commits are now empty against canary. Resetting the branch to a single tests-only commit keeps the safety net we built without re-shipping the already-merged code.

Scope

File	Status
plugins/faustwp/tests/integration/RestCallbacksTests.php	New — 8 tests, 12 assertions
No production code changes	—
No changeset	— (tests aren't customer-facing)

Tests

cd plugins/faustwp
composer install

WP_VERSION=6.8 composer run docker:start
docker compose exec wordpress init-testing-environment.sh
docker compose exec -w /var/www/html/wp-content/plugins/faustwp wordpress \
  wp plugin install wp-graphql --activate --allow-root

docker compose exec -w /var/www/html/wp-content/plugins/faustwp wordpress \
  ./vendor/bin/phpunit --filter=RestCallbacks
# Expected: OK (8 tests, 12 assertions)

# Full suite (single-site + multisite)
docker compose exec -w /var/www/html/wp-content/plugins/faustwp wordpress \
  composer test

Test inventory

Behavioural (rest_authorize_permission_callback):

• match → true
• mismatch → false
• missing header → false
• empty-string header → false
• server-side secret unset → false (deletes the faustwp_settings option directly, because sanitize_option_faustwp_settings would otherwise restore a UUID-shaped value)

Behavioural (deprecated wpac_authorize_permission_callback):

• match → true
• mismatch → false

Source-level regression guard (test_secret_comparisons_use_constant_time_hash_equals):

• Asserts === $header_key and !== $_SERVER['HTTP_X_FAUST_SECRET'] are NOT present in the callbacks files.
• Asserts hash_equals IS present (assertGreaterThanOrEqual(1, ...) to avoid false positives if a future contributor adds a legitimate third hash_equals call).
• Behavioural tests cannot distinguish hash_equals from === for valid/invalid inputs — both return the same boolean. The security difference is timing, which is impractical to assert in unit tests. The source-level check is the only way to catch a future revert of the fix[faustwp]: secret key comparisons use timing-vulnerable === instead of hash_equals() #2310 fix.

Verified red-on-revert against today's canary-based branch (HEAD 5f25cae7, 2026-05-14): with hash_equals reverted to === / !== in rest/callbacks.php and graphql/callbacks.php, the source guard fails cleanly (Failed asserting that ... does not contain "=== $header_key"). Restoring hash_equals greens the suite. Full plugin PHPUnit run on WP 6.8: 134 tests, 303 assertions on both single-site and multisite.

Related

• Follows up fix[faustwp]: (#2310) use hash_equals for secret key comparison #2312 (merged, closed fix[faustwp]: secret key comparisons use timing-vulnerable === instead of hash_equals() #2310)
• Sister PR fix[faustwp]: (#2311) clean up uploaded blockset zip when extraction fails #2338 (still in flight) adds analogous regression coverage for the blockset cleanup
• Sister PR fix[faustwp]: (#1872) use home_url() in handle_generate_endpoint #2339 (merged) added analogous regression coverage for the Bedrock home_url() fix (AuthCallbacksTests.php)

Together these three test files give handle_generate_endpoint, process_and_replace_blocks, and the REST permission callbacks their first dedicated regression coverage. (filter_introspection is already covered by four pre-existing tests in GraphQLCallbacksTests.php.)

Co-authored-by: latenighthackathon latenighthackathon@users.noreply.github.com

[changeset-bot]

⚠️ No Changeset found

Latest commit: df186fc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

📦 Next.js Bundle Analysis for @faustwp/getting-started-example

This analysis was generated by the Next.js Bundle Analysis action. 🤖

This PR introduced no changes to the JavaScript bundle! 🙌

[Copilot]

Pull request overview

Adds integration/regression coverage for FaustWP’s REST permission callbacks, specifically guarding against regressions of the timing-safe hash_equals() secret comparison introduced in #2312/#2310.

Changes:

• Add a new integration test suite covering rest_authorize_permission_callback() behavior across match/mismatch/missing/empty/unset-secret scenarios.
• Add behavioral coverage for the deprecated wpac_authorize_permission_callback().
• Add a source-level regression guard intended to fail if comparisons revert away from hash_equals().

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.