ActivityPub: Widen Reader auth shim to user-actor routes

[pfefferle]

See CM-776

Proposed changes

The Jetpack-signed Reader-auth shim previously accepted only blog-actor routes (actors/0/...) and required the AP site to be in blog or actor_blog mode. The wpcom Reader also signs requests for user-actor routes when a Jetpack user token is available, so those calls were being rejected even though Rest_Authentication had installed the matching wpcom user.

• jetpack_activitypub_reader_auth_is_target_route() now accepts any user id (actors/\d+/...), not just actors/0/.... The AP plugin's own Activitypub\Rest\Verification::verify_owner enforces actor identity natively (get_current_user_id() === (int) $user_id for user actors; BLOG_USER_ID + user_can_act_as_blog() for the blog actor), so the shim does not need to repeat that check — its role is bypassing the OAuth bearer requirement on Jetpack-signed calls.
• The is_blog_mode early-return in jetpack_activitypub_reader_auth_check_permission() is now route-scoped via a new jetpack_activitypub_reader_auth_route_is_blog_actor() helper. User-actor existence is independent of activitypub_actor_mode, so the blog-mode gate is only relevant when the route targets the blog actor.
• Surrounding docblocks were updated to match the new contract (file-top scope description, is_blog_mode purpose, is_target_route rationale).

Related product discussion/links

Does this pull request change what data or activity we track or use?

No.

Testing instructions

Unit tests cover the new behaviour. Run them with:

jp docker phpunit jetpack -- --filter Jetpack_ActivityPub_Reader_Auth_Test

The suite in projects/plugins/jetpack/tests/php/3rd-party/Jetpack_ActivityPub_Reader_Auth_Test.php was extended with:

• New positive cases — user-actor inbox in actor mode, user-actor outbox in actor_blog mode (test_check_permission_grants_user_actor_in_user_mode, test_check_permission_grants_user_actor_in_actor_blog_mode).
• New data-provider cases for is_target_route accepting non-zero user ids (user_id 1, user_id 42, users/7 alias).
• New tests for the route_is_blog_actor helper (positive for actors/0/, negative for actors/5/, defensive against non-request payloads).
• The existing negative case is preserved and renamed (test_check_permission_null_for_blog_actor_in_user_mode) — a blog-actor route on a pure actor-mode site still abstains, since no blog actor exists there.

End-to-end manual verification (on a Jetpack-connected AP site in actor mode, signed-in admin via the wpcom Reader):

1. GET /wp-json/activitypub/1.0/actors/<your-user-id>/inbox — previously 401, now serves the user's inbox.
2. POST /wp-json/activitypub/1.0/actors/<your-user-id>/outbox with a Note — previously 401, now publishes.
3. GET /wp-json/activitypub/1.0/actors/0/inbox on the same actor-mode site — still returns 401, because the blog actor doesn't exist.

Local gates run

• PHPCS: clean on both changed files.
• PHP syntax: clean.
• Phan: 0 issues on the touched code (analyzer crashed later on an unrelated WordPress-stubs polyfill path; not a regression introduced here).
• PHPUnit: deferred to CI — this branch was prepared in implement-only mode without a local Docker WP environment.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the change/ap-reader-auth-user-actors branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack change/ap-reader-auth-user-actors

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

---

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

• WordPress.com Simple releases happen as soon as you deploy your changes after merging this PR (PCYsg-Jjm-p2).
• WoA releases happen weekly.
• Releases to self-hosted sites happen monthly:
  • Scheduled release: June 2, 2026
  • Code freeze: June 1, 2026

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[jp-launch-control]

Code Coverage Summary

Coverage changed in 1 file.

File	Coverage	Δ%	Δ Uncovered
projects/plugins/jetpack/3rd-party/activitypub.php	52/57 (91.23%)	1.23%	0 💚

Full summary · PHP report · JS report