Aha! One needs to encode the secret, if I am not mistaken?
Once that’s fixed, I do get a URL but the API is returning a 404.
Very cool! I got the latest plug-in working, once I learned about/was told about the new Tinderbox Secret Key option in Wordpress. I also needed to allow the URLs on my websites firewall.
I wonder, is there a way to publish images and then include those in a blog post?
@webline, do you have a link to the Wordpress API documentation that you can share?
yes - the encoding - adding:
cleanText = cleanText.replace('?','.');
fixed the problem!
No need to encode the secret. I’m picking up the plain string in Wordpress.
@Michael: The Wordpress REST Api is the stuff you are looking for.
You register a new endpoint with register_rest_route and then a callback (function you defined) will be called. See: REST API Handbook | WordPress Developer Resources
Uploading media (image) is not that simple actually 
enclosed you find a new version of the plugin with an additional REST endpoint /favorite-image/ you pass the id of a post (you have it already in TBX) and the image and it will become the favourite image of the post.
tinderbox_rest.zip (6.7 KB)
and the CURL command would look like:
curl -X POST -F "file=@/path/to/your/image.jpg" "https://your-wordpress-site.com/wp-json/my-rest-plugin/v1/favorite-image/{post_id}"
No time to test it - but it should run… will add it to the TBX maybe tomorrow.
Since we are sending not only text but binary files now there has to be an authorisation method… The secret is not strong enough IMHO.
1 Like
Image upload will take more time - doesn’t work at the moment.
And cleanText = cleanText.replace('?','.'); is not a good idea - so I still have the problem with fetch(). Will dive into this one too.
Side note:
I just updated my note on fetch() to reflect the Tinderbox doesn’t restrict the choice of http request methods on offer. Hopefully this helps resolve questions like the one up-thread re possible use of DELETE. I’ve updated this part of the article:
httpMethod is an optional argument, indicating the HTTP request method to be used. HTTP 1.1. defined methods (per RFC 9110) are
GET,HEAD,POST,PUT(includingPATCH),DELETE,CONNECT,OPTIONS, andTRACE. If httpMethod is not specified, fetch() defaults to using a GET request. The methods allowed are as per the HTP protocol in use at the server, rather than a restriction by Tinderbox. Also be aware that support for a given method may also be a constraint at the server end of the request.
N.B. This isn’t my area of expertise, and so I am trying to document (in aTbRef) emergent issues I see being raised. Thus input from those more expert as to the clarity of the article for the user (especially first time use) are welcome, as ever (e.g. @webline’s helpful suggestion of a better general code example).
This is really cool!
I have got a couple questions.
-
Is there a way to post different author names, right now the wordpress plugin is defaulting to one author. I am a marketing manager I support multiple authors and I want to be able to publish under different names.
-
I’d like to be able to specify and upload images in my post is that possible?
-
Can I post an article as a draft and not have it published?
Thanks. Yes, I bet. But, if the media is already uploaded, I wonder how hard it would be to reference it in a blog post.
I have tested, I’ve tried to include a path to an image on my server and the https: keeps getting stripped out and an * is added to the end of \ the image somewhere in the posting process.
If I include in the body of my note:
<img src="https://www.myserver.com/wp-content/uploads/2023/05/TheIdentityNexus2023.png">
What the WordPress post shows is this:
<img src="//www.identitypraxis.com/wp-content/uploads/2023/05/TheIdentityNexus2023.png\*"
Also, note in the google reference how the https:// is getting replaced by and * and how an * is being added to the end of the URL.
Any ideas on how to make this work?
If we can figure out how to make this works, I wonder if there is a way to pull the index of media (name and URL) on a WordPress site into Tinderbox.
OK. The underlying problem appears to be that NSURL is not entirely sure which RFC it supports. I think that percent-encoding ? and / is what we need to do. I’ll do that in 9.6.1, but I believe you could do cleanText = cleanText.replace('?','%3F'); for the present.
I don’t use WordPress but … It looks like your URL is getting sanitised> IOW, from WP’s perspective it think its guarding you from malicious code/URL injection. I mention this because looking at the issue from a security perspective rather than one of encoding/string structure might offer some way forward. For instance, is there a method (token?) you can pass to establish your bona fides and thus stop the URL sanitisation question? I’ve tripped over a different but similar context before where I wasted a lot of time trying to fix the wrong problem (encoding input) and missing the actual problem (security configuration). Sadly the latter is a completely different system/use but the overall pattern looks similar. HTH.
1 Like
First the news, then the questions… this was a heavy task… now the image upload is running.
First: download the new files and install the updated PlugIn on your Wordpress machine
Second: go the your user profile in wordpress and scroll down. There is an area called “Application Passwords”. You have to create one. Name it as you like. You could also create a user with limited rights like a publisher. Tinderbox will connect to Wordpress with this Application Password and so with the role/rights where the password was created. Copy the Application Password now. You will not be able to copy it again later!
Third: Open the Terminal app on your Mac enter the name of the user where you created the Application Password and the password into
echo -n "your_username:your_application_password" | base64and copy this expression into the terminal window. Hit return and you get something like “jsdfgsdhiweklnjashbhsdfbkjp389hsdfh”
Fourth: copy this string into the attribute WordPress_AppToken of the note gWordPressAPI
That’s all it needs. Now you are ready to rumble
Uploading binaries to Wordpress is a security risk. So I had to implement a feature to get a save interface. Application Passwords are an official add on since Wordpress 5.6. I stay with the secret for all other functions.
@mwra yes, I use sanitize_text_field in the PlugIn to remove bad code from pasted text.
Now there is a prototyp called pWordPress. The notes in the demo used to test the interface rely on this prototype. After you send a note to WordPress the note stores the URL and the post_id of this post in the attributes URL and Wordpress_ID. You can click on the URL and jump directly to the post in WP.
The 3rd attribute is called Wordpress_FavImage. Hier you can enter the URL to an image (jpg, png, gif) on your local drive. You can upload this image to become the favourite image of the corresponding post. Currently it is not possible to upload images that are part of the $Text of a note.
You have four stamps to communicate with the Tinderbox-PlugIn:
- CreatePostInWP
- UpdatePostInWP
- DeletePostInWP
- ImageToPostInWP
See those stamps as examples for your own solution. (1) will create a new post with the title and text of the TBX note. If you run the stamp twice on the same note you get two copies in Wordpress.
(2) Will overwrite the title and text of an existing post in WP. The Wordpress_ID will be used for the reference.
(3) Will delete the post with the Wordpress_ID. (2) and (3) will only work on posts with the category “tinderbox” in WP. This is a security feature (kind of)
(4) here you can upload an image to the post with the Wordpress_ID.
There are several error handlers in the PlugIn - but we will see where the edge cases are
Stamp (1) is available in two version: one using cURL and one using fetch. (4) is cURL only.
@satikusala you may play with sending HTML including <img> with a full path. Maybe…
@Drew.Clabes (1) is currently sending status=publish but you can change that if you like. Currently only one author is supported. It’s complex because first I maybe would have to retrieve all author names from WP. Or I let you just enter the name and if the user doesn’t exist… will look into this
tinderbox_rest.zip (6.8 KB)
WPApiDemo.tbx (277.1 KB)
4 Likes
Super impressed!!!
OMG!!! This is SOOOOOOO AWESOME! 
Is anyone else seeing this?
I’m getting a red box when trying to create the application password, and so can’t copy it. I’ve disabled several plugins to see if that was causing the problem, they were not. Thougths?
since the Application Passwords are a core feature since WP 5.6 the only reason for the red box maybe another plugin (security: Wordfence and the like…) - disable all and see if it works, then switch them on again one by one… not very funny, but the only way.
I’ve learned a couple of things. The red box on Chrome never expands.
I turned off all the plugins and still got the issue.
On Firefox, the expand Window shows “Forbidden.” My hosting provider says they’ve blocked the XML-rpc services for security reasons. I’ve asked them is there is a way to work around this.
Hey. This is awesome. Thanks for it.
1 Like