Social Image Generator: restrict direct access to token generation

[jeherve]

Follow-up to #44336
Fixes CML-668

Proposed changes:

When requesting a token directly from a WordPress.com simple site, we should check for the capability first.

#44336 uses the Social Image Generator service by calling \Automattic\Jetpack\Publicize\Social_Image_Generator\fetch_token().

• On self-hosted sites that method makes an API request to fetch a token, and in endpoint declaration we check for the capabiliity before to send a response:
  fbhepr%2Skers%2Sjcpbz%2Sjc%2Qpbagrag%2Serfg%2Qncv%2Qcyhtvaf%2Sraqcbvagf%2Swrgcnpx%2Qfbpvny.cuc%3Se%3Qr3s21441%2396-og
• On WordPress.com simple sites, however, the request is made directly, and thus we do not check for the capability.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

• N/A

Does this pull request change what data or activity we track or use?

• No

Testing instructions:

This is best tested on top of #44336

On a WordPress.com Simple site

1. Start with a free site
2. Load your site's home page
3. Check the og:image tag
   • It should not use a https://s0.wp.com/_si/ URL.

We should also ensure that other features relying on Social Image Generator are not impacted.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the fix/token-access-free-wpcom-site branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack fix/token-access-free-wpcom-site

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

[jeherve]

@manzoorwanijk @gmjuhasz Do you think you could take a look at this, and let me know if I missed anything obvious in my usage of the Social Image Generator service in #44336, something that would ensure we do not encounter the bug I'm fixing here?

Thank you!

[jp-launch-control]

Code Coverage Summary

Coverage changed in 1 file.

File	Coverage	Δ%	Δ Uncovered
projects/packages/publicize/src/social-image-generator/utilities.php	19/24 (79.17%)	-11.31%	3 ❤️‍🩹

Full summary · PHP report · JS report