AWonderPHP-Groovytar

Groovytar Replacement for Gravatar

The Gravatar system of avatar generation for WordPress has some serious privacy concerns. An unsalted (aka naked) md5() hash of the e-mail address is used, making it trivial to associate comments to a particular e-mail address through the use of a rainbow table. This can be very problematic, employers for example can simply take an employee’s e-mail address, or applicant’s e-mail address, hash it, and search the web for for that hash revealing places that person has left comments under the pretense of anonymity.

Furthermore, the Gravatar server are a source of tracking cookies.

Gravatar generates images in the PNG image format, which was probably the right thing to do historically when Internet Explorer did not support SVG, but in today’s world, generated avatars really should be scalable to accommodate the wide variety of screen sizes and pixel resolutions.

Groovytar is intended as a drop in API compatible replacement for Gravatar that solves those issues. It is automatically used when the Pluggable Unplugged plugin is installed.

Groovytar

Namespace: \AWonderPHP\Groovytar
Fully Qualified Class Name: \AWonderPHP\Groovytar\Groovytar
Class Type: Abstract

This is an abstract class intended to be extended.

public static function generateSalts(): array

This function returns an array containing two randomly generated salts. These are the salts used to properly anomymize the hash of an e-mail address so that the e-mail address can not be determined from the hash.

The hashes are generated using \AWonderPHP\PluggableUnplugged\Misc::saltShaker()

public function addDomain(string $input): array

When you do not want e-mail addresses from a specific domain to have the hashes anonymized with a salt, this function adds the domain to the white list of domains that will not be obfuscated.

Reality is, this function is legacy, it was written when this class still used Gravatar as the source for generated avatars. The function is pointless when the generated avatars are served from a Groovytar avatar server.

public function addEmailAddress($input): array

Similar to the addDomain function, but for a specific e-mail address.

public function removeDomain(string $input): array

Removes a domain from the domain whitelist.

public function removeEmailAddress($input): array

Removes an e-mail address from the e-mail whitelist.

public function referenceHash($email)

This is for a Groovytar feature not yet implemented. In the future, a user will be able to create an account an account with Groovytar tied to their e-mail address. They can then optionally upload an image to it, or just have the same generated SVG avatars served regardless of the salted hash.

When a user wants to opt-in to reduced anonymity at a blog, they can check a box. The blog will then make an API call to the Groovytar server and include the reference hash (which is not salted) as well as the salted hash. Groovytar will then send an e-mail to the user to confirm the user wants reduced anonymity at that blog, and when the user opts in, then the salted hashes from that blog will result in their chosen image being served.

public function getAvatarData($id_or_email, $args = null)

A substitute for the WordPress get_avatar_data() function. It takes an e-mail address as the argument and an optional array of arguments related to the avatar to be served. It returns an array of arguments including the URL for the avatar.

public function getAvatarUrl($id_or_email, $args = null)

A substitute for the WordPress get_avatar_url() function. It basically does the same thing as the getAvatarData() method (which it calls) except it only returns the URL component.

WordPressGroovytar

Namespace: \AWonderPHP\Groovytar
Fully Qualified Class Name: \AWonderPHP\Groovytar\WordPressGroovytar
Extends: \AWonderPHP\Groovytar\Groovytar

The primary reason this is a separate class that it allows the abstract class to be unit tested without needing WordPress loaded. WordPress specific functions can go in this class.

public static function groovytarFooter(): void

If the blogmaster has decided to let others know that they are using Groovytar, this public method creates the string for the notice that will be added to the page footer.

public function __construct()

Instantiates the class.

Anonymity protected with AWM Pluggable Unplugged