Allow OOB for out-of-band callbacks

See #28

Author: rmccue

lib/class-wp-rest-oauth1.php

@@ -402,7 +402,7 @@ public function set_request_token_callback( $key, $callback ) {
 		}
 
 		$consumer = $token['consumer'];
-		if ( ! $this->validate_callback( $callback ) || ! $this->check_callback( $callback, $consumer ) ) {
+		if ( ! $this->check_callback( $callback, $consumer ) ) {
 			return new WP_Error( 'json_oauth1_invalid_callback', __( 'Callback URL is invalid' ) );
 		}
 
@@ -457,6 +457,17 @@ public function check_callback( $url, $consumer_id ) {
 			return false;
 		}
 
+		// Out-of-band isn't a URL, but is still valid
+		if ( $registered === 'oob' || $url === 'oob' ) {
+			// Ensure both the registered URL and requested are 'oob'
+			return ( $registered === $url );
+		}
+
+		// Validate the supplied URL
+		if ( ! $this->validate_callback( $url ) ) {
+			return false;
+		}
+
 		$registered = wp_parse_url( $registered );
 		$supplied = wp_parse_url( $url );