FormHandlerService.php
10 months ago
NotificationManagementService.php
4 weeks ago
ProductPageIntegration.php
10 months ago
SignupResult.php
10 months ago
SignupService.php
4 weeks ago
NotificationManagementService.php
157 lines
| 1 | <?php |
| 2 | |
| 3 | declare( strict_types=1 ); |
| 4 | |
| 5 | namespace Automattic\WooCommerce\Internal\StockNotifications\Frontend; |
| 6 | |
| 7 | use Automattic\WooCommerce\Internal\StockNotifications\Emails\EmailManager; |
| 8 | use Automattic\WooCommerce\Internal\StockNotifications\Enums\NotificationStatus; |
| 9 | use Automattic\WooCommerce\Internal\StockNotifications\Factory; |
| 10 | use Automattic\WooCommerce\Internal\StockNotifications\Notification; |
| 11 | |
| 12 | /** |
| 13 | * Notification management service. |
| 14 | */ |
| 15 | class NotificationManagementService { |
| 16 | |
| 17 | /** |
| 18 | * Query argument carrying the notification id for a resend-verification request. |
| 19 | */ |
| 20 | public const RESEND_QUERY_ARG = 'wc_bis_resend_notification'; |
| 21 | |
| 22 | /** |
| 23 | * Nonce action for resend-verification URLs. |
| 24 | */ |
| 25 | public const RESEND_NONCE_ACTION = 'wc_bis_resend_verification_email_nonce'; |
| 26 | |
| 27 | /** |
| 28 | * Meta key tracking the last time a verification email was dispatched. |
| 29 | * |
| 30 | * Used to rate-limit the frontend resend endpoint. |
| 31 | */ |
| 32 | public const LAST_VERIFY_EMAIL_SENT_META = '_last_verify_email_sent_at'; |
| 33 | |
| 34 | /** |
| 35 | * Minimum seconds between back-to-back resend requests. |
| 36 | */ |
| 37 | public const RESEND_RATE_LIMIT_SECONDS = 60; |
| 38 | |
| 39 | /** |
| 40 | * Email manager. |
| 41 | * |
| 42 | * @var EmailManager |
| 43 | */ |
| 44 | private EmailManager $email_manager; |
| 45 | |
| 46 | /** |
| 47 | * Init the service. |
| 48 | * |
| 49 | * @internal |
| 50 | * |
| 51 | * @param EmailManager $email_manager The email manager. |
| 52 | */ |
| 53 | final public function init( EmailManager $email_manager ): void { |
| 54 | $this->email_manager = $email_manager; |
| 55 | |
| 56 | add_action( 'template_redirect', array( $this, 'maybe_process_resend_request' ) ); |
| 57 | } |
| 58 | |
| 59 | /** |
| 60 | * Get resend verification email URL. |
| 61 | * |
| 62 | * @param Notification $notification The notification. |
| 63 | * @return string The resend verification email URL. |
| 64 | */ |
| 65 | public function get_resend_verification_email_url( Notification $notification ): string { |
| 66 | $url = add_query_arg( |
| 67 | array( |
| 68 | self::RESEND_QUERY_ARG => $notification->get_id(), |
| 69 | ), |
| 70 | $notification->get_product_permalink() |
| 71 | ); |
| 72 | |
| 73 | return wp_nonce_url( $url, self::RESEND_NONCE_ACTION . '_' . $notification->get_id() ); |
| 74 | } |
| 75 | |
| 76 | /** |
| 77 | * Handle the resend-verification request if the current request carries one. |
| 78 | */ |
| 79 | public function maybe_process_resend_request(): void { |
| 80 | // Only run on frontend GET requests — skip admin, POST, CLI, etc. before doing any nonce/DB work. |
| 81 | if ( is_admin() ) { |
| 82 | return; |
| 83 | } |
| 84 | |
| 85 | // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.NonceVerification.Recommended |
| 86 | $method = isset( $_SERVER['REQUEST_METHOD'] ) ? strtoupper( sanitize_text_field( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) ) : 'GET'; |
| 87 | if ( 'GET' !== $method ) { |
| 88 | return; |
| 89 | } |
| 90 | |
| 91 | // phpcs:ignore WordPress.Security.NonceVerification.Recommended |
| 92 | if ( ! isset( $_GET[ self::RESEND_QUERY_ARG ] ) ) { |
| 93 | return; |
| 94 | } |
| 95 | |
| 96 | // phpcs:ignore WordPress.Security.NonceVerification.Recommended |
| 97 | $notification_id = absint( wp_unslash( $_GET[ self::RESEND_QUERY_ARG ] ) ); |
| 98 | $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : ''; |
| 99 | |
| 100 | if ( empty( $notification_id ) ) { |
| 101 | return; |
| 102 | } |
| 103 | |
| 104 | // Scope the nonce per-notification so one valid resend URL cannot be replayed |
| 105 | // across the notification id query arg to trigger emails for other customers. |
| 106 | if ( ! wp_verify_nonce( $nonce, self::RESEND_NONCE_ACTION . '_' . $notification_id ) ) { |
| 107 | return; |
| 108 | } |
| 109 | |
| 110 | $notification = Factory::get_notification( $notification_id ); |
| 111 | if ( ! $notification instanceof Notification ) { |
| 112 | return; |
| 113 | } |
| 114 | |
| 115 | $this->ensure_notice_session(); |
| 116 | |
| 117 | $redirect_url = $notification->get_product_permalink(); |
| 118 | if ( empty( $redirect_url ) ) { |
| 119 | $redirect_url = wc_get_page_permalink( 'shop' ); |
| 120 | } |
| 121 | |
| 122 | if ( NotificationStatus::PENDING !== $notification->get_status() ) { |
| 123 | wc_add_notice( esc_html__( 'This notification is already verified or cancelled.', 'woocommerce' ), 'error' ); |
| 124 | wp_safe_redirect( $redirect_url ); |
| 125 | exit; |
| 126 | } |
| 127 | |
| 128 | $last_sent_at = (int) $notification->get_meta( self::LAST_VERIFY_EMAIL_SENT_META ); |
| 129 | if ( $last_sent_at > 0 && ( time() - $last_sent_at ) < self::RESEND_RATE_LIMIT_SECONDS ) { |
| 130 | wc_add_notice( esc_html__( 'Please wait a moment before requesting another verification email.', 'woocommerce' ), 'notice' ); |
| 131 | wp_safe_redirect( $redirect_url ); |
| 132 | exit; |
| 133 | } |
| 134 | |
| 135 | // Persist the rate-limit timestamp before dispatching the email so two near-simultaneous |
| 136 | // requests can't both pass the rate-limit check and trigger duplicate sends. |
| 137 | $notification->update_meta_data( self::LAST_VERIFY_EMAIL_SENT_META, (string) time() ); |
| 138 | $notification->save(); |
| 139 | |
| 140 | $this->email_manager->send_verify_email( $notification ); |
| 141 | |
| 142 | /* translators: %s user email. */ |
| 143 | wc_add_notice( sprintf( esc_html__( 'Verification email sent to %s.', 'woocommerce' ), $notification->get_user_email() ), 'success' ); |
| 144 | wp_safe_redirect( $redirect_url ); |
| 145 | exit; |
| 146 | } |
| 147 | |
| 148 | /** |
| 149 | * Ensure there is a cookie-based session so frontend notices survive the redirect. |
| 150 | */ |
| 151 | private function ensure_notice_session(): void { |
| 152 | if ( WC()->session instanceof \WC_Session_Handler && ! WC()->session->has_session() ) { |
| 153 | WC()->session->set_customer_session_cookie( true ); |
| 154 | } |
| 155 | } |
| 156 | } |
| 157 |