PluginProbe ʕ •ᴥ•ʔ
WooCommerce / 10.9.1
WooCommerce v10.9.1
10.9.3 10.9.2 10.9.1 10.9.0 10.9.0-rc.1 10.9.0-beta.2 10.9.0-beta.1 10.8.1 10.8.0 10.8.0-rc.1 10.8.0-beta.2 10.8.0-beta.1 7.8.0-beta.1 7.8.0-beta.2 7.8.0-rc.1 7.8.0-rc.2 7.8.1 7.8.2 7.8.3 7.8.4 7.9.0 7.9.0-beta.1 7.9.0-beta.2 7.9.0-rc.2 7.9.0-rc.3 7.9.1 7.9.2 8.0.0 8.0.0-beta.1 8.0.0-beta.2 8.0.0-rc.1 8.0.0-rc.2 8.0.1 8.0.2 8.0.3 8.0.4 8.0.5 8.1.0 8.1.0-beta.1 8.1.0-rc.1 8.1.0-rc.2 8.1.1 8.1.2 8.1.3 8.1.4 8.2.0 8.2.0-beta.1 8.2.0-rc.1 8.2.0-rc.2 8.2.1 8.2.2 8.2.3 8.2.4 8.2.5 8.3.0 8.3.0-beta.1 8.3.0-rc.1 8.3.0-rc.2 8.3.1 8.3.2 8.3.3 8.3.4 8.4.0 8.4.0-beta.1 8.4.0-rc.1 8.4.1 8.4.2 8.4.3 8.5.0 8.5.0-beta.1 8.5.0-rc.1 8.5.1 8.5.2 8.5.3 8.5.4 8.5.5 8.6.0 8.6.0-beta.1 8.6.0-rc.1 8.6.1 8.6.2 8.6.3 8.6.4 8.7.0 8.7.0-beta.1 8.7.0-beta.2 8.7.0-rc.1 8.7.1 8.7.2 8.7.3 8.8.0 8.8.0-beta.1 8.8.0-rc.1 8.8.1 8.8.2 8.8.3 8.8.4 8.8.5 8.8.6 8.8.7 8.9.0 8.9.0-beta.1 8.9.0-rc.1 8.9.1 8.9.2 8.9.3 8.9.4 8.9.5 9.0.0 9.0.0-beta.1 9.0.0-beta.2 9.0.0-rc.1 9.0.1 9.0.2 9.0.3 9.0.4 9.1.0 9.1.0-beta.1 9.1.0-rc.1 9.1.1 9.1.2 9.1.3 9.1.4 9.1.5 9.1.6 9.2.0 9.2.0-beta.1 9.2.0-rc.1 9.2.1 9.2.2 9.2.3 9.2.4 9.2.5 9.3.0 9.3.0-beta.1 9.3.0-rc.1 9.3.1 9.3.2 9.3.3 9.3.4 9.3.5 9.3.6 9.4.0 9.4.0-beta.1 9.4.0-beta.2 9.4.0-rc.1 9.4.0-rc.2 9.4.0-rc.3 9.4.0-rc.4 9.4.1 9.4.2 9.4.3 9.4.4 9.4.5 9.5.0 9.5.0-beta.1 9.5.0-beta.2 9.5.0-rc.1 9.5.1 9.5.2 9.5.3 9.5.4 9.6.0 9.6.0-beta.1 9.6.0-beta.2 9.6.0-rc.1 9.6.1 9.6.2 9.6.3 9.6.4 9.7.0 9.7.0-beta.1 9.7.0-rc.1 9.7.1 9.7.2 9.7.3 9.8.0 9.8.0-beta.1 9.8.0-rc.1 9.8.1 9.8.2 9.8.3 9.8.4 9.8.5 9.8.6 9.8.7 9.9.0 9.9.0-beta.1 9.9.0-rc.1 9.9.1 9.9.2 9.9.3 9.9.4 9.9.5 9.9.6 9.9.7 3.7.3 7.1.2 3.8.0 7.2.0 3.8.0-beta.1 7.2.0-beta.1 3.8.0-rc.1 7.2.0-beta.2 3.8.0-rc.2 7.2.0-rc.1 3.8.1 7.2.0-rc.2 3.8.2 7.2.1 3.8.3 7.2.2 3.9.0 7.2.3 3.9.0-beta.1 7.2.4 3.9.0-beta.2 7.3.0 3.9.0-rc.1 7.3.0-beta.1 3.9.0-rc.2 7.3.0-beta.2 3.9.0-rc.3 7.3.0-rc.1 3.9.0-rc.4 7.3.0-rc.2 3.9.1 7.3.1 3.9.2 7.4.0 3.9.3 7.4.0-beta.1 3.9.4 7.4.0-beta.2 3.9.5 7.4.0-rc.1 4.0.0 7.4.0-rc.2 4.0.0-beta.1 7.4.1 4.0.0-rc.1 7.4.2 4.0.0-rc.2 7.5.0 4.0.1 7.5.0-beta.1 4.0.2 7.5.0-beta.2 4.0.3 7.5.0-rc.1 4.0.4 7.5.1 4.1.0 7.5.2 4.1.0-beta.1 7.6.0 4.1.0-beta.2 7.6.0-beta.1 4.1.0-rc.1 7.6.0-beta.2 4.1.0-rc.2 7.6.0-rc.1 4.1.1 7.6.0-rc.2 4.1.2 7.6.0-rc.3 4.1.3 7.6.1 4.1.4 7.6.2 4.2.0 7.7.0 4.2.0-RC.1 7.7.0-beta.1 4.2.0-RC.2 7.7.0-beta.2 4.2.0-beta.1 7.7.0-rc.1 4.2.1 7.7.1 4.2.2 7.7.2 4.2.3 7.7.3 4.2.4 7.8.0 4.2.5 4.3.0 4.3.0-beta.1 4.3.0-rc.1 4.3.0-rc.2 4.3.0-rc.3 4.3.1 4.3.2 4.3.3 4.3.4 4.3.5 4.3.6 4.4.0 4.4.0-beta.1 4.4.0-rc.1 4.4.1 4.4.2 4.4.3 4.4.4 4.5.0 4.5.0-beta.1 4.5.0-rc.1 4.5.0-rc.3 4.5.1 4.5.2 4.5.3 4.5.4 4.5.5 4.6.0 4.6.0-beta.1 4.6.0-rc.1 4.6.1 4.6.2 4.6.3 4.6.4 4.6.5 4.7.0 4.7.0-beta.1 4.7.0-beta.2 4.7.0-rc.1 4.7.1 4.7.1-beta.1 4.7.2 4.7.3 4.7.4 4.8.0 4.8.0-beta.1 4.8.0-rc.1 4.8.0-rc.2 4.8.1 4.8.2 4.8.3 4.9.0 4.9.0-beta.1 4.9.0-rc.1 4.9.0-rc.2 4.9.1 4.9.2 4.9.3 4.9.4 4.9.5 5.0.0 5.0.0-beta.1 5.0.0-beta.2 5.0.0-rc.1 5.0.0-rc.2 5.0.0-rc.3 5.0.1 5.0.2 5.0.3 5.1.0 5.1.0-beta.1 5.1.0-rc.1 trunk 5.1.1 10.0.0 5.1.2 10.0.0-rc.1 5.1.3 10.0.0-rc.2 5.2.0 10.0.1 5.2.0-beta.1 10.0.2 5.2.0-rc.1 10.0.3 5.2.0-rc.2 10.0.4 5.2.1 10.0.5 5.2.2 10.0.6 5.2.3 10.1.0 5.2.4 10.1.0-rc.1 5.2.5 10.1.0-rc.2 5.3.0 10.1.0-rc.3 5.3.0-beta.1 10.1.0-rc.4 5.3.0-rc.1 10.1.1 5.3.0-rc.2 10.1.2 5.3.1 10.1.3 5.3.2 10.1.4 5.3.3 10.2.0 5.4.0 10.2.0-beta.1 5.4.0-beta.1 10.2.0-beta.2 5.4.0-rc.1 10.2.0-rc.1 5.4.1 10.2.1 5.4.2 10.2.2 5.4.3 10.2.3 5.4.4 10.2.4 5.4.5 10.3.0 5.5.0 10.3.0-beta.1 5.5.0-beta.1 10.3.0-beta.2 5.5.0-rc.1 10.3.0-rc.1 5.5.0-rc.2 10.3.0-rc.2 5.5.1 10.3.1 5.5.2 10.3.2 5.5.3 10.3.3 5.5.4 10.3.4 5.5.5 10.3.5 5.6.0 10.3.6 5.6.0-beta.1 10.3.7 5.6.0-rc.1 10.3.8 5.6.0-rc.2 10.4.0 5.6.1 10.4.0-beta.1 5.6.2 10.4.0-beta.2 5.6.3 10.4.0-rc.1 5.7.0 10.4.1 5.7.0-beta.1 10.4.2 5.7.0-rc.1 10.4.3 5.7.1 10.4.4 5.7.2 10.5.0 5.7.3 10.5.0-beta.1 5.8.0 10.5.0-beta.2 5.8.0-beta.1 10.5.0-rc.1 5.8.0-beta.2 10.5.0-rc.2 5.8.0-rc.1 10.5.0-rc.3 5.8.1 10.5.1 5.8.2 10.5.2 5.9.0 10.5.3 5.9.0-beta.1 10.6.0 5.9.0-rc.1 10.6.0-beta.1 5.9.0-rc.2 10.6.0-beta.2 5.9.1 10.6.0-rc.1 5.9.2 10.6.1 6.0.0 10.6.2 6.0.0-beta.1 10.7.0 6.0.0-rc.1 10.7.0-beta.1 6.0.1 10.7.0-beta.2 6.0.2 10.7.0-rc.1 6.1.0 3.0.0 6.1.0-beta.1 3.0.1 6.1.0-rc.1 3.0.2 6.1.0-rc.2 3.0.3 6.1.1 3.0.4 6.1.2 3.0.5 6.1.3 3.0.6 6.2.0 3.0.7 6.2.0-beta.1 3.0.8 6.2.0-rc.1 3.0.9 6.2.0-rc.2 3.1.0 6.2.1 3.1.1 6.2.2 3.1.2 6.2.3 3.2.0 6.3.0 3.2.1 6.3.0-beta.1 3.2.2 6.3.0-rc.1 3.2.3 6.3.0-rc.2 3.2.4 6.3.1 3.2.5 6.3.2 3.2.6 6.4.0 3.3.0 6.4.0-beta.1 3.3.1 6.4.0-rc.1 3.3.2 6.4.1 3.3.2-rc.1 6.4.2 3.3.3 6.5.0 3.3.4 6.5.0-beta.1 3.3.5 6.5.0-rc.1 3.3.6 6.5.0-rc.2 3.4.0 6.5.1 3.4.0-beta.1 6.5.2 3.4.0-rc.2 6.6.0 3.4.1 6.6.0-beta.1 3.4.2 6.6.0-rc.1 3.4.3 6.6.0-rc.2 3.4.4 6.6.1 3.4.5 6.6.2 3.4.6 6.7.0 3.4.7 6.7.0-beta.1 3.4.8 6.7.0-beta.2 3.5.0 6.7.0-rc.1 3.5.0-beta.1 6.7.1 3.5.0-rc.1 6.8.0 3.5.0-rc.2 6.8.0-beta.1 3.5.1 6.8.0-beta.2 3.5.10 6.8.0-rc.1 3.5.2 6.8.1 3.5.3 6.8.2 3.5.4 6.8.3 3.5.5 6.9.0 3.5.6 6.9.0-beta.1 3.5.7 6.9.0-beta.2 3.5.8 6.9.0-rc.1 3.5.9 6.9.1 3.6.0 6.9.2 3.6.0-beta.1 6.9.3 3.6.0-rc.1 6.9.4 3.6.0-rc.2 6.9.5 3.6.0-rc.3 7.0.0 3.6.1 7.0.0-beta.1 3.6.2 7.0.0-beta.2 3.6.3 7.0.0-beta.3 3.6.4 7.0.0-rc.1 3.6.5 7.0.0-rc.2 3.6.6 7.0.1 3.6.7 7.0.2 3.7.0 7.1.0 3.7.0-beta.1 7.1.0-beta.1 3.7.0-rc.1 7.1.0-beta.2 3.7.0-rc.2 7.1.0-rc.1 3.7.1 7.1.0-rc.2 3.7.2 7.1.1
woocommerce / src / StoreApi / Utilities / JsonWebToken.php
woocommerce / src / StoreApi / Utilities Last commit date
AgenticCheckoutUtils.php 4 months ago ArrayUtils.php 2 years ago CartController.php 4 weeks ago CartTokenUtils.php 1 year ago CheckoutTrait.php 4 weeks ago DraftOrderTrait.php 1 year ago JsonWebToken.php 11 months ago LocalPickupUtils.php 5 months ago NoticeHandler.php 1 year ago OrderAuthorizationTrait.php 6 months ago OrderController.php 4 weeks ago Pagination.php 2 years ago PaymentUtils.php 1 year ago ProductItemTrait.php 4 weeks ago ProductLinksTrait.php 3 months ago ProductQuery.php 2 months ago ProductQueryFilters.php 11 months ago QuantityLimits.php 11 months ago RateLimits.php 1 year ago SanitizationUtils.php 2 years ago ValidationUtils.php 2 years ago
JsonWebToken.php
218 lines
1 <?php
2
3 namespace Automattic\WooCommerce\StoreApi\Utilities;
4
5 /**
6 * JsonWebToken class.
7 *
8 * Simple Json Web Token generator & verifier static utility class, currently supporting only HS256 signatures.
9 */
10 final class JsonWebToken {
11
12 /**
13 * JWT header type.
14 *
15 * @var string
16 */
17 private static $type = 'JWT';
18
19 /**
20 * JWT algorithm to generate signature.
21 *
22 * @var string
23 */
24 private static $algorithm = 'HS256';
25
26 /**
27 * Generates a token from provided data and secret.
28 *
29 * @param array $payload Payload data.
30 * @param string $secret The secret used to generate the signature.
31 *
32 * @return string
33 */
34 public static function create( array $payload, string $secret ) {
35 $header = self::to_base_64_url( self::generate_header() );
36 $payload = self::to_base_64_url( self::generate_payload( $payload ) );
37 $signature = self::to_base_64_url( self::generate_signature( $header . '.' . $payload, $secret ) );
38
39 return $header . '.' . $payload . '.' . $signature;
40 }
41
42 /**
43 * Validates a provided token against the provided secret.
44 * Checks for format, valid header for our class, expiration claim validity and signature.
45 * https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
46 *
47 * @param string $token Full token string.
48 * @param string $secret The secret used to generate the signature.
49 *
50 * @return bool
51 */
52 public static function validate( string $token, string $secret ) {
53 if ( ! self::shallow_validate( $token ) ) {
54 return false;
55 }
56
57 $parts = self::get_parts( $token );
58
59 /**
60 * Check if the token is based on our secret.
61 */
62 $encoded_regenerated_signature = self::to_base_64_url(
63 self::generate_signature( $parts->header_encoded . '.' . $parts->payload_encoded, $secret )
64 );
65
66 return hash_equals( $encoded_regenerated_signature, $parts->signature_encoded );
67 }
68
69 /**
70 * Shallow validate a token, it does not check the signature or expiration, but it checks the structure and expiry.
71 *
72 * @param string $token Full token string.
73 *
74 * @return bool
75 */
76 public static function shallow_validate( string $token ) {
77 if ( ! $token ) {
78 return false;
79 }
80
81 /**
82 * Confirm the structure of a JSON Web Token, it has three parts separated
83 * by dots and complies with Base64URL standards.
84 */
85 if ( preg_match( '/^[a-zA-Z\d\-_=]+\.[a-zA-Z\d\-_=]+\.[a-zA-Z\d\-_=]+$/', $token ) !== 1 ) {
86 return false;
87 }
88
89 $parts = self::get_parts( $token );
90
91 /**
92 * Check if header declares a supported JWT by this class.
93 */
94 if (
95 ! is_object( $parts->header ) ||
96 ! property_exists( $parts->header, 'typ' ) ||
97 ! property_exists( $parts->header, 'alg' ) ||
98 self::$type !== $parts->header->typ ||
99 self::$algorithm !== $parts->header->alg
100 ) {
101 return false;
102 }
103
104 /**
105 * Check if token is expired.
106 */
107 if ( ! property_exists( $parts->payload, 'exp' ) || time() > (int) $parts->payload->exp ) {
108 return false;
109 }
110
111 return true;
112 }
113
114 /**
115 * Returns the decoded/encoded header, payload and signature from a token string.
116 *
117 * @param string $token Full token string.
118 *
119 * @return object
120 */
121 public static function get_parts( string $token ) {
122 $parts = explode( '.', $token );
123
124 return (object) array(
125 'header' => json_decode( self::from_base_64_url( $parts[0] ) ),
126 'header_encoded' => $parts[0],
127 'payload' => json_decode( self::from_base_64_url( $parts[1] ) ),
128 'payload_encoded' => $parts[1],
129 'signature' => self::from_base_64_url( $parts[2] ),
130 'signature_encoded' => $parts[2],
131
132 );
133 }
134
135 /**
136 * Generates the json formatted header for our HS256 JWT token.
137 *
138 * @return string|bool
139 */
140 private static function generate_header() {
141 return wp_json_encode(
142 array(
143 'alg' => self::$algorithm,
144 'typ' => self::$type,
145 )
146 );
147 }
148
149 /**
150 * Generates a sha256 signature for the provided string using the provided secret.
151 *
152 * @param string $string Header + Payload token substring.
153 * @param string $secret The secret used to generate the signature.
154 *
155 * @return false|string
156 */
157 private static function generate_signature( string $string, string $secret ) {
158 return hash_hmac(
159 'sha256',
160 $string,
161 $secret,
162 true
163 );
164 }
165
166 /**
167 * Generates the payload in json formatted string.
168 *
169 * @param array $payload Payload data.
170 *
171 * @return string|bool
172 */
173 private static function generate_payload( array $payload ) {
174 return wp_json_encode( array_merge( $payload, [ 'iat' => time() ] ) );
175 }
176
177 /**
178 * Encodes a string to url safe base64.
179 *
180 * @param string $string The string to be encoded.
181 *
182 * @return string
183 */
184 private static function to_base_64_url( string $string ) {
185 return str_replace(
186 array( '+', '/', '=' ),
187 array( '-', '_', '' ),
188 base64_encode( $string ) // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
189 );
190 }
191
192 /**
193 * Decodes a string encoded using url safe base64, supporting auto padding.
194 *
195 * @param string $string the string to be decoded.
196 *
197 * @return string
198 */
199 private static function from_base_64_url( string $string ) {
200 /**
201 * Add padding to base64 strings which require it. Some base64 URL strings
202 * which are decoded will have missing padding which is represented by the
203 * equals sign.
204 */
205 if ( strlen( $string ) % 4 !== 0 ) {
206 return self::from_base_64_url( $string . '=' );
207 }
208
209 return base64_decode( // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
210 str_replace(
211 array( '-', '_' ),
212 array( '+', '/' ),
213 $string
214 )
215 );
216 }
217 }
218