class-wc-wccom-site.php — WooCommerce 8.8.7

woocommerce / includes / wccom-site / class-wc-wccom-site.php

woocommerce / includes / wccom-site Last commit date

installation 2 years ago rest-api 2 years ago class-wc-wccom-site-installer.php 2 years ago class-wc-wccom-site.php 2 years ago

class-wc-wccom-site.php

250 lines

1	<?php
2	/**
3	* WooCommerce.com Product Installation.
4	*
5	* @package WooCommerce\WCCom
6	* @since 3.7.0
7	*/
8
9	use WC_REST_WCCOM_Site_Installer_Error_Codes as Installer_Error_Codes;
10	use WC_REST_WCCOM_Site_Installer_Error as Installer_Error;
11
12	defined( 'ABSPATH' ) \|\| exit;
13
14	/**
15	* WC_WCCOM_Site Class
16	*
17	* Main class for WooCommerce.com connected site.
18	*/
19	class WC_WCCOM_Site {
20
21	const AUTH_ERROR_FILTER_NAME = 'wccom_auth_error';
22
23	/**
24	* Load the WCCOM site class.
25	*
26	* @since 3.7.0
27	*/
28	public static function load() {
29	self::includes();
30
31	add_action( 'woocommerce_wccom_install_products', array( 'WC_WCCOM_Site_Installer', 'install' ) );
32	add_filter( 'determine_current_user', array( __CLASS__, 'authenticate_wccom' ), 14 );
33	add_action( 'woocommerce_rest_api_get_rest_namespaces', array( __CLASS__, 'register_rest_namespace' ) );
34	}
35
36	/**
37	* Include support files.
38	*
39	* @since 3.7.0
40	*/
41	protected static function includes() {
42	require_once WC_ABSPATH . 'includes/admin/helper/class-wc-helper.php';
43	require_once WC_ABSPATH . 'includes/wccom-site/class-wc-wccom-site-installer.php';
44	}
45
46	/**
47	* Authenticate WooCommerce.com request.
48	*
49	* @since 3.7.0
50	* @param int\|false $user_id User ID.
51	* @return int\|false
52	*/
53	public static function authenticate_wccom( $user_id ) {
54	if ( ! empty( $user_id ) \|\| ! self::is_request_to_wccom_site_rest_api() ) {
55	return $user_id;
56	}
57
58	$auth_header = trim( self::get_authorization_header() );
59
60	if ( stripos( $auth_header, 'Bearer ' ) === 0 ) {
61	$access_token = trim( substr( $auth_header, 7 ) );
62	} elseif ( ! empty( $_GET['token'] ) && is_string( $_GET['token'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
63	$access_token = trim( $_GET['token'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
64	} else {
65	add_filter(
66	self::AUTH_ERROR_FILTER_NAME,
67	function() {
68	return new Installer_Error( Installer_Error_Codes::NO_ACCESS_TOKEN );
69	}
70	);
71	return false;
72	}
73
74	if ( ! empty( $_SERVER['HTTP_X_WOO_SIGNATURE'] ) ) {
75	$signature = trim( $_SERVER['HTTP_X_WOO_SIGNATURE'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
76	} elseif ( ! empty( $_GET['signature'] ) && is_string( $_GET['signature'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
77	$signature = trim( $_GET['signature'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
78	} else {
79	add_filter(
80	self::AUTH_ERROR_FILTER_NAME,
81	function() {
82	return new Installer_Error( Installer_Error_Codes::NO_SIGNATURE );
83	}
84	);
85	return false;
86	}
87
88	require_once WC_ABSPATH . 'includes/admin/helper/class-wc-helper-options.php';
89	$site_auth = WC_Helper_Options::get( 'auth' );
90
91	if ( empty( $site_auth['access_token'] ) ) {
92	add_filter(
93	self::AUTH_ERROR_FILTER_NAME,
94	function() {
95	return new Installer_Error( Installer_Error_Codes::SITE_NOT_CONNECTED );
96	}
97	);
98	return false;
99	}
100
101	if ( ! hash_equals( $access_token, $site_auth['access_token'] ) ) {
102	add_filter(
103	self::AUTH_ERROR_FILTER_NAME,
104	function() {
105	return new Installer_Error( Installer_Error_Codes::INVALID_TOKEN );
106	}
107	);
108	return false;
109	}
110
111	$body = WP_REST_Server::get_raw_data();
112
113	if ( ! self::verify_wccom_request( $body, $signature, $site_auth['access_token_secret'] ) ) {
114	add_filter(
115	self::AUTH_ERROR_FILTER_NAME,
116	function() {
117	return new Installer_Error( Installer_Error_Codes::REQUEST_VERIFICATION_FAILED );
118	}
119	);
120	return false;
121	}
122
123	$user = get_user_by( 'id', $site_auth['user_id'] );
124	if ( ! $user ) {
125	add_filter(
126	self::AUTH_ERROR_FILTER_NAME,
127	function() {
128	return new Installer_Error( Installer_Error_Codes::USER_NOT_FOUND );
129	}
130	);
131	return false;
132	}
133
134	return $user;
135	}
136
137	/**
138	* Get the authorization header.
139	*
140	* On certain systems and configurations, the Authorization header will be
141	* stripped out by the server or PHP. Typically this is then used to
142	* generate `PHP_AUTH_USER`/`PHP_AUTH_PASS` but not passed on. We use
143	* `getallheaders` here to try and grab it out instead.
144	*
145	* @since 3.7.0
146	* @return string Authorization header if set.
147	*/
148	protected static function get_authorization_header() {
149	if ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
150	return wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
151	}
152
153	if ( function_exists( 'getallheaders' ) ) {
154	$headers = getallheaders();
155	// Check for the authoization header case-insensitively.
156	foreach ( $headers as $key => $value ) {
157	if ( 'authorization' === strtolower( $key ) ) {
158	return $value;
159	}
160	}
161	}
162
163	return '';
164	}
165
166	/**
167	* Check if this is a request to WCCOM Site REST API.
168	*
169	* @since 3.7.0
170	* @return bool
171	*/
172	protected static function is_request_to_wccom_site_rest_api() {
173
174	if ( isset( $_REQUEST['rest_route'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
175	$route = wp_unslash( $_REQUEST['rest_route'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Recommended
176	$rest_prefix = '';
177	} else {
178	$route = wp_unslash( add_query_arg( array() ) );
179	$rest_prefix = trailingslashit( rest_get_url_prefix() );
180	}
181
182	return false !== strpos( $route, $rest_prefix . 'wccom-site/' );
183	}
184
185	/**
186	* Verify WooCommerce.com request from a given body and signature request.
187	*
188	* @since 3.7.0
189	* @param string $body Request body.
190	* @param string $signature Request signature found in X-Woo-Signature header.
191	* @param string $access_token_secret Access token secret for this site.
192	* @return bool
193	*/
194	protected static function verify_wccom_request( $body, $signature, $access_token_secret ) {
195	// phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
196	$data = array(
197	'host' => $_SERVER['HTTP_HOST'],
198	'request_uri' => urldecode( remove_query_arg( array( 'token', 'signature' ), $_SERVER['REQUEST_URI'] ) ),
199	'method' => strtoupper( $_SERVER['REQUEST_METHOD'] ),
200	);
201	// phpcs:enable
202
203	if ( ! empty( $body ) ) {
204	$data['body'] = $body;
205	}
206
207	$expected_signature = hash_hmac( 'sha256', wp_json_encode( $data ), $access_token_secret );
208
209	return hash_equals( $expected_signature, $signature );
210	}
211
212	/**
213	* Register wccom-site REST namespace.
214	*
215	* @since 3.7.0
216	* @param array $namespaces List of registered namespaces.
217	* @return array Registered namespaces.
218	*/
219	public static function register_rest_namespace( $namespaces ) {
220
221	require_once WC_ABSPATH . 'includes/wccom-site/rest-api/class-wc-rest-wccom-site-installer-error-codes.php';
222	require_once WC_ABSPATH . 'includes/wccom-site/rest-api/class-wc-rest-wccom-site-installer-error.php';
223	require_once WC_ABSPATH . 'includes/wccom-site/rest-api/endpoints/abstract-wc-rest-wccom-site-controller.php';
224	require_once WC_ABSPATH . 'includes/wccom-site/rest-api/endpoints/class-wc-rest-wccom-site-installer-controller.php';
225	require_once WC_ABSPATH . 'includes/wccom-site/rest-api/endpoints/class-wc-rest-wccom-site-ssr-controller.php';
226	require_once WC_ABSPATH . 'includes/wccom-site/rest-api/endpoints/class-wc-rest-wccom-site-status-controller.php';
227
228	require_once WC_ABSPATH . 'includes/wccom-site/installation/class-wc-wccom-site-installation-state.php';
229	require_once WC_ABSPATH . 'includes/wccom-site/installation/class-wc-wccom-site-installation-state-storage.php';
230	require_once WC_ABSPATH . 'includes/wccom-site/installation/class-wc-wccom-site-installation-manager.php';
231
232	require_once WC_ABSPATH . 'includes/wccom-site/installation/installation-steps/interface-installaton-step.php';
233	require_once WC_ABSPATH . 'includes/wccom-site/installation/installation-steps/class-wc-wccom-site-installation-step-get-product-info.php';
234	require_once WC_ABSPATH . 'includes/wccom-site/installation/installation-steps/class-wc-wccom-site-installation-step-download-product.php';
235	require_once WC_ABSPATH . 'includes/wccom-site/installation/installation-steps/class-wc-wccom-site-installation-step-unpack-product.php';
236	require_once WC_ABSPATH . 'includes/wccom-site/installation/installation-steps/class-wc-wccom-site-installation-step-move-product.php';
237	require_once WC_ABSPATH . 'includes/wccom-site/installation/installation-steps/class-wc-wccom-site-installation-step-activate-product.php';
238
239	$namespaces['wccom-site/v2'] = array(
240	'installer' => 'WC_REST_WCCOM_Site_Installer_Controller',
241	'ssr' => 'WC_REST_WCCOM_Site_SSR_Controller',
242	'status' => 'WC_REST_WCCOM_Site_Status_Controller',
243	);
244
245	return $namespaces;
246	}
247	}
248
249	WC_WCCOM_Site::load();
250