1 <?php
2 /**
3 * Authorize_Json_Api handler class.
4 * Used to handle connections via JSON API.
5 * Ported from the Jetpack class.
6 *
7 * @since 2.7.6 Ported from the Jetpack class.
8 *
9 * @package automattic/jetpack-connection
10 */
11
12 namespace Automattic\Jetpack\Connection;
13
14 use Automattic\Jetpack\Redirect;
15 use Automattic\Jetpack\Status\Host;
16 use Jetpack_Options;
17
18 /**
19 * Authorize_Json_Api handler class.
20 */
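class Authorize_Json_Api {
	/**
	 * Verified data for JSON authorization request
	 *
	 * Populated by verify_json_api_authorization_request() with the sanitized
	 * `state`, `client_id`, `client_title` and `client_image` values; read by
	 * the login hooks below.
	 *
	 * @since 2.7.6
	 *
	 * @var array
	 */
	public $json_api_authorization_request = array();

	/**
	 * Stop execution with an authorization error message.
	 *
	 * Every failure path of the signature and payload checks ends here, so the
	 * allowed-HTML list (a bare anchor with an href, which is all the
	 * double-encoding support link needs) is defined in one place.
	 *
	 * @param string $message Translated message; may contain an `<a href>`.
	 *
	 * @return void
	 */
	private function die_with_authorization_error( $message ) {
		wp_die(
			wp_kses(
				$message,
				array(
					'a' => array(
						'href' => array(),
					),
				)
			)
		);
	}

	/**
	 * Verifies the request by checking the signature
	 *
	 * Order of checks: access token present and known, request signature valid
	 * (with an HTTP fallback when the blog forced HTTPS), nonce not yet used,
	 * then the base64/JSON `data` payload is decoded and each expected key is
	 * sanitized into `$this->json_api_authorization_request`. Any failure
	 * ends in wp_die().
	 *
	 * @since jetpack-4.6.0 Method was updated to use `$_REQUEST` instead of `$_GET` and `$_POST`. Method also updated to allow
	 * passing in an `$environment` argument that overrides `$_REQUEST`. This was useful for integrating with SSO.
	 * @since 2.7.6 Ported from Jetpack to the Connection package.
	 *
	 * @param null|array $environment Value to override $_REQUEST.
	 *
	 * @return void
	 */
	public function verify_json_api_authorization_request( $environment = null ) {
		if ( null === $environment ) {
			// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- nonce verification handled later in function and request data are 1) used to verify a cryptographic signature of the request data and 2) sanitized later in function.
			$environment = $_REQUEST;
		}

		// A non-string token (e.g. `token[]=` in the query) would make explode() fail; treat it as missing.
		if ( ! isset( $environment['token'] ) || ! is_string( $environment['token'] ) ) {
			wp_die( esc_html__( 'You must connect your Jetpack plugin to WordPress.com to use this feature.', 'jetpack-connection' ) );
		}

		// The token is colon-separated; only the first and third segments are used here.
		// A short token yields user id 0 rather than an undefined-offset notice.
		$token_parts = explode( ':', $environment['token'] );
		$env_token   = $token_parts[0];
		$env_user_id = isset( $token_parts[2] ) ? (int) $token_parts[2] : 0;

		$token = ( new Tokens() )->get_access_token( $env_user_id, $env_token );
		if ( ! $token || empty( $token->secret ) ) {
			wp_die( esc_html__( 'You must connect your Jetpack plugin to WordPress.com to use this feature.', 'jetpack-connection' ) );
		}

		$die_error = __( 'Someone may be trying to trick you into giving them access to your site. Or it could be you just encountered a bug :). Either way, please close this window.', 'jetpack-connection' );

		// Host has encoded the request URL, probably as a result of a bad http => https redirect.
		$redirect_to = ( isset( $_GET['redirect_to'] ) && is_string( $_GET['redirect_to'] ) ) ? esc_url_raw( wp_unslash( $_GET['redirect_to'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- no site changes, we're erroring out.
		if ( preg_match( '/https?%3A%2F%2F/i', $redirect_to ) > 0 ) {
			/**
			 * Jetpack authorisation request Error.
			 *
			 * @since jetpack-7.5.0
			 */
			do_action( 'jetpack_verify_api_authorization_request_error_double_encode' );
			$die_error = sprintf(
				/* translators: %s is a URL */
				__( 'Your site is incorrectly double-encoding redirects from http to https. This is preventing Jetpack from authenticating your connection. Please visit our <a href="%s">support page</a> for details about how to resolve this.', 'jetpack-connection' ),
				esc_url( Redirect::get_url( 'jetpack-support-double-encoding' ) )
			);
		}

		// A missing or non-string signature can never match; reject it before hash_equals() sees a wrong type.
		if ( ! isset( $environment['signature'] ) || ! is_string( $environment['signature'] ) ) {
			$this->die_with_authorization_error( $die_error );
		}

		$jetpack_signature = new \Jetpack_Signature( $token->secret, (int) Jetpack_Options::get_option( 'time_diff' ) );

		if ( isset( $environment['jetpack_json_api_original_query'] ) ) {
			// The caller supplied the original query string (SSO flow): sign that rather than the current request.
			$signature = $jetpack_signature->sign_request(
				$environment['token'],
				isset( $environment['timestamp'] ) ? $environment['timestamp'] : null,
				isset( $environment['nonce'] ) ? $environment['nonce'] : null,
				'',
				'GET',
				$environment['jetpack_json_api_original_query'],
				null,
				true
			);
		} else {
			$signature = $jetpack_signature->sign_current_request(
				array(
					'body'   => null,
					'method' => 'GET',
				)
			);
		}

		if ( ! $signature || is_wp_error( $signature ) ) {
			// Signing failed outright; there is nothing to compare against.
			$this->die_with_authorization_error( $die_error );
		} elseif ( ! hash_equals( $signature, $environment['signature'] ) ) {
			if ( is_ssl() ) {
				// If we signed an HTTP request on the Jetpack Servers, but got redirected to HTTPS by the local blog, check the HTTP signature as well.
				$signature = $jetpack_signature->sign_current_request(
					array(
						'scheme' => 'http',
						'body'   => null,
						'method' => 'GET',
					)
				);
				if ( ! $signature || is_wp_error( $signature ) || ! hash_equals( $signature, $environment['signature'] ) ) {
					$this->die_with_authorization_error( $die_error );
				}
			} else {
				$this->die_with_authorization_error( $die_error );
			}
		}

		$timestamp = isset( $environment['timestamp'] ) ? (int) $environment['timestamp'] : 0;
		$nonce     = isset( $environment['nonce'] ) ? stripslashes( (string) $environment['nonce'] ) : '';

		if ( ! ( new Nonce_Handler() )->add( $timestamp, $nonce ) ) {
			// De-nonce the nonce, at least for 5 minutes.
			// We have to reuse this nonce at least once (used the first time when the initial request is made, used a second time when the login form is POSTed).
			$old_nonce_time = get_option( "jetpack_nonce_{$timestamp}_{$nonce}" );
			if ( $old_nonce_time < time() - 300 ) {
				wp_die( esc_html__( 'The authorization process expired. Please go back and try again.', 'jetpack-connection' ) );
			}
		}

		// `data` is a base64-encoded JSON object describing the client asking for access.
		$raw_data = ( isset( $environment['data'] ) && is_string( $environment['data'] ) ) ? stripslashes( $environment['data'] ) : '';
		$data     = json_decode(
			base64_decode( $raw_data ) // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
		);

		// Anything other than a JSON object cannot carry the required keys.
		if ( ! is_object( $data ) ) {
			$this->die_with_authorization_error( $die_error );
		}

		// Expected payload keys and how each one is sanitized before being stored.
		$data_filters = array(
			'state'        => 'opaque',
			'client_id'    => 'int',
			'client_title' => 'string',
			'client_image' => 'url',
		);

		foreach ( $data_filters as $key => $sanitation ) {
			if ( ! isset( $data->$key ) ) {
				$this->die_with_authorization_error( $die_error );
			}

			switch ( $sanitation ) {
				case 'int':
					$this->json_api_authorization_request[ $key ] = (int) $data->$key;
					break;
				case 'opaque':
					// Kept verbatim; it is only handed back to the client, URL-encoded, in the login redirect.
					$this->json_api_authorization_request[ $key ] = (string) $data->$key;
					break;
				case 'string':
					// Strip all HTML; the value is later rendered in the login message.
					$this->json_api_authorization_request[ $key ] = wp_kses( (string) $data->$key, array() );
					break;
				case 'url':
					$this->json_api_authorization_request[ $key ] = esc_url_raw( (string) $data->$key );
					break;
			}
		}

		// A client id of 0 would key the user meta on an empty client; refuse it.
		if ( empty( $this->json_api_authorization_request['client_id'] ) ) {
			$this->die_with_authorization_error( $die_error );
		}
	}

	/**
	 * Add the Access Code details to the public-api.wordpress.com redirect.
	 *
	 * Hooked on `login_redirect` by store_json_api_authorization_token(); appends
	 * the per-client code stored in user meta, the user id and the opaque state
	 * to the redirect URL.
	 *
	 * @since 2.7.6 Ported from Jetpack to the Connection package.
	 *
	 * @param string   $redirect_to          URL.
	 * @param string   $original_redirect_to URL.
	 * @param \WP_User $user                 WP_User for the redirect.
	 *
	 * @return string
	 */
	public function add_token_to_login_redirect_json_api_authorization( $redirect_to, $original_redirect_to, $user ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
		// Core documents $user as WP_User|WP_Error on this filter; without a user there is no code to attach.
		if ( ! isset( $user->ID ) ) {
			return $redirect_to;
		}

		$client_id = $this->json_api_authorization_request['client_id'];
		$args      = array(
			'jetpack-code'    => get_user_meta( $user->ID, 'jetpack_json_api_' . $client_id, true ),
			'jetpack-user-id' => (int) $user->ID,
			'jetpack-state'   => $this->json_api_authorization_request['state'],
		);

		return add_query_arg( urlencode_deep( $args ), $redirect_to );
	}

	/**
	 * If someone logs in to approve API access, store the Access Code in usermeta.
	 *
	 * Also registers the redirect filter that carries the code back to the
	 * client and allows the WordPress.com public API host as a redirect target.
	 *
	 * @since 2.7.6 Ported from Jetpack to the Connection package.
	 *
	 * @param string   $user_login Unused.
	 * @param \WP_User $user       User logged in.
	 *
	 * @return void
	 */
	public function store_json_api_authorization_token( $user_login, $user ) {
		add_filter( 'login_redirect', array( $this, 'add_token_to_login_redirect_json_api_authorization' ), 10, 3 );
		add_filter( 'allowed_redirect_hosts', array( Host::class, 'allow_wpcom_public_api_domain' ) );

		// 32 random alphanumeric characters (no special characters), stored per client on the user.
		$token = wp_generate_password( 32, false );
		update_user_meta( $user->ID, 'jetpack_json_api_' . $this->json_api_authorization_request['client_id'], $token );
	}

	/**
	 * HTML for the JSON API authorization notice.
	 *
	 * Both values come from the verified request: the title was stripped of
	 * HTML and the image URL sanitized in verify_json_api_authorization_request();
	 * they are escaped again here for output.
	 *
	 * @since 2.7.6 Ported from Jetpack to the Connection package.
	 *
	 * @return string
	 */
	public function login_message_json_api_authorization() {
		$client_title = '<strong>' . esc_html( $this->json_api_authorization_request['client_title'] ) . '</strong>';
		$client_image = esc_url( $this->json_api_authorization_request['client_image'] );

		return '<p class="message">' . sprintf(
			/* translators: Name/image of the client requesting authorization */
			esc_html__( '%s wants to access your site’s data. Log in to authorize that access.', 'jetpack-connection' ),
			$client_title
		) . '<img src="' . $client_image . '" /></p>';
	}
}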
282