From 1dd24501f5412be3ee91d00adc907e88348cc7e2 Mon Sep 17 00:00:00 2001
From: Max Rice
Date: Fri, 4 Apr 2014 14:22:06 -0400
Subject: [PATCH 1/2] Remove unnecessary OAuth code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The parameters provided to the API endpoints only contain the parameters specified in the method signature so there’s no need to strip out the OAuth params.
---
 includes/api/class-wc-api-authentication.php | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/includes/api/class-wc-api-authentication.php b/includes/api/class-wc-api-authentication.php
index d3a6c6d2a5f..f09b28658fb 100644
--- a/includes/api/class-wc-api-authentication.php
+++ b/includes/api/class-wc-api-authentication.php
@@ -119,11 +119,6 @@ class WC_API_Authentication {
 $this->check_oauth_signature( $user, $params );
 $this->check_oauth_timestamp_and_nonce( $user, $params['oauth_timestamp'], $params['oauth_nonce'] );
 
- // remove oauth params before further parsing
- foreach( $param_names as $param_name ) {
- unset( WC()->api->server->params[ $param_name ] );
- }
-
 // authentication successful, return user
 return $user;
 }

From 09451855f2438b65656a2630414c660f671fed1e Mon Sep 17 00:00:00 2001
From: Max Rice
Date: Fri, 4 Apr 2014 14:24:14 -0400
Subject: [PATCH 2/2] Allow query string fallback for REST API SSL auth

In some environments, the PHP_AUTH_USER/PW server vars are empty which prevents SSL authentication from working properly. This commit allows the use of a query string fallback (e.g. `?consumer_key=123&consumer_secret=abc`) for providing credentials over SSL.
Fixes #5207
---
 includes/api/class-wc-api-authentication.php | 46 ++++++++++++++++----
 1 file changed, 37 insertions(+), 9 deletions(-)

diff --git a/includes/api/class-wc-api-authentication.php b/includes/api/class-wc-api-authentication.php
index f09b28658fb..64ceac6714d 100644
--- a/includes/api/class-wc-api-authentication.php
+++ b/includes/api/class-wc-api-authentication.php
@@ -56,8 +56,10 @@ class WC_API_Authentication {
 }
 
 /**
- * SSL-encrypted requests are not subject to sniffing or man-in-the-middle attacks, so the request can be authenticated
- * by simply looking up the user associated with the given consumer key and confirming the consumer secret provided is valid
+ * SSL-encrypted requests are not subject to sniffing or man-in-the-middle
+ * attacks, so the request can be authenticated by simply looking up the user
+ * associated with the given consumer key and confirming the consumer secret
+ * provided is valid
 *
 * @since 2.1
 * @return WP_User
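Review bot: The reflowed docblock still states that an SSL request is safe to authenticate by a plain key/secret lookup, but the next hunk adds a query-string fallback for both credentials, and that reasoning does not hold for a secret carried in the URL: TLS hides it from the network, not from web-server and proxy access logs, browser history or the Referer header. Add a line after `* provided is valid` such as `* Credentials may also arrive as consumer_key/consumer_secret query parameters when PHP_AUTH_* is unavailable; treat this as a fallback only, since query strings are written to server and proxy logs.`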
@@ -65,19 +67,45 @@ class WC_API_Authentication { */ private function perform_ssl_authentication() { - if ( empty( $_SERVER['PHP_AUTH_USER'] ) ) + $params = WC()->api->server->params['GET']; + + // get consumer key + if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) ) { + + // should be in HTTP Auth header by default + $consumer_key = $_SERVER['PHP_AUTH_USER']; + + } elseif ( ! empty( $params['consumer_key'] ) ) { + + // allow a query string parameter as a fallback + $consumer_key = $params['consumer_key']; + + } else { + throw new Exception( __( 'Consumer Key is missing', 'woocommerce' ), 404 ); + } + + // get consumer secret + if ( ! empty( $_SERVER['PHP_AUTH_PW'] ) ) { + + // should be in HTTP Auth header by default + $consumer_secret = $_SERVER['PHP_AUTH_PW']; + + } elseif ( ! empty( $params['consumer_secret'] ) ) { + + // allow a query string parameter as a fallback + $consumer_secret = $params['consumer_secret']; + + } else { - if ( empty( $_SERVER['PHP_AUTH_PW'] ) ) throw new Exception( __( 'Consumer Secret is missing', 'woocommerce' ), 404 ); - - $consumer_key = $_SERVER['PHP_AUTH_USER']; - $consumer_secret = $_SERVER['PHP_AUTH_PW']; + } $user = $this->get_user_by_consumer_key( $consumer_key ); - if ( ! $this->is_consumer_secret_valid( $user, $consumer_secret ) ) - throw new Exception( __( 'Consumer Secret is invalid', 'woocommerce'), 401 ); + if ( ! $this->is_consumer_secret_valid( $user, $consumer_secret ) ) { + throw new Exception( __( 'Consumer Secret is invalid', 'woocommerce' ), 401 ); + } return $user; }
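Review bot: The two new `elseif ( ! empty( $params[...] ) )` branches in perform_ssl_authentication() move the consumer secret into the request URL, where access logs, reverse proxies, browser history and Referer headers record it even over TLS, so the fallback trades one environment problem for a credential-exposure one. The CGI/FastCGI setups that leave PHP_AUTH_USER/PW empty usually still expose the raw header as `$_SERVER['HTTP_AUTHORIZATION']` or `$_SERVER['REDIRECT_HTTP_AUTHORIZATION']`, so decoding Basic credentials from there addresses #5207 without putting the secret in the URL; if the query parameters stay as a last resort, also require `is_string()` so a `consumer_key[]=` request cannot pass an array into get_user_by_consumer_key(), whose handling of non-string input is not visible here. The rewritten credential lookup below keeps the existing exception messages and status codes and leaves the user lookup, secret check and return untouched.
```php
	$params = WC()->api->server->params['GET'];

	// CGI/FastCGI hosts that leave PHP_AUTH_* empty usually still pass the raw
	// Authorization header through one of these server vars; decode it before
	// touching the query string so the secret stays out of the URL
	$auth_header = '';
	if ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
		$auth_header = $_SERVER['HTTP_AUTHORIZATION'];
	} elseif ( ! empty( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
		$auth_header = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
	}

	$header_key = $header_secret = '';
	if ( 0 === stripos( $auth_header, 'Basic ' ) ) {
		// Basic credentials decode to "key:secret"
		list( $header_key, $header_secret ) = array_pad( explode( ':', (string) base64_decode( substr( $auth_header, 6 ) ), 2 ), 2, '' );
	}

	// get consumer key
	if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) ) {
		$consumer_key = $_SERVER['PHP_AUTH_USER'];
	} elseif ( '' !== $header_key ) {
		$consumer_key = $header_key;
	} elseif ( ! empty( $params['consumer_key'] ) && is_string( $params['consumer_key'] ) ) {
		// last resort: anything in the query string ends up in access logs
		$consumer_key = $params['consumer_key'];
	} else {
		throw new Exception( __( 'Consumer Key is missing', 'woocommerce' ), 404 );
	}

	// get consumer secret
	if ( ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
		$consumer_secret = $_SERVER['PHP_AUTH_PW'];
	} elseif ( '' !== $header_secret ) {
		$consumer_secret = $header_secret;
	} elseif ( ! empty( $params['consumer_secret'] ) && is_string( $params['consumer_secret'] ) ) {
		$consumer_secret = $params['consumer_secret'];
	} else {
		throw new Exception( __( 'Consumer Secret is missing', 'woocommerce' ), 404 );
	}

	// … unchanged: user lookup, secret validation, return $user …
```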