Merge pull request #5277 from maxrice/rest-api-fix-5207

Allow query string fallback for REST API SSL authentication
2014-04-07 10:13:55 +01:00 · 2014-04-07 10:13:55 +01:00 · 021a889e66
parent eadedddd1c 09451855f2
commit 021a889e66
1 changed files with 37 additions and 14 deletions
--- a/includes/api/class-wc-api-authentication.php
+++ b/includes/api/class-wc-api-authentication.php
@ -56,8 +56,10 @@ class WC_API_Authentication {
 	}

 	/**
-	 * SSL-encrypted requests are not subject to sniffing or man-in-the-middle attacks, so the request can be authenticated
-	 * by simply looking up the user associated with the given consumer key and confirming the consumer secret provided is valid
+	 * SSL-encrypted requests are not subject to sniffing or man-in-the-middle
+	 * attacks, so the request can be authenticated by simply looking up the user
+	 * associated with the given consumer key and confirming the consumer secret
+	 * provided is valid
 	 *
 	 * @since 2.1
 	 * @return WP_User
@ -65,19 +67,45 @@ class WC_API_Authentication {
 	 */
 	private function perform_ssl_authentication() {

-		if ( empty( $_SERVER['PHP_AUTH_USER'] ) )
-			throw new Exception( __( 'Consumer Key is missing', 'woocommerce' ), 404 );
+		$params = WC()->api->server->params['GET'];

-		if ( empty( $_SERVER['PHP_AUTH_PW'] ) )
-			throw new Exception( __( 'Consumer Secret is missing', 'woocommerce' ), 404 );
+		// get consumer key
+		if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) ) {

+			// should be in HTTP Auth header by default
 			$consumer_key = $_SERVER['PHP_AUTH_USER'];
+
+		} elseif ( ! empty( $params['consumer_key'] ) ) {
+
+			// allow a query string parameter as a fallback
+			$consumer_key = $params['consumer_key'];
+
+		} else {
+
+			throw new Exception( __( 'Consumer Key is missing', 'woocommerce' ), 404 );
+		}
+
+		// get consumer secret
+		if ( ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
+
+			// should be in HTTP Auth header by default
 			$consumer_secret = $_SERVER['PHP_AUTH_PW'];

+		} elseif ( ! empty( $params['consumer_secret'] ) ) {
+
+			// allow a query string parameter as a fallback
+			$consumer_secret = $params['consumer_secret'];
+
+		} else {
+
+			throw new Exception( __( 'Consumer Secret is missing', 'woocommerce' ), 404 );
+		}
+
 		$user = $this->get_user_by_consumer_key( $consumer_key );

-		if ( ! $this->is_consumer_secret_valid( $user, $consumer_secret ) )
+		if ( ! $this->is_consumer_secret_valid( $user, $consumer_secret ) ) {
 			throw new Exception( __( 'Consumer Secret is invalid', 'woocommerce' ), 401 );
+		}

 		return $user;
 	}
@ -119,11 +147,6 @@ class WC_API_Authentication {
 		$this->check_oauth_signature( $user, $params );
 		$this->check_oauth_timestamp_and_nonce( $user, $params['oauth_timestamp'], $params['oauth_nonce'] );

-		// remove oauth params before further parsing
-		foreach( $param_names as $param_name ) {
-			unset( WC()->api->server->params[ $param_name ] );
-		}
-
 		// authentication successful, return user
 		return $user;
 	}