From 47ef7e17a126275fe350324f390aa295ef5cee23 Mon Sep 17 00:00:00 2001
From: Claudio Sanches
Date: Wed, 11 May 2016 13:14:00 -0300
Subject: [PATCH] Created new function to generate webhook secrets based on the user ID and username, closes #10881
---
 includes/admin/class-wc-admin-webhooks.php | 2 +-
 .../api/class-wc-rest-webhooks-controller.php | 7 ++-----
 .../api/legacy/v2/class-wc-api-webhooks.php | 2 +-
 .../api/legacy/v3/class-wc-api-webhooks.php | 2 +-
 includes/wc-webhook-functions.php | 19 +++++++++++++++++++
 5 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/includes/admin/class-wc-admin-webhooks.php b/includes/admin/class-wc-admin-webhooks.php
index 0ccee3f7458..610e06d36c4 100644
--- a/includes/admin/class-wc-admin-webhooks.php
+++ b/includes/admin/class-wc-admin-webhooks.php
@@ -80,7 +80,7 @@ class WC_Admin_Webhooks {
  * @param WC_Webhook $webhook
  */
 private function update_secret( $webhook ) {
- $secret = ! empty( $_POST['webhook_secret'] ) ? $_POST['webhook_secret'] : get_user_meta( get_current_user_id(), 'woocommerce_api_consumer_secret', true );
+ $secret = ! empty( $_POST['webhook_secret'] ) ? $_POST['webhook_secret'] : wc_webhook_generate_secret();
 $webhook->set_secret( $secret );
 }
diff --git a/includes/api/class-wc-rest-webhooks-controller.php b/includes/api/class-wc-rest-webhooks-controller.php
index 229eb15d47c..8a61f619ded 100644
--- a/includes/api/class-wc-rest-webhooks-controller.php
+++ b/includes/api/class-wc-rest-webhooks-controller.php
@@ -72,9 +72,6 @@ class WC_REST_Webhooks_Controller extends WC_REST_Posts_Controller {
 'delivery_url' => array(
 'required' => true,
 ),
- 'secret' => array(
- 'required' => true,
- ),
 ) ),
 ),
 'schema' => array( $this, 'get_public_item_schema' ),
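Review bot: In `update_secret()` (class-wc-admin-webhooks.php) the rewritten line still hands `$_POST['webhook_secret']` to the webhook exactly as received. WordPress adds slashes to `$_POST`, so a secret containing quotes or backslashes would be stored in a different form than the one the user typed, and the receiver's signature check would then fail, unless `set_secret()` unslashes it, which is not visible here. Consider `$secret = ! empty( $_POST['webhook_secret'] ) ? wp_unslash( $_POST['webhook_secret'] ) : wc_webhook_generate_secret();`.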
@@ -159,7 +156,7 @@ class WC_REST_Webhooks_Controller extends WC_REST_Posts_Controller {
 $webhook->set_delivery_url( $request['delivery_url'] );
 // Set secret.
- $webhook->set_secret( $request['secret'] );
+ $webhook->set_secret( ! empty( $request['secret'] ) ? $request['secret'] : wc_webhook_generate_secret() );
 // Set status.
 if ( ! empty( $request['status'] ) ) {
@@ -509,7 +506,7 @@ class WC_REST_Webhooks_Controller extends WC_REST_Posts_Controller {
 'readonly' => true,
 ),
 'secret' => array(
- 'description' => __( "Secret key used to generate a hash of the delivered webhook and provided in the request headers. This will default to the current API user's consumer secret if not provided.", 'woocommerce' ),
+ 'description' => __( "Secret key used to generate a hash of the delivered webhook and provided in the request headers. This will default is a MD5 hash from the current user's ID|username if not provided.", 'woocommerce' ),
 'type' => 'string',
 'format' => 'uri',
 'context' => array( 'edit' ),
diff --git a/includes/api/legacy/v2/class-wc-api-webhooks.php b/includes/api/legacy/v2/class-wc-api-webhooks.php
index 18d545e8ca2..1ddaeecba27 100644
--- a/includes/api/legacy/v2/class-wc-api-webhooks.php
+++ b/includes/api/legacy/v2/class-wc-api-webhooks.php
@@ -210,7 +210,7 @@ class WC_API_Webhooks extends WC_API_Resource {
 $webhook->set_delivery_url( $data['delivery_url'] );
 // set secret if provided, defaults to API users consumer secret
- $webhook->set_secret( ! empty( $data['secret'] ) ? $data['secret'] : get_user_meta( get_current_user_id(), 'woocommerce_api_consumer_secret', true ) );
+ $webhook->set_secret( ! empty( $data['secret'] ) ? $data['secret'] : wc_webhook_generate_secret() );
 // send ping
 $webhook->deliver_ping();
diff --git a/includes/api/legacy/v3/class-wc-api-webhooks.php b/includes/api/legacy/v3/class-wc-api-webhooks.php
index 1851f789413..e6f8a5d358b 100644
--- a/includes/api/legacy/v3/class-wc-api-webhooks.php
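Review bot: The new `description` string for `secret` in the WC_REST_Webhooks_Controller schema (hunk at -509) reads "This will default is a MD5 hash from the current user's ID|username", which is ungrammatical and will reach translators and API consumers as written. Suggested wording: `This will default to an MD5 hash of the current user's ID|username if not provided.` The unchanged `'format' => 'uri'` two lines below looks copied from a URL field and does not describe a secret string, so it is worth confirming. The schema array starts and ends outside the hunk.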
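Review bot: The context comment `// set secret if provided, defaults to API users consumer secret` above the changed `set_secret()` call in legacy/v2/class-wc-api-webhooks.php is now wrong, because the fallback is `wc_webhook_generate_secret()` and no longer the consumer secret. The same stale comment sits in the legacy/v3 hunk. Update both to something like `// set secret if provided, otherwise fall back to a generated secret`. The enclosing method starts and ends outside the hunk.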
+++ b/includes/api/legacy/v3/class-wc-api-webhooks.php
@@ -210,7 +210,7 @@ class WC_API_Webhooks extends WC_API_Resource {
 $webhook->set_delivery_url( $data['delivery_url'] );
 // set secret if provided, defaults to API users consumer secret
- $webhook->set_secret( ! empty( $data['secret'] ) ? $data['secret'] : get_user_meta( get_current_user_id(), 'woocommerce_api_consumer_secret', true ) );
+ $webhook->set_secret( ! empty( $data['secret'] ) ? $data['secret'] : wc_webhook_generate_secret() );
 // send ping
 $webhook->deliver_ping();
diff --git a/includes/wc-webhook-functions.php b/includes/wc-webhook-functions.php
index 0dafe6a93d4..52d10e308a1 100644
--- a/includes/wc-webhook-functions.php
+++ b/includes/wc-webhook-functions.php
@@ -25,3 +25,22 @@ function wc_get_webhook_statuses() {
 'disabled' => __( 'Disabled', 'woocommerce' ),
 ) );
 }
+
+/**
+ * Generate webhook secret based in the user data.
+ *
+ * @since 2.6.0
+ * @param int $user_id User ID.
+ * @return string Secret of empty string if not found the user.
+ */
+function wc_webhook_generate_secret( $user_id = 0 ) {
+ if ( 0 === $user_id ) {
+ $user_id = get_current_user_id();
+ }
+
+ if ( $user = get_userdata( $user_id ) ) {
+ return md5( $user_id . '|' . $user->data->user_login );
+ }
+
+ return '';
+}
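Review bot: `wc_webhook_generate_secret()` builds the default secret as `md5( $user_id . '|' . $user->data->user_login )`, which is deterministic and derived from two values that are not secret. The key is therefore only as private as the user's ID and login name, and every webhook created by the same user shares it. The schema text in this commit says the secret keys the hash sent in the delivery headers, so a receiver cannot rely on that hash to authenticate a delivery while the default is in use. Generate the default from WordPress's random generator instead, e.g. `return wp_generate_password( 50, true, true );`, so each webhook gets its own unpredictable value. The `return ''` branch also lets the four call sites in this commit (admin `update_secret()`, REST create, legacy v2 and v3) save a webhook with an empty secret; they should reject that case rather than pass it to `set_secret()`.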