diff --git a/includes/class-wc-auth.php b/includes/class-wc-auth.php
index 27065044b84..8ec42a0c7f7 100644
--- a/includes/class-wc-auth.php
+++ b/includes/class-wc-auth.php
@@ -4,15 +4,15 @@
  *
  * Handles wc-auth endpoint requests.
  *
- * @author WooThemes
- * @category API
- * @package WooCommerce/API
- * @since 2.4.0
+ * @package WooCommerce/API
+ * @since 2.4.0
  */
-if ( ! defined( 'ABSPATH' ) ) {
- exit;
-}
+defined( 'ABSPATH' ) || exit;
+
+/**
+ * Auth class.
+ */
 class WC_Auth {
 /**
@@ -28,23 +28,21 @@ class WC_Auth {
 * @since 2.4.0
 */
 public function __construct() {
- // Add query vars
+ // Add query vars.
 add_filter( 'query_vars', array( $this, 'add_query_vars' ), 0 );
- // Register auth endpoint
+ // Register auth endpoint.
 add_action( 'init', array( __CLASS__, 'add_endpoint' ), 0 );
- // Handle auth requests
- add_action( 'parse_request', array( $this, 'handle_auth_requests' ), 0 );
+ // Handle auth requests.
+ add_action( 'parse_request.', array( $this, 'handle_auth_requests' ), 0 );
 }
 /**
 * Add query vars.
 *
 * @since 2.4.0
- *
- * @param array $vars
- *
+ * @param array $vars Query variables.
 * @return string[]
 */
 public function add_query_vars( $vars ) {
@@ -66,9 +64,7 @@ class WC_Auth {
 * Get scope name.
 *
 * @since 2.4.0
- *
- * @param string $scope
- *
+ * @param string $scope Permission scope.
 * @return string
 */
 protected function get_i18n_scope( $scope ) {
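Review bot: The hook name on the new `add_action` line in `__construct()` is `'parse_request.'` with a trailing period, so `handle_auth_requests` is attached to an action WordPress never fires and the wc-auth endpoint silently stops handling requests; the same punctuation sweep that added periods to `// Add query vars.` appears to have hit the string literal. The line should stay `add_action( 'parse_request', array( $this, 'handle_auth_requests' ), 0 );`. Since this hook is the only entry point into the class, a test that drives a `wc-auth-route` request through `parse_request` would have caught the regression and is worth adding with the fix.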
@@ -85,34 +81,32 @@ class WC_Auth {
 * Return a list of permissions a scope allows.
 *
 * @since 2.4.0
- *
- * @param string $scope
- *
+ * @param string $scope Permission scope.
 * @return array
 */
 protected function get_permissions_in_scope( $scope ) {
 $permissions = array();
 switch ( $scope ) {
- case 'read' :
+ case 'read':
 $permissions[] = __( 'View coupons', 'woocommerce' );
 $permissions[] = __( 'View customers', 'woocommerce' );
 $permissions[] = __( 'View orders and sales reports', 'woocommerce' );
 $permissions[] = __( 'View products', 'woocommerce' );
- break;
- case 'write' :
+ break;
+ case 'write':
 $permissions[] = __( 'Create webhooks', 'woocommerce' );
 $permissions[] = __( 'Create coupons', 'woocommerce' );
 $permissions[] = __( 'Create customers', 'woocommerce' );
 $permissions[] = __( 'Create orders', 'woocommerce' );
 $permissions[] = __( 'Create products', 'woocommerce' );
- break;
- case 'read_write' :
+ break;
+ case 'read_write':
 $permissions[] = __( 'Create webhooks', 'woocommerce' );
 $permissions[] = __( 'View and manage coupons', 'woocommerce' );
 $permissions[] = __( 'View and manage customers', 'woocommerce' );
 $permissions[] = __( 'View and manage orders and sales reports', 'woocommerce' );
 $permissions[] = __( 'View and manage products', 'woocommerce' );
- break;
+ break;
 }
 return apply_filters( 'woocommerce_api_permissions_in_scope', $permissions, $scope );
 }
@@ -121,27 +115,28 @@ class WC_Auth {
 * Build auth urls.
 *
 * @since 2.4.0
- *
- * @param array $data
- * @param string $endpoint
- *
+ * @param array $data Data to build URL.
+ * @param string $endpoint Endpoint.
 * @return string
 */
 protected function build_url( $data, $endpoint ) {
 $url = wc_get_endpoint_url( 'wc-auth/v' . self::VERSION, $endpoint, home_url( '/' ) );
- return add_query_arg( array(
- 'app_name' => wc_clean( $data['app_name'] ),
- 'user_id' => wc_clean( $data['user_id'] ),
- 'return_url' => urlencode( $this->get_formatted_url( $data['return_url'] ) ),
- 'callback_url' => urlencode( $this->get_formatted_url( $data['callback_url'] ) ),
- 'scope' => wc_clean( $data['scope'] ),
- ), $url );
+ return add_query_arg(
+ array(
+ 'app_name' => wc_clean( $data['app_name'] ),
+ 'user_id' => wc_clean( $data['user_id'] ),
+ 'return_url' => rawurlencode( $this->get_formatted_url( $data['return_url'] ) ),
+ 'callback_url' => rawurlencode( $this->get_formatted_url( $data['callback_url'] ) ),
+ 'scope' => wc_clean( $data['scope'] ),
+ ), $url
+ );
 }
 /**
 * Decode and format a URL.
- * @param string $url
+ *
+ * @param string $url URL.
 * @return string
 */
 protected function get_formatted_url( $url ) {
@@ -158,8 +153,10 @@ class WC_Auth {
 * Make validation.
 *
 * @since 2.4.0
+ * @throws Exception When validate fails.
 */
 protected function make_validation() {
+ $data = array();
 $params = array(
 'app_name',
 'user_id',
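Review bot: In `build_url()` only `return_url` and `callback_url` are URL-encoded before being handed to `add_query_arg()`; `app_name`, `user_id` and `scope` go in raw after `wc_clean()`, which does not strip `&`, `#` or `%`, so an app name containing one of those characters yields a query string that parses differently on the receiving end (as far as I can tell `add_query_arg()` re-encodes only the pre-existing query string, not the arguments it is given). Encoding every value the same way keeps the round trip lossless: `'app_name' => rawurlencode( wc_clean( $data['app_name'] ) ),` and `'user_id' => rawurlencode( wc_clean( $data['user_id'] ) ),`. The `make_validation()` hunk below starts a local `$data` array whose remaining lines fall outside this hunk.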
@@ -169,19 +166,21 @@ class WC_Auth {
 );
 foreach ( $params as $param ) {
- if ( empty( $_REQUEST[ $param ] ) ) {
+ if ( empty( $_REQUEST[ $param ] ) ) { // WPCS: input var ok, CSRF ok.
 /* translators: %s: parameter */
 throw new Exception( sprintf( __( 'Missing parameter %s', 'woocommerce' ), $param ) );
 }
+
+ $data[ $param ] = wp_unslash( $_REQUEST[ $param ] ); // WPCS: input var ok, CSRF ok, sanitization ok.
 }
- if ( ! in_array( $_REQUEST['scope'], array( 'read', 'write', 'read_write' ) ) ) {
+ if ( ! in_array( $data['scope'], array( 'read', 'write', 'read_write' ), true ) ) {
 /* translators: %s: scope */
- throw new Exception( sprintf( __( 'Invalid scope %s', 'woocommerce' ), wc_clean( $_REQUEST['scope'] ) ) );
+ throw new Exception( sprintf( __( 'Invalid scope %s', 'woocommerce' ), wc_clean( $data['scope'] ) ) );
 }
 foreach ( array( 'return_url', 'callback_url' ) as $param ) {
- $param = $this->get_formatted_url( $_REQUEST[ $param ] );
+ $param = $this->get_formatted_url( $data[ $param ] );
 if ( false === filter_var( $param, FILTER_VALIDATE_URL ) ) {
 /* translators: %s: url */
@@ -189,7 +188,7 @@ class WC_Auth {
 }
 }
- $callback_url = $this->get_formatted_url( $_REQUEST['callback_url'] );
+ $callback_url = $this->get_formatted_url( $data['callback_url'] );
 if ( 0 !== stripos( $callback_url, 'https://' ) ) {
 throw new Exception( __( 'The callback_url needs to be over SSL', 'woocommerce' ) );
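Review bot: The parameter loop in `make_validation()` checks only `empty()` before copying `$_REQUEST[ $param ]` into `$data`, so an array-valued parameter (for example `scope[]=read`) passes that check and then reaches the strict `in_array()`, `wc_clean()` inside `sprintf()` and `get_formatted_url()`, none of which are written for arrays; the strict comparison does reject it, but the error path itself then formats an array into the message. A type check beside the emptiness check, `if ( empty( $_REQUEST[ $param ] ) || ! is_string( $_REQUEST[ $param ] ) ) {`, fails such requests with the existing 'Missing parameter' message before any of that runs. `$data` is assembled here but never returned, so `auth_endpoint()` has to rebuild it from `$_REQUEST`; returning it from `make_validation()` would hand callers the validated copy. The method body begins in the previous hunk and continues past this one.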
@@ -201,17 +200,17 @@ class WC_Auth {
 *
 * @since 2.4.0
 *
- * @param string $app_name
- * @param string $app_user_id
- * @param string $scope
+ * @param string $app_name App name.
+ * @param string $app_user_id User ID.
+ * @param string $scope Scope.
 *
 * @return array
 */
 protected function create_keys( $app_name, $app_user_id, $scope ) {
 global $wpdb;
- /* translators: 1: app name 2: scope 3: date 4: time */
 $description = sprintf(
+ /* translators: 1: app name 2: scope 3: date 4: time */
 __( '%1$s - API %2$s (created on %3$s at %4$s).', 'woocommerce' ),
 wc_clean( $app_name ),
 $this->get_i18n_scope( $scope ),
@@ -221,7 +220,7 @@ class WC_Auth {
 $user = wp_get_current_user();
 // Created API keys.
- $permissions = ( in_array( $scope, array( 'read', 'write', 'read_write' ) ) ) ? sanitize_text_field( $scope ) : 'read';
+ $permissions = in_array( $scope, array( 'read', 'write', 'read_write' ), true ) ? sanitize_text_field( $scope ) : 'read';
 $consumer_key = 'ck_' . wc_rand_hash();
 $consumer_secret = 'cs_' . wc_rand_hash();
@@ -259,17 +258,16 @@ class WC_Auth {
 *
 * @since 2.4.0
 *
- * @param array $consumer_data
- * @param string $url
- *
+ * @throws Exception When validation fails.
+ * @param array $consumer_data Consumer data.
+ * @param string $url URL.
 * @return bool
- * @throws Exception
 */
 protected function post_consumer_data( $consumer_data, $url ) {
 $params = array(
- 'body' => json_encode( $consumer_data ),
- 'timeout' => 60,
- 'headers' => array(
+ 'body' => wp_json_encode( $consumer_data ),
+ 'timeout' => 60,
+ 'headers' => array(
 'Content-Type' => 'application/json;charset=' . get_bloginfo( 'charset' ),
 ),
 );
@@ -278,7 +276,7 @@ class WC_Auth {
 if ( is_wp_error( $response ) ) {
 throw new Exception( $response->get_error_message() );
- } elseif ( 200 != $response['response']['code'] ) {
+ } elseif ( 200 !== intval( $response['response']['code'] ) ) {
 throw new Exception( __( 'An error occurred in the request and at the time were unable to send the consumer data', 'woocommerce' ) );
 }
@@ -293,15 +291,15 @@ class WC_Auth {
 public function handle_auth_requests() {
 global $wp;
- if ( ! empty( $_GET['wc-auth-version'] ) ) {
- $wp->query_vars['wc-auth-version'] = $_GET['wc-auth-version'];
+ if ( ! empty( $_GET['wc-auth-version'] ) ) { // WPCS: input var ok, CSRF ok.
+ $wp->query_vars['wc-auth-version'] = wc_clean( wp_unslash( $_GET['wc-auth-version'] ) ); // WPCS: input var ok, CSRF ok.
 }
 if ( ! empty( $_GET['wc-auth-route'] ) ) {
- $wp->query_vars['wc-auth-route'] = $_GET['wc-auth-route'];
+ $wp->query_vars['wc-auth-route'] = wc_clean( wp_unslash( $_GET['wc-auth-route'] ) ); // WPCS: input var ok, CSRF ok.
 }
- // wc-auth endpoint requests
+ // wc-auth endpoint requests.
 if ( ! empty( $wp->query_vars['wc-auth-version'] ) && ! empty( $wp->query_vars['wc-auth-route'] ) ) {
 $this->auth_endpoint( $wp->query_vars['wc-auth-route'] );
 }
@@ -311,8 +309,8 @@ class WC_Auth {
 * Auth endpoint.
 *
 * @since 2.4.0
- *
- * @param string $route
+ * @throws Exception When validation fails.
+ * @param string $route Route.
 */
 protected function auth_endpoint( $route ) {
 ob_start();
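Review bot: `handle_auth_requests()` copies `wc-auth-route` and `wc-auth-version` into `$wp->query_vars` after `wc_clean()`, but `wc_clean()` maps over arrays rather than rejecting them, so a request carrying `wc-auth-route[]=…` still satisfies the `! empty()` check and `auth_endpoint()` receives an array where it calls `strtolower()`. Accepting only scalar values here, `if ( ! empty( $_GET['wc-auth-route'] ) && is_string( $_GET['wc-auth-route'] ) ) {` (and the same for `wc-auth-version`), keeps the route a string before it is compared against the fixed route names. As a point of style in the `post_consumer_data()` hunk above, `200 !== intval( $response['response']['code'] )` is clearer as `200 !== wp_remote_retrieve_response_code( $response )`, the WordPress accessor for that field, which also copes with a response array missing that key.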
@@ -327,50 +325,74 @@ class WC_Auth {
 $route = strtolower( wc_clean( $route ) );
 $this->make_validation();
- // Login endpoint
- if ( 'login' == $route && ! is_user_logged_in() ) {
- wc_get_template( 'auth/form-login.php', array(
- 'app_name' => $_REQUEST['app_name'],
- 'return_url' => add_query_arg( array( 'success' => 0, 'user_id' => wc_clean( $_REQUEST['user_id'] ) ), $this->get_formatted_url( $_REQUEST['return_url'] ) ),
- 'redirect_url' => $this->build_url( $_REQUEST, 'authorize' ),
- ) );
+ $data = wp_unslash( $_REQUEST ); // WPCS: input var ok, CSRF ok.
+ // Login endpoint.
+ if ( 'login' === $route && ! is_user_logged_in() ) {
+ wc_get_template(
+ 'auth/form-login.php', array(
+ 'app_name' => wc_clean( $data['app_name'] ),
+ 'return_url' => add_query_arg(
+ array(
+ 'success' => 0,
+ 'user_id' => wc_clean( $data['user_id'] ),
+ ), $this->get_formatted_url( $data['return_url'] )
+ ),
+ 'redirect_url' => $this->build_url( $data, 'authorize' ),
+ )
+ );
 exit;
- // Redirect with user is logged in
- } elseif ( 'login' == $route && is_user_logged_in() ) {
- wp_redirect( esc_url_raw( $this->build_url( $_REQUEST, 'authorize' ) ) );
+ } elseif ( 'login' === $route && is_user_logged_in() ) {
+ // Redirect with user is logged in.
+ wp_redirect( esc_url_raw( $this->build_url( $data, 'authorize' ) ) );
 exit;
- // Redirect with user is not logged in and trying to access the authorize endpoint
- } elseif ( 'authorize' == $route && ! is_user_logged_in() ) {
- wp_redirect( esc_url_raw( $this->build_url( $_REQUEST, 'login' ) ) );
+ } elseif ( 'authorize' === $route && ! is_user_logged_in() ) {
+ // Redirect with user is not logged in and trying to access the authorize endpoint.
+ wp_redirect( esc_url_raw( $this->build_url( $data, 'login' ) ) );
 exit;
- // Authorize endpoint
- } elseif ( 'authorize' == $route && current_user_can( 'manage_woocommerce' ) ) {
- wc_get_template( 'auth/form-grant-access.php', array(
- 'app_name' => $_REQUEST['app_name'],
- 'return_url' => add_query_arg( array( 'success' => 0, 'user_id' => wc_clean( $_REQUEST['user_id'] ) ), $this->get_formatted_url( $_REQUEST['return_url'] ) ),
- 'scope' => $this->get_i18n_scope( wc_clean( $_REQUEST['scope'] ) ),
- 'permissions' => $this->get_permissions_in_scope( wc_clean( $_REQUEST['scope'] ) ),
- 'granted_url' => wp_nonce_url( $this->build_url( $_REQUEST, 'access_granted' ), 'wc_auth_grant_access', 'wc_auth_nonce' ),
- 'logout_url' => wp_logout_url( $this->build_url( $_REQUEST, 'login' ) ),
- 'user' => wp_get_current_user(),
- ) );
+ } elseif ( 'authorize' === $route && current_user_can( 'manage_woocommerce' ) ) {
+ // Authorize endpoint.
+ wc_get_template(
+ 'auth/form-grant-access.php', array(
+ 'app_name' => wc_clean( $data['app_name'] ),
+ 'return_url' => add_query_arg(
+ array(
+ 'success' => 0,
+ 'user_id' => wc_clean( $data['user_id'] ),
+ ), $this->get_formatted_url( $data['return_url'] )
+ ),
+ 'scope' => $this->get_i18n_scope( wc_clean( $data['scope'] ) ),
+ 'permissions' => $this->get_permissions_in_scope( wc_clean( $data['scope'] ) ),
+ 'granted_url' => wp_nonce_url( $this->build_url( $data, 'access_granted' ), 'wc_auth_grant_access', 'wc_auth_nonce' ),
+ 'logout_url' => wp_logout_url( $this->build_url( $data, 'login' ) ),
+ 'user' => wp_get_current_user(),
+ )
+ );
 exit;
- // Granted access endpoint
- } elseif ( 'access_granted' == $route && current_user_can( 'manage_woocommerce' ) ) {
- if ( ! isset( $_GET['wc_auth_nonce'] ) || ! wp_verify_nonce( $_GET['wc_auth_nonce'], 'wc_auth_grant_access' ) ) {
+ } elseif ( 'access_granted' === $route && current_user_can( 'manage_woocommerce' ) ) {
+ // Granted access endpoint.
+ if ( ! isset( $_GET['wc_auth_nonce'] ) || ! 
wp_verify_nonce( sanitize_key( wp_unslash( $_GET['wc_auth_nonce'] ) ), 'wc_auth_grant_access' ) ) { // WPCS: input var ok.
 throw new Exception( __( 'Invalid nonce verification', 'woocommerce' ) );
 }
- $consumer_data = $this->create_keys( $_REQUEST['app_name'], $_REQUEST['user_id'], $_REQUEST['scope'] );
- $response = $this->post_consumer_data( $consumer_data, $this->get_formatted_url( $_REQUEST['callback_url'] ) );
+ $consumer_data = $this->create_keys( $data['app_name'], $data['user_id'], $data['scope'] );
+ $response = $this->post_consumer_data( $consumer_data, $this->get_formatted_url( $data['callback_url'] ) );
 if ( $response ) {
- wp_redirect( esc_url_raw( add_query_arg( array( 'success' => 1, 'user_id' => wc_clean( $_REQUEST['user_id'] ) ), $this->get_formatted_url( $_REQUEST['return_url'] ) ) ) );
+ wp_redirect(
+ esc_url_raw(
+ add_query_arg(
+ array(
+ 'success' => 1,
+ 'user_id' => wc_clean( $data['user_id'] ),
+ ), $this->get_formatted_url( $data['return_url'] )
+ )
+ )
+ );
 exit;
 }
 } else {
@@ -380,7 +402,7 @@ class WC_Auth {
 $this->maybe_delete_key( $consumer_data );
 /* translators: %s: error message */
- wp_die( sprintf( __( 'Error: %s.', 'woocommerce' ), $e->getMessage() ), __( 'Access denied', 'woocommerce' ), array( 'response' => 401 ) );
+ wp_die( sprintf( esc_html__( 'Error: %s.', 'woocommerce' ), esc_html( $e->getMessage() ) ), esc_html__( 'Access denied', 'woocommerce' ), array( 'response' => 401 ) );
 }
 }
@@ -389,7 +411,7 @@ class WC_Auth {
 *
 * @since 2.4.0
 *
- * @param array $key
+ * @param array $key Key.
 */
 private function maybe_delete_key( $key ) {
 global $wpdb;
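Review bot: The `success`/`user_id` return-URL construction in `auth_endpoint()` is now spelled out three times in this hunk (the login form, the grant-access form and the post-grant redirect) with only the success flag differing, and `$data = wp_unslash( $_REQUEST )` re-derives the same values that `make_validation()` on the line above has just assembled and validated. A small helper keeps the three call sites identical and gives one place to apply `wc_clean()`, `get_formatted_url()` and any future encoding consistently; having `make_validation()` return its `$data` array (`$data = $this->make_validation();`) would remove the second unslash pass as well. The enclosing `try` block and the method's closing brace lie outside this hunk.
```php
/**
 * Build the app's return URL with the outcome flag and user id appended.
 *
 * @param array $data    Unslashed request data, already validated.
 * @param int   $success 1 when keys were delivered, 0 otherwise.
 * @return string
 */
protected function get_return_url( $data, $success ) {
	return add_query_arg(
		array(
			'success' => $success,
			'user_id' => wc_clean( $data['user_id'] ),
		), $this->get_formatted_url( $data['return_url'] )
	);
}

// … unchanged: auth_endpoint() up to each template/redirect call …
'return_url' => $this->get_return_url( $data, 0 ),
// … unchanged: remaining template arguments; the post-grant redirect passes 1 …
```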