Implement basic auth improvements and query string fall back.
If the key and secret query strings are provided, do auth based on those. If not, and the Basic auth headers are set, do full basic auth (including sending the correct headers). Also implements a /reauth endpoint for basic auth.
This commit is contained in:
Justin Shreve
parent
ade8db4f21
commit
d63f7d014f
|
|
@ -41,8 +41,11 @@ class WC_API_Authentication {
|
|||
return new WP_User( 0 );
|
||||
}
|
||||
|
||||
try {
|
||||
if ( '/reauth' === untrailingslashit( WC()->api->server->path ) ) {
|
||||
$this->exit_with_unauthorized_headers();
|
||||
}
|
||||
|
||||
try {
|
||||
if ( is_ssl() ) {
|
||||
$keys = $this->perform_ssl_authentication();
|
||||
} else {
|
||||
|
|
@ -72,50 +75,48 @@ class WC_API_Authentication {
|
|||
* @throws Exception
|
||||
*/
|
||||
private function perform_ssl_authentication() {
|
||||
|
||||
$params = WC()->api->server->params['GET'];
|
||||
|
||||
// Get consumer key
|
||||
if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) ) {
|
||||
// if the $_GET parameters are present, use those first
|
||||
if ( ! empty( $params['consumer_key'] ) && ! empty( $params['consumer_secret'] ) ) {
|
||||
$keys = $this->get_keys_by_consumer_key( $params['consumer_key'] );
|
||||
|
||||
// Should be in HTTP Auth header by default
|
||||
$consumer_key = $_SERVER['PHP_AUTH_USER'];
|
||||
if ( ! $this->is_consumer_secret_valid( $keys['consumer_secret'], $params['consumer_secret'] ) ) {
|
||||
throw new Exception( __( 'Consumer Secret is invalid', 'woocommerce' ), 401 );
|
||||
}
|
||||
|
||||
} elseif ( ! empty( $params['consumer_key'] ) ) {
|
||||
|
||||
// Allow a query string parameter as a fallback
|
||||
$consumer_key = $params['consumer_key'];
|
||||
|
||||
} else {
|
||||
|
||||
throw new Exception( __( 'Consumer Key is missing', 'woocommerce' ), 404 );
|
||||
return $keys;
|
||||
}
|
||||
|
||||
// Get consumer secret
|
||||
if ( ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
|
||||
// if the above is not present, we will do full basic auth
|
||||
|
||||
// Should be in HTTP Auth header by default
|
||||
$consumer_secret = $_SERVER['PHP_AUTH_PW'];
|
||||
|
||||
} elseif ( ! empty( $params['consumer_secret'] ) ) {
|
||||
|
||||
// Allow a query string parameter as a fallback
|
||||
$consumer_secret = $params['consumer_secret'];
|
||||
|
||||
} else {
|
||||
|
||||
throw new Exception( __( 'Consumer Secret is missing', 'woocommerce' ), 404 );
|
||||
if ( empty( $_SERVER['PHP_AUTH_USER'] ) || empty( $_SERVER['PHP_AUTH_PW'] ) ) {
|
||||
$this->exit_with_unauthorized_headers();
|
||||
}
|
||||
|
||||
$keys = $this->get_keys_by_consumer_key( $consumer_key );
|
||||
$keys = $this->get_keys_by_consumer_key( $_SERVER['PHP_AUTH_USER'] );
|
||||
|
||||
if ( ! $this->is_consumer_secret_valid( $keys['consumer_secret'], $consumer_secret ) ) {
|
||||
throw new Exception( __( 'Consumer Secret is invalid', 'woocommerce' ), 401 );
|
||||
if ( ! $this->is_consumer_secret_valid( $keys['consumer_secret'], $_SERVER['PHP_AUTH_PW'] ) ) {
|
||||
$this->exit_with_unauthorized_headers();
|
||||
}
|
||||
|
||||
return $keys;
|
||||
}
|
||||
|
||||
/**
|
||||
* If the consumer_key and consumer_secret $_GET parameters are NOT provided
|
||||
* and the Basic auth headers are either not present or the consumer secret does not match the consumer
|
||||
* key provided, then return the correct Basic headers and an error message.
|
||||
*
|
||||
* @since 2.4
|
||||
*/
|
||||
private function exit_with_unauthorized_headers() {
|
||||
header( 'WWW-Authenticate: Basic realm="' . __( 'WooCommerce API', 'woocommerce' ) . '"' );
|
||||
header( 'HTTP/1.0 401 Unauthorized' );
|
||||
esc_html_e( 'A valid consumer key and secret must be provided to access this resource', 'woocommerce' );
|
||||
exit;
|
||||
}
|
||||
|
||||
/**
|
||||
* Perform OAuth 1.0a "one-legged" (http://oauthbible.com/#oauth-10a-one-legged) authentication for non-SSL requests
|
||||
*
|
||||
|
|
|
|||
Loading…
Reference in New Issue