Adding fallback in case "Authorization" or "X-Woo-Signature" headers are not present.

Check if access token and request signature set in query arguments if the headers are missing.

includes/wccom-site/class-wc-wccom-site.php

@@ -53,45 +53,38 @@ class WC_WCCOM_Site {
 			return $user_id;
 		}
 
-		$auth_header = self::get_authorization_header();
-		if ( empty( $auth_header ) ) {
+		$auth_header = trim( self::get_authorization_header() );
+
+		if ( stripos( $auth_header, 'Bearer ' ) === 0 ) {
+			$access_token = trim( substr( $auth_header, 7 ) );
+		} elseif ( ! empty( $_GET['token'] ) && is_string( $_GET['token'] ) ) {  // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			$access_token = trim( $_GET['token'] );  // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		} else {
 			add_filter(
 				self::AUTH_ERROR_FILTER_NAME,
 				function() {
 					return new WP_Error(
-						WC_REST_WCCOM_Site_Installer_Errors::NO_AUTH_HEADER_CODE,
-						WC_REST_WCCOM_Site_Installer_Errors::NO_AUTH_HEADER_MESSAGE,
-						array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::NO_AUTH_HEADER_HTTP_CODE )
+						WC_REST_WCCOM_Site_Installer_Errors::NO_ACCESS_TOKEN_CODE,
+						WC_REST_WCCOM_Site_Installer_Errors::NO_ACCESS_TOKEN_MESSAGE,
+						array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::NO_ACCESS_TOKEN_HTTP_CODE )
 					);
 				}
 			);
 			return false;
 		}
 
-		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-		$request_auth = trim( $auth_header );
-		if ( stripos( $request_auth, 'Bearer ' ) !== 0 ) {
+		if ( ! empty( $_SERVER['HTTP_X_WOO_SIGNATURE'] ) ) {
+			$signature = trim( $_SERVER['HTTP_X_WOO_SIGNATURE'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		} elseif ( ! empty( $_GET['signature'] ) && is_string( $_GET['signature'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			$signature = trim( $_GET['signature'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		} else {
 			add_filter(
 				self::AUTH_ERROR_FILTER_NAME,
 				function() {
 					return new WP_Error(
-						WC_REST_WCCOM_Site_Installer_Errors::INVALID_AUTH_HEADER_CODE,
-						WC_REST_WCCOM_Site_Installer_Errors::INVALID_AUTH_HEADER_MESSAGE,
-						array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::INVALID_AUTH_HEADER_HTTP_CODE )
-					);
-				}
-			);
-			return false;
-		}
-
-		if ( empty( $_SERVER['HTTP_X_WOO_SIGNATURE'] ) ) {
-			add_filter(
-				self::AUTH_ERROR_FILTER_NAME,
-				function() {
-					return new WP_Error(
-						WC_REST_WCCOM_Site_Installer_Errors::NO_SIGNATURE_HEADER_CODE,
-						WC_REST_WCCOM_Site_Installer_Errors::NO_SIGNATURE_HEADER_MESSAGE,
-						array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::NO_SIGNATURE_HEADER_HTTP_CODE )
+						WC_REST_WCCOM_Site_Installer_Errors::NO_SIGNATURE_CODE,
+						WC_REST_WCCOM_Site_Installer_Errors::NO_SIGNATURE_MESSAGE,
+						array( 'status' => WC_REST_WCCOM_Site_Installer_Errors::NO_SIGNATURE_HTTP_CODE )
 					);
 				}
 			);
@@ -99,8 +92,7 @@ class WC_WCCOM_Site {
 		}
 
 		require_once WC_ABSPATH . 'includes/admin/helper/class-wc-helper-options.php';
-		$access_token = trim( substr( $request_auth, 7 ) );
-		$site_auth    = WC_Helper_Options::get( 'auth' );
+		$site_auth = WC_Helper_Options::get( 'auth' );
 
 		if ( empty( $site_auth['access_token'] ) ) {
 			add_filter(
@@ -130,8 +122,7 @@ class WC_WCCOM_Site {
 			return false;
 		}
 
-		$body      = WP_REST_Server::get_raw_data();
-		$signature = trim( $_SERVER['HTTP_X_WOO_SIGNATURE'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		$body = WP_REST_Server::get_raw_data();
 
 		if ( ! self::verify_wccom_request( $body, $signature, $site_auth['access_token_secret'] ) ) {
 			add_filter(
@@ -226,7 +217,7 @@ class WC_WCCOM_Site {
 		// phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		$data = array(
 			'host'        => $_SERVER['HTTP_HOST'],
-			'request_uri' => $_SERVER['REQUEST_URI'],
+			'request_uri' => urldecode( remove_query_arg( array( 'token', 'signature' ) ) ),
 			'method'      => strtoupper( $_SERVER['REQUEST_METHOD'] ),
 		);
 		// phpcs:enable

includes/wccom-site/rest-api/class-wc-rest-wccom-site-installer-errors.php

@@ -23,25 +23,18 @@ class WC_REST_WCCOM_Site_Installer_Errors {
 	const NOT_AUTHENTICATED_HTTP_CODE = 401;
 
 	/**
-	 * No Authorization header
+	 * No access token provided
 	 */
-	const NO_AUTH_HEADER_CODE      = 'no_auth_header';
-	const NO_AUTH_HEADER_MESSAGE   = 'No header "Authorization" present';
-	const NO_AUTH_HEADER_HTTP_CODE = 400;
+	const NO_ACCESS_TOKEN_CODE      = 'no_access_token';
+	const NO_ACCESS_TOKEN_MESSAGE   = 'No access token provided';
+	const NO_ACCESS_TOKEN_HTTP_CODE = 400;
 
 	/**
-	 * Authorization header invalid
+	 * No signature provided
 	 */
-	const INVALID_AUTH_HEADER_CODE      = 'no_auth_header';
-	const INVALID_AUTH_HEADER_MESSAGE   = 'Header "Authorization" is invalid';
-	const INVALID_AUTH_HEADER_HTTP_CODE = 400;
-
-	/**
-	 * No Signature header
-	 */
-	const NO_SIGNATURE_HEADER_CODE      = 'no_signature_header';
-	const NO_SIGNATURE_HEADER_MESSAGE   = 'No header "X-Woo-Signature" present';
-	const NO_SIGNATURE_HEADER_HTTP_CODE = 400;
+	const NO_SIGNATURE_CODE      = 'no_signature';
+	const NO_SIGNATURE_MESSAGE   = 'No signature provided';
+	const NO_SIGNATURE_HTTP_CODE = 400;
 
 	/**
 	 * Site not connected to WooCommerce.com