Commit Graph

32 Commits

Author SHA1 Message Date
Claudio Sanches b43abff674 Merge pull request #8415 from justinshreve/oauth-7928
Fix issues with our OAuth implementation, including nonconformance to spec. Closes #7928
2015-06-22 15:00:51 -03:00
Justin Shreve 819a4fae0d wp_endswith doesn't actually exist (it's a wpcom/jetpackism) - update with a simple substr check 2015-06-22 17:58:50 +00:00
Justin Shreve fcab013d53 $enc_type for http_build_query() is only available in PHP 5.4+
go back to a normalization approach
2015-06-19 23:03:45 +00:00
Justin Shreve 482303c0f9 Don't convert nested parameters to strings.
Switch to the native http_build_query instead of our own normalize function.
2015-06-19 16:11:17 +00:00
Justin Shreve 59bc17e0cb Check before building the current URL to see if a trailing slash should be appended or not, that way if a request includes one, the signature still matches. 2015-06-19 16:05:23 +00:00
Justin Shreve c43f9157c3 When generating the signature to compare, append a trailing &.
The OAuth spec (http://tools.ietf.org/html/rfc5849#section-3.4.2) states that a & character must be present, even if a token secret is not a part of the request.
2015-06-19 15:05:51 +00:00
Justin Shreve 9e2f0f55d8 Remove reauth endpoint. It's not going to work the way we want it to. If clients need to log out (like a browser), they can clear the sessions per browser. Also returns JSON error when auth is not returned correctly. 2015-06-19 13:42:10 +00:00
Justin Shreve 8da19e4dae Provide some directions in the Basic auth input box so the user knows where to provide the API key and secret. 2015-06-19 13:42:10 +00:00
Justin Shreve d63f7d014f Implement basic auth improvements and query string fall back.
If the key and secret query strings are provided, do auth based on those. If not, and the Basic auth headers are set, do full basic auth (including sending the correct headers).
Also implements a /reauth endpoint for basic auth.
2015-06-19 13:42:10 +00:00
Claudio Sanches 91bb8c7ba9 Updated the api authentication 2015-06-08 19:58:38 -03:00
Claudio Sanches 84c937c011 Improved the woocommerce_api_keys table 2015-05-15 22:52:00 -03:00
Claudio Sanches 20906f2248 Fixed the authentication with the new woocommerce_api_keys table 2015-05-15 21:16:53 -03:00
Max Rice 2d974987dc Check strings using hash_equals
time-constant string comparison to prevent timing attacks
2015-01-19 00:34:09 -05:00
Max Rice 512d77fb4c code standards 2015-01-19 00:33:38 -05:00
shivapoudel e6f6bcf368 Absolute path fix for REST API v2 2014-09-21 01:09:20 +05:45
Mike Jolley 021a889e66 Merge pull request #5277 from maxrice/rest-api-fix-5207
Allow query string fallback for REST API SSL authentication
2014-04-07 10:13:55 +01:00
Max Rice 09451855f2 Allow query string fallback for REST API SSL auth
In some environments, the PHP_AUTH_USER/PW server vars are empty which
prevents SSL authentication from working properly. This commit allows
the use of a query string fallback (e.g.
`?consumer_key=123&consumer_secret=abc`) for providing credentials over
SSL.

Fixes #5207
2014-04-04 14:24:14 -04:00
Max Rice 1dd24501f5 Remove unnecessary OAuth code
The parameters provided to the API endpoints only contain the
parameters specified in the method signature so there’s no need to
strip out the OAuth params.
2014-04-04 14:22:06 -04:00
Max Rice 1c437bdeb8 API: double-encode percent symbols when normalizing parameters 2014-04-03 16:56:26 -04:00
Max Rice 853520d40b API: normalize both key and value before calculating OAuth signature
The OAuth spec indicates that the full query string should be URL
encoded. The array_walk method does not change keys so when used with a
parameter like `filter[period]=week`, the key is not properly encoded.
This fixes that by properly encoding both the key and value.
2014-04-03 16:11:51 -04:00
Max Rice 9f463e4644 code standards 2014-04-03 16:10:08 -04:00
Gerhard 30c1486aa7 REST API OAuth signature issue fix when using filter params 2014-02-14 13:26:31 +02:00
Mike Jolley f504243b56 Update timestamp check Closes #4409 2014-01-08 13:40:06 +00:00
Gerhard 8e2bc1cebc remove hardcoded api reference, use WooCommerce_api_url instead 2013-12-06 16:57:44 +02:00
Gerhard 5b27f37c23 Fix issue where OAuth signature is wrong when running site from a subfolder #4055 2013-12-06 15:07:42 +02:00
Ryan McCue ff6f2e070e Use correct variable for OAuth parameter check 2013-11-26 11:19:00 +10:00
Max Rice 38be2ee7a4 Perform core authentication at 0 priority
Makes it easier for plugins to override the core API authentication

Part of #4055
2013-11-23 13:28:26 -05:00
Max Rice ef22f03275 Add API key-specific permission check
Part of #4055
2013-11-19 03:04:00 -05:00
Max Rice 61fb0f760a Update authentication to use new API key meta names
Part of #4055
2013-11-19 03:03:39 -05:00
Max Rice 00c65b9cc3 Add site timezone to API index 2013-11-10 19:30:59 -05:00
Max Rice c3fa52b0b5 Update API classes to use new WC_API_Server class 2013-11-06 01:54:19 -05:00
Max Rice 45fa450760 Add REST API authentication class 2013-11-03 20:06:28 -05:00