Claudio Sanches
b43abff674
Merge pull request #8415 from justinshreve/oauth-7928
Fix issues with our OAuth implementation, including nonconformance to spec. Closes #7928
2015-06-22 15:00:51 -03:00
Justin Shreve
819a4fae0d
wp_endswith doesn't actually exist (it's a wpcom/jetpackism) - update with a simple substr check
2015-06-22 17:58:50 +00:00
Justin Shreve
fcab013d53
$enc_type for http_build_query() is only available in PHP 5.4+
go back to a normalization approach
2015-06-19 23:03:45 +00:00
Justin Shreve
482303c0f9
Don't convert nested parameters to strings.
Switch to the native http_build_query instead of our own normalize function.
2015-06-19 16:11:17 +00:00
Justin Shreve
59bc17e0cb
Check before building the current URL to see if a trailing slash should be appended or not, that way if a request includes one, the signature still matches.
2015-06-19 16:05:23 +00:00
Justin Shreve
c43f9157c3
When generating the signature to compare, append a trailing &.
The OAuth spec (http://tools.ietf.org/html/rfc5849#section-3.4.2) states that a & character must be present, even if a token secret is not a part of the request.
2015-06-19 15:05:51 +00:00
Justin Shreve
9e2f0f55d8
Remove reauth endpoint. It's not going to work the way we want it to. If clients need to log out (like a browser), they can clear the sessions per browser. Also returns JSON error when auth is not returned correctly.
2015-06-19 13:42:10 +00:00
Justin Shreve
8da19e4dae
Provide some directions in the Basic auth input box so the user knows where to provide the API key and secret.
2015-06-19 13:42:10 +00:00
Justin Shreve
d63f7d014f
Implement basic auth improvements and query string fall back.
If the key and secret query strings are provided, do auth based on those. If not, and the Basic auth headers are set, do full basic auth (including sending the correct headers).
Also implements a /reauth endpoint for basic auth.
2015-06-19 13:42:10 +00:00
Claudio Sanches
91bb8c7ba9
Updated the api authentication
2015-06-08 19:58:38 -03:00
Claudio Sanches
84c937c011
Improved the woocommerce_api_keys table
2015-05-15 22:52:00 -03:00
Claudio Sanches
20906f2248
Fixed the authentication with the new woocommerce_api_keys table
2015-05-15 21:16:53 -03:00
Max Rice
2d974987dc
Check strings using hash_equals
time-constant string comparison to prevent timing attacks
2015-01-19 00:34:09 -05:00
Max Rice
512d77fb4c
code standards
2015-01-19 00:33:38 -05:00
shivapoudel
e6f6bcf368
Absolute path fix for REST API v2
2014-09-21 01:09:20 +05:45
Mike Jolley
021a889e66
Merge pull request #5277 from maxrice/rest-api-fix-5207
Allow query string fallback for REST API SSL authentication
2014-04-07 10:13:55 +01:00
Max Rice
09451855f2
Allow query string fallback for REST API SSL auth
In some environments, the PHP_AUTH_USER/PW server vars are empty which
prevents SSL authentication from working properly. This commit allows
the use of a query string fallback (e.g.
`?consumer_key=123&consumer_secret=abc`) for providing credentials over
SSL.
Fixes #5207
2014-04-04 14:24:14 -04:00
Max Rice
1dd24501f5
Remove unnecessary OAuth code
The parameters provided to the API endpoints only contain the
parameters specified in the method signature so there’s no need to
strip out the OAuth params.
2014-04-04 14:22:06 -04:00
Max Rice
1c437bdeb8
API: double-encode percent symbols when normalizing parameters
2014-04-03 16:56:26 -04:00
Max Rice
853520d40b
API: normalize both key and value before calculating OAuth signature
The OAuth spec indicates that the full query string should be URL
encoded. The array_walk method does not change keys so when used with a
parameter like `filter[period]=week`, the key is not properly encoded.
This fixes that by properly encoding both the key and value.
2014-04-03 16:11:51 -04:00
Max Rice
9f463e4644
code standards
2014-04-03 16:10:08 -04:00
Gerhard
30c1486aa7
REST API OAuth signature issue fix when using filter params
2014-02-14 13:26:31 +02:00
Mike Jolley
f504243b56
Update timestamp check Closes #4409
2014-01-08 13:40:06 +00:00
Gerhard
8e2bc1cebc
remove hardcoded api reference, use WooCommerce_api_url instead
2013-12-06 16:57:44 +02:00
Gerhard
5b27f37c23
Fix issue where oAuth signature is wrong when running site from a subfolder #4055
2013-12-06 15:07:42 +02:00
Ryan McCue
ff6f2e070e
Use correct variable for OAuth parameter check
2013-11-26 11:19:00 +10:00
Max Rice
38be2ee7a4
Perform core authentication at 0 priority
Makes it easier for plugins to override the core API authentication
Part of #4055
2013-11-23 13:28:26 -05:00
Max Rice
ef22f03275
Add API key-specific permission check
Part of #4055
2013-11-19 03:04:00 -05:00
Max Rice
61fb0f760a
Update authentication to use new API key meta names
Part of #4055
2013-11-19 03:03:39 -05:00
Max Rice
00c65b9cc3
Add site timezone to API index
2013-11-10 19:30:59 -05:00
Max Rice
c3fa52b0b5
Update API classes to use new WC_API_Server class
2013-11-06 01:54:19 -05:00
Max Rice
45fa450760
Add REST API authentication class
2013-11-03 20:06:28 -05:00