Code Coverage for projects/packages/connection/src/class-tokens.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	77.04% covered (warning)	77.04%	198 / 257	50.00% covered (danger)	50.00%	8 / 16	CRAP	0.00% covered (danger)	0.00%	0 / 1
Tokens	77.04% covered (warning)	77.04%	198 / 257	50.00% covered (danger)	50.00%	8 / 16	224.42	0.00% covered (danger)	0.00%	0 / 1
delete_all	100.00% covered (success)	100.00%	8 / 8	100.00% covered (success)	100.00%	1 / 1	1
validate	100.00% covered (success)	100.00%	24 / 24	100.00% covered (success)	100.00%	1 / 1	9
validate_blog_token	0.00% covered (danger)	0.00%	0 / 16	0.00% covered (danger)	0.00%	0 / 1	56
get	77.14% covered (warning)	77.14%	54 / 70	0.00% covered (danger)	0.00%	0 / 1	27.78
update_user_token	100.00% covered (success)	100.00%	9 / 9	100.00% covered (success)	100.00%	1 / 1	3
sign_role	75.00% covered (warning)	75.00%	6 / 8	0.00% covered (danger)	0.00%	0 / 1	5.39
return_30	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
get_access_token	70.37% covered (warning)	70.37%	38 / 54	0.00% covered (danger)	0.00%	0 / 1	56.00
update_blog_token	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
disconnect_user	75.00% covered (warning)	75.00%	6 / 8	0.00% covered (danger)	0.00%	0 / 1	3.14
get_connected_users		n/a	0 / 0		n/a	0 / 0	1
get_signed_token	96.88% covered (success)	96.88%	31 / 32	0.00% covered (danger)	0.00%	0 / 1	5
get_user_tokens	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
update_user_tokens	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
set_lock	50.00% covered (danger)	50.00%	2 / 4	0.00% covered (danger)	0.00%	0 / 1	2.50
remove_lock	100.00% covered (success)	100.00%	2 / 2	100.00% covered (success)	100.00%	1 / 1	1
is_locked	77.78% covered (warning)	77.78%	14 / 18	0.00% covered (danger)	0.00%	0 / 1	7.54

1	<?php
2	/**
3	* The Jetpack Connection Tokens class file.
4	*
5	* @package automattic/jetpack-connection
6	*/
7
8	namespace Automattic\Jetpack\Connection;
9
10	use Automattic\Jetpack\Constants;
11	use Automattic\Jetpack\Roles;
12	use DateInterval;
13	use DateTime;
14	use Exception;
15	use Jetpack_Options;
16	use WP_Error;
17
18	/**
19	* The Jetpack Connection Tokens class that manages tokens.
20	*/
21	class Tokens {
22
23	const MAGIC_NORMAL_TOKEN_KEY = ';normal;';
24
25	/**
26	* Datetime format.
27	*/
28	const DATE_FORMAT_ATOM = 'Y-m-d\TH:i:sP';
29
30	/**
31	* Deletes all connection tokens and transients from the local Jetpack site.
32	*/
33	public function delete_all() {
34	Jetpack_Options::delete_option(
35	array(
36	'blog_token',
37	'user_token',
38	'user_tokens',
39	)
40	);
41
42	$this->remove_lock();
43	}
44
45	/**
46	* Perform the API request to validate the blog and user tokens.
47	*
48	* @param int\|null $user_id ID of the user we need to validate token for. Current user's ID by default.
49	*
50	* @return array\|false\|WP_Error The API response: `array( 'blog_token_is_healthy' => true\|false, 'user_token_is_healthy' => true\|false )`.
51	*/
52	public function validate( $user_id = null ) {
53	$blog_id = Jetpack_Options::get_option( 'id' );
54	if ( ! $blog_id ) {
55	return new WP_Error( 'site_not_registered', 'Site not registered.' );
56	}
57	$url = sprintf(
58	'%s/%s/v%s/%s',
59	Constants::get_constant( 'JETPACK__WPCOM_JSON_API_BASE' ),
60	'wpcom',
61	'2',
62	'sites/' . $blog_id . '/jetpack-token-health'
63	);
64
65	$user_token = $this->get_access_token( $user_id ? $user_id : get_current_user_id() );
66	$blog_token = $this->get_access_token();
67
68	// Cannot validate non-existent tokens.
69	if ( false === $user_token \|\| false === $blog_token ) {
70	return false;
71	}
72
73	$method = 'POST';
74	$body = array(
75	'user_token' => $this->get_signed_token( $user_token ),
76	'blog_token' => $this->get_signed_token( $blog_token ),
77	);
78	$response = Client::_wp_remote_request( $url, compact( 'body', 'method' ) );
79
80	if ( is_wp_error( $response ) \|\| ! wp_remote_retrieve_body( $response ) \|\| 200 !== wp_remote_retrieve_response_code( $response ) ) {
81	return false;
82	}
83
84	$body = json_decode( wp_remote_retrieve_body( $response ), true );
85
86	return $body ? $body : false;
87	}
88
89	/**
90	* Perform the API request to validate only the blog.
91	*
92	* @return bool\|WP_Error Boolean with the test result. WP_Error if test cannot be performed.
93	*/
94	public function validate_blog_token() {
95	$blog_id = Jetpack_Options::get_option( 'id' );
96	if ( ! $blog_id ) {
97	return new WP_Error( 'site_not_registered', 'Site not registered.' );
98	}
99	$url = sprintf(
100	'%s/%s/v%s/%s',
101	Constants::get_constant( 'JETPACK__WPCOM_JSON_API_BASE' ),
102	'wpcom',
103	'2',
104	'sites/' . $blog_id . '/jetpack-token-health/blog'
105	);
106
107	$method = 'GET';
108	$response = Client::remote_request( compact( 'url', 'method' ) );
109
110	if ( is_wp_error( $response ) \|\| ! wp_remote_retrieve_body( $response ) \|\| 200 !== wp_remote_retrieve_response_code( $response ) ) {
111	return false;
112	}
113
114	$body = json_decode( wp_remote_retrieve_body( $response ), true );
115
116	return is_array( $body ) && isset( $body['is_healthy'] ) && true === $body['is_healthy'];
117	}
118
119	/**
120	* Obtains the auth token.
121	*
122	* @param array $data The request data.
123	* @param string $token_api_url The URL of the Jetpack "token" API.
124	* @return object\|WP_Error Returns the auth token on success.
125	* Returns a WP_Error on failure.
126	*/
127	public function get( $data, $token_api_url ) {
128	$roles = new Roles();
129	$role = $roles->translate_current_user_to_role();
130
131	if ( ! $role ) {
132	return new WP_Error( 'role', __( 'An administrator for this blog must set up the Jetpack connection.', 'jetpack-connection' ) );
133	}
134
135	$client_secret = $this->get_access_token();
136	if ( ! $client_secret ) {
137	return new WP_Error( 'client_secret', __( 'You need to register your Jetpack before connecting it.', 'jetpack-connection' ) );
138	}
139
140	/**
141	* Filter the URL of the first time the user gets redirected back to your site for connection
142	* data processing.
143	*
144	* @since 1.7.0
145	* @since-jetpack 8.0.0
146	*
147	* @param string $redirect_url Defaults to the site admin URL.
148	*/
149	$processing_url = apply_filters( 'jetpack_token_processing_url', admin_url( 'admin.php' ) );
150
151	$redirect = isset( $data['redirect'] ) ? esc_url_raw( (string) $data['redirect'] ) : '';
152
153	/**
154	* Filter the URL to redirect the user back to when the authentication process
155	* is complete.
156	*
157	* @since 1.7.0
158	* @since-jetpack 8.0.0
159	*
160	* @param string $redirect_url Defaults to the site URL.
161	*/
162	$redirect = apply_filters( 'jetpack_token_redirect_url', $redirect );
163
164	$redirect_uri = ( 'calypso' === $data['auth_type'] )
165	? $data['redirect_uri']
166	: add_query_arg(
167	array(
168	'handler' => 'jetpack-connection-webhooks',
169	'action' => 'authorize',
170	'_wpnonce' => wp_create_nonce( "jetpack-authorize_{$role}_{$redirect}" ),
171	'redirect' => $redirect ? rawurlencode( $redirect ) : false,
172	),
173	esc_url( $processing_url )
174	);
175
176	/**
177	* Filters the token request data.
178	*
179	* @since 1.7.0
180	* @since-jetpack 8.0.0
181	*
182	* @param array $request_data request data.
183	*/
184	$body = apply_filters(
185	'jetpack_token_request_body',
186	array(
187	'client_id' => Jetpack_Options::get_option( 'id' ),
188	'client_secret' => $client_secret->secret,
189	'grant_type' => 'authorization_code',
190	'code' => $data['code'],
191	'redirect_uri' => $redirect_uri,
192	)
193	);
194
195	$args = array(
196	'method' => 'POST',
197	'body' => $body,
198	'headers' => array(
199	'Accept' => 'application/json',
200	),
201	);
202	add_filter( 'http_request_timeout', array( $this, 'return_30' ), PHP_INT_MAX - 1 );
203	$response = Client::_wp_remote_request( $token_api_url, $args );
204	remove_filter( 'http_request_timeout', array( $this, 'return_30' ), PHP_INT_MAX - 1 );
205
206	if ( is_wp_error( $response ) ) {
207	return new WP_Error( 'token_http_request_failed', $response->get_error_message() );
208	}
209
210	$code = wp_remote_retrieve_response_code( $response );
211	$entity = wp_remote_retrieve_body( $response );
212
213	if ( $entity ) {
214	$json = json_decode( $entity );
215	} else {
216	$json = false;
217	}
218
219	if ( 200 !== $code \|\| ! empty( $json->error ) ) {
220	if ( empty( $json->error ) ) {
221	return new WP_Error( 'unknown', '', $code );
222	}
223
224	/* translators: Error description string. */
225	$error_description = isset( $json->error_description ) ? sprintf( __( 'Error Details: %s', 'jetpack-connection' ), (string) $json->error_description ) : '';
226
227	return new WP_Error( (string) $json->error, $error_description, $code );
228	}
229
230	if ( empty( $json->access_token ) \|\| ! is_scalar( $json->access_token ) ) {
231	return new WP_Error( 'access_token', '', $code );
232	}
233
234	if ( empty( $json->token_type ) \|\| 'X_JETPACK' !== strtoupper( $json->token_type ) ) {
235	return new WP_Error( 'token_type', '', $code );
236	}
237
238	if ( empty( $json->scope ) ) {
239	return new WP_Error( 'scope', 'No Scope', $code );
240	}
241
242	// TODO: get rid of the error silencer.
243	// phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
244	@list( $role, $hmac ) = explode( ':', $json->scope );
245	if ( empty( $role ) \|\| empty( $hmac ) ) {
246	return new WP_Error( 'scope', 'Malformed Scope', $code );
247	}
248
249	if ( $this->sign_role( $role ) !== $json->scope ) {
250	return new WP_Error( 'scope', 'Invalid Scope', $code );
251	}
252
253	$cap = $roles->translate_role_to_cap( $role );
254	if ( ! $cap ) {
255	return new WP_Error( 'scope', 'No Cap', $code );
256	}
257
258	if ( ! current_user_can( $cap ) ) {
259	return new WP_Error( 'scope', 'current_user_cannot', $code );
260	}
261
262	return (string) $json->access_token;
263	}
264
265	/**
266	* Enters a user token into the user_tokens option
267	*
268	* @param int $user_id The user id.
269	* @param string $token The user token.
270	* @param bool $is_master_user Whether the user is the master user.
271	* @return bool
272	*/
273	public function update_user_token( $user_id, $token, $is_master_user ) {
274	// Not designed for concurrent updates.
275	$user_tokens = $this->get_user_tokens();
276	if ( ! is_array( $user_tokens ) ) {
277	$user_tokens = array();
278	}
279	$user_tokens[ $user_id ] = $token;
280	if ( $is_master_user ) {
281	$master_user = $user_id;
282	$options = compact( 'user_tokens', 'master_user' );
283	} else {
284	$options = compact( 'user_tokens' );
285	}
286	return Jetpack_Options::update_options( $options );
287	}
288
289	/**
290	* Sign a user role with the master access token.
291	* If not specified, will default to the current user.
292	*
293	* @access public
294	*
295	* @param string $role User role.
296	* @param int $user_id ID of the user.
297	* @return string Signed user role.
298	*/
299	public function sign_role( $role, $user_id = null ) {
300	if ( empty( $user_id ) ) {
301	$user_id = (int) get_current_user_id();
302	}
303
304	if ( ! $user_id ) {
305	return false;
306	}
307
308	$token = $this->get_access_token();
309	if ( ! $token \|\| is_wp_error( $token ) ) {
310	return false;
311	}
312
313	return $role . ':' . hash_hmac( 'md5', "{$role}\|{$user_id}", $token->secret );
314	}
315
316	/**
317	* Increases the request timeout value to 30 seconds.
318	*
319	* @return int Returns 30.
320	*/
321	public function return_30() {
322	return 30;
323	}
324
325	/**
326	* Gets the requested token.
327	*
328	* Tokens are one of two types:
329	* 1. Blog Tokens: These are the "main" tokens. Each site typically has one Blog Token,
330	* though some sites can have multiple "Special" Blog Tokens (see below). These tokens
331	* are not associated with a user account. They represent the site's connection with
332	* the Jetpack servers.
333	* 2. User Tokens: These are "sub-"tokens. Each connected user account has one User Token.
334	*
335	* All tokens look like "{$token_key}.{$private}". $token_key is a public ID for the
336	* token, and $private is a secret that should never be displayed anywhere or sent
337	* over the network; it's used only for signing things.
338	*
339	* Blog Tokens can be "Normal" or "Special".
340	* * Normal: The result of a normal connection flow. They look like
341	* "{$random_string_1}.{$random_string_2}"
342	* That is, $token_key and $private are both random strings.
343	* Sites only have one Normal Blog Token. Normal Tokens are found in either
344	* Jetpack_Options::get_option( 'blog_token' ) (usual) or the JETPACK_BLOG_TOKEN
345	* constant (rare).
346	* * Special: A connection token for sites that have gone through an alternative
347	* connection flow. They look like:
348	* ";{$special_id}{$special_version};{$wpcom_blog_id};.{$random_string}"
349	* That is, $private is a random string and $token_key has a special structure with
350	* lots of semicolons.
351	* Most sites have zero Special Blog Tokens. Special tokens are only found in the
352	* JETPACK_BLOG_TOKEN constant.
353	*
354	* In particular, note that Normal Blog Tokens never start with ";" and that
355	* Special Blog Tokens always do.
356	*
357	* When searching for a matching Blog Tokens, Blog Tokens are examined in the following
358	* order:
359	* 1. Defined Special Blog Tokens (via the JETPACK_BLOG_TOKEN constant)
360	* 2. Stored Normal Tokens (via Jetpack_Options::get_option( 'blog_token' ))
361	* 3. Defined Normal Tokens (via the JETPACK_BLOG_TOKEN constant)
362	*
363	* @param int\|false $user_id false: Return the Blog Token. int: Return that user's User Token.
364	* @param string\|false $token_key If provided, check that the token matches the provided input.
365	* @param bool\|true $suppress_errors If true, return a falsy value when the token isn't found; When false, return a descriptive WP_Error when the token isn't found.
366	*
367	* @return object\|false\|WP_Error
368	*/
369	public function get_access_token( $user_id = false, $token_key = false, $suppress_errors = true ) {
370	if ( $this->is_locked() ) {
371	$this->delete_all();
372	return false;
373	}
374
375	$possible_special_tokens = array();
376	$possible_normal_tokens = array();
377	$user_tokens = $this->get_user_tokens();
378
379	if ( $user_id ) {
380	if ( ! $user_tokens ) {
381	return $suppress_errors ? false : new WP_Error( 'no_user_tokens', __( 'No user tokens found', 'jetpack-connection' ) );
382	}
383	if ( true === $user_id ) { // connection owner.
384	$user_id = Jetpack_Options::get_option( 'master_user' );
385	if ( ! $user_id ) {
386	return $suppress_errors ? false : new WP_Error( 'empty_master_user_option', __( 'No primary user defined', 'jetpack-connection' ) );
387	}
388	}
389	if ( ! isset( $user_tokens[ $user_id ] ) \|\| ! $user_tokens[ $user_id ] ) {
390	// translators: %s is the user ID.
391	return $suppress_errors ? false : new WP_Error( 'no_token_for_user', sprintf( __( 'No token for user %d', 'jetpack-connection' ), $user_id ) );
392	}
393	$user_token_chunks = explode( '.', $user_tokens[ $user_id ] );
394	if ( empty( $user_token_chunks[1] ) \|\| empty( $user_token_chunks[2] ) ) {
395	// translators: %s is the user ID.
396	return $suppress_errors ? false : new WP_Error( 'token_malformed', sprintf( __( 'Token for user %d is malformed', 'jetpack-connection' ), $user_id ) );
397	}
398	if ( $user_token_chunks[2] !== (string) $user_id ) {
399	// translators: %1$d is the ID of the requested user. %2$d is the user ID found in the token.
400	return $suppress_errors ? false : new WP_Error( 'user_id_mismatch', sprintf( __( 'Requesting user_id %1$d does not match token user_id %2$d', 'jetpack-connection' ), $user_id, $user_token_chunks[2] ) );
401	}
402	$possible_normal_tokens[] = "{$user_token_chunks[0]}.{$user_token_chunks[1]}";
403	} else {
404	$stored_blog_token = Jetpack_Options::get_option( 'blog_token' );
405	if ( $stored_blog_token ) {
406	$possible_normal_tokens[] = $stored_blog_token;
407	}
408
409	$defined_tokens_string = Constants::get_constant( 'JETPACK_BLOG_TOKEN' );
410
411	if ( $defined_tokens_string ) {
412	$defined_tokens = explode( ',', $defined_tokens_string );
413	foreach ( $defined_tokens as $defined_token ) {
414	if ( ';' === $defined_token[0] ) {
415	$possible_special_tokens[] = $defined_token;
416	} else {
417	$possible_normal_tokens[] = $defined_token;
418	}
419	}
420	}
421	}
422
423	if ( self::MAGIC_NORMAL_TOKEN_KEY === $token_key ) {
424	$possible_tokens = $possible_normal_tokens;
425	} else {
426	$possible_tokens = array_merge( $possible_special_tokens, $possible_normal_tokens );
427	}
428
429	if ( ! $possible_tokens ) {
430	// If no user tokens were found, it would have failed earlier, so this is about blog token.
431	return $suppress_errors ? false : new WP_Error( 'no_possible_tokens', __( 'No blog token found', 'jetpack-connection' ) );
432	}
433
434	$valid_token = false;
435
436	if ( false === $token_key ) {
437	// Use first token.
438	$valid_token = $possible_tokens[0];
439	} elseif ( self::MAGIC_NORMAL_TOKEN_KEY === $token_key ) {
440	// Use first normal token.
441	$valid_token = $possible_tokens[0]; // $possible_tokens only contains normal tokens because of earlier check.
442	} else {
443	// Use the token matching $token_key or false if none.
444	// Ensure we check the full key.
445	$token_check = rtrim( $token_key, '.' ) . '.';
446
447	foreach ( $possible_tokens as $possible_token ) {
448	if ( hash_equals( substr( $possible_token, 0, strlen( $token_check ) ), $token_check ) ) {
449	$valid_token = $possible_token;
450	break;
451	}
452	}
453	}
454
455	if ( ! $valid_token ) {
456	if ( $user_id ) {
457	// translators: %d is the user ID.
458	return $suppress_errors ? false : new WP_Error( 'no_valid_user_token', sprintf( __( 'Invalid token for user %d', 'jetpack-connection' ), $user_id ) );
459	} else {
460	return $suppress_errors ? false : new WP_Error( 'no_valid_blog_token', __( 'Invalid blog token', 'jetpack-connection' ) );
461	}
462	}
463
464	return (object) array(
465	'secret' => $valid_token,
466	'external_user_id' => (int) $user_id,
467	);
468	}
469
470	/**
471	* Updates the blog token to a new value.
472	*
473	* @access public
474	*
475	* @param string $token the new blog token value.
476	* @return Boolean Whether updating the blog token was successful.
477	*/
478	public function update_blog_token( $token ) {
479	return Jetpack_Options::update_option( 'blog_token', $token );
480	}
481
482	/**
483	* Unlinks the current user from the linked WordPress.com user.
484	*
485	* @access public
486	* @static
487	*
488	* @todo Refactor to properly load the XMLRPC client independently.
489	*
490	* @param int $user_id The user identifier.
491	*
492	* @return bool Whether the disconnection of the user was successful.
493	*/
494	public function disconnect_user( $user_id ) {
495	$tokens = $this->get_user_tokens();
496	if ( ! $tokens ) {
497	return false;
498	}
499
500	if ( ! isset( $tokens[ $user_id ] ) ) {
501	return false;
502	}
503
504	unset( $tokens[ $user_id ] );
505
506	$this->update_user_tokens( $tokens );
507
508	return true;
509	}
510
511	/**
512	* Returns an array of user_id's that have user tokens for communicating with wpcom.
513	* Able to select by specific capability.
514	*
515	* @deprecated 1.30.0
516	* @see Manager::get_connected_users
517	*
518	* @param string $capability The capability of the user.
519	* @param int\|null $limit How many connected users to get before returning.
520	* @return array Array of WP_User objects if found.
521	*/
522	public function get_connected_users( $capability = 'any', $limit = null ) {
523	_deprecated_function( __METHOD__, '1.30.0' );
524	return ( new Manager( 'jetpack' ) )->get_connected_users( $capability, $limit );
525	}
526
527	/**
528	* Fetches a signed token.
529	*
530	* @param object $token the token.
531	* @return WP_Error\|string a signed token
532	*/
533	public function get_signed_token( $token ) {
534	if ( ! isset( $token->secret ) \|\| empty( $token->secret ) ) {
535	return new WP_Error( 'invalid_token' );
536	}
537
538	list( $token_key, $token_secret ) = explode( '.', $token->secret );
539
540	$token_key = sprintf(
541	'%s:%d:%d',
542	$token_key,
543	Constants::get_constant( 'JETPACK__API_VERSION' ),
544	$token->external_user_id
545	);
546
547	$timestamp = time();
548
549	if ( function_exists( 'wp_generate_password' ) ) {
550	$nonce = wp_generate_password( 10, false );
551	} else {
552	$nonce = substr( sha1( (string) wp_rand( 0, 1000000 ) ), 0, 10 );
553	}
554
555	$normalized_request_string = implode(
556	"\n",
557	array(
558	$token_key,
559	$timestamp,
560	$nonce,
561	)
562	) . "\n";
563
564	// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
565	$signature = base64_encode( hash_hmac( 'sha1', $normalized_request_string, $token_secret, true ) );
566
567	$auth = array(
568	'token' => $token_key,
569	'timestamp' => $timestamp,
570	'nonce' => $nonce,
571	'signature' => $signature,
572	);
573
574	$header_pieces = array();
575	foreach ( $auth as $key => $value ) {
576	$header_pieces[] = sprintf( '%s="%s"', $key, $value );
577	}
578
579	return implode( ' ', $header_pieces );
580	}
581
582	/**
583	* Gets the list of user tokens
584	*
585	* @since 1.30.0
586	*
587	* @return bool\|array An array of user tokens where keys are user IDs and values are the tokens. False if no user token is found.
588	*/
589	public function get_user_tokens() {
590	return Jetpack_Options::get_option( 'user_tokens' );
591	}
592
593	/**
594	* Updates the option that stores the user tokens
595	*
596	* @since 1.30.0
597	*
598	* @param array $tokens An array of user tokens where keys are user IDs and values are the tokens.
599	* @return bool Was the option successfully updated?
600	*
601	* @todo add validate the input.
602	*/
603	public function update_user_tokens( $tokens ) {
604	return Jetpack_Options::update_option( 'user_tokens', $tokens );
605	}
606
607	/**
608	* Lock the tokens to the current site URL.
609	*
610	* @param int $timespan How long the tokens should be locked, in seconds.
611	*
612	* @return bool
613	*/
614	public function set_lock( $timespan = HOUR_IN_SECONDS ) {
615	try {
616	$expires = ( new DateTime() )->add( DateInterval::createFromDateString( (int) $timespan . ' seconds' ) );
617	} catch ( Exception $e ) {
618	return false;
619	}
620
621	// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
622	return Jetpack_Options::update_option( 'token_lock', $expires->format( static::DATE_FORMAT_ATOM ) . '\|\|\|' . base64_encode( Urls::site_url() ) );
623	}
624
625	/**
626	* Remove the site lock from tokens.
627	*
628	* @return bool
629	*/
630	public function remove_lock() {
631	Jetpack_Options::delete_option( 'token_lock' );
632
633	return true;
634	}
635
636	/**
637	* Check if the domain is locked, remove the lock if needed.
638	* Possible scenarios:
639	* - lock expired, site URL matches the lock URL: remove the lock, return false.
640	* - lock not expired, site URL matches the lock URL: return false.
641	* - site URL does not match the lock URL (expiration date is ignored): return true, do not remove the lock.
642	*
643	* @return bool
644	*/
645	public function is_locked() {
646	$the_lock = Jetpack_Options::get_option( 'token_lock' );
647	if ( ! $the_lock ) {
648	// Not locked.
649	return false;
650	}
651
652	$the_lock = explode( '\|\|\|', $the_lock, 2 );
653	if ( count( $the_lock ) !== 2 ) {
654	// Something's wrong with the lock.
655	$this->remove_lock();
656	return false;
657	}
658
659	// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
660	$locked_site_url = base64_decode( $the_lock[1] );
661	$expires = $the_lock[0];
662
663	$expiration_date = DateTime::createFromFormat( static::DATE_FORMAT_ATOM, $expires );
664	if ( false === $expiration_date \|\| ! $locked_site_url ) {
665	// Something's wrong with the lock.
666	$this->remove_lock();
667	return false;
668	}
669
670	if ( Urls::site_url() === $locked_site_url ) {
671	if ( new DateTime() > $expiration_date ) {
672	// Site lock expired.
673	// Site URL matches, removing the lock.
674	$this->remove_lock();
675	}
676
677	return false;
678	}
679
680	// Site URL doesn't match.
681	return true;
682	}
683	}