Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
| Total | |
0.00% |
0 / 11 |
|
0.00% |
0 / 5 |
CRAP | |
0.00% |
0 / 1 |
| Nonce | |
0.00% |
0 / 11 |
|
0.00% |
0 / 5 |
42 | |
0.00% |
0 / 1 |
| __construct | |
0.00% |
0 / 3 |
|
0.00% |
0 / 1 |
2 | |||
| verify | |
0.00% |
0 / 3 |
|
0.00% |
0 / 1 |
6 | |||
| generate_nonce | |
0.00% |
0 / 3 |
|
0.00% |
0 / 1 |
2 | |||
| save_generated_nonce | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
| get_generated_nonces | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
| 1 | <?php |
| 2 | |
| 3 | namespace Automattic\Jetpack_Boost\REST_API\Permissions; |
| 4 | |
| 5 | use Automattic\Jetpack_Boost\REST_API\Contracts\Permission; |
| 6 | |
| 7 | /** |
| 8 | * Nonces are tricky in REST. |
| 9 | * |
| 10 | * `rest_api_init` action is only tirgered when visiting an URL that looks like a REST Endopint. |
| 11 | * This means that if nonces are generated there, they won't be available in regular |
| 12 | * `init` or `admin_init` parts of the app. But that's exactly where we need them. |
| 13 | * |
| 14 | * So we need a way to both generate named nonces, but also know what nonces |
| 15 | * we have generated and pass them to the front-end of the application. |
| 16 | * |
| 17 | * To do this without scattering nonce names across the application, |
| 18 | * this class is using static properties while complying to with |
| 19 | * the Permission contract and keeping track of the nonces |
| 20 | * that have been generated, that way they can be |
| 21 | * retrieved later using: |
| 22 | * |
| 23 | * Nonce::get_generated_nonces() |
| 24 | */ |
| 25 | class Nonce implements Permission { |
| 26 | |
| 27 | /** |
| 28 | * WordPress calls nonce keys "actions" |
| 29 | * |
| 30 | * @var string The nonce key to validate |
| 31 | */ |
| 32 | private $action; |
| 33 | |
| 34 | /** |
| 35 | * @var string Key used by `verify` method to validate \WP_Request |
| 36 | */ |
| 37 | private $request_key; |
| 38 | |
| 39 | /** |
| 40 | * Whenever this class is invoked, it will statically save the generated nonce |
| 41 | * So that they can be retrieved and passed to the admin UI |
| 42 | * |
| 43 | * @var array Associate array of nonces |
| 44 | */ |
| 45 | private static $saved_nonces = array(); |
| 46 | |
| 47 | public function __construct( $action, $request_key = 'nonce' ) { |
| 48 | $this->action = $action; |
| 49 | $this->request_key = $request_key; |
| 50 | $this->generate_nonce(); |
| 51 | } |
| 52 | |
| 53 | public function verify( $request ) { |
| 54 | if ( ! isset( $request[ $this->request_key ] ) ) { |
| 55 | return false; |
| 56 | } |
| 57 | return false !== wp_verify_nonce( $request[ $this->request_key ], $this->action ); |
| 58 | } |
| 59 | |
| 60 | public function generate_nonce() { |
| 61 | $nonce = wp_create_nonce( $this->action ); |
| 62 | static::save_generated_nonce( $this->action, $nonce ); |
| 63 | |
| 64 | return $nonce; |
| 65 | } |
| 66 | |
| 67 | /** |
| 68 | * Keep track of the nonces created using this class. |
| 69 | * |
| 70 | * @param string $action - The action where this nonce is used. |
| 71 | * @param string $nonce - The nonce value. |
| 72 | * |
| 73 | * @return void |
| 74 | */ |
| 75 | private static function save_generated_nonce( $action, $nonce ) { |
| 76 | static::$saved_nonces[ $action ] = $nonce; |
| 77 | } |
| 78 | |
| 79 | /** |
| 80 | * @return array Array of saved [action => nonce] pairs. |
| 81 | */ |
| 82 | public static function get_generated_nonces() { |
| 83 | return static::$saved_nonces; |
| 84 | } |
| 85 | } |