// WPCS: input var ok, CSRF ok. } // wc-auth endpoint requests. if ( ! empty( $wp->query_vars['wc-auth-version'] ) && ! empty( $wp->query_vars['wc-auth-route'] ) ) { $this->auth_endpoint( $wp->query_vars['wc-auth-route'] ); } } /** * Auth endpoint. * * @since 2.4.0 * @throws Exception When validation fails. * @param string $route Route. */ protected function auth_endpoint( $route ) { ob_start(); $consumer_data = array(); try { $route = strtolower( wc_clean( $route ) ); $this->make_validation(); $data = wp_unslash( $_REQUEST ); // WPCS: input var ok, CSRF ok. // Login endpoint. if ( 'login' === $route && ! is_user_logged_in() ) { wc_get_template( 'auth/form-login.php', array( 'app_name' => wc_clean( $data['app_name'] ), 'return_url' => add_query_arg( array( 'success' => 0, 'user_id' => wc_clean( $data['user_id'] ), ), $this->get_formatted_url( $data['return_url'] ) ), 'redirect_url' => $this->build_url( $data, 'authorize' ), ) ); exit; } elseif ( 'login' === $route && is_user_logged_in() ) { // Redirect with user is logged in. wp_redirect( esc_url_raw( $this->build_url( $data, 'authorize' ) ) ); exit; } elseif ( 'authorize' === $route && ! is_user_logged_in() ) { // Redirect with user is not logged in and trying to access the authorize endpoint. wp_redirect( esc_url_raw( $this->build_url( $data, 'login' ) ) ); exit; } elseif ( 'authorize' === $route && current_user_can( 'manage_woocommerce' ) ) { // Authorize endpoint. wc_get_template( 'auth/form-grant-access.php', array( 'app_name' => wc_clean( $data['app_name'] ), 'return_url' => add_query_arg( array( 'success' => 0, 'user_id' => wc_clean( $data['user_id'] ), ), $this->get_formatted_url( $data['return_url'] ) ), 'scope' => $this->get_i18n_scope( wc_clean( $data['scope'] ) ), 'permissions' => $this->get_permissions_in_scope( wc_clean( $data['scope'] ) ), 'granted_url' => wp_nonce_url( $this->build_url( $data, 'access_granted' ), 'wc_auth_grant_access', 'wc_auth_nonce' ), 'logout_url' => wp_logout_url( $this->build_url( $data, 'login' ) ), 'user' => wp_get_current_user(), ) ); exit; } elseif ( 'access_granted' === $route && current_user_can( 'manage_woocommerce' ) ) { // Granted access endpoint. if ( ! isset( $_GET['wc_auth_nonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_GET['wc_auth_nonce'] ) ), 'wc_auth_grant_access' ) ) { // WPCS: input var ok. throw new Exception( __( 'Invalid nonce verification', 'woocommerce' ) ); } $consumer_data = $this->create_keys( $data['app_name'], $data['user_id'], $data['scope'] ); $response = $this->post_consumer_data( $consumer_data, $this->get_formatted_url( $data['callback_url'] ) ); if ( $response ) { wp_redirect( esc_url_raw( add_query_arg( array( 'success' => 1, 'user_id' => wc_clean( $data['user_id'] ), ), $this->get_formatted_url( $data['return_url'] ) ) ) ); exit; } } else { throw new Exception( __( 'You do not have permission to access this page', 'woocommerce' ) ); } } catch ( Exception $e ) { $this->maybe_delete_key( $consumer_data ); /* translators: %s: error message */ wp_die( sprintf( esc_html__( 'Error: %s.', 'woocommerce' ), esc_html( $e->getMessage() ) ), esc_html__( 'Access denied', 'woocommerce' ), array( 'response' => 401 ) ); } } /** * Maybe delete key. * * @since 2.4.0 * * @param array $key Key. */ private function maybe_delete_key( $key ) { global $wpdb; if ( isset( $key['key_id'] ) ) { $wpdb->delete( $wpdb->prefix . 'woocommerce_api_keys', array( 'key_id' => $key['key_id'] ), array( '%d' ) ); } } } new WC_Auth();