Inline generateToken for clarity

The only thing Security::generateToken provided was a default value
 for $action, which led to the same $action being used everywhere —
 probably not the best approach.

 Since it was essentially a wrapper for WP's built-in nonce functions,
 it seemed clearer to use those functions directly to be more explicit
 about how we're handling tokens.

[MAILPOET-2030]
This commit is contained in:
John Oleksowicz
2022-03-25 12:01:48 -05:00
committed by Veljko V
parent ed87d1cace
commit fc1f3e6dc2
6 changed files with 11 additions and 20 deletions


@ -9,7 +9,6 @@ use MailPoet\Subscription\Captcha;
use MailPoet\Tracy\ApiPanel\ApiPanel;
use MailPoet\Tracy\DIPanel\DIPanel;
use MailPoet\Util\Helpers;
use MailPoet\Util\Security;
use MailPoet\WP\Functions as WPFunctions;
use MailPoetVendor\Psr\Container\ContainerInterface;
use Throwable;
@ -106,7 +105,7 @@ class API {
$this->requestMethod === 'subscribe'
);
if (!$ignoreToken && $this->checkToken() === false) {
if (!$ignoreToken && $this->wp->wpVerifyNonce($this->requestToken, 'mailpoet_token') === false) {
$errorMessage = WPFunctions::get()->__("Sorry, but we couldn't connect to the MailPoet server. Please refresh the web page and try again.", 'mailpoet');
$errorResponse = $this->createErrorResponse(Error::UNAUTHORIZED, $errorMessage, Response::STATUS_UNAUTHORIZED);
return $errorResponse->send();
@ -228,23 +227,19 @@ class API {
$this->accessControl->validatePermission($permissions['global']);
}
public function checkToken() {
return WPFunctions::get()->wpVerifyNonce($this->requestToken, 'mailpoet_token');
}
public function setTokenAndAPIVersion() {
echo sprintf(
'<script type="text/javascript">' .
'var mailpoet_token = "%s";' .
'var mailpoet_api_version = "%s";' .
'</script>',
esc_js(Security::generateToken()),
esc_js($this->wp->wpCreateNonce('mailpoet_token')),
esc_js(self::CURRENT_VERSION)
);
}
public function addTokenToHeartbeatResponse($response) {
$response['mailpoet_token'] = Security::generateToken();
$response['mailpoet_token'] = $this->wp->wpCreateNonce('mailpoet_token');
return $response;
}
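Review bot: The nonce action `'mailpoet_token'` is now a bare string literal repeated at three sites in this class (the verify call in the second hunk and the two create calls in the third), where previously the single default in Security::generateToken kept creation and verification in sync. If the creating and verifying literals ever drift apart nothing will error at development time; every API request would simply fail verification and be answered with UNAUTHORIZED, which is easy to misdiagnose as a server-connectivity problem given the error text. I would add `const TOKEN_ACTION = 'mailpoet_token';` to the class and use `self::TOKEN_ACTION` in all three calls. Also, `checkToken()` was public, so removing it is a visible API change; presumably the other files in this commit cover its callers, but that is worth confirming. The API class and its remaining methods continue outside these hunks.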