Inline generateToken for clarity

The only thing Security::generateToken was providing was a default value
 for the $action, which led to the same $action being used everywhere;
 that may not be the best approach.

 Since it was essentially a wrapper for WP's built-in nonce functions,
 it seemed clearer to use those functions directly to be more explicit
 about how we're handling tokens.

[MAILPOET-2030]
This commit is contained in:
John Oleksowicz
2022-03-25 12:01:48 -05:00
committed by Veljko V
parent ed87d1cace
commit fc1f3e6dc2
6 changed files with 11 additions and 20 deletions


@ -9,7 +9,6 @@ use MailPoet\Subscription\Captcha;
use MailPoet\Tracy\ApiPanel\ApiPanel; use MailPoet\Tracy\ApiPanel\ApiPanel;
use MailPoet\Tracy\DIPanel\DIPanel; use MailPoet\Tracy\DIPanel\DIPanel;
use MailPoet\Util\Helpers; use MailPoet\Util\Helpers;
use MailPoet\Util\Security;
use MailPoet\WP\Functions as WPFunctions; use MailPoet\WP\Functions as WPFunctions;
use MailPoetVendor\Psr\Container\ContainerInterface; use MailPoetVendor\Psr\Container\ContainerInterface;
use Throwable; use Throwable;
@ -106,7 +105,7 @@ class API {
$this->requestMethod === 'subscribe' $this->requestMethod === 'subscribe'
); );
if (!$ignoreToken && $this->checkToken() === false) { if (!$ignoreToken && $this->wp->wpVerifyNonce($this->requestToken, 'mailpoet_token') === false) {
$errorMessage = WPFunctions::get()->__("Sorry, but we couldn't connect to the MailPoet server. Please refresh the web page and try again.", 'mailpoet'); $errorMessage = WPFunctions::get()->__("Sorry, but we couldn't connect to the MailPoet server. Please refresh the web page and try again.", 'mailpoet');
$errorResponse = $this->createErrorResponse(Error::UNAUTHORIZED, $errorMessage, Response::STATUS_UNAUTHORIZED); $errorResponse = $this->createErrorResponse(Error::UNAUTHORIZED, $errorMessage, Response::STATUS_UNAUTHORIZED);
return $errorResponse->send(); return $errorResponse->send();
@ -228,23 +227,19 @@ class API {
$this->accessControl->validatePermission($permissions['global']); $this->accessControl->validatePermission($permissions['global']);
} }
public function checkToken() {
return WPFunctions::get()->wpVerifyNonce($this->requestToken, 'mailpoet_token');
}
public function setTokenAndAPIVersion() { public function setTokenAndAPIVersion() {
echo sprintf( echo sprintf(
'<script type="text/javascript">' . '<script type="text/javascript">' .
'var mailpoet_token = "%s";' . 'var mailpoet_token = "%s";' .
'var mailpoet_api_version = "%s";' . 'var mailpoet_api_version = "%s";' .
'</script>', '</script>',
esc_js(Security::generateToken()), esc_js($this->wp->wpCreateNonce('mailpoet_token')),
esc_js(self::CURRENT_VERSION) esc_js(self::CURRENT_VERSION)
); );
} }
public function addTokenToHeartbeatResponse($response) { public function addTokenToHeartbeatResponse($response) {
$response['mailpoet_token'] = Security::generateToken(); $response['mailpoet_token'] = $this->wp->wpCreateNonce('mailpoet_token');
return $response; return $response;
} }
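Review bot: The nonce action 'mailpoet_token' is now a bare string literal in three places in this hunk (the wpVerifyNonce call and both wpCreateNonce calls), and the same literal reappears in DisplayFormInWPContent, Widget and FormTest, so a typo at any one site would only surface as the UNAUTHORIZED response at runtime rather than at development time. Declaring it once, e.g. `const TOKEN_ACTION = 'mailpoet_token';` on API, and referencing it from every creation and verification site keeps the two halves in sync. The same hunk mixes `$this->wp->wpVerifyNonce(...)` with `WPFunctions::get()->__(...)` on the next line; using the injected `$this->wp` for both would match the style of the new code. Dropping the public `checkToken()` method may affect callers outside this diff, if any exist. The method containing the verification check starts outside the hunk.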


@ -7,7 +7,6 @@ use MailPoet\Config\Renderer as TemplateRenderer;
use MailPoet\Entities\FormEntity; use MailPoet\Entities\FormEntity;
use MailPoet\Subscribers\SubscribersRepository; use MailPoet\Subscribers\SubscribersRepository;
use MailPoet\Subscribers\SubscriberSubscribeController; use MailPoet\Subscribers\SubscriberSubscribeController;
use MailPoet\Util\Security;
use MailPoet\WP\Functions as WPFunctions; use MailPoet\WP\Functions as WPFunctions;
class DisplayFormInWPContent { class DisplayFormInWPContent {
@ -188,7 +187,7 @@ class DisplayFormInWPContent {
} }
// generate security token // generate security token
$templateData['token'] = Security::generateToken(); $templateData['token'] = $this->wp->wpCreateNonce('mailpoet_token');
// add API version // add API version
$templateData['api_version'] = API::CURRENT_VERSION; $templateData['api_version'] = API::CURRENT_VERSION;


@ -9,7 +9,6 @@ use MailPoet\Entities\FormEntity;
use MailPoet\Form\Renderer as FormRenderer; use MailPoet\Form\Renderer as FormRenderer;
use MailPoet\Form\Util\CustomFonts; use MailPoet\Form\Util\CustomFonts;
use MailPoet\Settings\SettingsController; use MailPoet\Settings\SettingsController;
use MailPoet\Util\Security;
use MailPoet\WP\Functions as WPFunctions; use MailPoet\WP\Functions as WPFunctions;
// phpcs:disable Generic.Files.InlineHTML // phpcs:disable Generic.Files.InlineHTML
@ -249,7 +248,7 @@ class Widget extends \WP_Widget {
); );
// generate security token // generate security token
$data['token'] = Security::generateToken(); $data['token'] = $this->wp->wpCreateNonce('mailpoet_token');
// add API version // add API version
$data['api_version'] = API::CURRENT_VERSION; $data['api_version'] = API::CURRENT_VERSION;


@ -7,7 +7,6 @@ use MailPoet\Entities\NewsletterEntity;
use MailPoet\Entities\SubscriberEntity; use MailPoet\Entities\SubscriberEntity;
use MailPoet\Newsletter\NewslettersRepository; use MailPoet\Newsletter\NewslettersRepository;
use MailPoet\Subscribers\SubscribersRepository; use MailPoet\Subscribers\SubscribersRepository;
use MailPoet\WP\Functions as WPFunctions;
class Security { class Security {
const HASH_LENGTH = 12; const HASH_LENGTH = 12;
@ -27,10 +26,6 @@ class Security {
$this->subscribersRepository = $subscribersRepository; $this->subscribersRepository = $subscribersRepository;
} }
public static function generateToken($action = 'mailpoet_token') {
return WPFunctions::get()->wpCreateNonce($action);
}
/** /**
* Generate random lowercase alphanumeric string. * Generate random lowercase alphanumeric string.
* 1 lowercase alphanumeric character = 6 bits (because log2(36) = 5.17) * 1 lowercase alphanumeric character = 6 bits (because log2(36) = 5.17)


@ -73,11 +73,15 @@ class APITest extends \MailPoetTest {
expect($api instanceof JSONAPI)->true(); expect($api instanceof JSONAPI)->true();
} }
); );
$wpStub = Stub::make(new WPFunctions, [
'wpVerifyNonce' => asCallable(function() {
return true;
})]);
$api = Stub::makeEmptyExcept( $api = Stub::makeEmptyExcept(
$this->api, $this->api,
'setupAjax', 'setupAjax',
[ [
'wp' => new WPFunctions, 'wp' => $wpStub,
'processRoute' => Stub::makeEmpty(new SuccessResponse), 'processRoute' => Stub::makeEmpty(new SuccessResponse),
'settings' => $this->container->get(SettingsController::class), 'settings' => $this->container->get(SettingsController::class),
] ]
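Review bot: The stubbed `wpVerifyNonce` returns true unconditionally, so this test no longer covers the path where a missing or invalid token yields the UNAUTHORIZED response; a companion case with `'wpVerifyNonce' => asCallable(function() { return false; })` asserting the error response would keep the verification branch under test. As far as the hunk shows nothing else exercises that branch, though a separate test may exist outside this diff. The enclosing test method starts before the hunk.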


@ -14,7 +14,6 @@ use MailPoet\Models\Subscriber as SubscriberModel;
use MailPoet\Settings\SettingsController; use MailPoet\Settings\SettingsController;
use MailPoet\Settings\SettingsRepository; use MailPoet\Settings\SettingsRepository;
use MailPoet\Subscription\Form; use MailPoet\Subscription\Form;
use MailPoet\Util\Security;
use MailPoet\Util\Url as UrlHelper; use MailPoet\Util\Url as UrlHelper;
use MailPoet\WP\Functions as WPFunctions; use MailPoet\WP\Functions as WPFunctions;
use MailPoetVendor\Idiorm\ORM; use MailPoetVendor\Idiorm\ORM;
@ -62,7 +61,7 @@ class FormTest extends \MailPoetTest {
'form_id' => $this->form->getId(), 'form_id' => $this->form->getId(),
$obfuscatedEmail => $this->testEmail, $obfuscatedEmail => $this->testEmail,
], ],
'token' => Security::generateToken(), 'token' => WPFunctions::get()->wpCreateNonce('mailpoet_token'),
'api_version' => 'v1', 'api_version' => 'v1',
'endpoint' => 'subscribers', 'endpoint' => 'subscribers',
'mailpoet_method' => 'subscribe', 'mailpoet_method' => 'subscribe',