Check for store api rest route in parameter (#7558)

Automattic · Nov 2, 2023 · 69d222b · 69d222b
1 parent 45b8d13
commit 69d222b
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 5 deletions.
diff --git a/changelog/fix-woopay-session-handler-permalinks b/changelog/fix-woopay-session-handler-permalinks
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Fix WooPay session handler's Store API route checks.
diff --git a/includes/woopay/class-woopay-session.php b/includes/woopay/class-woopay-session.php
@@ -535,9 +535,13 @@ private static function get_woopay_verified_email_address() {
 	 * @return bool True if request is a Store API request, false otherwise.
 	 */
 	private static function is_store_api_request(): bool {
-		$url_parts    = wp_parse_url( esc_url_raw( $_SERVER['REQUEST_URI'] ?? '' ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash
-		$request_path = rtrim( $url_parts['path'], '/' );
-		$rest_route   = str_replace( trailingslashit( rest_get_url_prefix() ), '', $request_path );
+		if ( isset( $_REQUEST['rest_route'] ) ) {
+			$rest_route = sanitize_text_field( $_REQUEST['rest_route'] );
+		} else {
+			$url_parts    = wp_parse_url( esc_url_raw( $_SERVER['REQUEST_URI'] ?? '' ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash
+			$request_path = rtrim( $url_parts['path'], '/' );
+			$rest_route   = str_replace( trailingslashit( rest_get_url_prefix() ), '', $request_path );
+		}
 
 		foreach ( self::STORE_API_ROUTE_PATTERNS as $pattern ) {
 			if ( 1 === preg_match( $pattern, $rest_route ) ) {

diff --git a/tests/unit/woopay/test-class-woopay-session.php b/tests/unit/woopay/test-class-woopay-session.php
@@ -53,10 +53,15 @@ public function set_up() {
 		$this->mock_customer_service     = $this->createMock( WC_Payments_Customer_Service::class );
 		$this->original_customer_service = WC_Payments::get_customer_service();
 		WC_Payments::set_customer_service( $this->mock_customer_service );
+
+		add_filter( 'wcpay_woopay_is_signed_with_blog_token', '__return_true' );
 	}
 
 	public function tear_down() {
 		WC_Payments::set_customer_service( $this->original_customer_service );
+
+		wp_set_current_user( 0 );
+
 		parent::tear_down();
 	}
 
@@ -100,8 +105,6 @@ public function test_get_user_id_from_cart_token_with_logged_in_user() {
 		$this->setup_adapted_extensions();
 
 		$this->assertEquals( WooPay_Session::get_user_id_from_cart_token(), $user->ID );
-
-		wp_set_current_user( 0 );
 	}
 
 	public function test_get_user_id_from_cart_token_with_verified_user_email_address_header_without_email_in_session() {
@@ -269,6 +272,61 @@ public function test_session_currency_not_set_for_multi_currency_disabled() {
 		WC()->session->set( MultiCurrency::CURRENCY_SESSION_KEY, null );
 	}
 
+	public function test_determine_current_user_is_request_woopay_false() {
+		$_SERVER['HTTP_USER_AGENT'] = 'NotWooPay';
+
+		$guest_user  = 0;
+		$woopay_user = self::factory()->user->create_and_get();
+
+		$this->assertEquals( WooPay_Session::determine_current_user_for_woopay( $guest_user ), 0 );
+	}
+
+	public function test_determine_current_user_is_store_api_request_false() {
+		$_SERVER['REQUEST_URI'] = '/another/store/url';
+
+		$guest_user  = 0;
+		$woopay_user = self::factory()->user->create_and_get();
+
+		$this->assertEquals( WooPay_Session::determine_current_user_for_woopay( $guest_user ), 0 );
+	}
+
+	public function test_determine_current_user_is_store_api_request_true_using_uri() {
+		$guest_user  = 0;
+		$woopay_user = self::factory()->user->create_and_get();
+
+		wp_set_current_user( $woopay_user->ID );
+
+		$woopay_store_api_token   = WooPay_Store_Api_Token::init();
+		$authenticated_cart_token = $woopay_store_api_token->get_cart_token();
+
+		$_SERVER['HTTP_CART_TOKEN'] = $authenticated_cart_token;
+
+		$this->setup_session( $woopay_user->ID );
+
+		$this->assertEquals( WooPay_Session::determine_current_user_for_woopay( $guest_user ), $woopay_user->ID );
+	}
+
+	public function test_determine_current_user_is_store_api_request_true_using_rest_route_parameter() {
+		$_SERVER['REQUEST_URI'] = '/index.php';
+		$_REQUEST['rest_route'] = '/wc/store/v1/checkout';
+
+		$guest_user  = 0;
+		$woopay_user = self::factory()->user->create_and_get();
+
+		wp_set_current_user( $woopay_user->ID );
+
+		$woopay_store_api_token   = WooPay_Store_Api_Token::init();
+		$authenticated_cart_token = $woopay_store_api_token->get_cart_token();
+
+		$_SERVER['HTTP_CART_TOKEN'] = $authenticated_cart_token;
+
+		$this->setup_session( $woopay_user->ID );
+
+		$this->assertEquals( WooPay_Session::determine_current_user_for_woopay( $guest_user ), $woopay_user->ID );
+
+		unset( $_REQUEST['rest_route'] );
+	}
+
 	private function setup_session( $customer_id, $customer_email = null ) {
 		$session_handler = new SessionHandler();