From 69d222b99d9f728cd15adb63c02e52299e7a2a72 Mon Sep 17 00:00:00 2001
From: Brian Borman <68524302+bborman22@users.noreply.github.com>
Date: Thu, 2 Nov 2023 10:26:29 -0400
Subject: [PATCH] Check for store api rest route in parameter (#7558)

---
 .../fix-woopay-session-handler-permalinks | 4 ++
 includes/woopay/class-woopay-session.php | 10 ++-
 .../unit/woopay/test-class-woopay-session.php | 62 ++++++++++++++++++-
 3 files changed, 71 insertions(+), 5 deletions(-)
 create mode 100644 changelog/fix-woopay-session-handler-permalinks

diff --git a/changelog/fix-woopay-session-handler-permalinks b/changelog/fix-woopay-session-handler-permalinks
new file mode 100644
index 00000000000..f26eea765a0
--- /dev/null
+++ b/changelog/fix-woopay-session-handler-permalinks
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Fix WooPay session handler's Store API route checks.
diff --git a/includes/woopay/class-woopay-session.php b/includes/woopay/class-woopay-session.php
index f4ec84b3d15..c07fa70601f 100644
--- a/includes/woopay/class-woopay-session.php
+++ b/includes/woopay/class-woopay-session.php
@@ -535,9 +535,13 @@ private static function get_woopay_verified_email_address() {
 	 * @return bool True if request is a Store API request, false otherwise.
 	 */
 	private static function is_store_api_request(): bool {
-		$url_parts = wp_parse_url( esc_url_raw( $_SERVER['REQUEST_URI'] ?? '' ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash
-		$request_path = rtrim( $url_parts['path'], '/' );
-		$rest_route = str_replace( trailingslashit( rest_get_url_prefix() ), '', $request_path );
+		if ( isset( $_REQUEST['rest_route'] ) ) {
+			$rest_route = sanitize_text_field( $_REQUEST['rest_route'] );
+		} else {
+			$url_parts = wp_parse_url( esc_url_raw( $_SERVER['REQUEST_URI'] ?? '' ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash
+			$request_path = rtrim( $url_parts['path'], '/' );
+			$rest_route = str_replace( trailingslashit( rest_get_url_prefix() ), '', $request_path );
+		}
 
 		foreach ( self::STORE_API_ROUTE_PATTERNS as $pattern ) {
 			if ( 1 === preg_match( $pattern, $rest_route ) ) {
diff --git a/tests/unit/woopay/test-class-woopay-session.php b/tests/unit/woopay/test-class-woopay-session.php
index f17c094f192..f15f32412ae 100644
--- a/tests/unit/woopay/test-class-woopay-session.php
+++ b/tests/unit/woopay/test-class-woopay-session.php
@@ -53,10 +53,15 @@ public function set_up() {
 		$this->mock_customer_service = $this->createMock( WC_Payments_Customer_Service::class );
 		$this->original_customer_service = WC_Payments::get_customer_service();
 		WC_Payments::set_customer_service( $this->mock_customer_service );
+
+		add_filter( 'wcpay_woopay_is_signed_with_blog_token', '__return_true' );
 	}
 
 	public function tear_down() {
 		WC_Payments::set_customer_service( $this->original_customer_service );
+
+		wp_set_current_user( 0 );
+
 		parent::tear_down();
 	}
 
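Review bot: The new `rest_route` branch reads `$_REQUEST['rest_route']` without `wp_unslash()` and accepts it regardless of what the request URI is, whereas WordPress core dispatches REST requests from the `rest_route` query var populated from GET/POST; `$_REQUEST` may additionally contain cookie values depending on PHP's `request_order`, so a stray `rest_route` cookie could make every request in a session look like a Store API call and widen where the cart-token identity lookup is honoured. Reading the explicit sources and unslashing, e.g. `if ( isset( $_GET['rest_route'] ) || isset( $_POST['rest_route'] ) )` followed by `$rest_route = sanitize_text_field( wp_unslash( $_GET['rest_route'] ?? $_POST['rest_route'] ) );`, narrows this to what core itself accepts (reading superglobals rather than `$GLOBALS['wp']->query_vars` is understandable if this hook can run before `WP::parse_request`). The URI branch also trims a trailing slash before matching, but the parameter branch passes the value to `preg_match` as-is, so whether `/wc/store/v1/checkout/` matches depends on STORE_API_ROUTE_PATTERNS tolerating it; applying the same `rtrim( …, '/' )` keeps both paths consistent. The removed phpcs:ignore for MissingUnslash on the old line suggests the linter will flag the new read as well. The body of `is_store_api_request()` continues past the end of the hunk.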
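Review bot: `tear_down()` now resets the current user but leaves the request superglobals that the new tests later in this patch write (`$_SERVER['REQUEST_URI']`, `$_SERVER['HTTP_USER_AGENT']`, `$_SERVER['HTTP_CART_TOKEN']`, `$_REQUEST['rest_route']`) in place; only `rest_route` is cleaned up, and only by an `unset()` at the end of one test, so a failing assertion before it leaks the value into every subsequent test and makes the route-detection tests order-dependent. Adding `unset( $_SERVER['REQUEST_URI'], $_SERVER['HTTP_USER_AGENT'], $_SERVER['HTTP_CART_TOKEN'], $_REQUEST['rest_route'] );` next to `wp_set_current_user( 0 );` here centralises the reset in the same way the current-user reset was just centralised.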
@@ -100,8 +105,6 @@ public function test_get_user_id_from_cart_token_with_logged_in_user() {
 		$this->setup_adapted_extensions();
 
 		$this->assertEquals( WooPay_Session::get_user_id_from_cart_token(), $user->ID );
-
-		wp_set_current_user( 0 );
 	}
 
 	public function test_get_user_id_from_cart_token_with_verified_user_email_address_header_without_email_in_session() {
@@ -269,6 +272,61 @@ public function test_session_currency_not_set_for_multi_currency_disabled() {
 		WC()->session->set( MultiCurrency::CURRENCY_SESSION_KEY, null );
 	}
 
+	public function test_determine_current_user_is_request_woopay_false() {
+		$_SERVER['HTTP_USER_AGENT'] = 'NotWooPay';
+
+		$guest_user = 0;
+		$woopay_user = self::factory()->user->create_and_get();
+
+		$this->assertEquals( WooPay_Session::determine_current_user_for_woopay( $guest_user ), 0 );
+	}
+
+	public function test_determine_current_user_is_store_api_request_false() {
+		$_SERVER['REQUEST_URI'] = '/another/store/url';
+
+		$guest_user = 0;
+		$woopay_user = self::factory()->user->create_and_get();
+
+		$this->assertEquals( WooPay_Session::determine_current_user_for_woopay( $guest_user ), 0 );
+	}
+
+	public function test_determine_current_user_is_store_api_request_true_using_uri() {
+		$guest_user = 0;
+		$woopay_user = self::factory()->user->create_and_get();
+
+		wp_set_current_user( $woopay_user->ID );
+
+		$woopay_store_api_token = WooPay_Store_Api_Token::init();
+		$authenticated_cart_token = $woopay_store_api_token->get_cart_token();
+
+		$_SERVER['HTTP_CART_TOKEN'] = $authenticated_cart_token;
+
+		$this->setup_session( $woopay_user->ID );
+
+		$this->assertEquals( WooPay_Session::determine_current_user_for_woopay( $guest_user ), $woopay_user->ID );
+	}
+
+	public function test_determine_current_user_is_store_api_request_true_using_rest_route_parameter() {
+		$_SERVER['REQUEST_URI'] = '/index.php';
+		$_REQUEST['rest_route'] = '/wc/store/v1/checkout';
+
+		$guest_user = 0;
+		$woopay_user = self::factory()->user->create_and_get();
+
+		wp_set_current_user( $woopay_user->ID );
+
+		$woopay_store_api_token = WooPay_Store_Api_Token::init();
+		$authenticated_cart_token = $woopay_store_api_token->get_cart_token();
+
+		$_SERVER['HTTP_CART_TOKEN'] = $authenticated_cart_token;
+
+		$this->setup_session( $woopay_user->ID );
+
+		$this->assertEquals( WooPay_Session::determine_current_user_for_woopay( $guest_user ), $woopay_user->ID );
+
+		unset( $_REQUEST['rest_route'] );
+	}
+
 	private function setup_session( $customer_id, $customer_email = null ) {
 		$session_handler = new SessionHandler();