Authentication
Authentication class.
Table of Contents
- allowed_cors_headers() : array<string|int, mixed>
- Add allowed cors headers for store API headers.
- check_authentication() : WP_Error|null|bool
- The Store API does not require authentication.
- exposed_cors_headers() : array<string|int, mixed>
- Expose Store API headers in CORS responses.
- init() : mixed
- Hook into WP lifecycle events. This is hooked by the StoreAPI class on `rest_api_init`.
- opt_in_checkout_endpoint() : WP_Error|null|bool
- Opt in to rate limiting for the checkout endpoint.
- send_cors_headers() : bool
- Add CORS headers to a response object.
- set_logged_in_cookie() : mixed
- When the login cookies are set, they are not available until the next page reload. For the Store API, specifically for returning updated nonces, we need this to be available immediately.
- apply_rate_limiting() : WP_Error|null|bool
- Applies Rate Limiting to the request, and passes through any errors from other authentication methods used before this one.
- get_cart_token() : string
- Gets the cart token from the request header.
- get_cart_token_secret() : string
- Gets the secret for the cart token using wp_salt.
- get_ip_address() : string
- Get current user IP Address.
- get_rate_limiting_id() : string
- Generates the request grouping identifier for the rate limiting.
- is_preflight() : bool
- Is the request a preflight request? Checks the request method.
- is_request_to_store_api() : bool
- Check if the request is to the Store API.
- validate_ip() : string
- Uses filter_var() to validate and return IPv4 and IPv6 addresses. Will return 0.0.0.0 if the IP is not valid. This is done to group and still rate limit invalid IPs.
Methods
allowed_cors_headers()
Add allowed cors headers for store API headers.
public
allowed_cors_headers(array<string|int, mixed> $allowed_headers) : array<string|int, mixed>
Parameters
- $allowed_headers : array<string|int, mixed> - Allowed headers.
Return values
array<string|int, mixed>

check_authentication()
The Store API does not require authentication.
public
check_authentication(WP_Error|mixed $result) : WP_Error|null|bool
Parameters
- $result : WP_Error|mixed - Error from another authentication handler, null if we should handle it, or another value if not.
Return values
WP_Error|null|bool

exposed_cors_headers()
Expose Store API headers in CORS responses.
public
exposed_cors_headers(array<string|int, mixed> $exposed_headers) : array<string|int, mixed>
We're explicitly exposing the Cart-Token, not the nonce. Only one of them is needed.
Parameters
- $exposed_headers : array<string|int, mixed> - Exposed headers.
Return values
array<string|int, mixed>

init()
Hook into WP lifecycle events. This is hooked by the StoreAPI class on `rest_api_init`.
public
init() : mixed
Return values
mixed

opt_in_checkout_endpoint()
Opt in to rate limiting for the checkout endpoint.
public
opt_in_checkout_endpoint(WP_Error|mixed $result) : WP_Error|null|bool
Parameters
- $result : WP_Error|mixed - Error from another authentication handler, null if we should handle it, or another value if not.
Return values
WP_Error|null|bool

send_cors_headers()
Add CORS headers to a response object.
public
send_cors_headers(bool $value, WP_REST_Server $server, WP_REST_Request $request) : bool
These checks prevent access to the Store API from non-allowed origins. By default, the WordPress REST API allows access from any origin. Because some Store API routes return PII, we need to add our own CORS headers.
Allowed origins can be changed using the WordPress allowed_http_origins or allowed_http_origin filters if access needs to be granted to other domains.
Users of valid Cart Tokens are also allowed access from any origin.
Parameters
- $value : bool - Whether the request has already been served.
- $server : WP_REST_Server - The REST server instance.
- $request : WP_REST_Request - The REST request instance.
Return values
bool

set_logged_in_cookie()
When the login cookies are set, they are not available until the next page reload. For the Store API, specifically for returning updated nonces, we need this to be available immediately.
public
set_logged_in_cookie(string $logged_in_cookie) : mixed
Parameters
- $logged_in_cookie : string - The value for the logged in cookie.
Return values
mixed

apply_rate_limiting()
Applies Rate Limiting to the request, and passes through any errors from other authentication methods used before this one.
protected
apply_rate_limiting(WP_Error|mixed $result) : WP_Error|null|bool
Parameters
- $result : WP_Error|mixed - Error from another authentication handler, null if we should handle it, or another value if not.
Return values
WP_Error|null|bool

get_cart_token()
Gets the cart token from the request header.
protected
get_cart_token(WP_REST_Request $request) : string
Parameters
- $request : WP_REST_Request - The REST request instance.
Return values
string

get_cart_token_secret()
Gets the secret for the cart token using wp_salt.
protected
get_cart_token_secret() : string
Return values
string

get_ip_address()
Get current user IP Address.
protected
static get_ip_address([bool $proxy_support = false ]) : string
X_REAL_IP and CLIENT_IP are custom implementations designed to facilitate obtaining a user's IP through proxies, load balancers etc.
X_FORWARDED_FOR (XFF) request header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through a proxy server. Note for X_FORWARDED_FOR: proxy servers can send through this header like this: X-Forwarded-For: client1, proxy1, proxy2. Make sure we always only send through the first IP in the list, which should always be the client IP. Documentation at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
Forwarded request header contains information that may be added by reverse proxy servers (load balancers, CDNs, and so on). Documentation at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded Full RFC at https://datatracker.ietf.org/doc/html/rfc7239
Parameters
- $proxy_support : bool = false - Enables/disables proxy support.
Return values
string

get_rate_limiting_id()
Generates the request grouping identifier for the rate limiting.
protected
static get_rate_limiting_id(bool $proxy_support) : string
Parameters
- $proxy_support : bool - Rate Limiting proxy support.
Return values
string

is_preflight()
Is the request a preflight request? Checks the request method.
protected
is_preflight() : bool
Return values
bool

is_request_to_store_api()
Check if the request is to the Store API.
protected
is_request_to_store_api() : bool
Return values
bool

validate_ip()
Uses filter_var() to validate and return IPv4 and IPv6 addresses. Will return 0.0.0.0 if the IP is not valid. This is done to group and still rate limit invalid IPs.
protected
static validate_ip(string $ip) : string
Parameters
- $ip : string - IPv4 or IPv6 IP string.
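Added example (not the Authentication class's own code) re-implementing the proxy-aware IP resolution documented under get_ip_address() and the 0.0.0.0 fallback documented under validate_ip(); the `example_` helper names and the sample `$_SERVER`-style arrays are constructed.

```php
<?php
// Added example, not the class's own code. Header names and the 0.0.0.0
// fallback follow the documented behaviour; helper names and sample data
// are constructed.

/** Return $ip if it is a valid IPv4/IPv6 address, else 0.0.0.0 so that
 *  invalid values still share one rate-limit bucket. */
function example_validate_ip( string $ip ): string {
    $ip = trim( $ip );
    return filter_var( $ip, FILTER_VALIDATE_IP ) !== false ? $ip : '0.0.0.0';
}

/** Resolve the client IP. Forwarded headers are set by the client unless a
 *  trusted proxy overwrites them, so they are consulted only when
 *  $proxy_support is true (the documented default is false). */
function example_get_ip_address( array $server, bool $proxy_support = false ): string {
    if ( ! $proxy_support ) {
        return example_validate_ip( $server['REMOTE_ADDR'] ?? '' );
    }
    if ( ! empty( $server['HTTP_X_REAL_IP'] ) ) {
        return example_validate_ip( $server['HTTP_X_REAL_IP'] );
    }
    if ( ! empty( $server['HTTP_CLIENT_IP'] ) ) {
        return example_validate_ip( $server['HTTP_CLIENT_IP'] );
    }
    if ( ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        // "client1, proxy1, proxy2": only the first entry is the client.
        $first = explode( ',', $server['HTTP_X_FORWARDED_FOR'] )[0];
        return example_validate_ip( $first );
    }
    if ( ! empty( $server['HTTP_FORWARDED'] ) ) {
        // RFC 7239, e.g. Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
        // IPv6 values are quoted and bracketed: for="[2001:db8::1]:4711".
        // A quoted IPv4 with a port is not unwrapped here and falls to 0.0.0.0.
        if ( preg_match( '/for=("?\[?)([^\];,"]+)/i', $server['HTTP_FORWARDED'], $m ) ) {
            return example_validate_ip( $m[2] );
        }
    }
    return example_validate_ip( $server['REMOTE_ADDR'] ?? '' );
}

// Constructed sample requests.
$direct  = [ 'REMOTE_ADDR' => '203.0.113.5' ];
$proxied = [ 'REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.2' ];
$garbage = [ 'REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_REAL_IP' => 'not-an-ip' ];

var_dump( example_get_ip_address( $direct ) );
var_dump( example_get_ip_address( $proxied ) );        // proxy headers ignored by default
var_dump( example_get_ip_address( $proxied, true ) );  // first XFF entry is used
var_dump( example_get_ip_address( $garbage, true ) );  // invalid value falls back to 0.0.0.0
```

With proxy support off, the forwarded headers in the second request are ignored and only REMOTE_ADDR counts, which is why the documented default is false unless the site sits behind a proxy it controls.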