Authentication
in package
Authentication class.
Table of Contents
- allowed_cors_headers() : array<string|int, mixed>
- Add allowed cors headers for store API headers.
- check_authentication() : WP_Error|null|bool
- The Store API does not require authentication.
- init() : mixed
- Hook into WP lifecycle events. This is hooked by the StoreAPI class on `rest_api_init`.
- send_cors_headers() : bool
- Add CORS headers to a response object.
- set_logged_in_cookie() : mixed
- When the login cookies are set, they are not available until the next page reload. For the Store API, specifically for returning updated nonces, we need this to be available immediately.
- apply_rate_limiting() : WP_Error|null|bool
- Applies Rate Limiting to the request, and passes through any errors from other authentication methods used before this one.
- get_cart_token_secret() : string
- Gets the secret for the cart token using wp_salt.
- get_ip_address() : string
- Get current user IP Address.
- has_valid_cart_token() : bool
- Checks if we're using a cart token to access the Store API.
- is_preflight() : bool
- Is the request a preflight request? Checks the request method.
- is_request_to_store_api() : bool
- Check if the request is to the Store API.
- validate_ip() : string
- Uses filter_var() to validate and return IPv4 and IPv6 addresses. Will return 0.0.0.0 if the IP is not valid. This is done to group and still rate limit invalid IPs.
Methods
allowed_cors_headers()
Add allowed cors headers for store API headers.
public
allowed_cors_headers(array<string|int, mixed> $allowed_headers) : array<string|int, mixed>
Parameters
- $allowed_headers : array<string|int, mixed>
-
Allowed headers.
Return values
array<string|int, mixed>
check_authentication()
The Store API does not require authentication.
public
check_authentication(WP_Error|mixed $result) : WP_Error|null|bool
Parameters
- $result : WP_Error|mixed
-
Error from another authentication handler, null if we should handle it, or another value if not.
Return values
WP_Error|null|bool
init()
Hook into WP lifecycle events. This is hooked by the StoreAPI class on `rest_api_init`.
public
init() : mixed
Return values
mixed
send_cors_headers()
Add CORS headers to a response object.
public
send_cors_headers(bool $value, WP_HTTP_Response $result, WP_REST_Request $request) : bool
These checks prevent access to the Store API from non-allowed origins. By default, the WordPress REST API allows access from any origin. Because some Store API routes return PII, we need to add our own CORS headers.
Allowed origins can be changed using the WordPress allowed_http_origins or allowed_http_origin filters if access needs to be granted to other domains.
Users of valid Cart Tokens are also allowed access from any origin.
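The two filters named above, shown in a weak and a corrected form. This is an added example and not WooCommerce's own code; the storefront hostname https://shop.example and the function names are assumptions for illustration. WordPress's is_allowed_http_origin() compares the request's Origin header against get_allowed_http_origins() (filtered by allowed_http_origins) and then passes the result through allowed_http_origin, where an empty string means "not allowed".

```php
<?php
// Added example (not WooCommerce's own code) of adjusting the origins the Store API
// will answer with CORS headers, via the two WordPress filters named above.
// The storefront hostname https://shop.example is an assumption for illustration.

// WEAK (shown for contrast, deliberately NOT hooked): returning the raw origin makes
// every origin allowed. Store API routes that return PII would become readable from
// any site a logged-in shopper visits, which is what the checks in send_cors_headers()
// exist to stop. Registering this with
//   add_filter( 'allowed_http_origin', 'example_cors_allow_everything', 10, 2 );
// is equivalent to Access-Control-Allow-Origin: <whatever the attacker sends>.
function example_cors_allow_everything( string $origin, string $origin_arg ): string {
    // $origin is '' when WordPress has already rejected the origin; echoing
    // $origin_arg back overrides that decision for everyone.
    return $origin_arg;
}

// CORRECTED: add only the exact scheme + host (+ port) of the trusted storefront.
// Matching is on the full origin string, so 'https://shop.example' does not cover
// 'http://shop.example' or 'https://shop.example:8443'; list each variant you need.
function example_cors_allow_storefront( array $origins ): array {
    $origins[] = 'https://shop.example';
    return array_values( array_unique( $origins ) );
}
add_filter( 'allowed_http_origins', 'example_cors_allow_storefront' );
```

Keep the allow-list to origins you operate: the Store API still applies its own nonce and cart-token checks, but the origin check is what keeps PII-returning routes unreadable from arbitrary sites. As the page notes, requests carrying a valid cart token are exempt from the origin check, so a headless client that authenticates that way does not need to be on the list at all.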
Parameters
- $value : bool
-
Whether the request has already been served.
- $result : WP_HTTP_Response
-
Result to send to the client. Usually a WP_REST_Response.
- $request : WP_REST_Request
-
Request used to generate the response.
Return values
bool
set_logged_in_cookie()
When the login cookies are set, they are not available until the next page reload. For the Store API, specifically for returning updated nonces, we need this to be available immediately.
public
set_logged_in_cookie(string $logged_in_cookie) : mixed
Parameters
- $logged_in_cookie : string
-
The value for the logged in cookie.
Return values
mixed
apply_rate_limiting()
Applies Rate Limiting to the request, and passes through any errors from other authentication methods used before this one.
protected
apply_rate_limiting(WP_Error|mixed $result) : WP_Error|null|bool
Parameters
- $result : WP_Error|mixed
-
Error from another authentication handler, null if we should handle it, or another value if not.
Return values
WP_Error|null|bool
get_cart_token_secret()
Gets the secret for the cart token using wp_salt.
protected
get_cart_token_secret() : string
Return values
string
get_ip_address()
Get current user IP Address.
protected
static get_ip_address([bool $proxy_support = false ]) : string
X_REAL_IP and CLIENT_IP are custom implementations designed to facilitate obtaining a user's IP through proxies, load balancers etc.

X_FORWARDED_FOR (XFF) is a de-facto standard request header for identifying the originating IP address of a client connecting to a web server through a proxy server. Proxy servers can send this header as a list: X-Forwarded-For: client1, proxy1, proxy2. Make sure we always only use the first IP in the list, which should be the client IP. Documentation at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

The Forwarded request header contains information that may be added by reverse proxy servers (load balancers, CDNs, and so on). Documentation at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded Full RFC at https://datatracker.ietf.org/doc/html/rfc7239

These headers are only consulted when $proxy_support is enabled. They are set by whoever sends the request, so unless a trusted proxy in front of the site overwrites them, a client can choose its own reported address.
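A stand-alone re-implementation of the behaviour described above, added here as an example and not WooCommerce's own code: header lookup, first-hop-only XFF handling, RFC 7239 Forwarded parsing, fall-through to REMOTE_ADDR, and normalisation of invalid input to 0.0.0.0 as validate_ip() does. The header precedence order and the function names are assumptions; $server stands in for $_SERVER so the code can be run offline against constructed requests.

```php
<?php
// Added example, not WooCommerce's own code. Re-implements the documented behaviour of
// get_ip_address()/validate_ip(); header precedence and function names are assumptions.

function example_validate_ip( string $ip ): string {
    $ip = trim( $ip );
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6 ) !== false ) {
        return $ip;
    }
    // Invalid or obfuscated values collapse into one bucket so they are still rate limited.
    return '0.0.0.0';
}

function example_get_ip_address( array $server, bool $proxy_support = false ): string {
    // With proxy support off, only the TCP peer is trusted. Anything carried in HTTP
    // headers is attacker-controlled and ignored.
    if ( ! $proxy_support ) {
        return example_validate_ip( $server['REMOTE_ADDR'] ?? '' );
    }
    if ( ! empty( $server['HTTP_X_REAL_IP'] ) ) {
        return example_validate_ip( $server['HTTP_X_REAL_IP'] );
    }
    if ( ! empty( $server['HTTP_CLIENT_IP'] ) ) {
        return example_validate_ip( $server['HTTP_CLIENT_IP'] );
    }
    if ( ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        // "client, proxy1, proxy2": only the first element is the originating client.
        $hops = explode( ',', $server['HTTP_X_FORWARDED_FOR'] );
        return example_validate_ip( $hops[0] );
    }
    if ( ! empty( $server['HTTP_FORWARDED'] ) ) {
        // RFC 7239 forms: for=203.0.113.7;proto=https, for="[2001:db8::1]:4711", for=_hidden
        // Take the first "for=" pair; IPv6 is quoted and bracketed, optionally with a port.
        // Obfuscated identifiers like _hidden are captured and then rejected by validation.
        if ( preg_match( '/for="?\[?([a-z0-9_.:-]+?)\]?(?::\d+)?"?(?:;|,|$)/i', $server['HTTP_FORWARDED'], $m ) ) {
            return example_validate_ip( $m[1] );
        }
    }
    return example_validate_ip( $server['REMOTE_ADDR'] ?? '' );
}

// Constructed sample requests (not captured traffic). The TCP peer is the proxy
// 203.0.113.7 in every case; the headers claim the client is somewhere else.
$samples = [
    'xff'       => [ 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.99, 203.0.113.7' ],
    'forwarded' => [ 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_FORWARDED' => 'for="[2001:db8::1]:4711";proto=https, for=203.0.113.7' ],
    'hidden'    => [ 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_FORWARDED' => 'for=_hidden, for=203.0.113.7' ],
    'garbage'   => [ 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_REAL_IP' => "not-an-ip' OR 1=1" ],
];
foreach ( $samples as $name => $server ) {
    printf(
        "%-9s proxy off: %-12s proxy on: %s\n",
        $name,
        example_get_ip_address( $server, false ),
        example_get_ip_address( $server, true )
    );
}
```

Run it and compare the two columns: with proxy support off every request maps to the peer address, and with it on the first forwarded hop wins while unparseable values fall into the shared 0.0.0.0 bucket. Enable proxy support only when a trusted reverse proxy sits in front of PHP and overwrites these headers; otherwise any client can pick its own rate-limit bucket, or push a flood of garbage headers into the single 0.0.0.0 bucket and starve legitimate traffic that also lands there.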
Parameters
- $proxy_support : bool = false
-
Enables/disables proxy support.
Return values
string
has_valid_cart_token()
Checks if we're using a cart token to access the Store API.
protected
has_valid_cart_token(WP_REST_Request $request) : bool
Parameters
- $request : WP_REST_Request
-
Request object.
Return values
bool
is_preflight()
Is the request a preflight request? Checks the request method.
protected
is_preflight() : bool
Return values
bool
is_request_to_store_api()
Check if the request is to the Store API.
protected
is_request_to_store_api() : bool
Return values
bool
validate_ip()
Uses filter_var() to validate and return IPv4 and IPv6 addresses. Will return 0.0.0.0 if the IP is not valid. This is done to group and still rate limit invalid IPs.
protected
static validate_ip(string $ip) : string
Parameters
- $ip : string
-
IPv4 or IPv6 address string.