WC_REST_Authentication
REST API authentication class.
Table of Contents
- $auth_method : string
- Current auth method.
- $error : WP_Error
- Authentication error.
- $user : stdClass
- Logged in user data.
- __construct() : mixed
- Initialize authentication actions.
- authenticate() : int|false
- Authenticate user.
- authentication_fallback() : WP_Error|null|bool
- Authenticate the user if authentication wasn't performed during the determine_current_user action.
- check_authentication_error() : WP_Error|null|bool
- Check for authentication error.
- check_user_permissions() : mixed
- Check for user permissions and register last access.
- get_authorization_header() : string
- Get the authorization header.
- get_oauth_parameters() : array<string|int, mixed>|WP_Error
- Get oAuth parameters from $_GET, $_POST or request header.
- parse_header() : array<string|int, mixed>
- Parse the Authorization header into parameters.
- send_unauthorized_headers() : WP_REST_Response
- If the consumer_key and consumer_secret $_GET parameters are NOT provided and the Basic auth headers are either not present or the consumer secret does not match the consumer key provided, then return the correct Basic headers and an error message.
- get_error() : WP_Error|null
- Get authentication error.
- is_request_to_rest_api() : bool
- Check if the request is to our REST API.
- set_error() : mixed
- Set authentication error.
- check_oauth_signature() : true|WP_Error
- Verify that the consumer-provided request signature matches our generated signature; this ensures the consumer has a valid key/secret.
- check_oauth_timestamp_and_nonce() : bool|WP_Error
- Verify that the timestamp and nonce provided with the request are valid. This prevents replay attacks where an attacker could attempt to re-send an intercepted request at a later time.
- check_permissions() : bool|WP_Error
- Check that the API keys provided have the proper key-specific permissions to either read or write API resources.
- get_user_data_by_consumer_key() : array<string|int, mixed>
- Return the user data for the given consumer_key.
- join_with_equals_sign() : string
- Creates an array of urlencoded strings out of each array key/value pair.
- normalize_parameters() : array<string|int, mixed>
- Normalize each parameter by assuming it may already have been encoded: decode it, then re-encode it according to RFC 3986.
- perform_basic_authentication() : int|bool
- Basic Authentication.
- perform_oauth_authentication() : int|bool
- Perform OAuth 1.0a "one-legged" (http://oauthbible.com/#oauth-10a-one-legged) authentication for non-SSL requests.
- update_last_access() : void
- Updates the `last_access` field for the API key associated with the current request.
Properties
$auth_method
Current auth method.
protected string $auth_method = ''
$error
Authentication error.
protected WP_Error $error = null
$user
Logged in user data.
protected stdClass $user = null
Methods
__construct()
Initialize authentication actions.
public
__construct() : mixed
Return values
mixed
authenticate()
Authenticate user.
public
authenticate(int|false $user_id) : int|false
Parameters
- $user_id : int|false
  User ID if one has been determined, false otherwise.
Return values
int|false
authentication_fallback()
Authenticate the user if authentication wasn't performed during the determine_current_user action.
public
authentication_fallback(WP_Error|null|bool $error) : WP_Error|null|bool
Necessary in cases where wp_get_current_user() is called before WooCommerce is loaded.
Parameters
- $error : WP_Error|null|bool
  Error data.
Return values
WP_Error|null|bool
check_authentication_error()
Check for authentication error.
public
check_authentication_error(WP_Error|null|bool $error) : WP_Error|null|bool
Parameters
- $error : WP_Error|null|bool
  Error data.
Return values
WP_Error|null|bool
check_user_permissions()
Check for user permissions and register last access.
public
check_user_permissions(mixed $result, WP_REST_Server $server, WP_REST_Request $request) : mixed
Parameters
- $result : mixed
  Response to replace the requested version with.
- $server : WP_REST_Server
  Server instance.
- $request : WP_REST_Request
  Request used to generate the response.
Return values
mixed
get_authorization_header()
Get the authorization header.
public
get_authorization_header() : string
On certain systems and configurations, the Authorization header will be stripped out by the server or PHP. Typically this is then used to generate PHP_AUTH_USER/PHP_AUTH_PASS but not passed on. We use getallheaders here to try and grab it out instead.
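The lookup chain described above, written out as an added example that is not WooCommerce's own code: it walks the usual `$_SERVER` keys (including the `REDIRECT_` variant Apache sets when a rewrite rule forwards the header), falls back to `getallheaders()` where that function exists, and then parses an OAuth-scheme header into a parameter map the way `parse_header()` is documented to. The function names, the `$server`/`$all_headers` injection and the sample header are assumptions made for the example.

```php
<?php
// Added example, not WooCommerce's own code: recover the Authorization header
// when the server or PHP has dropped it from $_SERVER, then parse an OAuth 1.0a
// header into a parameter map. All function names here are assumptions.

/**
 * Return the raw Authorization header value, or '' if it cannot be found.
 * $server is normally $_SERVER; $all_headers is normally 'getallheaders',
 * which only exists under Apache/FastCGI, so the caller checks for it first.
 */
function example_get_authorization_header(array $server, ?callable $all_headers = null): string
{
    // Apache sets REDIRECT_HTTP_AUTHORIZATION when a rewrite rule forwards the header.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            return trim((string) $server[$key]);
        }
    }
    if ($all_headers !== null) {
        // Header names are case-insensitive, so match on a lowercased copy.
        foreach ($all_headers() as $name => $value) {
            if (strtolower((string) $name) === 'authorization') {
                return trim((string) $value);
            }
        }
    }
    return '';
}

/**
 * Parse `OAuth oauth_consumer_key="...", oauth_signature="..."` into a map.
 * Only oauth_* parameters are kept (realm is ignored) and values are
 * percent-decoded as RFC 5849 section 3.5.1 requires.
 */
function example_parse_oauth_header(string $header): array
{
    if (stripos($header, 'OAuth ') !== 0) {
        return []; // not an OAuth scheme header (Basic, Bearer, ...)
    }
    $params = [];
    if (preg_match_all('/(oauth_[a-z_]+)="([^"]*)"/i', substr($header, 6), $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            $params[$m[1]] = rawurldecode($m[2]);
        }
    }
    return $params;
}

// Constructed sample request: the header only survived in the REDIRECT_ variant.
$sample_server = [
    'REDIRECT_HTTP_AUTHORIZATION' => 'OAuth realm="example", '
        . 'oauth_consumer_key="ck_example", oauth_signature_method="HMAC-SHA256", '
        . 'oauth_timestamp="1700000000", oauth_nonce="A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6", '
        . 'oauth_signature="a%2Fb%3D"',
];
$header = example_get_authorization_header(
    $sample_server,
    function_exists('getallheaders') ? 'getallheaders' : null
);
print_r(example_parse_oauth_header($header));
```

Passing `$server` and the header callback in as arguments keeps the lookup testable outside a web request; in production they would simply be `$_SERVER` and `'getallheaders'`.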
Return values
string — Authorization header if set.
get_oauth_parameters()
Get oAuth parameters from $_GET, $_POST or request header.
public
get_oauth_parameters() : array<string|int, mixed>|WP_Error
Return values
array<string|int, mixed>|WP_Error
parse_header()
Parse the Authorization header into parameters.
public
parse_header(string $header) : array<string|int, mixed>
Parameters
- $header : string
  Authorization header value (not including "Authorization: " prefix).
Return values
array<string|int, mixed> — Map of parameter values.
send_unauthorized_headers()
If the consumer_key and consumer_secret $_GET parameters are NOT provided and the Basic auth headers are either not present or the consumer secret does not match the consumer key provided, then return the correct Basic headers and an error message.
public
send_unauthorized_headers(WP_REST_Response $response) : WP_REST_Response
Parameters
- $response : WP_REST_Response
  Current response being served.
Return values
WP_REST_Response
get_error()
Get authentication error.
protected
get_error() : WP_Error|null
Return values
WP_Error|null
is_request_to_rest_api()
Check if the request is to our REST API.
protected
is_request_to_rest_api() : bool
Return values
bool
set_error()
Set authentication error.
protected
set_error(WP_Error $error) : mixed
Parameters
- $error : WP_Error
  Authentication error data.
Return values
mixed
check_oauth_signature()
Verify that the consumer-provided request signature matches our generated signature; this ensures the consumer has a valid key/secret.
private
check_oauth_signature(stdClass $user, array<string|int, mixed> $params) : true|WP_Error
Parameters
- $user : stdClass
  User data.
- $params : array<string|int, mixed>
  The request parameters.
Return values
true|WP_Error
check_oauth_timestamp_and_nonce()
Verify that the timestamp and nonce provided with the request are valid. This prevents replay attacks where an attacker could attempt to re-send an intercepted request at a later time.
private
check_oauth_timestamp_and_nonce(stdClass $user, int $timestamp, string $nonce) : bool|WP_Error
- A timestamp is valid if it is within 15 minutes of now.
- A nonce is valid if it has not been used within the last 15 minutes.
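The two rules above as an added example (not WooCommerce's own code): the timestamp must fall within a 15-minute window either side of the server clock, and a nonce is rejected if the same user already presented it inside that window. The nonce store here is a plain in-memory array, and the class and method names are assumptions; a real deployment persists seen nonces per API key so the check survives across requests and PHP workers.

```php
<?php
// Added example, not WooCommerce's own code: replay protection with a 15-minute
// timestamp window and a per-user nonce store. Names are assumptions; the
// in-memory store stands in for whatever persistence the real plugin uses.

final class ExampleNonceStore
{
    private const WINDOW_SECONDS = 15 * 60;

    /** @var array<int, array<string, int>> user_id => [nonce => time first seen] */
    private array $seen = [];

    /**
     * Returns null when the request is acceptable, otherwise a short reason.
     * $now is injected so the check is deterministic in tests.
     */
    public function check_and_record(int $user_id, int $timestamp, string $nonce, int $now): ?string
    {
        // Rule 1: the client's timestamp must be within 15 minutes of our clock,
        // in either direction, so a captured request cannot be replayed later.
        if (abs($now - $timestamp) > self::WINDOW_SECONDS) {
            return 'Invalid timestamp';
        }

        // The nonce format the class documents: 32 alphanumeric characters.
        if (!preg_match('/^[A-Za-z0-9]{32}$/', $nonce)) {
            return 'Invalid nonce';
        }

        // Expire nonces older than the window so the store stays bounded; anything
        // older would already fail rule 1, so it can never be replayed anyway.
        $this->seen[$user_id] = array_filter(
            $this->seen[$user_id] ?? [],
            fn (int $first_seen): bool => ($now - $first_seen) <= self::WINDOW_SECONDS
        );

        // Rule 2: the same user may not reuse a nonce inside the window.
        if (isset($this->seen[$user_id][$nonce])) {
            return 'Invalid nonce - used already';
        }

        $this->seen[$user_id][$nonce] = $now;
        return null;
    }
}

// Constructed requests from user 7 against a fixed "now".
$store = new ExampleNonceStore();
$now   = 1700000000;
$nonce = 'A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6';

// A fresh request one minute old.
var_dump($store->check_and_record(7, $now - 60, $nonce, $now));
// The identical request presented a second time (a replay).
var_dump($store->check_and_record(7, $now - 60, $nonce, $now));
// A request whose timestamp is an hour old, even with a new nonce.
var_dump($store->check_and_record(7, $now - 3600, 'Z9y8X7w6V5u4T3s2R1q0P9o8N7m6L5k4', $now));
```

Recording the nonce only after both rules pass matters: if a request fails the timestamp check it must not consume the nonce, otherwise an attacker who can inject a bad timestamp could burn nonces the legitimate client is about to use.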
Parameters
- $user : stdClass
  User data.
- $timestamp : int
  The unix timestamp for when the request was made.
- $nonce : string
  A unique (for the given user) 32-character alphanumeric string, consumer-generated.
Return values
bool|WP_Error
check_permissions()
Check that the API keys provided have the proper key-specific permissions to either read or write API resources.
private
check_permissions(string $method) : bool|WP_Error
Parameters
- $method : string
  Request method.
Return values
bool|WP_Error
get_user_data_by_consumer_key()
Return the user data for the given consumer_key.
private
get_user_data_by_consumer_key(string $consumer_key) : array<string|int, mixed>
Parameters
- $consumer_key : string
  Consumer key.
Return values
array<string|int, mixed>
join_with_equals_sign()
Creates an array of urlencoded strings out of each array key/value pair.
private
join_with_equals_sign(array<string|int, mixed> $params[, array<string|int, mixed> $query_params = array() ][, string $key = '' ]) : string
Parameters
- $params : array<string|int, mixed>
  Array of parameters to convert.
- $query_params : array<string|int, mixed> = array()
  Array to extend.
- $key : string = ''
  Optional array key to append.
Return values
string — Array of urlencoded strings.
normalize_parameters()
Normalize each parameter by assuming it may already have been encoded: decode it, then re-encode it according to RFC 3986.
private
normalize_parameters(array<string|int, mixed> $parameters) : array<string|int, mixed>
Note that both the key and the value are normalized, so a filter param like:
'filter[period]' => 'week'
is encoded to:
'filter%255Bperiod%255D' => 'week'
This conforms to the OAuth 1.0a spec which indicates the entire query string should be URL encoded.
Parameters
- $parameters : array<string|int, mixed>
  Un-normalized parameters.
Return values
array<string|int, mixed> — Normalized parameters.
perform_basic_authentication()
Basic Authentication.
private
perform_basic_authentication() : int|bool
SSL-encrypted requests are not subject to sniffing or man-in-the-middle attacks, so the request can be authenticated by simply looking up the user associated with the given consumer key and confirming the consumer secret provided is valid.
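The lookup-and-compare flow described above, together with the per-key read/write permission check that `check_permissions()` documents, as an added example that is not WooCommerce's own code. It reads the credentials PHP populates from a Basic header (`PHP_AUTH_USER` and `PHP_AUTH_PW`), refuses to proceed when the request is not HTTPS, looks the consumer key up by hash and compares the secret in constant time. The key table, the SHA-256 keying scheme, the permission strings and all function names are constructed assumptions.

```php
<?php
// Added example, not WooCommerce's own code: Basic-auth style key lookup for
// HTTPS requests plus the read/write permission check by HTTP method.
// The key table, hashing scheme and function names are constructed assumptions.

/** Constructed key table keyed by a hash of the consumer key, so the table itself holds no usable keys. */
function example_key_table(): array
{
    return [
        hash('sha256', 'ck_example') => [
            'user_id'         => 7,
            'consumer_secret' => 'cs_example_secret',
            'permissions'     => 'read',   // read | write | read_write
        ],
    ];
}

/**
 * Authenticate from PHP_AUTH_USER / PHP_AUTH_PW (what PHP populates from a
 * Basic header). Returns the user id, or false on any failure.
 */
function example_basic_authenticate(array $server, bool $is_https): int|false
{
    if (!$is_https) {
        return false; // a Basic header over plain HTTP exposes the secret in transit
    }
    $key    = (string) ($server['PHP_AUTH_USER'] ?? '');
    $secret = (string) ($server['PHP_AUTH_PW'] ?? '');
    if ($key === '' || $secret === '') {
        return false;
    }
    $record = example_key_table()[hash('sha256', $key)] ?? null;
    if ($record === null) {
        return false;
    }
    // Constant-time comparison so response timing does not reveal how much of the secret matched.
    if (!hash_equals($record['consumer_secret'], $secret)) {
        return false;
    }
    return (int) $record['user_id'];
}

/** Map the key's permission level onto the HTTP methods it may use. */
function example_check_permissions(string $permissions, string $method): bool
{
    $method = strtoupper($method);
    $read   = ['GET', 'HEAD', 'OPTIONS'];
    $write  = ['POST', 'PUT', 'PATCH', 'DELETE'];
    switch ($permissions) {
        case 'read':
            return in_array($method, $read, true);
        case 'write':
            return in_array($method, $write, true);
        case 'read_write':
            return in_array($method, $read, true) || in_array($method, $write, true);
        default:
            return false; // unknown level: deny rather than guess
    }
}

// Constructed request: valid credentials over HTTPS using a read-only key.
$sample_server = ['PHP_AUTH_USER' => 'ck_example', 'PHP_AUTH_PW' => 'cs_example_secret'];
$user_id = example_basic_authenticate($sample_server, true);
var_dump($user_id);
if ($user_id !== false) {
    $permissions = example_key_table()[hash('sha256', 'ck_example')]['permissions'];
    var_dump(example_check_permissions($permissions, 'GET'));   // a read key and a read method
    var_dump(example_check_permissions($permissions, 'POST'));  // a read key and a write method
}
// The same credentials arriving over plain HTTP.
var_dump(example_basic_authenticate($sample_server, false));
```

Every failure path returns the same `false`, so a caller cannot tell an unknown key from a wrong secret; combined with `hash_equals` that keeps the lookup from acting as a key-enumeration oracle.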
Return values
int|bool
perform_oauth_authentication()
Perform OAuth 1.0a "one-legged" (http://oauthbible.com/#oauth-10a-one-legged) authentication for non-SSL requests.
private
perform_oauth_authentication() : int|bool
This is required so API credentials cannot be sniffed or intercepted when making API requests over plain HTTP.
This follows the spec for simple OAuth 1.0a authentication (RFC 5849) as closely as possible, with two exceptions:
- There is no token associated with request/responses, only consumer keys/secrets are used.
- The OAuth parameters are included as part of the request query string instead of part of the Authorization header. This is because there is no cross-OS function within PHP to get the raw Authorization header.
Return values
int|bool
update_last_access()
Updates the `last_access` field for the API key associated with the current request.
private
update_last_access(WP_REST_Request $request) : void
This method tries to disambiguate 'primary' API requests from any programmatic REST API requests made internally.
Parameters
- $request : WP_REST_Request
  The request currently being processed.