WooCommerce Code Reference

WC_REST_Authentication
in package

REST API authentication class.

Table of Contents

$auth_method  : string
Current auth method.
$error  : WP_Error
Authentication error.
$user  : stdClass
Logged in user data.
__construct()  : mixed
Initialize authentication actions.
authenticate()  : int|false
Authenticate user.
check_authentication_error()  : WP_Error|null|bool
Check for authentication error.
check_user_permissions()  : mixed
Check for user permissions and register last access.
get_authorization_header()  : string
Get the authorization header.
get_oauth_parameters()  : array|WP_Error
Get oAuth parameters from $_GET, $_POST or request header.
parse_header()  : array
Parse the Authorization header into parameters.
send_unauthorized_headers()  : WP_REST_Response
If the consumer_key and consumer_secret $_GET parameters are NOT provided and the Basic auth headers are either not present or the consumer secret does not match the consumer key provided, then return the correct Basic headers and an error message.
get_error()  : mixed
Get authentication error.
is_request_to_rest_api()  : bool
Check if is request to our REST API.
set_error()  : mixed
Set authentication error.
check_oauth_signature()  : true|WP_Error
Verify that the consumer-provided request signature matches our generated signature, this ensures the consumer has a valid key/secret.
check_oauth_timestamp_and_nonce()  : bool|WP_Error
Verify that the timestamp and nonce provided with the request are valid. This prevents replay attacks where an attacker could attempt to re-send an intercepted request at a later time.
check_permissions()  : bool|WP_Error
Check that the API keys provided have the proper key-specific permissions to either read or write API resources.
get_user_data_by_consumer_key()  : array
Return the user data for the given consumer_key.
join_with_equals_sign()  : string
Creates an array of urlencoded strings out of each array key/value pairs.
normalize_parameters()  : array
Normalize each parameter by assuming each parameter may have already been encoded, so attempt to decode, and then re-encode according to RFC 3986.
perform_basic_authentication()  : int|bool
Basic Authentication.
perform_oauth_authentication()  : int|bool
Perform OAuth 1.0a "one-legged" (http://oauthbible.com/#oauth-10a-one-legged) authentication for non-SSL requests.
update_last_access()  : mixed
Updated API Key last access datetime.

Properties

Methods

authenticate()

Authenticate user.

public authenticate(int|false $user_id) : int|false
Parameters
$user_id : int|false

User ID if one has been determined, false otherwise.

Return values
int|false

check_authentication_error()

Check for authentication error.

public check_authentication_error(WP_Error|null|bool $error) : WP_Error|null|bool
Parameters
$error : WP_Error|null|bool

Error data.

Return values
WP_Error|null|bool

check_user_permissions()

Check for user permissions and register last access.

public check_user_permissions(mixed $result, WP_REST_Server $server, WP_REST_Request $request) : mixed
Parameters
$result : mixed

Response to replace the requested version with.

$server : WP_REST_Server

Server instance.

$request : WP_REST_Request

Request used to generate the response.

Return values
mixed

get_authorization_header()

Get the authorization header.

public get_authorization_header() : string

On certain systems and configurations, the Authorization header will be stripped out by the server or PHP. Typically this is then used to generate PHP_AUTH_USER/PHP_AUTH_PASS but not passed on. We use getallheaders here to try and grab it out instead.

Tags
since
3.0.0
Return values
stringAuthorization header if set.

get_oauth_parameters()

Get oAuth parameters from $_GET, $_POST or request header.

public get_oauth_parameters() : array|WP_Error
Tags
since
3.0.0
Return values
array|WP_Error

parse_header()

Parse the Authorization header into parameters.

public parse_header(string $header) : array
Parameters
$header : string

Authorization header value (not including "Authorization: " prefix).

Tags
since
3.0.0
Return values
arrayMap of parameter values.

send_unauthorized_headers()

If the consumer_key and consumer_secret $_GET parameters are NOT provided and the Basic auth headers are either not present or the consumer secret does not match the consumer key provided, then return the correct Basic headers and an error message.

public send_unauthorized_headers(WP_REST_Response $response) : WP_REST_Response
Parameters
$response : WP_REST_Response

Current response being served.

Return values
WP_REST_Response

set_error()

Set authentication error.

protected set_error(WP_Error $error) : mixed
Parameters
$error : WP_Error

Authentication error data.

Return values
mixed

check_oauth_signature()

Verify that the consumer-provided request signature matches our generated signature, this ensures the consumer has a valid key/secret.

private check_oauth_signature(stdClass $user, array $params) : true|WP_Error
Parameters
$user : stdClass

User data.

$params : array

The request parameters.

Return values
true|WP_Error

check_oauth_timestamp_and_nonce()

Verify that the timestamp and nonce provided with the request are valid. This prevents replay attacks where an attacker could attempt to re-send an intercepted request at a later time.

private check_oauth_timestamp_and_nonce(stdClass $user, int $timestamp, string $nonce) : bool|WP_Error
  • A timestamp is valid if it is within 15 minutes of now.
  • A nonce is valid if it has not been used within the last 15 minutes.
Parameters
$user : stdClass

User data.

$timestamp : int

The unix timestamp for when the request was made.

$nonce : string

A unique (for the given user) 32 alphanumeric string, consumer-generated.

Return values
bool|WP_Error

check_permissions()

Check that the API keys provided have the proper key-specific permissions to either read or write API resources.

private check_permissions(string $method) : bool|WP_Error
Parameters
$method : string

Request method.

Return values
bool|WP_Error

get_user_data_by_consumer_key()

Return the user data for the given consumer_key.

private get_user_data_by_consumer_key(string $consumer_key) : array
Parameters
$consumer_key : string

Consumer key.

Return values
array

join_with_equals_sign()

Creates an array of urlencoded strings out of each array key/value pairs.

private join_with_equals_sign(array $params[, array $query_params = array() ][, string $key = '' ]) : string
Parameters
$params : array

Array of parameters to convert.

$query_params : array = array()

Array to extend.

$key : string = ''

Optional Array key to append.

Return values
stringArray of urlencoded strings.

normalize_parameters()

Normalize each parameter by assuming each parameter may have already been encoded, so attempt to decode, and then re-encode according to RFC 3986.

private normalize_parameters(array $parameters) : array

Note both the key and value is normalized so a filter param like:

'filter[period]' => 'week'

is encoded to:

'filter%255Bperiod%255D' => 'week'

This conforms to the OAuth 1.0a spec which indicates the entire query string should be URL encoded.

Parameters
$parameters : array

Un-normalized parameters.

Tags
see
rawurlencode()
Return values
arrayNormalized parameters.

perform_basic_authentication()

Basic Authentication.

private perform_basic_authentication() : int|bool

SSL-encrypted requests are not subject to sniffing or man-in-the-middle attacks, so the request can be authenticated by simply looking up the user associated with the given consumer key and confirming the consumer secret provided is valid.

Return values
int|bool

perform_oauth_authentication()

Perform OAuth 1.0a "one-legged" (http://oauthbible.com/#oauth-10a-one-legged) authentication for non-SSL requests.

private perform_oauth_authentication() : int|bool

This is required so API credentials cannot be sniffed or intercepted when making API requests over plain HTTP.

This follows the spec for simple OAuth 1.0a authentication (RFC 5849) as closely as possible, with two exceptions:

1) There is no token associated with request/responses, only consumer keys/secrets are used.

2) The OAuth parameters are included as part of the request query string instead of part of the Authorization header, This is because there is no cross-OS function within PHP to get the raw Authorization header.

Tags
link
http://tools.ietf.org/html/rfc5849

for the full spec.

Return values
int|bool