
<?php
// Refuse direct HTTP access: ABSPATH is only defined when WordPress core has loaded this file.
if ( ! defined( 'ABSPATH' ) ) {
	die( 'No direct access allowed' );
}

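add_filter(
	'rest_authentication_errors',
	/**
	 * Authenticate REST requests that carry an `IWC-API-KEY` header.
	 *
	 * Requests that already carry HTTP Basic credentials, belong to a
	 * cookie-authenticated user, or arrive when no administrator user is
	 * available are passed through untouched (logged as codes 1-3). Otherwise
	 * the API key is validated, rate limiting and payload size are checked,
	 * and on success the request is dispatched in the administrator's context.
	 *
	 * Every error path calls Rest_Response::render_error(), which is expected to
	 * terminate the request. A WP_Error is returned right after each call anyway
	 * so the filter fails closed instead of falling through to dispatch if that
	 * expectation ever breaks.
	 *
	 * @param \WP_Error|null|true $result Result of earlier authentication filters.
	 * @return \WP_Error|null|true
	 */
	function ( $result ) {
		$codes = array();
		// Logging option is stored as the string 'true' when enabled.
		$log = ( get_option( 'iwc-logging-enabled' ) == 'true' );

		// Basic-auth credentials present: leave authentication to WordPress.
		if ( isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
			$codes[] = 1;
		}

		// Already authenticated via cookie: no API-key handling needed.
		if ( is_user_logged_in() ) {
			$codes[] = 2;
		}

		// Without an administrator account there is no user context to dispatch as.
		$user_id = \Integromat\User::get_administrator_user();
		if ( 0 === $user_id ) {
			$codes[] = 3;
		}

		if ( ! empty( $codes ) ) {
			$log && \Integromat\Logger::write( implode( ';', $codes ) );
			return $result;
		}

		if ( empty( $_SERVER['HTTP_IWC_API_KEY'] ) ) {
			// Unprotected routes proceed without a key; protected ones are rejected.
			if ( ! \Integromat\Guard::is_protected() ) {
				$log && \Integromat\Logger::write( 4 );
				return $result;
			}
			$log && \Integromat\Logger::write( 5 );
			\Integromat\Rest_Response::render_error( 401, 'API key is missing', 'missing_token' );
			return new \WP_Error( 'missing_token', 'API key is missing', array( 'status' => 401 ) );
		}

		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Token is hashed before comparison in is_valid()
		$token = $_SERVER['HTTP_IWC_API_KEY'];

		// Length is a public constant, so checking it first leaks nothing and
		// keeps malformed input away from the hashing comparison in is_valid().
		if ( strlen( $token ) !== \Integromat\Api_Token::API_TOKEN_LENGTH || ! \Integromat\Api_Token::is_valid( $token ) ) {
			$log && \Integromat\Logger::write( 6 );
			\Integromat\Rest_Response::render_error( 401, 'Provided API key is invalid', 'invalid_token' );
			return new \WP_Error( 'invalid_token', 'Provided API key is invalid', array( 'status' => 401 ) );
		}

		// Rate limiting: identifier semantics are owned by Rate_Limiter.
		$rate_limit_id = \Integromat\Rate_Limiter::get_identifier();
		if ( \Integromat\Rate_Limiter::is_rate_limited( $rate_limit_id ) ) {
			$rate_status = \Integromat\Rate_Limiter::get_rate_limit_status( $rate_limit_id );
			$log && \Integromat\Logger::write( 9 );
			\Integromat\Rest_Response::render_error(
				429,
				'Rate limit exceeded. Try again later.',
				'rate_limit_exceeded',
				array(
					'X-RateLimit-Limit'     => $rate_status['limit'],
					'X-RateLimit-Remaining' => max( 0, $rate_status['limit'] - $rate_status['requests'] ),
					'X-RateLimit-Reset'     => $rate_status['reset_time'],
				)
			);
			return new \WP_Error( 'rate_limit_exceeded', 'Rate limit exceeded. Try again later.', array( 'status' => 429 ) );
		}

		if ( \Integromat\Rate_Limiter::is_payload_too_large() ) {
			$log && \Integromat\Logger::write( 10 );
			\Integromat\Rest_Response::render_error( 413, 'Request payload too large', 'payload_too_large' );
			return new \WP_Error( 'payload_too_large', 'Request payload too large', array( 'status' => 413 ) );
		}

		// Endpoint and method feed the per-route permission check below.
		$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_url( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
		$method      = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) : 'GET';

		// Route path after /wp-json/, query string stripped; empty when the URI does not match.
		$endpoint = '';
		if ( preg_match( '#\/wp-json/(.*?)(\?.*)?$#i', $request_uri, $matches ) ) {
			$endpoint = '/' . $matches[1];
		}

		// Switch to the administrator context only if this route/method is permitted.
		if ( ! \Integromat\User::set_api_user_context( $user_id, $endpoint, $method ) ) {
			$log && \Integromat\Logger::write( 8 );
			\Integromat\Rest_Response::render_error( 403, 'Insufficient API permissions', 'insufficient_permissions' );
			return new \WP_Error( 'insufficient_permissions', 'Insufficient API permissions', array( 'status' => 403 ) );
		}

		$log && \Integromat\Logger::write( 7 );
		\Integromat\Rest_Request::dispatch();

		return $result;
	}
);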