Automattic\WooCommerce\Internal\PushNotifications\Controllers
PushNotificationRestController::authorize
Validates the JWT from the Authorization header.
Method of the class: PushNotificationRestController{}
No Hooks.
Returns
true|WP_Error.
Usage
$PushNotificationRestController = new PushNotificationRestController(); $PushNotificationRestController->authorize( $request );
- $request (WP_REST_Request) (required) — The request object whose Authorization header and body are checked.
Changelog
| Since 10.7.0 | Introduced. |
PushNotificationRestController::authorize() PushNotificationRestController::authorize code WC 10.9.1
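/**
 * Validates the JWT carried in the request's Authorization header.
 *
 * The token may be sent bare or with a "Bearer " prefix (matched
 * case-insensitively). It must verify against the site's 'auth' salt,
 * its `iss` claim must equal this site's URL, and its `body_hash` claim
 * must equal the SHA-256 hex digest of the raw request body, which ties
 * the token to exactly one request payload.
 *
 * @param WP_REST_Request $request The request object.
 * @return true|WP_Error True when every check passes; otherwise a WP_Error
 *                       carrying HTTP 401 and a short reason.
 */
public function authorize( WP_REST_Request $request ) {
    $header = trim( (string) $request->get_header( 'authorization' ) );

    // Strict empty-string test: empty() would also treat a header of "0" as absent.
    if ( '' === $header ) {
        return new WP_Error(
            'woocommerce_rest_unauthorized',
            'Missing authorization header.',
            array( 'status' => WP_Http::UNAUTHORIZED )
        );
    }

    // Accept "Bearer <token>" (any case on the scheme) as well as a bare token.
    $token = 0 === strncasecmp( $header, 'Bearer ', 7 ) ? substr( $header, 7 ) : $header;

    // Signature and expiry are checked by the JWT helper against the 'auth' salt.
    if ( ! JsonWebToken::validate( $token, wp_salt( 'auth' ) ) ) {
        return new WP_Error(
            'woocommerce_rest_unauthorized',
            'Invalid or expired token.',
            array( 'status' => WP_Http::UNAUTHORIZED )
        );
    }

    $parts = JsonWebToken::get_parts( $token );

    // The issuer must be this site; a token minted for another site is rejected.
    if ( ! isset( $parts->payload->iss ) || get_site_url() !== $parts->payload->iss ) {
        return new WP_Error(
            'woocommerce_rest_unauthorized',
            'Invalid token issuer.',
            array( 'status' => WP_Http::UNAUTHORIZED )
        );
    }

    // Bind the token to the exact body: compare the claimed hash with the digest
    // of the raw body in constant time. The claim must be a string; a malformed
    // payload (array/object claim) would otherwise blow up inside hash_equals().
    $body_hash     = hash( 'sha256', $request->get_body() );
    $claimed_hash  = $parts->payload->body_hash ?? null;
    if ( ! is_string( $claimed_hash ) || ! hash_equals( $claimed_hash, $body_hash ) ) {
        return new WP_Error(
            'woocommerce_rest_unauthorized',
            'Body hash mismatch.',
            array( 'status' => WP_Http::UNAUTHORIZED )
        );
    }

    return true;
}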