Automattic\WooCommerce\Internal\PushNotifications\Controllers

PushNotificationRestController::authorize() — public — WC 10.7.0

Validates the JWT from the Authorization header.

Method of the class: PushNotificationRestController{}

No Hooks.

Returns

true|WP_Error.

Usage

$PushNotificationRestController = new PushNotificationRestController();
$PushNotificationRestController->authorize( $request );
$request(WP_REST_Request) (required)
The request object.

Changelog

Since 10.7.0 Introduced.

PushNotificationRestController::authorize() code WC 10.9.1

/**
 * Validates the JWT supplied in the Authorization header of a push-notification request.
 *
 * The checks run in order and the first failure wins, each producing a 401 WP_Error:
 *  1. a non-empty Authorization header is present (an optional "Bearer " prefix is stripped,
 *     matched case-insensitively);
 *  2. the token validates against wp_salt( 'auth' ) — the key is a site secret, so anyone
 *     able to read the auth salt can mint an accepted token (expiry, if enforced, is handled
 *     inside JsonWebToken::validate, not here);
 *  3. the payload's `iss` claim is exactly get_site_url();
 *  4. the payload's `body_hash` claim equals the SHA-256 of the raw request body, compared with
 *     hash_equals(), which binds the token to this exact body. Nothing here rejects a token
 *     replayed together with an identical body.
 *
 * @param WP_REST_Request $request The request object.
 * @return true|WP_Error True when every check passes, otherwise a WP_Error carrying HTTP 401.
 */
public function authorize( WP_REST_Request $request ) {
	// All failures share the same error code and status; only the reason text differs.
	$unauthorized = static function ( string $reason ): WP_Error {
		return new WP_Error(
			'woocommerce_rest_unauthorized',
			$reason,
			array( 'status' => WP_Http::UNAUTHORIZED )
		);
	};

	$raw_header = trim( (string) $request->get_header( 'authorization' ) );

	if ( empty( $raw_header ) ) {
		return $unauthorized( 'Missing authorization header.' );
	}

	// Accept either a bare token or an RFC 6750 style "Bearer <token>" value.
	$token = $raw_header;
	if ( 0 === strncasecmp( $raw_header, 'Bearer ', 7 ) ) {
		$token = substr( $raw_header, 7 );
	}

	// Signature/validity first: nothing from the payload is trusted until this passes.
	if ( ! JsonWebToken::validate( $token, wp_salt( 'auth' ) ) ) {
		return $unauthorized( 'Invalid or expired token.' );
	}

	$parts = JsonWebToken::get_parts( $token );

	// Strict comparison: the issuer must match this site's URL byte-for-byte.
	if ( ! isset( $parts->payload->iss ) || get_site_url() !== $parts->payload->iss ) {
		return $unauthorized( 'Invalid token issuer.' );
	}

	$computed_hash = hash( 'sha256', $request->get_body() );
	// The cast keeps hash_equals() from throwing if the claim is not a string.
	$claimed_hash  = isset( $parts->payload->body_hash ) ? (string) $parts->payload->body_hash : null;

	// Constant-time comparison ties the token to this exact request body.
	if ( null === $claimed_hash || ! hash_equals( $claimed_hash, $computed_hash ) ) {
		return $unauthorized( 'Body hash mismatch.' );
	}

	return true;
}