WC_API_Authentication::check_oauth_signature() private WC 1.0

Verify that the consumer-provided request signature matches our generated signature. This ensures the consumer has a valid key/secret.

Method of the class: WC_API_Authentication{}

No Hooks.

Return

null. Nothing (null). A failed check is reported by throwing an Exception with code 401, not through the return value.

Usage

// private - callable only from inside the WC_API_Authentication class itself
// The method returns nothing; a failed signature check throws an Exception with code 401.
$result = $this->check_oauth_signature( $keys, $params );
$keys(array) (required)
The consumer key data; the method reads the consumer_secret entry from it.
$params(array) (required)
the request parameters

WC_API_Authentication::check_oauth_signature() code WC 8.9.0

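/**
 * Verify that the consumer-provided request signature matches our generated signature.
 * A match shows that the consumer holds the secret belonging to the supplied key.
 *
 * The string to sign is the HTTP method, the encoded base request URI and the encoded,
 * sorted request parameters joined with '&'. It is signed with HMAC, using the consumer
 * secret followed by '&' as the key.
 *
 * @param array $keys   Consumer key data; only 'consumer_secret' is read here.
 * @param array $params The request parameters, including 'oauth_signature' and
 *                      'oauth_signature_method'.
 * @throws Exception With code 401 when the signature is missing or malformed, the parameters
 *                   cannot be sorted, the signature method is not accepted, or the
 *                   signatures do not match.
 */
private function check_oauth_signature( $keys, $params ) {
	$http_method = strtoupper( WC()->api->server->method );

	$server_path = WC()->api->server->path;

	// if the requested URL has a trailing slash, make sure our base URL does as well
	if ( isset( $_SERVER['REDIRECT_URL'] ) && '/' === substr( $_SERVER['REDIRECT_URL'], -1 ) ) {
		$server_path .= '/';
	}

	$base_request_uri = rawurlencode( untrailingslashit( get_woocommerce_api_url( '' ) ) . $server_path );

	// Request parameters are client-controlled. A missing or non-string signature (for example one
	// submitted as an array) is rejected here as an authentication failure, so it never reaches the
	// string functions below, where it would raise a type error instead of a 401.
	if ( ! isset( $params['oauth_signature'] ) || ! is_string( $params['oauth_signature'] ) ) {
		throw new Exception( __( 'Invalid signature - provided signature does not match.', 'woocommerce' ), 401 );
	}

	// Get the signature provided by the consumer and remove it from the parameters prior to checking the signature.
	// NOTE(review): the space-to-plus replacement presumably restores base64 '+' characters that were
	// decoded as spaces when the query string was parsed - confirm against the caller.
	$consumer_signature = rawurldecode( str_replace( ' ', '+', $params['oauth_signature'] ) );
	unset( $params['oauth_signature'] );

	// Sort parameters by key (byte-wise) so both sides sign them in the same order
	if ( ! uksort( $params, 'strcmp' ) ) {
		throw new Exception( __( 'Invalid signature - failed to sort parameters.', 'woocommerce' ), 401 );
	}

	// Normalize parameter key/values
	$params           = $this->normalize_parameters( $params );
	$query_parameters = array();
	foreach ( $params as $param_key => $param_value ) {
		if ( is_array( $param_value ) ) {
			foreach ( $param_value as $param_key_inner => $param_value_inner ) {
				// '%255B' / '%255D' are the double-encoded '[' and ']' around the inner key
				$query_parameters[] = $param_key . '%255B' . $param_key_inner . '%255D%3D' . $param_value_inner;
			}
		} else {
			$query_parameters[] = $param_key . '%3D' . $param_value; // join with equals sign
		}
	}
	$query_string = implode( '%26', $query_parameters ); // join with ampersand

	$string_to_sign = $http_method . '&' . $base_request_uri . '&' . $query_string;

	// Read the signature method defensively: an absent value is treated as an invalid method.
	$signature_method = isset( $params['oauth_signature_method'] ) ? $params['oauth_signature_method'] : '';

	// Only the two HMAC methods are accepted; every other value is rejected before any hashing happens.
	if ( 'HMAC-SHA1' !== $signature_method && 'HMAC-SHA256' !== $signature_method ) {
		throw new Exception( __( 'Invalid signature - signature method is invalid.', 'woocommerce' ), 401 );
	}

	// 'HMAC-SHA1' -> 'sha1', 'HMAC-SHA256' -> 'sha256'; safe to pass to hash_hmac() because of the check above
	$hash_algorithm = strtolower( str_replace( 'HMAC-', '', $signature_method ) );

	// The HMAC key is the consumer secret followed by '&'; nothing is appended after the ampersand here
	$secret    = $keys['consumer_secret'] . '&';
	$signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $secret, true ) );

	// hash_equals() compares in constant time, so response timing does not reveal how much of a
	// guessed signature was correct. The locally computed value goes first, the client value second.
	if ( ! hash_equals( $signature, $consumer_signature ) ) {
		throw new Exception( __( 'Invalid signature - provided signature does not match.', 'woocommerce' ), 401 );
	}
}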