WC_WCCOM_Site::verify_wccom_request()protected staticWC 3.7.0

Verify WooCommerce.com request from a given body and signature request.

Method of the class: WC_WCCOM_Site{}

No Hooks.

Return

true|false.

Usage

$result = WC_WCCOM_Site::verify_wccom_request( $body, $signature, $access_token_secret );
$body(string) (required)
Request body.
$signature(string) (required)
Request signature found in X-Woo-Signature header.
$access_token_secret(string) (required)
Access token secret for this site.

Changelog

Since 3.7.0 Introduced.

WC_WCCOM_Site::verify_wccom_request() code WC 9.4.2

protected static function verify_wccom_request( $body, $signature, $access_token_secret ) {
	// phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
	$data = array(
		'host'        => $_SERVER['HTTP_HOST'],
		'request_uri' => urldecode( remove_query_arg( array( 'token', 'signature' ), $_SERVER['REQUEST_URI'] ) ),
		'method'      => strtoupper( $_SERVER['REQUEST_METHOD'] ),
	);
	// phpcs:enable

	if ( ! empty( $body ) ) {
		$data['body'] = $body;
	}

	$expected_signature = hash_hmac( 'sha256', wp_json_encode( $data ), $access_token_secret );

	return hash_equals( $expected_signature, $signature );
}