fix: performance and security audit fixes

[kilbot]

Summary

• Fix O(n²) nested loop in Orders::order_item_after_calculate_taxes — inner foreach used same $meta variable, shadowing outer loop and causing quadratic iteration
• Remove save_meta_data() from order/product/variation REST response hooks — this was calling read_meta_data(true) internally, re-reading ALL meta from the database for every single API response (root cause of 768MB memory exhaustion on large stores)
• Move UUID persistence into maybe_add_post_uuid() so save_meta_data() only runs when a UUID is actually generated, not on every response
• Mask auth tokens in the /wcpos/v1/jwt/authorize test endpoint — return string length instead of raw token values
• Protect temp receipt template directory (wp-uploads/wcpos-templates/) with .htaccess deny and index.php guard
• Remove dead duplicate barcode field code and unused $fields_to_search variable in Products_Controller

Test plan

• Create an order via POS with a "misc" product (tax_status: none) — verify taxes are correctly zeroed out (nested loop fix)
• Fetch a list of orders via REST API — verify meta_data is present in response and UUIDs are assigned (save_meta_data removal)
• Fetch products and variations via REST API — verify meta_data and UUIDs are present
• Hit the /wcpos/v1/jwt/authorize test endpoint with a Bearer token — verify response contains header_length (integer) instead of header_value (string)
• Preview a custom receipt template — verify it renders correctly (temp directory protection)
• Search products by barcode — verify search still works (dead code removal)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Security

  • Masked authentication tokens in API responses.
  • Added directory protection for temporary templates to prevent public access.

• Improvements

  • Ensure generated identifiers are persisted reliably.

• Bug Fixes

  • Stop unintended metadata persistence during API responses; responses now parse meta values without forcing saves.
  • Reduce unnecessary iteration in order tax calculation for more consistent results.

• Tests

  • Updated authorization tests to validate token masking.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR changes metadata handling across API controllers (parsing instead of saving), persists UUID metadata immediately, refactors order tax item iteration, adds temp-template directory protection files, and updates auth tests to assert token lengths rather than raw values.

Changes

Cohort / File(s)	Summary
API Metadata Responses includes/API/Orders_Controller.php, includes/API/Product_Variations_Controller.php, includes/API/Products_Controller.php	Removed calls to <code>->save_meta_data()</code> when building API responses; responses now use wcpos_parse_meta_data(...) to populate meta_data. Products_Controller also simplified search fields (removed separate barcode fields handling).
UUID Persistence includes/API/Traits/Uuid_Handler.php	After generating/updating post UUID, code now calls save_meta_data() immediately to persist the post meta change.
Auth token masking (tests + API) includes/API/Auth.php, tests/includes/API/Test_Auth_API.php	Responses/tests now expose masked token info (lengths) instead of raw token values; test assertions verify length equality rather than exact strings.
Order tax processing includes/Orders.php	Refactored order_item_after_calculate_taxes to stop after the first matching _woocommerce_pos_data meta entry (removes inner loop), preserves JSON/error handling, and adds a void return type on the method.
Receipt template directory protection includes/Templates/Receipt.php	Ensures .htaccess (deny) and index.php protection files are created/exist for the temp template directory on each invocation (adds explicit file writes/checks).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• feat: comprehensive PHP unit tests for improved code coverage #417: Tests for Uuid_Handler that exercise UUID persistence; closely related to the added save_meta_data() call in the trait.

Poem

🐰 I nibble through meta, tidy and spry,
I save tiny UUIDs before they fly,
I parse the carrots that once were saved,
I guard the temp nest so it's safely paved,
Hooray — short tokens only peep their length, not pry! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: performance fixes (O(n²) loop optimization, meta_data caching removal) and security fixes (auth token masking, directory protection).
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/audit-perf-security

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E API Test Results

35 tests   35 ✅  3s ⏱️
17 suites   0 💤
 1 files     0 ❌

Results for commit bb4364a.

♻️ This comment has been updated with latest results.

[github-actions]

PHPUnit Test Results

720 tests  ±0   712 ✅ ±0   56s ⏱️ -1s
 40 suites ±0     8 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit bb4364a. ± Comparison against base commit f2a750c.