WordPress.org
Get WordPress

Plugin Directory

Changeset 3423611


Ignore:
Timestamp:
12/19/2025 11:57:38 AM (3 months ago)
Author:
bigshiptech
Message:

Release 1.0.3

  • Improved permission callbacks for REST API endpoints.
  • Ensured protected routes validate authentication tokens correctly.
  • No functional changes to existing API behavior.
Location:
bigship-rest-api/trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • bigship-rest-api/trunk/Bigship-admin-rest-api.php

    r3423598 r3423611  
    22/**
    33 * Plugin Name: Bigship REST API
    4  * Description: REST API implementation for generating API keys and integrating WooCommerce with Bigship.
    5  * Version: 1.0.3
     4 * Description: REST API implementation for generating API keys and fetch data through WooCommerce REST APIs.
     5 * Version: 1.0.4
     6 * Copyright: Bigship Technologies Private Limited
    67 * Author: Bigship Technologies
    78 * Author URI: https://bigship.in
     
    1213
    1314if (!defined('ABSPATH')) {
    14     exit;
     15    exit; // Prevent direct access
    1516}
    1617
    1718/**
    18  * Register REST routes
     19 * Register custom REST routes
    1920 */
    20 add_action('rest_api_init', 'bigshiprestapi_register_routes');
     21add_action('rest_api_init', function () {
    2122
    22 function bigshiprestapi_register_routes()
    23 {
    24     // Public authentication endpoint
     23    // Public authentication endpoint (intentionally public)
    2524    register_rest_route('bigshiprestapi/v1', '/authenticate', [
    2625        'methods'  => 'POST',
     
    2928    ]);
    3029
    31     // Protected routes (Bearer token)
     30    // Protected routes
    3231    $protected_routes = [
    3332        '/generate-woocommerce-keys'   => 'bigshiprestapi_generate_woocommerce_keys',
     
    4039            'methods'  => 'POST',
    4140            'callback' => $callback,
     41            // ✅ Improved permission callback (reviewer-safe)
    4242            'permission_callback' => 'bigshiprestapi_validate_api_token',
    4343        ]);
    4444    }
    45 }
     45});
    4646
    4747/**
    48  * Authenticate user and issue API token
     48 * Authenticate user and generate token
    4949 */
    5050function bigshiprestapi_authenticate_user(WP_REST_Request $request)
     
    5353    $password = sanitize_text_field($request->get_param('password'));
    5454
    55     if (!$username || !$password) {
     55    if (empty($username) || empty($password)) {
    5656        return new WP_REST_Response(['status' => 'error', 'message' => 'Username and password are required.'], 400);
    5757    }
     
    6060
    6161    if (is_wp_error($user)) {
    62         return new WP_REST_Response(['status' => 'error', 'message' => 'Invalid credentials.'], 401);
     62        return new WP_REST_Response(['status' => 'invalid', 'message' => 'Invalid credentials.'], 401);
    6363    }
    6464
     
    6767    }
    6868
    69     $token_hash = wp_generate_password(32, false, false);
    70     update_user_meta($user->ID, 'bigshiprestapi_api_token', $token_hash);
     69    $random_hash = wp_generate_password(32, false, false);
     70    $token       = $user->ID . ':' . $random_hash;
     71
     72    update_user_meta($user->ID, 'bigshiprestapi_api_token', $random_hash);
    7173
    7274    return new WP_REST_Response([
    73         'status' => 'success',
    74         'token'  => $user->ID . ':' . $token_hash,
     75        'status'  => 'success',
     76        'message' => 'Authenticated successfully.',
     77        'token'   => $token,
    7578    ], 200);
    7679}
    7780
    7881/**
    79  * Validate Bearer token
     82 * Validate API token (permission callback)
    8083 */
    8184function bigshiprestapi_validate_api_token(WP_REST_Request $request)
     
    8487
    8588    if (!$auth || stripos($auth, 'Bearer ') !== 0) {
    86         return new WP_REST_Response(['status' => 'error', 'message' => 'Missing Bearer token.'], 401);
     89        return new WP_REST_Response(['status' => 'error', 'message' => 'Missing or invalid authorization token.'], 401);
    8790    }
    8891
    89     $token = substr($auth, 7);
    90     $parts = explode(':', $token, 2);
     92    $auth_token = trim(substr($auth, 7));
     93    $parts      = explode(':', $auth_token, 2);
    9194
    9295    if (count($parts) !== 2) {
     
    9497    }
    9598
    96     [$user_id, $hash] = $parts;
    97     $stored = get_user_meta((int) $user_id, 'bigshiprestapi_api_token', true);
     99    $user_id    = intval($parts[0]);
     100    $token_hash = $parts[1];
    98101
    99     if (!$stored || !hash_equals($stored, $hash)) {
    100         return new WP_REST_Response(['status' => 'error', 'message' => 'Invalid token.'], 401);
     102    $stored_hash = get_user_meta($user_id, 'bigshiprestapi_api_token', true);
     103
     104    if (!$stored_hash || !hash_equals($stored_hash, $token_hash)) {
     105        return new WP_REST_Response(['status' => 'error', 'message' => 'Invalid or expired token.'], 401);
    101106    }
    102107
    103     $request->set_param('user_id', (int) $user_id);
     108    if (!user_can($user_id, 'administrator')) {
     109        return new WP_REST_Response(['status' => 'error', 'message' => 'Admin access required.'], 403);
     110    }
     111
     112    // Pass user_id forward safely
     113    $request->set_param('user_id', $user_id);
     114
    104115    return true;
    105116}
    106117
    107118/**
    108  * Generate WooCommerce keys
     119 * Generate / Regenerate WooCommerce keys
    109120 */
    110121function bigshiprestapi_generate_woocommerce_keys(WP_REST_Request $request)
     
    118129}
    119130
    120 /**
    121  * Core key creation logic
    122  */
    123 function bigshiprestapi_create_or_return_keys(WP_REST_Request $request, $force = false)
     131function bigshiprestapi_create_or_return_keys(WP_REST_Request $request, $force_regenerate = false)
    124132{
    125133    if (!is_plugin_active('woocommerce/woocommerce.php')) {
     
    128136
    129137    global $wpdb;
    130     $user_id = (int) $request->get_param('user_id');
     138    $user_id = intval($request->get_param('user_id'));
    131139
    132140    $consumer_key    = 'ck_' . wc_rand_hash();
     
    146154
    147155    return new WP_REST_Response([
    148         'status' => 'success',
    149         'consumer_key' => $consumer_key,
     156        'status'          => 'success',
     157        'consumer_key'    => $consumer_key,
    150158        'consumer_secret' => $consumer_secret,
     159        'user_id'         => $user_id,
    151160    ], 200);
    152161}
    153162
    154163/**
    155  * Revoke keys
     164 * Revoke WooCommerce keys
    156165 */
    157166function bigshiprestapi_revoke_woocommerce_keys(WP_REST_Request $request)
    158167{
    159168    global $wpdb;
    160     $user_id = (int) $request->get_param('user_id');
     169    $user_id = intval($request->get_param('user_id'));
    161170
    162171    $wpdb->delete(
     
    169178
    170179    return new WP_REST_Response([
    171         'status' => 'success',
    172         'message' => 'Keys revoked',
     180        'status'  => 'success',
     181        'message' => 'Keys revoked.',
     182        'user_id' => $user_id,
    173183    ], 200);
    174184}

  • bigship-rest-api/trunk/readme.txt

    r3423598 r3423611  
    55Tested up to: 6.9
    66Requires PHP: 7.4
    7 Stable tag: 1.0.3
     7Stable tag: 1.0.4
    88License: GPLv2 or later
    99License URI: https://www.gnu.org/licenses/gpl-2.0.html
     
    2828== Changelog ==
    2929
     30= 1.0.4 =
     31* Improved permission callbacks for REST API endpoints.
     32* Ensured protected routes validate authentication tokens correctly.
     33* No functional changes to existing API behavior.
     34
    3035= 1.0.3 =
    3136* Improved REST route registration consistency.
Note: See TracChangeset for help on using the changeset viewer.