
Changeset 3446472


Timestamp:
01/25/2026 10:13:42 AM (2 months ago)
Author:
tripleatechnology
Message:

Version 2.0.23 - Client Secret encryption and UI masking for enhanced security

Location:
triplea-cryptocurrency-payment-gateway-for-woocommerce/trunk
Files:
4 edited

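--- a/triplea-cryptocurrency-payment-gateway-for-woocommerce/trunk/includes/WooCommerce/TripleA_Payment_Gateway.php
+++ b/triplea-cryptocurrency-payment-gateway-for-woocommerce/trunk/includes/WooCommerce/TripleA_Payment_Gateway.php
@@ -53,5 +53,5 @@
         $this->debugLog         = ($this->get_option('debug_log') == 'yes') ? true : false;
         $this->clientID         = $this->get_option('client_id');
-        $this->clientSecret     = $this->get_option('client_secret');
+        $this->clientSecret     = $this->decrypt_credential($this->get_option('client_secret'));
         $this->oauthToken       = $this->get_option('oauth_token');
         $this->oauthTokenExpiry = $this->get_option('oauth_token_expiry');
@@ -146,8 +146,15 @@
     public function save_plugin_options()
     {
+        // Encrypt client_secret before saving
+        if (!empty($_POST['woocommerce_triplea_payment_gateway_client_secret'])) {
+            $client_secret_raw = $_POST['woocommerce_triplea_payment_gateway_client_secret'];
+            $client_secret_encrypted = $this->encrypt_credential($client_secret_raw);
+            $this->settings['client_secret'] = $client_secret_encrypted;
+        }
 
         if (!empty($_POST['clientID']) && (isset($_POST['oAuthToken']) || isset($_POST['oAuthTokenExpiry']))) {
 
             // {@see https://codex.wordpress.org/HTTP_API}
+            // Use raw (unencrypted) client_secret for OAuth request
             $response = wp_remote_post('https://api.triple-a.io/api/v2/oauth/token', array(
                 'headers' => array(
@@ -156,5 +163,5 @@
                 'body' => array(
                     'client_id' => $_POST['woocommerce_triplea_payment_gateway_client_id'],
-                    'client_secret' => $_POST['woocommerce_triplea_payment_gateway_client_secret'],
+                    'client_secret' => isset($client_secret_raw) ? $client_secret_raw : $_POST['woocommerce_triplea_payment_gateway_client_secret'],
                     'grant_type' => 'client_credentials',
                 ),
@@ -2355,3 +2362,84 @@
         return ob_get_clean();
     }
+
+    /**
+     * Encrypt credential using OpenSSL AES-256-CBC encryption
+     *
+     * @param string $value The credential to encrypt
+     * @return string Encrypted credential prefixed with 'ENC:' or original if already encrypted/empty
+     * @since 2.0.23
+     */
+    protected function encrypt_credential($value)
+    {
+        if (empty($value) || strpos($value, 'ENC:') === 0) {
+            return $value; // Already encrypted or empty
+        }
+
+        // Check if required WordPress constants are defined
+        if (!defined('AUTH_KEY') || !defined('SECURE_AUTH_KEY')) {
+            if (isset($this->logger)) {
+                $this->logger->write_log('encrypt_credential(): WordPress security keys not defined. Cannot encrypt credentials.', true);
+            }
+            return $value; // Return unencrypted if keys missing
+        }
+
+        $key = hash('sha256', AUTH_KEY . SECURE_AUTH_KEY);
+        $iv = openssl_random_pseudo_bytes(16);
+        $encrypted = openssl_encrypt($value, 'AES-256-CBC', $key, 0, $iv);
+
+        if ($encrypted === false) {
+            if (isset($this->logger)) {
+                $this->logger->write_log('encrypt_credential(): OpenSSL encryption failed.', true);
+            }
+            return $value; // Return unencrypted if encryption fails
+        }
+
+        return 'ENC:' . base64_encode($iv . $encrypted);
+    }
+
+    /**
+     * Decrypt credential using OpenSSL AES-256-CBC decryption
+     *
+     * @param string $value The encrypted credential (prefixed with 'ENC:')
+     * @return string Decrypted credential or original if not encrypted
+     * @since 2.0.23
+     */
+    protected function decrypt_credential($value)
+    {
+        if (empty($value) || strpos($value, 'ENC:') !== 0) {
+            return $value; // Not encrypted, return as-is
+        }
+
+        // Check if required WordPress constants are defined
+        if (!defined('AUTH_KEY') || !defined('SECURE_AUTH_KEY')) {
+            if (isset($this->logger)) {
+                $this->logger->write_log('decrypt_credential(): WordPress security keys not defined. Cannot decrypt credentials.', true);
+            }
+            return ''; // Return empty string if cannot decrypt
+        }
+
+        $key = hash('sha256', AUTH_KEY . SECURE_AUTH_KEY);
+        $data = base64_decode(substr($value, 4));
+
+        if (strlen($data) < 16) {
+            if (isset($this->logger)) {
+                $this->logger->write_log('decrypt_credential(): Invalid encrypted data format.', true);
+            }
+            return ''; // Return empty if data is corrupted
+        }
+
+        $iv = substr($data, 0, 16);
+        $encrypted = substr($data, 16);
+
+        $decrypted = openssl_decrypt($encrypted, 'AES-256-CBC', $key, 0, $iv);
+
+        if ($decrypted === false) {
+            if (isset($this->logger)) {
+                $this->logger->write_log('decrypt_credential(): OpenSSL decryption failed.', true);
+            }
+            return ''; // Return empty string if decryption fails
+        }
+
+        return $decrypted;
+    }
 }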
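Review bot: In `encrypt_credential()` and `decrypt_credential()` the key is `hash('sha256', AUTH_KEY . SECURE_AUTH_KEY)`, which returns 64 hex characters; OpenSSL uses only the first 32 bytes for AES-256, so the effective key is 32 hex digits (about 128 bits) rather than a full 256-bit key, and passing `true` as the third argument would give the raw digest. The CBC ciphertext is also stored without a MAC, so a modified option value is not detected on read; an encrypt-then-MAC step (HMAC-SHA256 over IV and ciphertext, checked with `hash_equals()` before `openssl_decrypt()`) would close that. Both early returns in `encrypt_credential()` hand back the plaintext when the keys are missing or OpenSSL fails, so the secret is then stored unencrypted with only a log line; consider surfacing an admin error instead. The sketch below shows the encrypt side only; values already stored in the current `ENC:` format would need a distinct prefix or a one-time migration.

```php
    protected function encrypt_credential($value)
    {
        // … unchanged: empty / 'ENC:' prefix check and AUTH_KEY / SECURE_AUTH_KEY check …

        // Raw 32-byte digests, with separate keys for encryption and authentication.
        $enc_key = hash('sha256', 'enc' . AUTH_KEY . SECURE_AUTH_KEY, true);
        $mac_key = hash('sha256', 'mac' . AUTH_KEY . SECURE_AUTH_KEY, true);
        $iv = random_bytes(16);
        $encrypted = openssl_encrypt($value, 'AES-256-CBC', $enc_key, OPENSSL_RAW_DATA, $iv);

        // … unchanged: $encrypted === false check and logging …

        // Authenticate IV and ciphertext so tampering is detected before decryption.
        $mac = hash_hmac('sha256', $iv . $encrypted, $mac_key, true);

        return 'ENC:' . base64_encode($iv . $encrypted . $mac);
    }
```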
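--- a/triplea-cryptocurrency-payment-gateway-for-woocommerce/trunk/includes/WooCommerce/views/triplea_options.php
+++ b/triplea-cryptocurrency-payment-gateway-for-woocommerce/trunk/includes/WooCommerce/views/triplea_options.php
@@ -27,5 +27,7 @@
     $merchantKey  = ( !empty( $plugin_settings['merchant_key'] ) ) ? $plugin_settings['merchant_key'] : '';
     $clientID     = ( !empty( $plugin_settings['client_id'] ) ) ? $plugin_settings['client_id'] : '';
-    $clientSecret = ( !empty( $plugin_settings['client_secret'] ) ) ? $plugin_settings['client_secret'] : '';
+    // Decrypt client_secret for display (prevents double encryption on re-save)
+    $clientSecret_encrypted = ( !empty( $plugin_settings['client_secret'] ) ) ? $plugin_settings['client_secret'] : '';
+    $clientSecret = $this->decrypt_credential($clientSecret_encrypted);
 
     //Settings Section
@@ -79,5 +81,5 @@
                 <div class="triplea-form-group">
                     <label for="clientSecret"><?php _e( 'Client Secret', 'wc-triplea-crypto-payment' ); ?></label>
-                    <input id="clientSecret" type="text" name="clientSecret" value="<?php echo $clientSecret; ?>">
+                    <input id="clientSecret" type="password" name="clientSecret" value="<?php echo $clientSecret; ?>">
                 </div>
                 <input type="hidden" name="oAuthToken" id="oAuthToken">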
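Review bot: The decrypted secret is echoed into the `value` attribute of the `clientSecret` input without escaping, and `type="password"` only masks it on screen, so the plaintext is still delivered in the page source to anyone who can load the settings page. At minimum escape it, `value="<?php echo esc_attr( $clientSecret ); ?>"`. It would be better to render the field empty (or with a placeholder) when a secret is already stored and to overwrite the stored value only when a new one is submitted. `decrypt_credential()` is `protected`, so the `$this->decrypt_credential(...)` call presumably relies on this view being included from inside the gateway class; that is outside the visible lines and worth confirming.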
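--- a/triplea-cryptocurrency-payment-gateway-for-woocommerce/trunk/readme.txt
+++ b/triplea-cryptocurrency-payment-gateway-for-woocommerce/trunk/readme.txt
@@ -7,5 +7,5 @@
 Requires at least: 5.5
 Tested up to: 6.6.2
-Stable tag: 2.0.22
+Stable tag: 2.0.23
 Requires PHP: 7.0
 License: GPLv2 or later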
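--- a/triplea-cryptocurrency-payment-gateway-for-woocommerce/trunk/triplea-cryptocurrency-payment-gateway-for-woocommerce.php
+++ b/triplea-cryptocurrency-payment-gateway-for-woocommerce/trunk/triplea-cryptocurrency-payment-gateway-for-woocommerce.php
@@ -17,5 +17,5 @@
  * Plugin URI:        https://wordpress.org/plugins/triplea-cryptocurrency-payment-gateway-for-woocommerce/
  * Description:       Offer cryptocurrency as a payment option on your website and get access to even more clients. Receive payments in cryptocurrency or in your local currency, directly in your bank account. Enjoy an easy setup, no cryptocurrency expertise required. Powered by Triple-A.
- * Version:           2.0.22
+ * Version:           2.0.23
  * Author:            Triple-A Team
  * Author URI:        https://triple-a.io
@@ -49,5 +49,5 @@
      * $var string
      */
-    public const version = '2.0.22';
+    public const version = '2.0.23';
 
     /*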