Timestamp:
09/01/2020 05:08:48 AM (5 years ago)
Author:
dd32
Message:

Plugin Directory: API: Add a specific GitHub API token, to limit access to internal vs external APIs.

File:
1 edited

  • sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/api/class-base.php

    r10214 r10226  
    6060
    6161    /**
    62      * A Permission Check callback which validates the request with a Bearer token.
     62     * A Permission Check callback which validates the request against the internal api-call token.
    6363     *
    6464     * @param \WP_REST_Request $request The Rest API Request.
     
    6666     */
    6767    function permission_check_internal_api_bearer( $request ) {
     68        return $this->permission_check_api_bearer( $request, 'PLUGIN_API_INTERNAL_BEARER_TOKEN' );
     69    }
     70
     71    /**
     72     * A Permission Check callback which validates the request against a GitHub specific token.
     73     *
     74     * @param \WP_REST_Request $request The Rest API Request.
     75     * @return bool|\WP_Error True if the token exists, WP_Error upon failure.
     76     */
     77    function permission_check_github_api_bearer( $request ) {
     78        return $this->permission_check_api_bearer( $request, 'PLUGIN_API_GITHUB_BEARER_TOKEN' );
     79    }
     80
     81    /**
     82     * A Permission Check callback which validates the a request against a given token.
     83     *
     84     * @param \WP_REST_Request $request  The Rest API Request.
     85     * @param string           $constant The constant that contains the expected bearer.
     86     * @return bool|\WP_Error True if the token exists, WP_Error upon failure.
     87     */
     88    function permission_check_api_bearer( $request, $constant = false ) {
    6889        $authorization_header = $request->get_header( 'authorization' );
    6990        $authorization_header = trim( str_ireplace( 'bearer', '', $authorization_header ) );
     
    7192        if (
    7293            ! $authorization_header ||
    73             ! defined( 'PLUGIN_API_INTERNAL_BEARER_TOKEN' ) ||
    74             ! hash_equals( PLUGIN_API_INTERNAL_BEARER_TOKEN, $authorization_header )
     94            ! $constant ||
     95            ! defined( $constant ) ||
     96            ! hash_equals( constant( $constant ), $authorization_header )
    7597        ) {
    7698            return new \WP_Error(
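Review bot: The docblock of the new `permission_check_api_bearer` reads "validates the a request against a given token", and its `@return` (repeated on `permission_check_github_api_bearer`) says "True if the token exists", whereas the code only returns true when the supplied bearer matches the named constant; suggest dropping the stray "the" and changing both to `@return bool|\WP_Error True if the bearer token matches the configured constant, WP_Error upon failure.` The `$constant = false` default deserves a sentence in the same docblock, since calling the method without a constant name fails closed unconditionally, e.g. `Omitting $constant always yields a WP_Error.` `hash_equals()` requires string arguments, so if the constant named by `$constant` is defined as a non-string the comparison raises a TypeError instead of returning the WP_Error; adding `! is_string( constant( $constant ) ) ||` ahead of the `hash_equals` clause would keep the failure mode uniform. The body of permission_check_api_bearer continues past the lines shown here.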