
Make the browser api key user specific
akirk committed Jan 15, 2025
1 parent d89fa61 commit 5f888fa
Showing 3 changed files with 45 additions and 8 deletions.
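--- a/includes/class-access-control.php
+++ b/includes/class-access-control.php
@@ -349,4 +349,45 @@ public function option_comment_whitelist( $value ) {
 }
 return $value;
 }
+
+public static function check_browser_api_key( $key ) {
+$parts = explode( '-', $key, 3 );
+if ( 3 !== count( $parts ) ) {
+return false;
+}
+
+$user_id = (int) $parts[1];
+if ( ! $user_id ) {
+return false;
+}
+
+$desired_key = self::get_browser_api_key( $user_id );
+if ( ! $desired_key ) {
+return false;
+}
+
+return $key === $desired_key;
+}
+
+public static function revoke_browser_api_key( $user_id = false ) {
+if ( ! $user_id ) {
+$user_id = get_current_user_id();
+}
+
+delete_user_option( $user_id, 'friends_browser_api_key' );
+}
+
+public static function get_browser_api_key( $user_id = false ) {
+if ( ! $user_id ) {
+$user_id = get_current_user_id();
+}
+
+$key = get_user_option( 'friends_browser_api_key', $user_id );
+if ( ! $key ) {
+$key = 'friends-' . $user_id . '-' . wp_generate_password( 32, false );
+update_user_option( $user_id, 'friends_browser_api_key', $key );
+}
+
+return $key;
+}
 }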
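Review bot: `check_browser_api_key` verifies a caller-supplied key by calling `get_browser_api_key( $user_id )`, which generates and persists a key through `update_user_option` whenever none is stored, so the verification path writes a user option for whatever user id appears in the submitted key, and the final `$key === $desired_key` is a plain string comparison rather than a constant-time one. Read the stored value directly, keep the existing falsy guard, and compare with `hash_equals`: `$desired_key = get_user_option( 'friends_browser_api_key', $user_id );` followed by `return hash_equals( $desired_key, $key );`. `get_browser_api_key` and `revoke_browser_api_key` also fall through to `get_current_user_id()` and proceed even when that returns 0, so a guard such as `if ( ! $user_id ) { return false; }` after the fallback would keep a `friends-0-…` key from being stored when no user is logged in. `hash_equals` and `explode` both require string arguments, so `$key` should be checked with `is_string` before use, since the REST caller passes the raw request parameter.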
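--- a/includes/class-admin.php
+++ b/includes/class-admin.php
@@ -2754,19 +2754,15 @@ function ( $menu ) {
 )
 );
 $this->check_admin_settings();
-$browser_api_key = get_option( 'friends_browser_api_key' );
+$browser_api_key = Access_Control::get_browser_api_key();
 
 if ( isset( $_POST['_wpnonce'] ) && wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'friends-browser-extension' ) ) {
 if ( isset( $_POST['revoke-api-key'] ) ) {
-$browser_api_key = false;
+Access_Control::revoke_browser_api_key();
+$browser_api_key = Access_Control::get_browser_api_key();
 }
 }
 
-if ( ! $browser_api_key ) {
-$browser_api_key = wp_generate_password( 32, false );
-update_option( 'friends_browser_api_key', $browser_api_key );
-}
-
 Friends::template_loader()->get_template_part(
 'admin/browser-extension',
 null,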
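Review bot: `Access_Control::get_browser_api_key()` is called before the nonce block and again inside the revoke branch, so a revoke request generates a key, deletes it, and generates another within the same request when no key was stored. Fetch it once after the block instead: remove the assignment before the `if`, drop the re-fetch inside the branch, and place `$browser_api_key = Access_Control::get_browser_api_key();` after the closing `}` of the nonce check. The enclosing method starts before and continues past this hunk, so whether a capability check precedes this code is not visible here.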
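--- a/includes/class-rest.php
+++ b/includes/class-rest.php
@@ -678,7 +678,7 @@ public function rest_extension( $request ) {
 );
 
 if ( 'POST' === $request->get_method() && $request->get_param( 'key' ) ) {
-if ( $request->get_param( 'key' ) === get_option( 'friends_browser_api_key' ) ) {
+if ( Access_Control::check_browser_api_key( $request->get_param( 'key' ) ) ) {
 $return = apply_filters( 'friends_browser_extension_rest_info', $return );
 } else {
 $return['error'] = 'Invalid API key';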
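Review bot: `$request->get_param( 'key' )` is passed straight to `Access_Control::check_browser_api_key`, which calls `explode()` on it, so a non-string parameter (an array in the request body) raises a TypeError on PHP 8 instead of producing the `'Invalid API key'` response. Bind the parameter once and check its type: `$key = $request->get_param( 'key' );` and `if ( is_string( $key ) && Access_Control::check_browser_api_key( $key ) ) {`. `rest_extension` starts before and continues past this hunk.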
