PATH:
home
/
thebhoeo
/
public_html
/
lazysleep
/
wp-content
/
plugins
/
woocommerce
/
src
/
Admin
/
API
<?php /** * REST API Mobile App QR Login controller. * * Handles requests to generate and exchange QR login tokens for direct mobile * app authentication via Application Passwords. Token generation is gated on * the `manage_woocommerce` capability (administrators and shop managers by * default). */ declare( strict_types=1 ); namespace Automattic\WooCommerce\Admin\API; use Automattic\WooCommerce\Admin\API\RateLimits\QRLoginRateLimits; defined( 'ABSPATH' ) || exit; /** * Mobile App QR Login controller. * * @internal */ class MobileAppQRLogin extends \WC_REST_Data_Controller { /** * Endpoint namespace. * * @var string */ protected $namespace = 'wc-admin'; /** * Route base. * * @var string */ protected $rest_base = 'mobile-app'; /** * Token TTL in seconds (5 minutes). */ const TOKEN_TTL = 300; /** * Transient prefix for QR login tokens. */ const TOKEN_TRANSIENT_PREFIX = '_wc_qr_login_token_'; /** * Max tokens per user per 15-minute window. */ const MAX_TOKENS_PER_WINDOW = 5; /** * Max exchange attempts per valid token per 15-minute window. */ const MAX_EXCHANGE_ATTEMPTS = 10; /** * Max invalid-token exchange attempts per IP per 15-minute window. */ const MAX_INVALID_EXCHANGE_ATTEMPTS = 100; /** * Max invalid-token scan attempts per IP per 15-minute window. */ const MAX_INVALID_SCAN_ATTEMPTS = 100; /** * Broad anonymous exchange abuse guard per IP per 15-minute window. */ const MAX_EXCHANGE_IP_ATTEMPTS = 1000; /** * Option prefix for database-backed atomic token claims. */ const CLAIM_OPTION_PREFIX = '_wc_qr_login_claim_'; /** * Scan-claim option prefix. Independent from `CLAIM_OPTION_PREFIX` so the * scan and exchange mutexes can't deadlock each other; they protect * different write windows on the same token record. */ const SCAN_CLAIM_OPTION_PREFIX = '_wc_qr_login_scan_claim_'; /** * Approval-claim option prefix. Prevents concurrent number choices from * racing the one-strike scanned -> approved/rejected transition. */ const APPROVE_CLAIM_OPTION_PREFIX = '_wc_qr_login_approve_claim_'; /** * Stable Application Passwords `app_id` for credentials issued by this * flow. Lets administrators identify QR-issued credentials in the * Application Passwords screen and revoke them in bulk. */ const APP_ID = '0b540e2f-86b7-4b8a-8e0c-f61e9bfbde59'; /** * Transient prefix for the "token consumed" record written after a successful * exchange. The wc-admin UI polls a status endpoint that reads this so it can * transition to a confirmation panel and surface the device that signed in. */ const CONSUMED_TRANSIENT_PREFIX = '_wc_qr_login_consumed_'; /** * Max status checks per user per 15-minute window. The polling client hits * this every ~2.5s while a QR is on screen; 600/15min ≈ 40/min, comfortably * above the polling rate but tight enough to short-circuit a misbehaving * client or a credential-stuffing scan. */ const MAX_STATUS_CHECKS_PER_WINDOW = 600; /** * Max revoke attempts per user per 15-minute window. */ const MAX_REVOKE_ATTEMPTS = 10; /** * Whitelisted keys for the `device` payload sent by the mobile app on the * scan call. Anything outside this set is dropped before storage. * * `brand` is Android-only (`Build.BRAND`, e.g. "google", "samsung"); iOS * doesn't have a direct analogue and clients that don't have the field * just leave it absent. * * @var string[] */ const DEVICE_PAYLOAD_KEYS = array( 'os', 'os_version', 'model', 'brand', 'app_version' ); /** * Maximum length (chars) for any individual sanitized device-payload field. * Defends against accidental or hostile bloat ending up in transients and * the Application Password name. */ const DEVICE_FIELD_MAX_LENGTH = 64; /** * State machine values for the per-token record. Transitions are gated * by an explicit `current_state` check at the top of each handler * (scan/approve/exchange) so the only writers are the handlers themselves. */ const STATE_PENDING = 'pending'; const STATE_SCANNED = 'scanned'; const STATE_APPROVED = 'approved'; const STATE_REJECTED = 'rejected'; const STATE_EXPIRED = 'expired'; const STATE_CONSUMED = 'consumed'; /** * Pick window after the app scans a QR (seconds). The merchant has this * long to tap the matching number on wc-admin before the session * auto-rejects. Short enough to limit replay; long enough for a confused * user to read the phone, find their browser, and click. */ const CHALLENGE_TTL_SECONDS = 90; /** * Length (bytes pre-bin2hex) of the exchange-grant nonce minted on * approval. The grant gates the final `/qr-login-exchange` call so an * attacker who learned the token can't race the legit app to exchange * after approval. 32 bytes = 64 hex chars = 256 bits of entropy. */ const EXCHANGE_GRANT_BYTES = 32; /** * Invalid exchange grants allowed before the token is terminally rejected. */ const MAX_INVALID_GRANT_ATTEMPTS = 3; /** * Transient prefix mapping `session_id` → `token_hash` so the mobile-side * `/qr-login-session-status` poll can resolve a session id back to the * underlying token record without exposing the original token to the * polling channel. */ const SESSION_TRANSIENT_PREFIX = '_wc_qr_login_session_'; /** * Rate limit for /qr-login-scan (per IP per 15 min). */ const MAX_SCAN_PER_WINDOW = 10; /** * Rate limit for /qr-login-approve (per user per 15 min). */ const MAX_APPROVE_PER_WINDOW = 20; /** * Rate limit for /qr-login-session-status (per session id per 15 min). * * Accounts for ~2-s polling over a 90-s challenge window plus headroom. */ const MAX_SESSION_STATUS_PER_WINDOW = 60; /** * Register routes. * * @return void */ public function register_routes() { // Generate a QR login token (requires authentication and `manage_woocommerce` capability). register_rest_route( $this->namespace, '/' . $this->rest_base . '/qr-login-token', array( array( 'methods' => \WP_REST_Server::CREATABLE, 'callback' => array( $this, 'generate_token' ), 'permission_callback' => array( $this, 'get_items_permissions_check' ), ), 'schema' => array( $this, 'get_public_item_schema' ), ) ); // Exchange a QR login token for Application Password (no authentication required). // The device payload is captured at /qr-login-scan time and sourced from the // approved record — the exchange call only needs the token + grant nonce. register_rest_route( $this->namespace, '/' . $this->rest_base . '/qr-login-exchange', array( array( 'methods' => \WP_REST_Server::CREATABLE, 'callback' => array( $this, 'exchange_token' ), 'permission_callback' => '__return_true', 'args' => array( 'token' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field', ), // Soft-required: the handler enforces presence + validity // via constant-time comparison and returns a clear // `invalid_exchange_grant` 412 if missing. We don't make // it `required: true` at the schema layer because that // would short-circuit earlier checks (HTTPS, invalid // token, rate limit) with a generic WP validation 400 // before our diagnostic responses can fire. 'exchange_grant' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field', ), ), ), 'schema' => array( $this, 'get_public_item_schema' ), ) ); // Poll for token status (consumed yet?). Used by wc-admin to transition // the modal from "QR shown" to "Signed in successfully on {device}". register_rest_route( $this->namespace, '/' . $this->rest_base . '/qr-login-status', array( array( 'methods' => \WP_REST_Server::CREATABLE, 'callback' => array( $this, 'get_status' ), 'permission_callback' => array( $this, 'get_items_permissions_check' ), 'args' => array( 'token' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field', ), ), ), 'schema' => array( $this, 'get_public_item_schema' ), ) ); // Revoke (delete) the Application Password issued by an exchange. The // user must own the AP — verified inside the callback via the WP API. register_rest_route( $this->namespace, '/' . $this->rest_base . '/qr-login-revoke', array( array( 'methods' => \WP_REST_Server::DELETABLE, 'callback' => array( $this, 'revoke_password' ), 'permission_callback' => array( $this, 'get_items_permissions_check' ), 'args' => array( 'uuid' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field', ), ), ), 'schema' => array( $this, 'get_public_item_schema' ), ) ); // Mobile app reports the QR was scanned. Server generates the // number-match challenge and returns the *real* number to the app // only. Public — token + capability flag are the auth. register_rest_route( $this->namespace, '/' . $this->rest_base . '/qr-login-scan', array( array( 'methods' => \WP_REST_Server::CREATABLE, 'callback' => array( $this, 'scan_token' ), 'permission_callback' => '__return_true', 'args' => array( 'token' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field', ), // The device payload is required: it shows up in the // merchant's "match this number" device card, in the // Application Password name, and in the sign-in // notification email. Mobile clients always have these // fields available from the platform SDK (Build.MODEL, // UIDevice.current.model, etc.), so requiring the // payload at the protocol level keeps every downstream // surface honest. 'device' => array( 'required' => true, 'type' => 'object', 'properties' => array( 'os' => array( 'type' => 'string' ), 'os_version' => array( 'type' => 'string' ), 'model' => array( 'type' => 'string' ), 'brand' => array( 'type' => 'string' ), 'app_version' => array( 'type' => 'string' ), ), ), // Capability flag the mobile app sets to advertise that // it implements the number-matching protocol. Reserved // for future protocol bumps that might gate behavior on // further capability bits. 'supports_number_matching' => array( 'required' => true, 'type' => 'boolean', ), ), ), 'schema' => array( $this, 'get_public_item_schema' ), ) ); // Merchant taps a number on wc-admin. Server validates against the // stored real number with hash_equals; correct → approved, wrong → // rejected (terminal, no retry). register_rest_route( $this->namespace, '/' . $this->rest_base . '/qr-login-approve', array( array( 'methods' => \WP_REST_Server::CREATABLE, 'callback' => array( $this, 'approve_token' ), 'permission_callback' => array( $this, 'get_items_permissions_check' ), 'args' => array( 'token' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field', ), 'choice' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field', ), ), ), 'schema' => array( $this, 'get_public_item_schema' ), ) ); // Mobile app polls this with the session id returned from /scan. // While in `scanned` we say so; on `approved` we hand over the // short-lived `exchange_grant` nonce required by the final // /qr-login-exchange call. register_rest_route( $this->namespace, '/' . $this->rest_base . '/qr-login-session-status', array( array( 'methods' => \WP_REST_Server::READABLE, 'callback' => array( $this, 'get_session_status' ), 'permission_callback' => '__return_true', 'args' => array( 'session_id' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field', ), 'token_hash' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field', ), ), ), 'schema' => array( $this, 'get_public_item_schema' ), ) ); // Cheap up-front capability check so wc-admin can render a permanently // disabled QR card (rather than spin up a token request that will fail) // when application passwords are unavailable on this site. Same gate as // the token endpoint so a subscriber cannot probe site configuration. register_rest_route( $this->namespace, '/' . $this->rest_base . '/qr-login-availability', array( array( 'methods' => \WP_REST_Server::READABLE, 'callback' => array( $this, 'get_availability' ), 'permission_callback' => array( $this, 'get_items_permissions_check' ), ), 'schema' => array( $this, 'get_public_item_schema' ), ) ); parent::register_routes(); } /** * Check whether the current user can generate a QR login token. * * Requires the `manage_woocommerce` capability, which covers administrators and * shop managers out of the box. The check is deliberately explicit (not routed * through `wc_rest_check_manager_permissions()`) so it cannot be loosened by the * `woocommerce_rest_check_permissions` filter that other Admin API endpoints share. * * @param \WP_REST_Request<array<string, mixed>> $request The REST request (unused). * @return \WP_Error|bool True if the user has the required capability, WP_Error otherwise. */ public function get_items_permissions_check( $request ) { unset( $request ); // Parameter required by WP REST contract but unused here. if ( ! current_user_can( 'manage_woocommerce' ) ) { return new \WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you are not allowed to generate a mobile app QR login token.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) ); } return true; } /** * Check if Application Passwords are available. * * @return bool */ private function are_application_passwords_available() { return function_exists( 'wp_is_application_passwords_available' ) && wp_is_application_passwords_available(); } /** * Return a REST response carrying WordPress' no-cache headers. * * @param array<string, mixed> $data Response payload. * @return \WP_REST_Response */ private function rest_ensure_nocache_response( array $data ): \WP_REST_Response { $response = rest_ensure_response( $data ); foreach ( wp_get_nocache_headers() as $header_name => $header_value ) { if ( false === $header_value ) { continue; } $response->header( $header_name, (string) $header_value ); } return $response; } /** * Reason codes returned by `/qr-login-availability` so wc-admin can * tailor the disabled card to the specific cause. */ const AVAILABILITY_REASON_HTTPS_REQUIRED = 'https_required'; const AVAILABILITY_REASON_AP_UNSUPPORTED = 'application_passwords_unsupported'; const AVAILABILITY_REASON_AP_DISABLED_BY_FILTER = 'application_passwords_disabled_by_filter'; /** * Report whether QR login is currently available on this site. * * Lets wc-admin render a permanently-disabled QR card with the right * explanation up-front, instead of mounting `<QRDirectLoginCode />`, * spinning, calling `/qr-login-token`, and only then showing a generic * error. The reason code is the heuristic best we can do without each * security plugin self-identifying: * * - `https_required` — `is_ssl()` is false or the raw/final `siteurl` is * `http://`. The most common cause is a local dev environment; * production sites without HTTPS can't use QR login at all. * - `application_passwords_unsupported` — WordPress core's own support * gate (`wp_is_application_passwords_supported()`) returns false. * Ships true on every modern WP host that has SSL or is local; false * here typically means the site is non-local + non-SSL. * - `application_passwords_disabled_by_filter` — the WP support gate * passes, but the `wp_is_application_passwords_available` filter * returns false. This is the case where a security plugin (Wordfence, * Solid Security, etc.) or a custom code snippet has explicitly * disabled application passwords. We can't name the exact source from * the filter alone; the docs link in the merchant-facing UI covers it. * * `nocache_headers()` so an upstream cache cannot pin a stale * "unavailable" response for a site that just installed an HTTPS cert. * * @param \WP_REST_Request<array<string, mixed>> $request The REST request (unused). * @return \WP_REST_Response */ public function get_availability( $request ): \WP_REST_Response { unset( $request ); nocache_headers(); $site_url = $this->get_secure_site_url(); $https_ok = ! is_wp_error( $site_url ); $ap_supported = function_exists( 'wp_is_application_passwords_supported' ) && wp_is_application_passwords_supported(); $ap_available = $this->are_application_passwords_available(); $https_ok = is_ssl() && $https_ok; $available = $https_ok && $ap_available; $reason = null; if ( ! $available ) { if ( ! $https_ok ) { $reason = self::AVAILABILITY_REASON_HTTPS_REQUIRED; } elseif ( ! $ap_supported ) { $reason = self::AVAILABILITY_REASON_AP_UNSUPPORTED; } else { $reason = self::AVAILABILITY_REASON_AP_DISABLED_BY_FILTER; } } return $this->rest_ensure_nocache_response( array( 'available' => $available, 'reason' => $reason, ) ); } /** * Check rate limit for token generation. * * @param int $user_id The user ID. * @return bool True if within rate limit. */ private function check_generation_rate_limit( $user_id ) { return QRLoginRateLimits::consume( QRLoginRateLimits::BUCKET_GENERATION, (string) $user_id ); } /** * Broad anonymous abuse guard for token exchange. * * This intentionally has a high ceiling. It is only meant to slow obvious * unauthenticated floods; valid-token and invalid-token traffic use separate * lower buckets so a few random requests from a shared proxy IP cannot block * legitimate QR login exchanges. * * @return bool True if within rate limit. */ private function check_exchange_ip_rate_limit() { return QRLoginRateLimits::consume( QRLoginRateLimits::BUCKET_EXCHANGE_IP, $this->get_client_ip() ); } /** * Check rate limit for random/nonexistent exchange tokens. * * @return bool True if within rate limit. */ private function check_invalid_exchange_rate_limit() { return QRLoginRateLimits::consume( QRLoginRateLimits::BUCKET_INVALID_EXCHANGE, $this->get_client_ip() ); } /** * Check rate limit for random/nonexistent scan tokens. * * @return bool True if within rate limit. */ private function check_invalid_scan_rate_limit() { return QRLoginRateLimits::consume( QRLoginRateLimits::BUCKET_INVALID_SCAN, $this->get_client_ip() ); } /** * Check rate limit for exchange attempts against a valid token. * * @param string $token_hash SHA-256 hash of the plaintext token. * @return bool True if within rate limit. */ private function check_valid_exchange_rate_limit( $token_hash ) { return QRLoginRateLimits::consume( QRLoginRateLimits::BUCKET_VALID_EXCHANGE, $token_hash ); } /** * Get the client IP address used as the per-IP rate-limit key. * * Uses `REMOTE_ADDR` exclusively. We intentionally do not honor * `HTTP_X_FORWARDED_FOR` here: the exchange endpoint is unauthenticated, and * without a project-wide trusted-proxy list we cannot tell a legitimate * proxy header from an attacker-supplied one. Trusting the first XFF value * would let any client choose a fresh rate-limit bucket per request and * bypass per-IP caps. On sites behind a CDN/load balancer that all clients * share, REMOTE_ADDR is the proxy IP, so exchange uses broad IP throttling * only as an abuse guard and relies on token-scoped buckets for security. * * @return string */ private function get_client_ip() { if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) { return sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ); } return ''; } /** * Build the option name used for a token exchange claim. * * @param string $token_hash SHA-256 hash of the plaintext token. * @return string */ private function get_token_claim_key( $token_hash ) { return self::CLAIM_OPTION_PREFIX . $token_hash; } /** * Atomically claim a token for exchange using the options table. * * `add_option()` is backed by a unique option_name constraint, so it works * across PHP workers even on default installs without a persistent object * cache. Stale claims are cleaned only if their stored value still matches * the value this request observed, avoiding deletion of another worker's * fresh claim. * * @param string $token_hash SHA-256 hash of the plaintext token. * @param int $expires_at Unix timestamp when the token expires. * @return bool True if the claim was acquired. */ private function claim_token_for_exchange( $token_hash, $expires_at ) { return $this->claim_token_with_option_key( $this->get_token_claim_key( $token_hash ), $expires_at ); } /** * Atomically claim a token using an option key. * * @param string $claim_key Option key used as the claim mutex. * @param int $expires_at Unix timestamp when the token expires. * @return bool True if the claim was acquired. */ private function claim_token_with_option_key( $claim_key, $expires_at ) { $claim_expires_at = max( time() + 30, (int) $expires_at ); if ( add_option( $claim_key, (string) $claim_expires_at, '', false ) ) { return true; } $existing_expires_at = (int) get_option( $claim_key, 0 ); if ( $existing_expires_at > 0 && $existing_expires_at <= time() ) { $this->delete_claim_if_value_matches( $claim_key, (string) $existing_expires_at ); return add_option( $claim_key, (string) $claim_expires_at, '', false ); } return false; } /** * Delete a claim option only if it still has the value this request observed. * * @param string $claim_key Option key used as the claim mutex. * @param string $observed_claim_value Claim expiry value previously read from the option. * @return bool True if the observed stale claim was deleted. */ private function delete_claim_if_value_matches( $claim_key, $observed_claim_value ) { global $wpdb; $result = $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->options} WHERE option_name = %s AND option_value = %s", $claim_key, $observed_claim_value ) ); if ( false === $result ) { wc_get_logger()->warning( sprintf( 'QR login stale-claim cleanup query failed for %s: %s', $claim_key, $wpdb->last_error ), array( 'source' => 'mobile-app-qr-login' ) ); } wp_cache_delete( $claim_key, 'options' ); return (int) $result > 0; } /** * Release a token exchange claim. * * @param string $token_hash SHA-256 hash of the plaintext token. * @return void */ private function release_token_exchange_claim( $token_hash ) { delete_option( $this->get_token_claim_key( $token_hash ) ); } /** * Atomically claim a token for scan. Mirrors `claim_token_for_exchange()` * (same `add_option()` unique-constraint mutex, same staleness recovery) * but uses its own option key so the scan and exchange windows are * independent. * * Without this, two concurrent `/qr-login-scan` requests both pass the * `state === pending` gate, both write a fresh challenge, and the last * writer wins — leaving the loser's session_id silently orphaned and * pointing at the wrong challenge. * * @param string $token_hash SHA-256 hash of the plaintext token. * @param int $expires_at Unix timestamp when the token expires. * @return bool True if the claim was acquired. */ private function claim_token_for_scan( $token_hash, $expires_at ) { return $this->claim_token_with_option_key( self::SCAN_CLAIM_OPTION_PREFIX . $token_hash, $expires_at ); } /** * Release a token scan claim owned by this request. * * @param string $token_hash SHA-256 hash of the plaintext token. * @return void */ private function release_token_scan_claim( $token_hash ) { delete_option( self::SCAN_CLAIM_OPTION_PREFIX . $token_hash ); } /** * Atomically claim a token for approval. * * @param string $token_hash SHA-256 hash of the plaintext token. * @param int $expires_at Unix timestamp when the claim should expire. * @return bool True if the claim was acquired. */ private function claim_token_for_approval( $token_hash, $expires_at ) { return $this->claim_token_with_option_key( self::APPROVE_CLAIM_OPTION_PREFIX . $token_hash, $expires_at ); } /** * Release a token approval claim owned by this request. * * @param string $token_hash SHA-256 hash of the plaintext token. * @return void */ private function release_token_approval_claim( $token_hash ) { delete_option( self::APPROVE_CLAIM_OPTION_PREFIX . $token_hash ); } /** * Get the remaining storage TTL for a token record. * * @param array<string, mixed> $token_data Token record. * @return int Remaining TTL in seconds. */ private function get_token_record_ttl( array $token_data ) { return max( 1, isset( $token_data['expires_at'] ) ? (int) $token_data['expires_at'] - time() : self::TOKEN_TTL ); } /** * Delete the session-id to token-hash mapping for a token record. * * @param array<string, mixed> $token_data Token record. * @return void */ private function delete_session_mapping_for_record( array $token_data ) { if ( empty( $token_data['challenge']['session_id'] ) ) { return; } delete_transient( self::SESSION_TRANSIENT_PREFIX . hash( 'sha256', (string) $token_data['challenge']['session_id'] ) ); } /** * Validate that the configured site URL is HTTPS and return it. * * `is_ssl()` only tells us the current REQUEST is HTTPS — it says nothing about * the canonical site URL WordPress is configured to advertise. `get_site_url()` * itself is also insufficient because it passes its result through * `set_url_scheme()`, which rewrites the scheme to match `is_ssl()` — so * `get_site_url()` will return `https://…` whenever the request happens to be * HTTPS, masking a stale `http://` `siteurl` option underneath. We therefore * check the RAW stored option, which is what reflects admin configuration * and what shows up in reset-password emails, webhooks, canonical redirects, * etc. If that is `http://`, a misconfigured proxy that terminated TLS before * reaching PHP could still cause this endpoint to hand the mobile app a cleartext * site URL for the token-exchange POST. * * We deliberately reject (rather than silently normalizing to `https://`) * because: * 1. The misconfig usually affects other things (reset-password emails, * webhooks, canonical redirects). Failing loudly surfaces it. * 2. Normalizing assumes the site actually serves HTTPS on the same host, * which we cannot verify from within a single request. * 3. A 500 is strictly safer than a leaky success. * * @return string|\WP_Error The HTTPS site URL, or a WP_Error if it is not HTTPS. */ private function get_secure_site_url() { // Raw option: what the admin actually configured, before `set_url_scheme()` // inside `get_site_url()` normalizes it based on the current request's scheme. $raw_site_url = get_option( 'siteurl' ); $raw_scheme = is_string( $raw_site_url ) ? wp_parse_url( $raw_site_url, PHP_URL_SCHEME ) : null; if ( 'https' !== $raw_scheme ) { return new \WP_Error( 'insecure_site_url', __( 'QR login cannot be used because the site URL is not configured for HTTPS. Please update the WordPress Address (URL) in Settings → General to use https://.', 'woocommerce' ), array( 'status' => 500 ) ); } // Use get_site_url() for the returned value so any scheme normalization // or filtering that WordPress applies downstream is preserved, then // validate the final value too. A plugin can still filter `site_url` // after the raw option check above; never hand the mobile app an // HTTP exchange target. $site_url = get_site_url(); $final_scheme = wp_parse_url( $site_url, PHP_URL_SCHEME ); if ( 'https' !== $final_scheme ) { return new \WP_Error( 'insecure_site_url', __( 'QR login cannot be used because the site URL is not configured for HTTPS. Please update the WordPress Address (URL) in Settings → General to use https://.', 'woocommerce' ), array( 'status' => 500 ) ); } return $site_url; } /** * Generate a QR login token. * * Creates a short-lived one-time token that can be exchanged for an Application * Password by the mobile app. The caller is assumed to have already passed the * `manage_woocommerce` capability check in `get_items_permissions_check()`. * * @param \WP_REST_Request<array<string, mixed>> $request Full details about the request. * @return \WP_REST_Response|\WP_Error */ public function generate_token( $request ) { unset( $request ); // Parameter required by WP REST contract but unused here. // Check HTTPS. if ( ! is_ssl() ) { return new \WP_Error( 'ssl_required', __( 'QR login requires an HTTPS connection.', 'woocommerce' ), array( 'status' => 403 ) ); } // Verify the canonical site URL is HTTPS — is_ssl() alone is not enough // when WordPress is behind a misconfigured proxy. $site_url = $this->get_secure_site_url(); if ( is_wp_error( $site_url ) ) { return $site_url; } // Check Application Passwords are available. if ( ! $this->are_application_passwords_available() ) { return new \WP_Error( 'application_passwords_unavailable', __( 'Application Passwords are not available on this site.', 'woocommerce' ), array( 'status' => 501 ) ); } // Check rate limit. if ( ! $this->check_generation_rate_limit( get_current_user_id() ) ) { return new \WP_Error( 'rate_limit_exceeded', __( 'Too many QR login requests. Please try again later.', 'woocommerce' ), array( 'status' => 429 ) ); } // Generate a cryptographically secure token. $token = wp_generate_password( 64, false ); $token_hash = hash( 'sha256', $token ); $now = time(); $expires_at = $now + self::TOKEN_TTL; // Structured state-machine record. Subsequent transitions // (scan/approve/exchange) gate themselves on the current state at the // top of each handler. $token_data = array( 'state' => self::STATE_PENDING, 'created_at' => $now, 'state_at' => $now, 'user_id' => get_current_user_id(), 'site_url' => $site_url, 'expires_at' => $expires_at, ); set_transient( self::TOKEN_TRANSIENT_PREFIX . $token_hash, $token_data, self::TOKEN_TTL ); // Build the QR URL (deep link for the mobile app). $qr_url = sprintf( 'woocommerce://qr-login?token=%s&siteUrl=%s', rawurlencode( $token ), rawurlencode( $site_url ) ); return rest_ensure_response( array( 'qr_url' => $qr_url, 'expires_at' => $expires_at, 'ttl' => self::TOKEN_TTL, ) ); } /** * Exchange a QR login token for an Application Password. * * This endpoint does not require authentication — the token serves * as the authentication mechanism. * * @param \WP_REST_Request<array<string, mixed>> $request Full details about the request. * @return \WP_REST_Response|\WP_Error */ public function exchange_token( $request ) { // Refuse to return credentials over a non-HTTPS request. if ( ! is_ssl() ) { return new \WP_Error( 'ssl_required', __( 'QR login requires an HTTPS connection.', 'woocommerce' ), array( 'status' => 403 ) ); } // Refuse to return credentials bound to a non-HTTPS site URL — see // get_secure_site_url() for rationale. A token that was minted while the // siteurl was still https:// but has since been changed to http:// should // also be refused here. $site_url = $this->get_secure_site_url(); if ( is_wp_error( $site_url ) ) { return $site_url; } // Defensive sanitize even though the REST `sanitize_callback` already // did so — guards against future refactors that bypass the callback. $token = sanitize_text_field( (string) $request->get_param( 'token' ) ); $token_hash = hash( 'sha256', $token ); $key = self::TOKEN_TRANSIENT_PREFIX . $token_hash; $token_data = get_transient( $key ); if ( ! is_array( $token_data ) ) { if ( ! $this->check_invalid_exchange_rate_limit() ) { return new \WP_Error( 'rate_limit_exceeded', __( 'Too many exchange attempts. Please try again later.', 'woocommerce' ), array( 'status' => 429 ) ); } return new \WP_Error( 'invalid_token', __( 'Invalid or expired QR login token.', 'woocommerce' ), array( 'status' => 401 ) ); } // Broad anonymous abuse guard applies only after token lookup. Random // invalid requests use the invalid-token bucket above so they cannot // exhaust this shared-IP guard for later valid exchanges behind the same // proxy/CDN IP. if ( ! $this->check_exchange_ip_rate_limit() ) { return new \WP_Error( 'rate_limit_exceeded', __( 'Too many exchange attempts. Please try again later.', 'woocommerce' ), array( 'status' => 429 ) ); } if ( ! $this->check_valid_exchange_rate_limit( $token_hash ) ) { return new \WP_Error( 'rate_limit_exceeded', __( 'Too many exchange attempts. Please try again later.', 'woocommerce' ), array( 'status' => 429 ) ); } if ( ! $this->claim_token_for_exchange( $token_hash, isset( $token_data['expires_at'] ) ? (int) $token_data['expires_at'] : time() + self::TOKEN_TTL ) ) { return new \WP_Error( 'invalid_token', __( 'Invalid or expired QR login token.', 'woocommerce' ), array( 'status' => 401 ) ); } // Re-read after acquiring the database claim in case another process // consumed or expired the token while this request was waiting. $token_data = get_transient( $key ); if ( ! is_array( $token_data ) ) { $this->release_token_exchange_claim( $token_hash ); return new \WP_Error( 'invalid_token', __( 'Invalid or expired QR login token.', 'woocommerce' ), array( 'status' => 401 ) ); } // Validate token hasn't expired (belt and suspenders with transient TTL). if ( ! empty( $token_data['expires_at'] ) && time() >= (int) $token_data['expires_at'] ) { delete_transient( $key ); $this->delete_session_mapping_for_record( $token_data ); $this->release_token_exchange_claim( $token_hash ); return new \WP_Error( 'token_expired', __( 'QR login token has expired.', 'woocommerce' ), array( 'status' => 401 ) ); } // Number-matching enforcement: exchange must be preceded by /scan + // /approve. Anything other than `approved` (including `pending` — // scan was skipped — and `scanned` — scan completed but merchant // didn't tap a number yet) is a hard 412. $current_state = isset( $token_data['state'] ) ? (string) $token_data['state'] : self::STATE_PENDING; if ( self::STATE_APPROVED !== $current_state ) { $this->release_token_exchange_claim( $token_hash ); return new \WP_Error( 'qr_login_not_approved', __( 'This QR login session has not been approved.', 'woocommerce' ), array( 'status' => 412 ) ); } // Constant-time grant comparison. The grant is bound to this token // at /approve time and only handed back to the polling app via // /session-status, so an attacker who somehow learned the token // can't race the legit app to exchange after approval. $submitted_grant = (string) $request->get_param( 'exchange_grant' ); $stored_grant = isset( $token_data['exchange_grant'] ) ? (string) $token_data['exchange_grant'] : ''; if ( '' === $stored_grant || ! hash_equals( $stored_grant, $submitted_grant ) ) { $invalid_grant_attempts = isset( $token_data['invalid_grant_attempts'] ) ? (int) $token_data['invalid_grant_attempts'] : 0; ++$invalid_grant_attempts; $token_data['invalid_grant_attempts'] = $invalid_grant_attempts; $token_data['invalid_grant_last_attempted_at'] = time(); if ( $invalid_grant_attempts >= self::MAX_INVALID_GRANT_ATTEMPTS ) { $token_data['state'] = self::STATE_REJECTED; $token_data['state_at'] = time(); wc_get_logger()->warning( 'QR login rejected after repeated invalid exchange grants', array( 'source' => 'qr-login-security', 'user_id' => isset( $token_data['user_id'] ) ? (int) $token_data['user_id'] : 0, 'ip' => $this->get_client_ip(), ) ); } set_transient( $key, $token_data, $this->get_token_record_ttl( $token_data ) ); $this->release_token_exchange_claim( $token_hash ); return new \WP_Error( 'invalid_exchange_grant', __( 'Invalid exchange grant for this QR login session.', 'woocommerce' ), array( 'status' => 412 ) ); }//end if $user_id = $token_data['user_id']; $user = get_userdata( $user_id ); if ( ! $user ) { $this->release_token_exchange_claim( $token_hash ); return new \WP_Error( 'user_not_found', __( 'User associated with this token no longer exists.', 'woocommerce' ), array( 'status' => 404 ) ); } // Application Passwords may have been disabled after the token was minted. if ( ! $this->are_application_passwords_available() ) { $this->release_token_exchange_claim( $token_hash ); return new \WP_Error( 'application_passwords_unavailable', __( 'Application Passwords are not available on this site.', 'woocommerce' ), array( 'status' => 501 ) ); } // Mirror the permission check WP core performs in // WP_REST_Application_Passwords_Controller::create_item_permissions_check(). // Capability or per-user availability filters could have changed in the // window between token generation and exchange. if ( ! user_can( $user, 'create_app_password', $user_id ) ) { $this->release_token_exchange_claim( $token_hash ); return new \WP_Error( 'rest_cannot_create_application_passwords', __( 'Application passwords are not available for your account. Please contact the site administrator for assistance.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) ); } // Source the device payload from the scan record. /qr-login-scan // requires a device object, so by the time we reach `approved` it's // guaranteed present. Re-sanitize defensively in case the transient // was tampered with at the storage layer. $device_source = isset( $token_data['challenge']['device'] ) && is_array( $token_data['challenge']['device'] ) ? $token_data['challenge']['device'] : array(); $device = $this->sanitize_device_payload( $device_source ); // Create an Application Password for the mobile app. The name is // descriptive (e.g. "Woo Mobile · iPhone 15 · 2026-04-28") so the user // can identify it later in Users → Profile → Application Passwords. $app_password_result = \WP_Application_Passwords::create_new_application_password( $user_id, array( 'name' => $this->format_application_password_name( $device ), 'app_id' => self::APP_ID, ) ); if ( is_wp_error( $app_password_result ) ) { wc_get_logger()->error( sprintf( 'QR login: failed to create Application Password for user %d: %s', $user_id, $app_password_result->get_error_message() ), array( 'source' => 'mobile-app-qr-login' ) ); $this->release_token_exchange_claim( $token_hash ); return new \WP_Error( 'application_password_failed', __( 'Could not create a mobile-app credential. Please try again, or contact your site administrator.', 'woocommerce' ), array( 'status' => 500 ) ); } list( $new_password, $item ) = $app_password_result; // Write a "consumed" record so wc-admin's polling client can transition // from "QR shown" to "Signed in successfully on {device}" and surface // a revoke button. Same TTL as the original token transient — there's // no value in keeping this record longer than the modal that polls it. $consumed_record = array( 'consumed_at' => time(), 'user_id' => $user_id, 'ap_uuid' => $item['uuid'], 'ap_name' => $item['name'], 'device' => $device, ); set_transient( self::CONSUMED_TRANSIENT_PREFIX . $token_hash, $consumed_record, self::TOKEN_TTL ); // One-shot: consume only after the Application Password has been // successfully created and the consumed record is visible to wc-admin's // polling client. delete_transient( $key ); $this->delete_session_mapping_for_record( $token_data ); $this->release_token_exchange_claim( $token_hash ); // Notify the merchant out-of-band so they're aware of a fresh sign-in // even when they aren't currently looking at wc-admin. Wrapped in a // try/catch + filter to keep the exchange path uninterrupted if the // site's mailer is misconfigured. $this->maybe_send_sign_in_notification_email( $user, $consumed_record ); return rest_ensure_response( array( 'success' => true, 'user_login' => $user->user_login, 'user_email' => $user->user_email, 'user_id' => $user_id, 'site_url' => $site_url, 'application_password' => $new_password, 'uuid' => $item['uuid'], ) ); } /** * Get the status of a previously generated QR login token. * * Used by the wc-admin UI to poll while the QR is on screen. Returns one of: * - `pending` — token transient exists, has not been exchanged yet. * - `consumed` — token has been exchanged; payload includes the device that * signed in and the AP UUID so the UI can render the * confirmation panel and (optionally) revoke the AP. * - `expired` — neither transient exists, so the token has expired or * was never valid for this user. * * The user calling this endpoint must be the same user who minted the token. * That's defense in depth — tokens are 64 random chars and not realistically * guessable, but cross-user status reads should be impossible regardless. * * @param \WP_REST_Request<array<string, mixed>> $request Full details about the request. * @return \WP_REST_Response|\WP_Error */ public function get_status( $request ) { // Defeat any intermediary cache (Cloudflare, NGINX micro-cache, browser, edge proxy) // that might pin this GET to its first response. Polling endpoints are by definition // state-bearing — every tick must see the live transient. Returning a stale `scanned` // response forever is exactly the symptom we'd see if the cache pins the first hit. nocache_headers(); $user_id = get_current_user_id(); if ( ! $this->check_status_rate_limit( $user_id ) ) { return new \WP_Error( 'rate_limit_exceeded', __( 'Too many QR login status checks. Please try again later.', 'woocommerce' ), array( 'status' => 429 ) ); } $token = (string) $request->get_param( 'token' ); if ( '' === $token ) { return $this->rest_ensure_nocache_response( array( 'status' => 'expired' ) ); } $token_hash = hash( 'sha256', $token ); // Consumed lookup first — once a token has been exchanged the main // transient is deleted, but we keep a one-way breadcrumb at the // `_wc_qr_login_consumed_` key so the polling client (which still // has the plaintext token) can render the success panel. $consumed = get_transient( self::CONSUMED_TRANSIENT_PREFIX . $token_hash ); if ( is_array( $consumed ) ) { if ( ! isset( $consumed['user_id'] ) || (int) $consumed['user_id'] !== (int) $user_id ) { return $this->rest_ensure_nocache_response( array( 'status' => 'expired' ) ); } return $this->rest_ensure_nocache_response( array( 'status' => self::STATE_CONSUMED, 'consumed_at' => isset( $consumed['consumed_at'] ) ? (int) $consumed['consumed_at'] : null, 'ap_uuid' => isset( $consumed['ap_uuid'] ) ? (string) $consumed['ap_uuid'] : null, 'ap_name' => isset( $consumed['ap_name'] ) ? (string) $consumed['ap_name'] : null, 'device' => isset( $consumed['device'] ) && is_array( $consumed['device'] ) ? $consumed['device'] : array(), ) ); } $record = get_transient( self::TOKEN_TRANSIENT_PREFIX . $token_hash ); if ( ! is_array( $record ) ) { return $this->rest_ensure_nocache_response( array( 'status' => self::STATE_EXPIRED ) ); } // Cross-user defense in depth — same as before. if ( ! isset( $record['user_id'] ) || (int) $record['user_id'] !== (int) $user_id ) { return $this->rest_ensure_nocache_response( array( 'status' => self::STATE_EXPIRED ) ); } $state = isset( $record['state'] ) ? (string) $record['state'] : self::STATE_PENDING; // Rejected / expired states are terminal — surface them directly so // wc-admin can render the "Login denied" terminal screen. if ( in_array( $state, array( self::STATE_REJECTED, self::STATE_EXPIRED ), true ) ) { return $this->rest_ensure_nocache_response( array( 'status' => $state ) ); } if ( ! empty( $record['expires_at'] ) && time() >= (int) $record['expires_at'] ) { return $this->rest_ensure_nocache_response( array( 'status' => self::STATE_EXPIRED ) ); } // While in `scanned`, surface the shuffled candidate triple and the // device that scanned so wc-admin can render the matching UI. The // REAL number is never returned via this endpoint — only the // shuffled triple of (real + 2 distractors) is, so an XSS / hostile // extension can't read which one is correct from JS state. if ( self::STATE_SCANNED === $state ) { $challenge = isset( $record['challenge'] ) && is_array( $record['challenge'] ) ? $record['challenge'] : array(); $numbers = $this->shuffled_candidate_numbers( $challenge ); return $this->rest_ensure_nocache_response( array( 'status' => self::STATE_SCANNED, 'numbers' => $numbers, 'device' => isset( $challenge['device'] ) && is_array( $challenge['device'] ) ? $challenge['device'] : array(), 'expires_at' => isset( $challenge['expires_at'] ) ? (int) $challenge['expires_at'] : null, ) ); } // Approved (post-tap, pre-exchange) — surface so a wc-admin tab that // reloaded between approve and exchange shows the "Signing in…" // transitional state rather than going back to the QR. if ( self::STATE_APPROVED === $state ) { return $this->rest_ensure_nocache_response( array( 'status' => self::STATE_APPROVED ) ); } // Pending: same shape as before, plus the new `state` field for // clients that want to switch on it directly. return $this->rest_ensure_nocache_response( array( 'status' => self::STATE_PENDING, 'expires_at' => isset( $record['expires_at'] ) ? (int) $record['expires_at'] : null, ) ); } /** * Revoke (delete) the Application Password issued by a QR login exchange. * * The current user must own the AP being revoked — verified via * `WP_Application_Passwords::get_user_application_password()`. We * deliberately do NOT use `current_user_can( 'edit_user', $user_id )` * because that would let a higher-privilege admin revoke another user's AP * here; the QR flow's revoke surface is for "I just authorized this — undo," * not for site-wide AP management (which lives at Users → Profile). * * @param \WP_REST_Request<array<string, mixed>> $request Full details about the request. * @return \WP_REST_Response|\WP_Error */ public function revoke_password( $request ) { $user_id = get_current_user_id(); if ( ! $this->check_revoke_rate_limit( $user_id ) ) { return new \WP_Error( 'rate_limit_exceeded', __( 'Too many QR login revoke attempts. Please try again later.', 'woocommerce' ), array( 'status' => 429 ) ); } if ( ! $this->are_application_passwords_available() ) { return new \WP_Error( 'application_passwords_unavailable', __( 'Application Passwords are not available on this site.', 'woocommerce' ), array( 'status' => 501 ) ); } $uuid = (string) $request->get_param( 'uuid' ); // Ownership check: the AP must exist AND belong to the current user. $ap = \WP_Application_Passwords::get_user_application_password( $user_id, $uuid ); if ( ! is_array( $ap ) ) { return new \WP_Error( 'application_password_not_found', __( 'No matching Application Password to revoke.', 'woocommerce' ), array( 'status' => 404 ) ); } $deleted = \WP_Application_Passwords::delete_application_password( $user_id, $uuid ); if ( true !== $deleted ) { return new \WP_Error( 'application_password_revoke_failed', __( 'Could not revoke the Application Password. Please try again.', 'woocommerce' ), array( 'status' => 500 ) ); } return rest_ensure_response( array( 'success' => true, 'uuid' => $uuid, ) ); } /** * Whitelist + sanitize the `device` payload sent by the mobile app. * * Returns an array of strings keyed by the whitelisted keys defined in * `DEVICE_PAYLOAD_KEYS`. Anything outside that whitelist is dropped. Each * value is run through `sanitize_text_field()` and capped at * `DEVICE_FIELD_MAX_LENGTH` characters. The function is total — pass `null` * or anything non-array and you get back `array()`. * * @param mixed $device Raw payload from the request. * @return array<string, string> */ private function sanitize_device_payload( $device ) { if ( ! is_array( $device ) ) { return array(); } $sanitized = array(); foreach ( self::DEVICE_PAYLOAD_KEYS as $key ) { if ( ! isset( $device[ $key ] ) || ! is_scalar( $device[ $key ] ) ) { continue; } $value = sanitize_text_field( (string) $device[ $key ] ); if ( '' === $value ) { continue; } if ( strlen( $value ) > self::DEVICE_FIELD_MAX_LENGTH ) { $value = substr( $value, 0, self::DEVICE_FIELD_MAX_LENGTH ); } $sanitized[ $key ] = $value; } return $sanitized; } /** * Build a descriptive name for the Application Password issued by the QR * login exchange. * * Preferred: `Woo Mobile · iPhone 15 · 2026-04-28` (model + ISO date). * Falls back to `Woo Mobile · iOS · 2026-04-28` when only the OS is known. * The scan endpoint requires at least model or OS. The legacy fallback is * retained as a defensive guard in case stored token data is corrupted. * * The name is what the merchant sees in WP admin → Users → Profile → * Application Passwords, so it should be human-readable, single-line, and * not contain anything that would only make sense to an engineer. * * @param array<string, string> $device Sanitized device payload. * @return string */ private function format_application_password_name( array $device ): string { $model = isset( $device['model'] ) ? trim( $device['model'] ) : ''; $os = isset( $device['os'] ) ? trim( $device['os'] ) : ''; // Prefer model (e.g. "iPhone 15", "Pixel 10"); fall back to the OS // label if a particular device build returns an empty MODEL string. // Both fields come from the platform SDK on the mobile side and are // effectively always populated, but defending against an empty model // is cheaper than chasing the edge case at runtime. $descriptor = '' !== $model ? $model : $os; if ( '' === $descriptor ) { return __( 'WooCommerce Mobile App (QR Login)', 'woocommerce' ); } // Use the site's configured timezone so the date the merchant sees in // the AP list matches what they'd see in the rest of wp-admin. $date = wp_date( 'Y-m-d' ); /* translators: 1: device descriptor (model or OS, e.g. "iPhone 15"). 2: ISO date the AP was created. */ return sprintf( __( 'Woo Mobile · %1$s · %2$s', 'woocommerce' ), $descriptor, $date ); } /** * Per-user rate limit for the polling status endpoint. * * @param int $user_id The user ID. * @return bool True if within rate limit. */ private function check_status_rate_limit( $user_id ) { return QRLoginRateLimits::consume( QRLoginRateLimits::BUCKET_STATUS, (string) $user_id ); } /** * Per-user rate limit for the revoke endpoint. * * @param int $user_id The user ID. * @return bool True if within rate limit. */ private function check_revoke_rate_limit( $user_id ) { return QRLoginRateLimits::consume( QRLoginRateLimits::BUCKET_REVOKE, (string) $user_id ); } /** * Mobile app reports the QR was scanned. Generates the number-match * challenge, marks the state as `scanned`, and returns the *real* number * + a session id back to the app. Public — the token is the auth. * * Hard-break compat: clients that don't send `supports_number_matching` * get 426 Upgrade Required. The Android Task 7 PR adds the flag; older * apps in the wild see a clear "update required" error. * * @param \WP_REST_Request<array<string, mixed>> $request Full details about the request. * @return \WP_REST_Response|\WP_Error */ public function scan_token( $request ) { if ( ! is_ssl() ) { return new \WP_Error( 'ssl_required', __( 'QR login requires an HTTPS connection.', 'woocommerce' ), array( 'status' => 403 ) ); } if ( true !== (bool) $request->get_param( 'supports_number_matching' ) ) { return new \WP_Error( 'mobile_app_update_required', __( 'This Woo mobile app version is no longer supported for QR sign-in. Please update the app and try again.', 'woocommerce' ), array( 'status' => 426 ) ); } $token = (string) $request->get_param( 'token' ); $token_hash = hash( 'sha256', $token ); $key = self::TOKEN_TRANSIENT_PREFIX . $token_hash; $record = get_transient( $key ); if ( ! is_array( $record ) ) { if ( ! $this->check_invalid_scan_rate_limit() ) { return new \WP_Error( 'rate_limit_exceeded', __( 'Too many QR login scans. Please try again later.', 'woocommerce' ), array( 'status' => 429 ) ); } return new \WP_Error( 'invalid_token', __( 'Invalid or expired QR login token.', 'woocommerce' ), array( 'status' => 401 ) ); } if ( ! $this->check_scan_rate_limit() ) { return new \WP_Error( 'rate_limit_exceeded', __( 'Too many QR login scans. Please try again later.', 'woocommerce' ), array( 'status' => 429 ) ); } $device = $this->sanitize_device_payload( $request->get_param( 'device' ) ); if ( empty( $device['model'] ) && empty( $device['os'] ) ) { return new \WP_Error( 'invalid_device', __( 'QR login requires device information from the mobile app.', 'woocommerce' ), array( 'status' => 400 ) ); } // Atomic mutex on the read-mutate-write window. Without this, two // concurrent scans both pass the state==pending check below and both // write a new challenge — last writer wins, the loser's session_id // is silently orphaned. The state check is kept as defense-in-depth // for any path that bypasses the claim (e.g. the staleness branch). if ( ! $this->claim_token_for_scan( $token_hash, isset( $record['expires_at'] ) ? (int) $record['expires_at'] : time() + self::TOKEN_TTL ) ) { return new \WP_Error( 'qr_login_already_scanned', __( 'This QR login session is no longer accepting scans.', 'woocommerce' ), array( 'status' => 409 ) ); } $current_state = isset( $record['state'] ) ? (string) $record['state'] : self::STATE_PENDING; if ( self::STATE_PENDING !== $current_state ) { $this->release_token_scan_claim( $token_hash ); return new \WP_Error( 'qr_login_already_scanned', __( 'This QR login session is no longer accepting scans.', 'woocommerce' ), array( 'status' => 409 ) ); } $challenge_numbers = $this->generate_challenge_numbers(); $session_id = wp_generate_uuid4(); $now = time(); $token_expires_at = isset( $record['expires_at'] ) ? (int) $record['expires_at'] : $now + self::TOKEN_TTL; if ( $token_expires_at <= $now ) { $this->release_token_scan_claim( $token_hash ); return new \WP_Error( 'invalid_token', __( 'Invalid or expired QR login token.', 'woocommerce' ), array( 'status' => 401 ) ); } $challenge_expires_at = min( $now + self::CHALLENGE_TTL_SECONDS, $token_expires_at ); $challenge_ttl = max( 1, $challenge_expires_at - $now ); // Shuffle the candidate triple ONCE at scan time and persist the chosen ordering so // every subsequent /qr-login-status poll returns the same array. Re-shuffling per-poll // would make the wc-admin tile order flicker every 2.5 s — terrible UX, and makes the // merchant doubt they're reading the right number. $candidates = array_merge( array( $challenge_numbers['real'] ), $challenge_numbers['distractors'] ); shuffle( $candidates ); $record['state'] = self::STATE_SCANNED; $record['state_at'] = $now; $record['challenge'] = array( 'real' => $challenge_numbers['real'], 'distractors' => $challenge_numbers['distractors'], 'shuffled' => $candidates, 'session_id' => $session_id, 'expires_at' => $challenge_expires_at, 'device' => $device, ); // Re-use whatever TTL the original transient had left. The challenge // window itself is capped to the remaining token lifetime, while the // storage TTL keeps the full challenge visible for normal fresh scans. $ttl_left = max( 1, $token_expires_at - $now ); $storage_ttl = min( $ttl_left, self::CHALLENGE_TTL_SECONDS + 30 ); set_transient( $key, $record, $storage_ttl ); // Sibling transient that resolves session_id → token_hash for the // app's session-status poll. Stored hashed so the session id isn't // directly indexable in wp_options. set_transient( self::SESSION_TRANSIENT_PREFIX . hash( 'sha256', $session_id ), $token_hash, $storage_ttl ); $this->release_token_scan_claim( $token_hash ); return rest_ensure_response( array( 'session_id' => $session_id, 'real_number' => $challenge_numbers['real'], 'expires_in' => $challenge_ttl, ) ); } /** * Merchant taps a number on wc-admin. Server validates against the * stored real number with `hash_equals()` (constant-time). Correct → * `approved` + mints `exchange_grant`. Wrong → `rejected` (terminal, * security event logged). One-strike: no retry. * * @param \WP_REST_Request<array<string, mixed>> $request Full details about the request. * @return \WP_REST_Response|\WP_Error */ public function approve_token( $request ) { $user_id = get_current_user_id(); if ( ! $this->check_approve_rate_limit( $user_id ) ) { return new \WP_Error( 'rate_limit_exceeded', __( 'Too many QR login approval attempts. Please try again later.', 'woocommerce' ), array( 'status' => 429 ) ); } $token = (string) $request->get_param( 'token' ); $token_hash = hash( 'sha256', $token ); $key = self::TOKEN_TRANSIENT_PREFIX . $token_hash; $record = get_transient( $key ); if ( ! is_array( $record ) ) { return new \WP_Error( 'invalid_token', __( 'Invalid or expired QR login token.', 'woocommerce' ), array( 'status' => 401 ) ); } $approval_claim_expires_at = ! empty( $record['challenge']['expires_at'] ) ? (int) $record['challenge']['expires_at'] : ( isset( $record['expires_at'] ) ? (int) $record['expires_at'] : time() + self::TOKEN_TTL ); if ( ! $this->claim_token_for_approval( $token_hash, $approval_claim_expires_at ) ) { return new \WP_Error( 'qr_login_approval_in_progress', __( 'This QR login session is already being approved.', 'woocommerce' ), array( 'status' => 409 ) ); } // Re-read after acquiring the database claim in case another request // approved, rejected, or expired the challenge while this one was waiting. $record = get_transient( $key ); if ( ! is_array( $record ) ) { $this->release_token_approval_claim( $token_hash ); return new \WP_Error( 'invalid_token', __( 'Invalid or expired QR login token.', 'woocommerce' ), array( 'status' => 401 ) ); } // Same cross-user defense as get_status — only the user that minted // the token can approve it. if ( ! isset( $record['user_id'] ) || (int) $record['user_id'] !== (int) $user_id ) { $this->release_token_approval_claim( $token_hash ); return new \WP_Error( 'invalid_token', __( 'Invalid or expired QR login token.', 'woocommerce' ), array( 'status' => 401 ) ); } if ( ! empty( $record['expires_at'] ) && time() >= (int) $record['expires_at'] ) { $record['state'] = self::STATE_EXPIRED; $record['state_at'] = time(); set_transient( $key, $record, 60 ); $this->release_token_approval_claim( $token_hash ); return new \WP_Error( 'qr_login_expired', __( 'The QR login challenge has expired. Please generate a new code.', 'woocommerce' ), array( 'status' => 410 ) ); } $current_state = isset( $record['state'] ) ? (string) $record['state'] : self::STATE_PENDING; if ( self::STATE_SCANNED !== $current_state ) { $this->release_token_approval_claim( $token_hash ); return new \WP_Error( 'qr_login_not_scanned', __( 'This QR login session is not waiting for approval.', 'woocommerce' ), array( 'status' => 409 ) ); } // Challenge expiry — normally 90 s after scan, capped by token expiry. if ( ! empty( $record['challenge']['expires_at'] ) && time() > (int) $record['challenge']['expires_at'] ) { $record['state'] = self::STATE_EXPIRED; $record['state_at'] = time(); set_transient( $key, $record, 60 ); $this->release_token_approval_claim( $token_hash ); return new \WP_Error( 'qr_login_expired', __( 'The QR login challenge has expired. Please generate a new code.', 'woocommerce' ), array( 'status' => 410 ) ); } $choice = (string) $request->get_param( 'choice' ); $real = isset( $record['challenge']['real'] ) ? (string) $record['challenge']['real'] : ''; // Constant-time compare. Defends against PHP string-comparison fast // paths that can leak prefix-matching info via timing. if ( '' === $real || ! hash_equals( $real, $choice ) ) { $record['state'] = self::STATE_REJECTED; $record['state_at'] = time(); set_transient( $key, $record, 60 ); wc_get_logger()->warning( 'QR login number-match rejected — wrong choice submitted', array( 'source' => 'qr-login-security', 'user_id' => (int) $user_id, 'ip' => $this->get_client_ip(), 'device' => isset( $record['challenge']['device'] ) ? $record['challenge']['device'] : array(), ) ); $this->release_token_approval_claim( $token_hash ); return rest_ensure_response( array( 'state' => self::STATE_REJECTED ) ); } $record['state'] = self::STATE_APPROVED; $record['state_at'] = time(); $record['exchange_grant'] = bin2hex( random_bytes( self::EXCHANGE_GRANT_BYTES ) ); $ttl = max( 1, isset( $record['expires_at'] ) ? (int) $record['expires_at'] - time() : self::CHALLENGE_TTL_SECONDS ); set_transient( $key, $record, $ttl ); $this->release_token_approval_claim( $token_hash ); return rest_ensure_response( array( 'state' => self::STATE_APPROVED ) ); } /** * Mobile app polls this with the session id from /scan. Returns the * current state of the underlying token, plus — when state is * `approved` — the `exchange_grant` nonce required by /qr-login-exchange. * * @param \WP_REST_Request<array<string, mixed>> $request Full details about the request. * @return \WP_REST_Response|\WP_Error */ public function get_session_status( $request ) { // Defeat any intermediary cache (Cloudflare, NGINX micro-cache, OkHttp's shared // cache, edge proxy) that might pin this GET to its first response. Polling // endpoints are by definition state-bearing — every tick must see the live // transient. Returning a stale `scanned` response forever is exactly the // symptom we see if the cache pins the first hit. nocache_headers(); if ( ! is_ssl() ) { return new \WP_Error( 'ssl_required', __( 'QR login requires an HTTPS connection.', 'woocommerce' ), array( 'status' => 403 ) ); } $session_id = (string) $request->get_param( 'session_id' ); $submitted_hash = (string) $request->get_param( 'token_hash' ); $token_hash = get_transient( self::SESSION_TRANSIENT_PREFIX . hash( 'sha256', $session_id ) ); if ( ! is_string( $token_hash ) || '' === $token_hash ) { // Either the session never existed or it has expired. Either way, // surface as expired to the polling app. return $this->rest_ensure_nocache_response( array( 'state' => self::STATE_EXPIRED ) ); } // Bind grant delivery to proof of token knowledge: an attacker who // learns the session_id alone (mobile logs, network capture, debug // output) cannot poll for state transitions and walk away with the // `exchange_grant` the moment the merchant approves. The mobile app // already holds the plaintext token from the QR scan — passing // SHA-256(token) on every poll is essentially free for it. // `hash_equals` for constant-time comparison; `expired` opacity so // we never leak whether the session_id is real or not. if ( ! hash_equals( $token_hash, $submitted_hash ) ) { return $this->rest_ensure_nocache_response( array( 'state' => self::STATE_EXPIRED ) ); } if ( ! $this->check_session_status_rate_limit( $session_id ) ) { return new \WP_Error( 'rate_limit_exceeded', __( 'Too many QR login session-status checks. Please try again later.', 'woocommerce' ), array( 'status' => 429 ) ); } $record = get_transient( self::TOKEN_TRANSIENT_PREFIX . $token_hash ); if ( ! is_array( $record ) ) { return $this->rest_ensure_nocache_response( array( 'state' => self::STATE_EXPIRED ) ); } $state = isset( $record['state'] ) ? (string) $record['state'] : self::STATE_PENDING; $response = array( 'state' => $state ); if ( in_array( $state, array( self::STATE_REJECTED, self::STATE_EXPIRED ), true ) ) { return $this->rest_ensure_nocache_response( $response ); } if ( ! empty( $record['expires_at'] ) && time() >= (int) $record['expires_at'] ) { return $this->rest_ensure_nocache_response( array( 'state' => self::STATE_EXPIRED ) ); } if ( self::STATE_APPROVED === $state && ! empty( $record['exchange_grant'] ) ) { $response['exchange_grant'] = (string) $record['exchange_grant']; } return $this->rest_ensure_nocache_response( $response ); } /** * Generate a 1-real + 2-distractor number triple for the match * challenge. Distractors must differ from the real number and from each * other by ≥ 100 — defends against a partial-read leak fingerprinting * the real one (no `042` vs `043` near-misses). * * Uses `random_int()` (CSPRNG-backed) rather than `wp_rand()`, which can * fall back to mt_rand() and is predictable. * * @return array{real: string, distractors: array<int, string>} * @throws \RuntimeException If a valid distractor set cannot be generated. */ private function generate_challenge_numbers(): array { $real = random_int( 0, 999 ); $valid_candidates = array(); for ( $candidate = 0; $candidate <= 999; $candidate++ ) { if ( $candidate !== $real && abs( $candidate - $real ) >= 100 ) { $valid_candidates[] = $candidate; } } if ( empty( $valid_candidates ) ) { throw new \RuntimeException( 'QR login challenge generator could not find a valid first distractor.' ); } $first_index = random_int( 0, count( $valid_candidates ) - 1 ); $first = $valid_candidates[ $first_index ]; $second_candidates = array_values( array_filter( $valid_candidates, static function ( $candidate ) use ( $first ) { return abs( $candidate - $first ) >= 100; } ) ); if ( empty( $second_candidates ) ) { throw new \RuntimeException( 'QR login challenge generator could not find a valid second distractor.' ); } $second = $second_candidates[ random_int( 0, count( $second_candidates ) - 1 ) ]; $distractors = array( $first, $second ); return array( 'real' => str_pad( (string) $real, 3, '0', STR_PAD_LEFT ), 'distractors' => array_map( static function ( $n ) { return str_pad( (string) $n, 3, '0', STR_PAD_LEFT ); }, $distractors ), ); } /** * Build the shuffled candidate triple returned by `/qr-login-status` * while in the `scanned` state. The order is fixed at scan time (in * `scan_token`) and stored in `challenge.shuffled` so every poll returns * the same array — re-shuffling per-poll caused visible tile flicker on * wc-admin. Falls back to building + shuffling on the fly for any token * record that predates the persisted-shuffle change. * * @param array<string, mixed> $challenge The challenge payload from the token record. * @return array<int, string> */ private function shuffled_candidate_numbers( array $challenge ): array { if ( isset( $challenge['shuffled'] ) && is_array( $challenge['shuffled'] ) ) { return array_map( 'strval', $challenge['shuffled'] ); } $real = isset( $challenge['real'] ) ? (string) $challenge['real'] : ''; $distractors = isset( $challenge['distractors'] ) && is_array( $challenge['distractors'] ) ? array_map( 'strval', $challenge['distractors'] ) : array(); $candidates = array_merge( array( $real ), $distractors ); shuffle( $candidates ); return $candidates; } /** * Per-IP rate limit on /qr-login-scan. * * @return bool True if within rate limit. */ private function check_scan_rate_limit() { return QRLoginRateLimits::consume( QRLoginRateLimits::BUCKET_SCAN, $this->get_client_ip() ); } /** * Per-user rate limit on /qr-login-approve. * * @param int $user_id The user ID. * @return bool True if within rate limit. */ private function check_approve_rate_limit( $user_id ) { return QRLoginRateLimits::consume( QRLoginRateLimits::BUCKET_APPROVE, (string) $user_id ); } /** * Per-session rate limit on /qr-login-session-status. * * @param string $session_id The session ID. * @return bool True if within rate limit. */ private function check_session_status_rate_limit( $session_id ) { return QRLoginRateLimits::consume( QRLoginRateLimits::BUCKET_SESSION_STATUS, $session_id ); } /** * Send the merchant a transactional email summarizing a successful QR * sign-in, unless they (or a site owner) opt out via the * `woocommerce_qr_login_should_send_signin_email` filter. * * Wrapped so a misconfigured mailer cannot break the exchange path. Mailer * false returns and exceptions are logged, but delivery never blocks the API * response. * * @param \WP_User $user The user who minted the token (recipient). * @param array<string, mixed> $consumed_record The record persisted to the consumed transient (keys: consumed_at, user_id, ap_uuid, ap_name, device). * @return void */ private function maybe_send_sign_in_notification_email( \WP_User $user, array $consumed_record ): void { /** * Filter whether to send the QR sign-in notification email. * * Default: true. Return false to suppress the send for a specific * user, environment (e.g. staging), or test run. * * @since 10.9.0 * * @param bool $should_send Whether to send the email. * @param \WP_User $user The user who minted the QR token. * @param array<string, mixed> $consumed_record The consumed record about to be emailed (keys: consumed_at, user_id, ap_uuid, ap_name, device). */ $should_send = (bool) apply_filters( 'woocommerce_qr_login_should_send_signin_email', true, $user, $consumed_record ); if ( ! $should_send ) { return; } try { if ( ! $this->send_sign_in_notification_email( $user, $consumed_record ) ) { wc_get_logger()->warning( sprintf( 'QR sign-in notification email failed for user %d: wp_mail returned false', $user->ID ), array( 'source' => 'mobile-app-qr-login' ) ); } } catch ( \Throwable $e ) { // Don't surface mailer failures to the exchange response — the // merchant already has the API result, and the email is best-effort. // Log instead so a misconfigured mailer is observable rather than // invisible. Catch \Throwable so an \Error from the mailer also // stays out of the exchange path. wc_get_logger()->warning( sprintf( 'QR sign-in notification email failed for user %d: %s', $user->ID, $e->getMessage() ), array( 'source' => 'mobile-app-qr-login' ) ); } } /** * Render and dispatch the sign-in notification email. * * Uses `wp_mail()` directly with our own minimal HTML shell rather than * `WC()->mailer()->wrap_message()` — the WC wrapper auto-prepends a small * site-name header that duplicates the subject line shown by most clients * and constrains the body width. Owning the wrapper lets us deliver one * coherent layout. * * @param \WP_User $user Recipient. * @param array<string, mixed> $consumed_record The consumed record (same shape as `maybe_send_sign_in_notification_email`). * @return bool True if WordPress accepted the message for delivery. */ private function send_sign_in_notification_email( \WP_User $user, array $consumed_record ): bool { $site_name = wp_specialchars_decode( (string) get_bloginfo( 'name' ), ENT_QUOTES ); /* translators: %s: site name. */ $subject = sprintf( __( 'A new device signed in to %s', 'woocommerce' ), $site_name ); $body_html = $this->render_sign_in_notification_email_body( $user, $consumed_record, $site_name, $subject ); return wp_mail( $user->user_email, $subject, $body_html, array( 'Content-Type: text/html; charset=UTF-8' ) ); } /** * Render the full HTML email document for the sign-in notification. * * @param \WP_User $user Recipient. * @param array<string, mixed> $consumed_record The consumed record (same shape as `maybe_send_sign_in_notification_email`). * @param string $site_name Decoded site name (passed in to avoid double-decoding). * @param string $subject Email subject; rendered as the in-body heading. * @return string Rendered HTML document. */ private function render_sign_in_notification_email_body( \WP_User $user, array $consumed_record, string $site_name, string $subject ): string { $device = $consumed_record['device'] ?? array(); $consumed_at = isset( $consumed_record['consumed_at'] ) ? (int) $consumed_record['consumed_at'] : time(); $ap_name = $consumed_record['ap_name'] ?? ''; $applications_url = admin_url( 'profile.php#application-passwords-section' ); ob_start(); include __DIR__ . '/views/mobile-app-qr-login-signin-email.php'; $html = ob_get_clean(); return is_string( $html ) ? $html : ''; } }
[-] MarketingCampaignTypes.php
[edit]
[-] OnboardingPlugins.php
[edit]
[-] OnboardingFreeExtensions.php
[edit]
[-] ProductVariations.php
[edit]
[-] Notice.php
[edit]
[-] Init.php
[edit]
[-] CustomAttributeTraits.php
[edit]
[-] Data.php
[edit]
[-] MarketingRecommendations.php
[edit]
[+]
RateLimits
[-] MarketingOverview.php
[edit]
[-] Themes.php
[edit]
[-] Products.php
[edit]
[-] MarketingCampaigns.php
[edit]
[-] Taxes.php
[edit]
[-] Options.php
[edit]
[-] SettingOptions.php
[edit]
[-] OnboardingProductTypes.php
[edit]
[-] Orders.php
[edit]
[-] Leaderboards.php
[edit]
[-] OnboardingThemes.php
[edit]
[+]
Templates
[-] MobileAppMagicLink.php
[edit]
[-] Marketing.php
[edit]
[-] Plugins.php
[edit]
[-] DataDownloadIPs.php
[edit]
[-] Coupons.php
[edit]
[-] Experiments.php
[edit]
[-] Features.php
[edit]
[-] OnboardingTasks.php
[edit]
[-] OnboardingProfile.php
[edit]
[-] NoteActions.php
[edit]
[-] Customers.php
[edit]
[+]
Reports
[-] MobileAppQRLogin.php
[edit]
[-] ShippingPartnerSuggestions.php
[edit]
[-] ProductForm.php
[edit]
[+]
..
[+]
AI
[-] ProductsLowInStock.php
[edit]
[+]
views
[-] Notes.php
[edit]
[-] ProductAttributes.php
[edit]
[-] ProductCategories.php
[edit]
[-] OnboardingProducts.php
[edit]
[-] PaymentGatewaySuggestions.php
[edit]
[-] LaunchYourStore.php
[edit]
[-] ProductAttributeTerms.php
[edit]
[-] DataCountries.php
[edit]
[-] AnalyticsImports.php
[edit]
[-] ProductReviews.php
[edit]
[-] MarketingChannels.php
[edit]