plugin installs
This commit is contained in:
Tony Volpe
86
wp/wp-content/plugins/leadin/public/auth/class-oauth.php
Normal file
86
wp/wp-content/plugins/leadin/public/auth/class-oauth.php
Normal file
@@ -0,0 +1,86 @@
|
||||
<?php
|
||||
|
||||
namespace Leadin\auth;
|
||||
|
||||
use Leadin\data\User;
|
||||
use Leadin\data\Portal_Options;
|
||||
use Leadin\auth\OAuthCrypto;
|
||||
use Leadin\admin\Routing;
|
||||
use Leadin\admin\MenuConstants;
|
||||
|
||||
/**
|
||||
* Class managing OAuth2 authorization
|
||||
*/
|
||||
class OAuth {
|
||||
|
||||
const MAX_RETRIES = 3;
|
||||
const RETRY_DELAY_MICROSECONDS = 100000; // 100ms converted to microseconds
|
||||
|
||||
/**
|
||||
* Authorizes the plugin with given oauth credentials by storing them in the options DB.
|
||||
*
|
||||
* @param string $refresh_token OAuth refresh token to store.
|
||||
*/
|
||||
public static function authorize( $refresh_token ) {
|
||||
$encrypted_refresh_token = OAuthCrypto::encrypt( $refresh_token );
|
||||
Portal_Options::set_refresh_token( $encrypted_refresh_token );
|
||||
|
||||
Portal_Options::set_last_authorize_time();
|
||||
}
|
||||
|
||||
/**
|
||||
* Deauthorizes the plugin by deleting OAuth credentials from the options DB.
|
||||
*/
|
||||
public static function deauthorize() {
|
||||
Portal_Options::delete_refresh_token();
|
||||
|
||||
Portal_Options::set_last_deauthorize_time();
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempts to get and decrypt the refresh token with retries.
|
||||
* Records an error if decryption fails or if the token is invalid.
|
||||
*
|
||||
* @return string The decrypted refresh token, or an empty string on failure.
|
||||
*/
|
||||
public static function get_refresh_token() {
|
||||
for ( $attempt = 0; $attempt < self::MAX_RETRIES; $attempt++ ) {
|
||||
$encrypted_refresh_token = Portal_Options::get_refresh_token();
|
||||
|
||||
if ( ! self::is_valid_value( $encrypted_refresh_token ) ) {
|
||||
Portal_Options::set_refresh_token_error( 'Token is invalid or missing' );
|
||||
self::retry_delay();
|
||||
continue;
|
||||
}
|
||||
|
||||
$refresh_token = OAuthCrypto::decrypt( $encrypted_refresh_token );
|
||||
|
||||
if ( ! self::is_valid_value( $refresh_token ) ) {
|
||||
Portal_Options::set_refresh_token_error( 'Decryption failed' );
|
||||
self::retry_delay();
|
||||
continue;
|
||||
}
|
||||
|
||||
return $refresh_token;
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the provided value is valid (not false, null, or empty).
|
||||
*
|
||||
* @param mixed $value The value to check.
|
||||
* @return bool Whether the value is valid.
|
||||
*/
|
||||
private static function is_valid_value( $value ) {
|
||||
return false !== $value && null !== $value && '' !== $value;
|
||||
}
|
||||
|
||||
/**
|
||||
* Delays the execution to handle transient issues before retrying.
|
||||
*/
|
||||
private static function retry_delay() {
|
||||
usleep( self::RETRY_DELAY_MICROSECONDS );
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,90 @@
|
||||
<?php
|
||||
|
||||
namespace Leadin\auth;
|
||||
|
||||
/**
|
||||
* Encrypting/decrypting OAuth credentials
|
||||
* Adapted from https://felix-arntz.me/blog/storing-confidential-data-in-wordpress/
|
||||
*/
|
||||
class OAuthCrypto {
|
||||
|
||||
/**
|
||||
* Return the key to use in encrypting/decrypting OAuth credentials
|
||||
*/
|
||||
private static function get_key() {
|
||||
if ( defined( 'LOGGED_IN_KEY' ) ) {
|
||||
return LOGGED_IN_KEY;
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the salt to use in encrypting/decrypting OAuth credentials
|
||||
*/
|
||||
private static function get_salt() {
|
||||
if ( defined( 'LOGGED_IN_SALT' ) ) {
|
||||
return LOGGED_IN_SALT;
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
|
||||
/**
|
||||
* Given a value, encrypt it if the openssl extension is loaded and we have a valid key/salt
|
||||
*
|
||||
* @param string $value Value to encrypt.
|
||||
*
|
||||
* @return string Encrypted value
|
||||
*/
|
||||
public static function encrypt( $value ) {
|
||||
if ( ! extension_loaded( 'openssl' ) ||
|
||||
empty( self::get_key() ) ||
|
||||
empty( self::get_salt() ) ) {
|
||||
return $value;
|
||||
}
|
||||
|
||||
$method = 'aes-256-ctr';
|
||||
$init_vector_length = openssl_cipher_iv_length( $method );
|
||||
$init_vector = openssl_random_pseudo_bytes( $init_vector_length );
|
||||
|
||||
$raw_value = openssl_encrypt( $value . self::get_salt(), $method, self::get_key(), 0, $init_vector );
|
||||
if ( ! $raw_value ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
|
||||
return base64_encode( $init_vector . $raw_value );
|
||||
}
|
||||
|
||||
/**
|
||||
* Decrpyt a given value
|
||||
*
|
||||
* @param string $value the encrypted value to decrypt.
|
||||
*
|
||||
* @return string The decrypted value
|
||||
*/
|
||||
public static function decrypt( $value ) {
|
||||
if ( ! extension_loaded( 'openssl' ) ||
|
||||
empty( self::get_key() ) ||
|
||||
empty( self::get_salt() ) ) {
|
||||
return $value;
|
||||
}
|
||||
|
||||
// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
|
||||
$raw_value = base64_decode( $value, true );
|
||||
|
||||
$method = 'aes-256-ctr';
|
||||
$init_vector_length = openssl_cipher_iv_length( $method );
|
||||
$init_vector = substr( $raw_value, 0, $init_vector_length );
|
||||
|
||||
$raw_value = substr( $raw_value, $init_vector_length );
|
||||
|
||||
$value = openssl_decrypt( $raw_value, $method, self::get_key(), 0, $init_vector );
|
||||
if ( ! $value || substr( $value, - strlen( self::get_salt() ) ) !== self::get_salt() ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return substr( $value, 0, - strlen( self::get_salt() ) );
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user