ApiAuthentication
in package
Table of Contents
- $authMethod : string
- Current auth method.
- $error : WP_Error
- Authentication error.
- $user : stdClass
- Logged in user data.
- __construct() : mixed
- Initialize authentication actions.
- authenticate() : int|false
- Authenticate user.
- authenticationFallback() : WP_Error|null|bool
- Authenticate the user if authentication wasn't performed during the determine_current_user action.
- checkAuthenticationError() : WP_Error|null|bool
- Check for authentication error.
- checkUserPermissions() : mixed
- Check for user permissions and register last access.
- getAuthorizationHeader() : string
- Get the authorization header.
- getCurrentAuthKeyId() : mixed
- getOauthParameters() : array<string|int, mixed>|WP_Error
- Get oAuth parameters from $_GET, $_POST or request header.
- parseHeader() : array<string|int, mixed>
- Parse the Authorization header into parameters.
- sendUnauthorizedHeaders() : WP_REST_Response
- If the consumer_key and consumer_secret $_GET parameters are NOT provided and the Basic auth headers are either not present or the consumer secret does not match the consumer key provided, then return the correct Basic headers and an error message.
- getError() : WP_Error|null
- Get authentication error.
- isRequestToRestApi() : bool
- Check if the request is to our REST API.
- setError() : mixed
- Set authentication error.
- checkOauthSignature() : true|WP_Error
- Verify that the consumer-provided request signature matches our generated signature; this ensures the consumer has a valid key/secret.
- checkOauthTimestampAndNonce() : bool|WP_Error
- Verify that the timestamp and nonce provided with the request are valid. This prevents replay attacks where an attacker could attempt to re-send an intercepted request at a later time.
- checkPermissions() : bool|WP_Error
- Check that the API keys provided have the proper key-specific permissions to either read or write API resources.
- getUserDataByConsumerKey() : stdClass
- Return the user data for the given consumer_key.
- joinWithEqualsSign() : string
- Creates an array of urlencoded strings out of each array key/value pair.
- normalizeParameters() : array<string|int, mixed>
- Normalize each parameter by assuming each parameter may have already been encoded, so attempt to decode, and then re-encode according to RFC 3986.
- performBasicAuthentication() : int|bool
- Basic Authentication.
- performOauthAuthentication() : int|bool
- Perform OAuth 1.0a "one-legged" (http://oauthbible.com/#oauth-10a-one-legged) authentication for non-SSL requests.
- updateLastAccess() : mixed
- Update the API key's last access datetime.
Properties
$authMethod
Current auth method.
protected
string
$authMethod
= ''
$error
Authentication error.
protected
WP_Error
$error
= null
$user
Logged in user data.
protected
stdClass
$user
= null
Methods
__construct()
Initialize authentication actions.
public
__construct() : mixed
Return values
mixed
authenticate()
Authenticate user.
public
authenticate(int|false $userId) : int|false
Parameters
- $userId : int|false
  User ID if one has been determined, false otherwise.
Return values
int|false
authenticationFallback()
Authenticate the user if authentication wasn't performed during the determine_current_user action.
public
authenticationFallback(WP_Error|null|bool $error) : WP_Error|null|bool
Necessary in cases where wp_get_current_user() is called before MotoPress Hotel Booking is loaded.
Parameters
- $error : WP_Error|null|bool
  Error data.
Return values
WP_Error|null|bool
checkAuthenticationError()
Check for authentication error.
public
checkAuthenticationError(WP_Error|null|bool $error) : WP_Error|null|bool
Parameters
- $error : WP_Error|null|bool
  Error data.
Return values
WP_Error|null|bool
checkUserPermissions()
Check for user permissions and register last access.
public
checkUserPermissions(mixed $result, WP_REST_Server $server, WP_REST_Request $request) : mixed
Parameters
- $result : mixed
  Response to replace the requested version with.
- $server : WP_REST_Server
  Server instance.
- $request : WP_REST_Request
  Request used to generate the response.
Return values
mixed
getAuthorizationHeader()
Get the authorization header.
public
getAuthorizationHeader() : string
On certain systems and configurations, the Authorization header will be stripped out by the server or PHP. Typically this is then used to generate PHP_AUTH_USER/PHP_AUTH_PASS but not passed on. We use getallheaders here to try and grab it out instead.
Return values
string —Authorization header if set.
getCurrentAuthKeyId()
public
getCurrentAuthKeyId() : mixed
Return values
mixed
getOauthParameters()
Get oAuth parameters from $_GET, $_POST or request header.
public
getOauthParameters() : array<string|int, mixed>|WP_Error
Return values
array<string|int, mixed>|WP_Error
parseHeader()
Parse the Authorization header into parameters.
public
parseHeader(string $header) : array<string|int, mixed>
Parameters
- $header : string
  Authorization header value (not including "Authorization: " prefix).
Return values
array<string|int, mixed> —Map of parameter values.
sendUnauthorizedHeaders()
If the consumer_key and consumer_secret $_GET parameters are NOT provided and the Basic auth headers are either not present or the consumer secret does not match the consumer key provided, then return the correct Basic headers and an error message.
public
sendUnauthorizedHeaders(WP_REST_Response $response) : WP_REST_Response
Parameters
- $response : WP_REST_Response
  Current response being served.
Return values
WP_REST_Response
getError()
Get authentication error.
protected
getError() : WP_Error|null
Return values
WP_Error|null
isRequestToRestApi()
Check if the request is to our REST API.
protected
isRequestToRestApi() : bool
Return values
bool
setError()
Set authentication error.
protected
setError(WP_Error $error) : mixed
Parameters
- $error : WP_Error
  Authentication error data.
Return values
mixed
checkOauthSignature()
Verify that the consumer-provided request signature matches our generated signature; this ensures the consumer has a valid key/secret.
private
checkOauthSignature(stdClass $user, array<string|int, mixed> $params) : true|WP_Error
Parameters
- $user : stdClass
  User data.
- $params : array<string|int, mixed>
  The request parameters.
Return values
true|WP_Error
checkOauthTimestampAndNonce()
Verify that the timestamp and nonce provided with the request are valid. This prevents replay attacks where an attacker could attempt to re-send an intercepted request at a later time.
private
checkOauthTimestampAndNonce(stdClass $user, int $timestamp, string $nonce) : bool|WP_Error
- A timestamp is valid if it is within 15 minutes of now.
- A nonce is valid if it has not been used within the last 15 minutes.
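The two rules above, as an added example that is not the plugin's own code. The function name, the `$seenNonces` array (standing in for per-key storage) and the sample values are hypothetical.

```php
<?php
// Added example: replay protection with a 15-minute window.
const REPLAY_WINDOW = 15 * 60; // seconds

/**
 * @param array<string,int> $seenNonces nonce => request timestamp, for one consumer key
 * @return true|string true if accepted, otherwise the rejection reason
 */
function checkTimestampAndNonce(array &$seenNonces, int $timestamp, string $nonce, int $now)
{
    // Rule 1: the timestamp must be within 15 minutes of now, in either direction.
    if (abs($now - $timestamp) > REPLAY_WINDOW) {
        return 'invalid timestamp';
    }
    // Forget nonces whose timestamp has left the window. This is safe because the
    // timestamp is signed: a replay of that request now fails rule 1 on its own.
    foreach ($seenNonces as $seen => $usedAt) {
        if ($usedAt < $now - REPLAY_WINDOW) {
            unset($seenNonces[$seen]);
        }
    }
    // Rule 2: the nonce must not have been used within the window.
    if (isset($seenNonces[$nonce])) {
        return 'nonce already used';
    }
    $seenNonces[$nonce] = $timestamp;
    return true;
}

// Constructed sample values.
$now   = 1700000000;
$store = [];
$nonce = 'kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgm';
var_dump(checkTimestampAndNonce($store, $now - 60, $nonce, $now));        // first use
var_dump(checkTimestampAndNonce($store, $now - 60, $nonce, $now + 30));   // replayed 30 s later
var_dump(checkTimestampAndNonce($store, $now - 60, $nonce, $now + 1000)); // replayed after the window
```

The nonce store has to be shared by every worker that can serve the same key, otherwise a replay routed to a different process passes rule 2.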
Parameters
- $user : stdClass
  User data.
- $timestamp : int
  The unix timestamp for when the request was made.
- $nonce : string
  A unique (for the given user) 32-character alphanumeric string, consumer-generated.
Return values
bool|WP_Error
checkPermissions()
Check that the API keys provided have the proper key-specific permissions to either read or write API resources.
private
checkPermissions(string $method) : bool|WP_Error
Parameters
- $method : string
  Request method.
Return values
bool|WP_Error
getUserDataByConsumerKey()
Return the user data for the given consumer_key.
private
getUserDataByConsumerKey(string $consumer_key) : stdClass
Parameters
- $consumer_key : string
  Consumer key.
Return values
stdClass
joinWithEqualsSign()
Creates an array of urlencoded strings out of each array key/value pair.
private
joinWithEqualsSign(array<string|int, mixed> $params[, array<string|int, mixed> $query_params = array() ][, string $key = '' ]) : string
Parameters
- $params : array<string|int, mixed>
  Array of parameters to convert.
- $query_params : array<string|int, mixed> = array()
  Array to extend.
- $key : string = ''
  Optional Array key to append.
Return values
string —Array of urlencoded strings.
normalizeParameters()
Normalize each parameter by assuming each parameter may have already been encoded, so attempt to decode, and then re-encode according to RFC 3986.
private
normalizeParameters(array<string|int, mixed> $parameters) : array<string|int, mixed>
Note that both the key and the value are normalized, so a filter param like:
'filter[period]' => 'week'
is encoded to:
'filter%255Bperiod%255D' => 'week'
This conforms to the OAuth 1.0a spec, which indicates the entire query string should be URL encoded.
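How the normalization above feeds the signature check described under checkOauthSignature(), as an added example following the standard RFC 5849 construction. It is not the plugin's own code. The function names, credentials and route are hypothetical, and it assumes flat parameter names such as 'filter[period]'.

```php
<?php
// Added example, not the plugin's code: RFC 5849 HMAC check for a one-legged
// request (no token, so the signing key is "<encoded secret>&").

function normalizeParams(array $params): array
{
    $out = [];
    foreach ($params as $k => $v) {
        // Decode first in case the value arrived encoded, then encode per RFC 3986.
        $out[rawurlencode(rawurldecode((string) $k))] = rawurlencode(rawurldecode((string) $v));
    }
    uksort($out, 'strcmp'); // byte-order sort by encoded name
    return $out;
}

function signatureBaseString(string $method, string $url, array $params): string
{
    unset($params['oauth_signature']); // the signature is not part of what it signs
    $pairs = [];
    foreach (normalizeParams($params) as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    // Encoding the joined string once more is what turns %5B into %255B.
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

function verifySignature(string $secret, string $method, string $url, array $params): bool
{
    // Allow-list of HMAC methods (assumed; the page does not list the accepted ones).
    $algos = ['HMAC-SHA1' => 'sha1', 'HMAC-SHA256' => 'sha256'];
    $algo = $algos[$params['oauth_signature_method'] ?? ''] ?? null;
    if ($algo === null || !isset($params['oauth_signature'])) {
        return false; // unknown method or missing signature
    }
    $key = rawurlencode($secret) . '&';
    $expected = base64_encode(hash_hmac($algo, signatureBaseString($method, $url, $params), $key, true));
    // Constant-time comparison, so response timing does not reveal a partial match.
    return hash_equals($expected, (string) $params['oauth_signature']);
}

// Constructed request: credentials and route are placeholders.
$url = 'http://example.test/wp-json/example/v1/items';
$params = ['oauth_consumer_key' => 'ck_example', 'oauth_signature_method' => 'HMAC-SHA256',
           'oauth_timestamp' => '1700000000', 'oauth_nonce' => 'constructednonce', 'filter[period]' => 'week'];
$base = signatureBaseString('GET', $url, $params);
$params['oauth_signature'] = base64_encode(hash_hmac('sha256', $base, rawurlencode('cs_example') . '&', true));
var_dump(verifySignature('cs_example', 'GET', $url, $params)); // request as signed
$params['filter[period]'] = 'month';
var_dump(verifySignature('cs_example', 'GET', $url, $params)); // parameter altered in transit
```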
Parameters
- $parameters : array<string|int, mixed>
  Un-normalized parameters.
Return values
array<string|int, mixed> —Normalized parameters.
performBasicAuthentication()
Basic Authentication.
private
performBasicAuthentication() : int|bool
SSL-encrypted requests are not subject to sniffing or man-in-the-middle attacks, so the request can be authenticated by simply looking up the user associated with the given consumer key and confirming the consumer secret provided is valid.
Return values
int|bool
performOauthAuthentication()
Perform OAuth 1.0a "one-legged" (http://oauthbible.com/#oauth-10a-one-legged) authentication for non-SSL requests.
private
performOauthAuthentication() : int|bool
This is required so API credentials cannot be sniffed or intercepted when making API requests over plain HTTP.
This follows the spec for simple OAuth 1.0a authentication (RFC 5849) as closely as possible, with two exceptions:
- There is no token associated with request/responses, only consumer keys/secrets are used.
- The OAuth parameters are included as part of the request query string instead of part of the Authorization header. This is because there is no cross-OS function within PHP to get the raw Authorization header.
Return values
int|bool
updateLastAccess()
Update the API key's last access datetime.
private
updateLastAccess() : mixed