Fix QIT warning in WooPay session endpoint (#8760)

Automattic · May 2, 2024 · 04352d5 · 04352d5
1 parent b6e8874
commit 04352d5
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 38 deletions.
diff --git a/changelog/fix-8732-qit-warning b/changelog/fix-8732-qit-warning
@@ -0,0 +1,5 @@
+Significance: patch
+Type: fix
+Comment: Fix QIT warning for discouraged function.
+
+
diff --git a/includes/admin/class-wc-rest-woopay-session-controller.php b/includes/admin/class-wc-rest-woopay-session-controller.php
@@ -9,8 +9,6 @@
 
 use WCPay\WooPay\WooPay_Session;
 use Automattic\Jetpack\Connection\Rest_Authentication;
-use Automattic\WooCommerce\StoreApi\Utilities\JsonWebToken;
-use WCPay\Exceptions\Rest_Request_Exception;
 use WCPay\Logger;
 
 /**
@@ -56,24 +54,15 @@ public function register_routes() {
 	 */
 	public function get_session_data( WP_REST_Request $request ): WP_REST_Response {
 		try {
-			$payload = $this->validated_cart_token_payload( $request->get_header( 'cart_token' ) );
-			$user_id = (int) $payload->user_id ?? null;
-
-			if ( is_int( $user_id ) && $user_id > 0 ) {
-				wp_set_current_user( $user_id );
-			}
-
 			// phpcs:ignore
 			/**
 			 * @psalm-suppress UndefinedClass
 			 */
 			$response = WooPay_Session::get_init_session_request( null, null, null, $request );
 
 			return rest_ensure_response( $response );
-		} catch ( Rest_Request_Exception $e ) {
-			$error_code = $e->getCode() === 400 ? 'rest_invalid_param' : 'wcpay_server_error';
-			$error      = new WP_Error( $error_code, $e->getMessage(), [ 'status' => $e->getCode() ] );
-
+		} catch ( Exception $e ) {
+			$error = new WP_Error( 'wcpay_server_error', $e->getMessage(), [ 'status' => 400 ] );
 			Logger::log( 'Error validating cart token from WooPay request: ' . $e->getMessage() );
 
 			return rest_convert_error_to_response( $error );
@@ -89,31 +78,6 @@ public function check_permission() {
 		return $this->is_request_from_woopay() && $this->has_valid_request_signature();
 	}
 
-	/**
-	 * Validates the cart token and returns its payload.
-	 *
-	 * @param string|null $cart_token The cart token to validate.
-	 *
-	 * @return object The validated cart token.
-	 *
-	 * @throws Rest_Request_Exception If the cart token is invalid, missing, or cannot be validated.
-	 */
-	public function validated_cart_token_payload( $cart_token ): object {
-		if ( ! $cart_token ) {
-			throw new Rest_Request_Exception( 'Missing cart token.', 400 );
-		}
-
-		if ( ! class_exists( JsonWebToken::class ) ) {
-			throw new Rest_Request_Exception( 'Cannot validate cart token.', 500 );
-		}
-
-		if ( ! JsonWebToken::validate( $cart_token, '@' . wp_salt() ) ) {
-			throw new Rest_Request_Exception( 'Invalid cart token.', 400 );
-		}
-
-		return JsonWebToken::get_parts( $cart_token )->payload;
-	}
-
 	/**
 	 * Returns true if the request that's currently being processed is signed with the blog token.
 	 *

diff --git a/includes/woopay/class-woopay-session.php b/includes/woopay/class-woopay-session.php
@@ -47,6 +47,9 @@ class WooPay_Session {
 		'@^\/wc\/store(\/v[\d]+)?\/checkout\/(?P<id>[\d]+)@',
 		'@^\/wc\/store(\/v[\d]+)?\/checkout$@',
 		'@^\/wc\/store(\/v[\d]+)?\/order\/(?P<id>[\d]+)@',
+		// The route below is not a Store API route. However, this REST endpoint is used by WooPay to indirectly reach the Store API.
+		// By adding it to this list, we're able to identify the user and load the correct session for this route.
+		'@^\/wc\/v3\/woopay\/session$@',
 	];
 
 	/**