Merge pull request #2 from newfold-labs/add/hiive-auth

Authenticate Hiive API requests
newfold-labs · Jun 21, 2022 · 953117e · 953117e
2 parents 38bb971 + c4d5cb5
commit 953117e
Show file tree

Hide file tree

Showing 3 changed files with 124 additions and 8 deletions.
diff --git a/composer.json b/composer.json
@@ -42,5 +42,13 @@
   "scripts-descriptions": {
     "fix": "Automatically fix coding standards issues where possible.",
     "lint": "Check files against coding standards."
+  },
+  "require": {
+    "wpscholar/url": "^1.2"
+  },
+  "config": {
+    "allow-plugins": {
+      "dealerdirect/phpcodesniffer-composer-installer": true
+    }
   }
 }
diff --git a/composer.lock b/composer.lock
diff --git a/src/Data.php b/src/Data.php
@@ -2,6 +2,8 @@
 
 namespace NewfoldLabs\WP\Module\Data;
 
+use wpscholar\Url;
+
 /**
  * Main class for the data plugin module
  */
@@ -39,6 +41,7 @@ public function start() {
 
 		// Delays our primary module setup until init
 		add_action( 'init', array( $this, 'init' ) );
+		add_action( 'rest_authentication_errors', array( $this, 'authenticate' ) );
 
 	}
 
@@ -80,4 +83,70 @@ public function init() {
 
 	}
 
+	/**
+	 * Authenticate incoming REST API requests.
+	 *
+	 * @param bool|null|\WP_Error $status
+	 *
+	 * @return bool|null|\WP_Error
+	 */
+	public function authenticate( $status ) {
+
+		// Make sure there wasn't a different authentication method used before this
+		if ( ! is_null( $status ) ) {
+			return $status;
+		}
+
+		// Make sure this is a REST API request
+		if ( ! defined( 'REST_REQUEST' ) || ! REST_REQUEST ) {
+			return $status;
+		}
+
+		// If no auth header included, bail to allow a different auth method
+		if ( empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
+			return null;
+		}
+
+		$token = str_replace( 'Bearer ', '', $_SERVER['HTTP_AUTHORIZATION'] );
+
+		$data = [
+			'method'    => $_SERVER['REQUEST_METHOD'],
+			'url'       => Url::getCurrentUrl(),
+			'body'      => file_get_contents( 'php://input' ),
+			'timestamp' => data_get( getallheaders(), 'X-Timestamp' ),
+		];
+
+		$hash = hash( 'sha256', wp_json_encode( $data ) );
+		$salt = hash( 'sha256', strrev( HiiveConnection::get_auth_token() ) );
+
+		$is_valid = hash( 'sha256', $hash . $salt ) === $token;
+
+		// Allow access if token is valid
+		if ( $is_valid ) {
+
+			if ( isset( $_GET['user_id'] ) ) {
+
+				// If a user ID is provided, use it to find the desired user.
+				$user = get_user_by( 'id', filter_input( INPUT_GET, 'user_id', FILTER_SANITIZE_NUMBER_INT ) );
+
+			} else {
+
+				// If no user ID is provided, find the first admin user.
+				$admins = get_users( array( 'role' => 'administrator' ) );
+				$user   = array_shift( $admins );
+
+			}
+
+			if ( ! empty( $user ) && is_a( $user, \WP_User::class ) ) {
+				wp_set_current_user( $user->id );
+
+				return true;
+			}
+		}
+
+		// Don't return false, since we could be interfering with a basic auth implementation.
+		return null;
+
+	}
+
 }