| 1 | <?php |
| 2 | |
| 3 | namespace CF\WordPress; |
| 4 | |
| 5 | use CF\API; |
| 6 | use CF\API\Plugin; |
| 7 | use CF\Integration\IntegrationInterface; |
| 8 | use CF\Router\RequestRouter; |
| 9 | |
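class Proxy
{
    protected $config;
    protected $dataStore;
    protected $logger;
    protected $wordpressAPI;
    protected $wordpressClientAPI;
    protected $wordpressIntegration;
    protected $requestRouter;
    // Declared explicitly: the constructor assigns it, and undeclared
    // (dynamic) properties are deprecated as of PHP 8.2.
    protected $pluginAPI;

    /**
     * Pulls config, data store, logger and integration API from the
     * integration and registers the client and plugin API routes.
     *
     * @param IntegrationInterface $integration
     */
    public function __construct(IntegrationInterface $integration)
    {
        $this->config = $integration->getConfig();
        $this->dataStore = $integration->getDataStore();
        $this->logger = $integration->getLogger();
        $this->wordpressAPI = $integration->getIntegrationAPI();
        $this->wordpressIntegration = $integration;
        $this->wordpressClientAPI = new WordPressClientAPI($this->wordpressIntegration);
        $this->pluginAPI = new Plugin($this->wordpressIntegration);

        $this->requestRouter = new RequestRouter($this->wordpressIntegration);
        $this->requestRouter->addRouter($this->wordpressClientAPI, ClientRoutes::$routes);
        $this->requestRouter->addRouter($this->pluginAPI, PluginRoutes::getRoutes(PluginRoutes::$routes));
    }

    /**
     * Replaces the client API (used for injecting a test double).
     *
     * @param API\APIInterface $wordpressClientAPI
     */
    public function setWordpressClientAPI(API\APIInterface $wordpressClientAPI)
    {
        $this->wordpressClientAPI = $wordpressClientAPI;
    }

    /**
     * Replaces the request router (used for injecting a test double).
     *
     * @param RequestRouter $requestRouter
     */
    public function setRequestRouter(RequestRouter $requestRouter)
    {
        $this->requestRouter = $requestRouter;
    }

    /**
     * Handles one proxied AJAX request: builds the request from the PHP
     * globals, enforces the CSRF nonce for non-GET methods, routes it and
     * emits the JSON response.
     *
     * Never returns normally: the response is written through wp_die().
     */
    public function run()
    {
        header('Content-Type: application/json');

        $request = $this->createRequest();

        $body = $request->getBody();
        // The body may be null (no JSON was posted, e.g. on GET) or not an
        // array at all; isset() tolerates both instead of raising a notice.
        $csrfToken = isset($body['cfCSRFToken']) ? $body['cfCSRFToken'] : null;

        if ($this->isCloudFlareCSRFTokenValid($request->getMethod(), $csrfToken)) {
            $response = $this->requestRouter->route($request);
        } elseif ($csrfToken === null) {
            $response = $this->wordpressClientAPI->createAPIError('CSRF Token not found. It\'s possible another plugin is altering requests sent by the Cloudflare plugin.');
        } else {
            $response = $this->wordpressClientAPI->createAPIError('CSRF Token not valid.');
        }

        //die is how wordpress ajax keeps the rest of the app from loading during an ajax request
        wp_die(json_encode($response));
    }

    /**
     * Builds an API\Request from the PHP request globals.
     *
     * GET requests name their target through the `proxyURLType`
     * (CLIENT|PLUGIN) and `proxyURL` query parameters; every other method
     * carries `proxyURL` in the JSON body. Those routing keys are stripped
     * before the remaining parameters and body are handed to the request.
     *
     * @return API\Request
     */
    public function createRequest()
    {
        $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : null;
        $parameters = $_GET;
        $jsonInput = $this->getJSONBody();
        // json_decode() yields null for a missing, empty or malformed body.
        $body = $jsonInput === null ? null : json_decode($jsonInput, true);
        $path = null;

        // Upper-case the method, then compare (the comparison must not be
        // evaluated first, or strtoupper() would only ever see a boolean).
        if (strtoupper((string) $method) === 'GET') {
            $proxyURLType = isset($_GET['proxyURLType']) ? $_GET['proxyURLType'] : null;
            $proxyURL = isset($_GET['proxyURL']) ? $_GET['proxyURL'] : '';
            if ($proxyURLType === 'CLIENT') {
                $path = API\Client::ENDPOINT . $proxyURL;
            } elseif ($proxyURLType === 'PLUGIN') {
                $path = API\Plugin::ENDPOINT . $proxyURL;
            }
        } elseif (isset($body['proxyURL'])) {
            $path = $body['proxyURL'];
        }

        unset($parameters['proxyURLType'], $parameters['proxyURL']);
        // unset() on a string offset is a fatal error, so only strip the
        // routing key when the decoded body really is an array.
        if (is_array($body)) {
            unset($body['proxyURL']);
        }

        return new API\Request($method, $path, $parameters, $body);
    }

    /**
     * Returns the raw request body stored under $GLOBALS[Hooks::CLOUDFLARE_JSON].
     *
     * Wrapped in a function so it can be mocked during testing.
     *
     * @return string|null presumably the raw JSON string; null when the global
     *                     is not set
     */
    public function getJSONBody()
    {
        return isset($GLOBALS[Hooks::CLOUDFLARE_JSON]) ? $GLOBALS[Hooks::CLOUDFLARE_JSON] : null;
    }

    /**
     * https://codex.wordpress.org/Function_Reference/wp_verify_nonce.
     *
     * Boolean false if the nonce is invalid. Otherwise, returns an integer with the value of:
     * 1 – if the nonce has been generated in the past 12 hours or less.
     * 2 – if the nonce was generated between 12 and 24 hours ago.
     *
     * GET requests are exempt from the nonce check, so every handler reachable
     * through a GET route has to be free of side effects. The nonce only ties
     * the request to a page that was issued one; no capability check happens
     * here, so authorisation is up to the routed handler.
     *
     * @param string|null $method    raw HTTP method, compared case-sensitively
     * @param string|null $csrfToken nonce sent in the JSON body, null when absent
     *
     * @return bool
     */
    public function isCloudFlareCSRFTokenValid($method, $csrfToken)
    {
        if ($method === 'GET') {
            return true;
        }

        // A missing, empty or non-string token can never verify; reject it
        // here rather than handing it to wp_verify_nonce().
        if (!is_string($csrfToken) || $csrfToken === '') {
            return false;
        }

        return wp_verify_nonce($csrfToken, WordPressAPI::API_NONCE) !== false;
    }
}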