Skip to content

Commit 57344bf

Browse files
committed
Improve magic link code compatibility
1 parent f0b903a commit 57344bf

1 file changed

Lines changed: 51 additions & 21 deletions

File tree

plugins/bcc-login/includes/class-bcc-login-visibility.php

Lines changed: 51 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -1339,23 +1339,33 @@ public function bcc_magic_link() {
13391339
return $url;
13401340
}
13411341

1342-
private function bcc_base64url_encode(string $bin): string {
1342+
private function bcc_base64url_encode($bin) {
13431343
return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
13441344
}
13451345

1346-
private function bcc_base64url_decode(string $str): string|false {
1346+
private function bcc_base64url_decode($str) {
13471347
$pad = strlen($str) % 4;
1348-
if ($pad) $str .= str_repeat('=', 4 - $pad);
1348+
if ($pad) {
1349+
$str .= str_repeat('=', 4 - $pad);
1350+
}
1351+
13491352
$out = base64_decode(strtr($str, '-_', '+/'), true);
1350-
return $out === false ? false : $out;
1353+
1354+
if ($out === false) {
1355+
return false;
1356+
}
1357+
1358+
return $out;
13511359
}
13521360

1353-
private function bcc_make_magic_token(int $post_id, int $ttl_seconds = 900): string {
1354-
$exp = time() + $ttl_seconds;
1355-
$nonce = bin2hex(random_bytes(16)); // prevent deterministic tokens
1361+
private function bcc_make_magic_token($post_id, $ttl_seconds = 900) {
1362+
$exp = time() + $ttl_seconds;
1363+
1364+
// prevents deterministic tokens (same post_id at same time)
1365+
$nonce = bin2hex(random_bytes(16));
13561366

13571367
// v1|postId|exp|nonce
1358-
$payload = implode('|', ['v1', (string)$post_id, (string)$exp, $nonce]);
1368+
$payload = 'v1' . '|' . (string)$post_id . '|' . (string)$exp . '|' . $nonce;
13591369

13601370
// Uses keys/salts from wp-config.php (+ DB secret) via wp_salt
13611371
$secret = wp_salt('secure_auth');
@@ -1364,29 +1374,49 @@ private function bcc_make_magic_token(int $post_id, int $ttl_seconds = 900): str
13641374
return $this->bcc_base64url_encode($payload . '|' . $sig);
13651375
}
13661376

1367-
private function bcc_verify_magic_token(string $token): array|false {
1377+
private function bcc_verify_magic_token($token) {
13681378
$raw = $this->bcc_base64url_decode($token);
1369-
if ($raw === false) return false;
1379+
if ($raw === false) {
1380+
return false;
1381+
}
13701382

13711383
$parts = explode('|', $raw);
1384+
13721385
// v1|postId|exp|nonce|sig => 5 parts
1373-
if (count($parts) !== 5) return false;
1386+
if (count($parts) !== 5) {
1387+
return false;
1388+
}
13741389

1375-
[$v, $post_id, $exp, $nonce, $sig] = $parts;
1376-
if ($v !== 'v1') return false;
1390+
$v = $parts[0];
1391+
$post_id = $parts[1];
1392+
$exp = $parts[2];
1393+
$nonce = $parts[3];
1394+
$sig = $parts[4];
13771395

1378-
if (!ctype_digit($post_id) || !ctype_digit($exp)) return false;
1379-
if ((int)$exp < time()) return false;
1396+
if ($v !== 'v1') {
1397+
return false;
1398+
}
1399+
1400+
if (!ctype_digit($post_id) || !ctype_digit($exp)) {
1401+
return false;
1402+
}
1403+
1404+
if ((int)$exp < time()) {
1405+
return false;
1406+
}
1407+
1408+
$payload = $v . '|' . $post_id . '|' . $exp . '|' . $nonce;
13801409

1381-
$payload = implode('|', [$v, $post_id, $exp, $nonce]);
1382-
$secret = wp_salt('secure_auth');
1383-
$calc = hash_hmac('sha256', $payload, $secret);
1410+
$secret = wp_salt('secure_auth');
1411+
$calc = hash_hmac('sha256', $payload, $secret);
13841412

1385-
if (!hash_equals($calc, $sig)) return false;
1413+
if (!hash_equals($calc, $sig)) {
1414+
return false;
1415+
}
13861416

1387-
return [
1417+
return array(
13881418
'post_id' => (int)$post_id,
13891419
'exp' => (int)$exp,
1390-
];
1420+
);
13911421
}
13921422
}

0 commit comments

Comments
 (0)