@@ -1339,23 +1339,33 @@ public function bcc_magic_link() {
13391339 return $ url ;
13401340 }
13411341
1342- private function bcc_base64url_encode (string $ bin ): string {
1342+ private function bcc_base64url_encode ($ bin ) {
13431343 return rtrim (strtr (base64_encode ($ bin ), '+/ ' , '-_ ' ), '= ' );
13441344 }
13451345
1346- private function bcc_base64url_decode (string $ str ): string | false {
1346+ private function bcc_base64url_decode ($ str ) {
13471347 $ pad = strlen ($ str ) % 4 ;
1348- if ($ pad ) $ str .= str_repeat ('= ' , 4 - $ pad );
1348+ if ($ pad ) {
1349+ $ str .= str_repeat ('= ' , 4 - $ pad );
1350+ }
1351+
13491352 $ out = base64_decode (strtr ($ str , '-_ ' , '+/ ' ), true );
1350- return $ out === false ? false : $ out ;
1353+
1354+ if ($ out === false ) {
1355+ return false ;
1356+ }
1357+
1358+ return $ out ;
13511359 }
13521360
1353- private function bcc_make_magic_token (int $ post_id , int $ ttl_seconds = 900 ): string {
1354- $ exp = time () + $ ttl_seconds ;
1355- $ nonce = bin2hex (random_bytes (16 )); // prevent deterministic tokens
1361+ private function bcc_make_magic_token ($ post_id , $ ttl_seconds = 900 ) {
1362+ $ exp = time () + $ ttl_seconds ;
1363+
1364+ // prevents deterministic tokens (same post_id at same time)
1365+ $ nonce = bin2hex (random_bytes (16 ));
13561366
13571367 // v1|postId|exp|nonce
1358- $ payload = implode ( ' | ' , [ ' v1 ' , (string )$ post_id, (string )$ exp, $ nonce]) ;
1368+ $ payload = ' v1 ' . ' | ' . (string )$ post_id . ' | ' . (string )$ exp . ' | ' . $ nonce ;
13591369
13601370 // Uses keys/salts from wp-config.php (+ DB secret) via wp_salt
13611371 $ secret = wp_salt ('secure_auth ' );
@@ -1364,29 +1374,49 @@ private function bcc_make_magic_token(int $post_id, int $ttl_seconds = 900): str
13641374 return $ this ->bcc_base64url_encode ($ payload . '| ' . $ sig );
13651375 }
13661376
1367- private function bcc_verify_magic_token (string $ token ): array | false {
1377+ private function bcc_verify_magic_token ($ token ) {
13681378 $ raw = $ this ->bcc_base64url_decode ($ token );
1369- if ($ raw === false ) return false ;
1379+ if ($ raw === false ) {
1380+ return false ;
1381+ }
13701382
13711383 $ parts = explode ('| ' , $ raw );
1384+
13721385 // v1|postId|exp|nonce|sig => 5 parts
1373- if (count ($ parts ) !== 5 ) return false ;
1386+ if (count ($ parts ) !== 5 ) {
1387+ return false ;
1388+ }
13741389
1375- [$ v , $ post_id , $ exp , $ nonce , $ sig ] = $ parts ;
1376- if ($ v !== 'v1 ' ) return false ;
1390+ $ v = $ parts [0 ];
1391+ $ post_id = $ parts [1 ];
1392+ $ exp = $ parts [2 ];
1393+ $ nonce = $ parts [3 ];
1394+ $ sig = $ parts [4 ];
13771395
1378- if (!ctype_digit ($ post_id ) || !ctype_digit ($ exp )) return false ;
1379- if ((int )$ exp < time ()) return false ;
1396+ if ($ v !== 'v1 ' ) {
1397+ return false ;
1398+ }
1399+
1400+ if (!ctype_digit ($ post_id ) || !ctype_digit ($ exp )) {
1401+ return false ;
1402+ }
1403+
1404+ if ((int )$ exp < time ()) {
1405+ return false ;
1406+ }
1407+
1408+ $ payload = $ v . '| ' . $ post_id . '| ' . $ exp . '| ' . $ nonce ;
13801409
1381- $ payload = implode ('| ' , [$ v , $ post_id , $ exp , $ nonce ]);
1382- $ secret = wp_salt ('secure_auth ' );
1383- $ calc = hash_hmac ('sha256 ' , $ payload , $ secret );
1410+ $ secret = wp_salt ('secure_auth ' );
1411+ $ calc = hash_hmac ('sha256 ' , $ payload , $ secret );
13841412
1385- if (!hash_equals ($ calc , $ sig )) return false ;
1413+ if (!hash_equals ($ calc , $ sig )) {
1414+ return false ;
1415+ }
13861416
1387- return [
1417+ return array (
13881418 'post_id ' => (int )$ post_id ,
13891419 'exp ' => (int )$ exp ,
1390- ] ;
1420+ ) ;
13911421 }
13921422}
0 commit comments