fix nonce check

wcpos · Mar 28, 2024 · 4a12172 · 4a12172
1 parent 4b2351a
commit 4a12172
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 9 deletions.
diff --git a/includes/Form_Handler.php b/includes/Form_Handler.php
@@ -35,7 +35,7 @@ public static function init() {
 	public function pay_action() {
 		global $wp;
 
-		if ( woocommerce_pos_request() && isset( $_POST['woocommerce_pay'], $_GET['key'], $_GET['token'] ) ) {
+		if ( woocommerce_pos_request() && isset( $_POST['woocommerce_pay'], $_GET['key'] ) ) {
 			$order_id  = absint( $wp->query_vars['order-pay'] );
 			$order     = wc_get_order( $order_id );
 
@@ -58,8 +58,20 @@ public function pay_action() {
 				);
 			}
 
+			// Check for 'wcpos_jwt' and fall back to 'token' if not present.
+			// remove 'token' when wcpos_jwt is fully implemented.
+			$token_key = isset( $_GET['wcpos_jwt'] ) ? 'wcpos_jwt' : ( isset( $_GET['token'] ) ? 'token' : null );
+
+			if ( $token_key === null || ! isset( $_GET[ $token_key ] ) ) {
+				wp_die(
+					esc_html__( 'Token not provided.', 'woocommerce-pos' ),
+					esc_html__( 'Error', 'woocommerce-pos' ),
+					array( 'response' => 403 )
+				);
+			}
+
 			// Verify the cashier is authorized to access the order.
-			$provided_token = sanitize_text_field( wp_unslash( $_GET['token'] ) );
+			$provided_token = sanitize_text_field( wp_unslash( $_GET[ $token_key ] ) );
 			$auth = AuthService::instance();
 			$user = $auth->validate_token( $provided_token );
 			if ( is_wp_error( $user ) ) {

diff --git a/includes/Templates/Payment.php b/includes/Templates/Payment.php
@@ -153,6 +153,7 @@ public function get_template(): void {
 			 * @TODO - is this the best way to do this?
 			 */
 			wp_set_current_user( $order->get_customer_id() );
+			add_filter( 'nonce_user_logged_out', array( $this, 'nonce_user_logged_out' ), 10, 2 );
 
 			// create nonce for customer
 			// $nonce_field = '<input type="hidden" id="woocommerce-pay-nonce" name="woocommerce-pay-nonce" value="' . $this->create_customer_nonce() . '" />';
@@ -249,6 +250,17 @@ private function check_troubleshooting_form_submission(): void {
 		}
 	}
 
+	/**
+	 * Fix: when checking out as Guest on the desktop application, WordPress gets a $uid from the
+	 * session, eg: 't_8b04f8283e7edc5aeee2867c89dd06'. This causes the nonce check to fail.
+	 */
+	public function nonce_user_logged_out( $uid, $action ) {
+		if ( $action === 'woocommerce-pay' ) {
+			return 0;
+		}
+		return $uid;
+	}
+
 	/**
 	 * Custom version of wp_create_nonce that uses the customer ID.
 	 */

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@wcpos/woocommerce-pos",
-  "version": "1.4.15",
+  "version": "1.4.16",
   "description": "A simple front-end for taking WooCommerce orders at the Point of Sale.",
   "main": "index.js",
   "workspaces": {

diff --git a/readme.txt b/readme.txt
@@ -3,7 +3,7 @@ Contributors: kilbot
 Tags: ecommerce, point-of-sale, pos, inventory, woocommerce
 Requires at least: 5.6
 Tested up to: 6.5
-Stable tag: 1.4.15
+Stable tag: 1.4.16
 License: GPL-3.0
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -79,7 +79,7 @@ There is more information on our website at [https://wcpos.com](https://wcpos.co
 == Changelog ==
 
 = 1.4.16 - 2024/03/22 =
-* Fix: namespace checkout token, this may help some situations where checkout is not completing
+* Fix: nonce check failing for Guest orders when checking out with the desktop application
 
 = 1.4.15 - 2024/03/20 = 
 * Fix: another potential error introduced to Pro updater in previous version 🤦‍♂️

diff --git a/woocommerce-pos.php b/woocommerce-pos.php
@@ -3,18 +3,18 @@
  * Plugin Name:       WooCommerce POS
  * Plugin URI:        https://wordpress.org/plugins/woocommerce-pos/
  * Description:       A simple front-end for taking WooCommerce orders at the Point of Sale. Requires <a href="http://wordpress.org/plugins/woocommerce/">WooCommerce</a>.
- * Version:           1.4.15
+ * Version:           1.4.16
  * Author:            kilbot
  * Author URI:        http://wcpos.com
  * Text Domain:       woocommerce-pos
  * License:           GPL-3.0+
  * License URI:       http://www.gnu.org/licenses/gpl-3.0.txt
  * Domain Path:       /languages
  * Requires at least: 5.6
+ * Tested up to:      6.5
  * Requires PHP:      7.4
  * Requires Plugins:  woocommerce
- * Tested up to:      6.5
- * WC tested up to:   8.6
+ * WC tested up to:   8.7
  * WC requires at least: 5.3
  *
  * @author    Paul Kilmurray <[email protected]>
@@ -26,7 +26,7 @@
 namespace WCPOS\WooCommercePOS;
 
 // Define plugin constants.
-const VERSION     = '1.4.15';
+const VERSION     = '1.4.16';
 const PLUGIN_NAME = 'woocommerce-pos';
 const SHORT_NAME  = 'wcpos';
 \define( __NAMESPACE__ . '\PLUGIN_FILE', plugin_basename( __FILE__ ) ); // 'woocommerce-pos/woocommerce-pos.php'