diff --git a/includes/Form_Handler.php b/includes/Form_Handler.php
index 0129a116..17c5124e 100644
--- a/includes/Form_Handler.php
+++ b/includes/Form_Handler.php
@@ -35,7 +35,7 @@ public static function init() {
public function pay_action() {
global $wp;
- if ( woocommerce_pos_request() && isset( $_POST['woocommerce_pay'], $_GET['key'], $_GET['token'] ) ) {
+ if ( woocommerce_pos_request() && isset( $_POST['woocommerce_pay'], $_GET['key'] ) ) {
$order_id = absint( $wp->query_vars['order-pay'] );
$order = wc_get_order( $order_id );
@@ -58,8 +58,20 @@ public function pay_action() {
);
}
+ // Check for 'wcpos_jwt' and fall back to 'token' if not present.
+ // remove 'token' when wcpos_jwt is fully implemented.
+ $token_key = isset( $_GET['wcpos_jwt'] ) ? 'wcpos_jwt' : ( isset( $_GET['token'] ) ? 'token' : null );
+
+ if ( $token_key === null || ! isset( $_GET[ $token_key ] ) ) {
+ wp_die(
+ esc_html__( 'Token not provided.', 'woocommerce-pos' ),
+ esc_html__( 'Error', 'woocommerce-pos' ),
+ array( 'response' => 403 )
+ );
+ }
+
// Verify the cashier is authorized to access the order.
- $provided_token = sanitize_text_field( wp_unslash( $_GET['token'] ) );
+ $provided_token = sanitize_text_field( wp_unslash( $_GET[ $token_key ] ) );
$auth = AuthService::instance();
$user = $auth->validate_token( $provided_token );
if ( is_wp_error( $user ) ) {
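Review bot: The guard added at lines 19–25 is half redundant — `$token_key` is only ever assigned a key that `isset()` already confirmed, so `! isset( $_GET[ $token_key ] )` can never be true, and the two-step lookup collapses to `$provided_token = $_GET['wcpos_jwt'] ?? $_GET['token'] ?? null;` followed by `if ( null === $provided_token ) { wp_die( ... ); }` with `sanitize_text_field( wp_unslash( $provided_token ) )` applied after that check. Whichever form is kept, the comment at lines 15–16 should say what happens when both parameters are sent (the `token` value is silently ignored in favour of `wcpos_jwt`), since that is the behaviour a client on the old parameter will hit during the migration. Note also that this cashier credential travels in the query string both before and after the change, so it lands in access logs, browser history and outbound Referer headers; while the `wcpos_jwt` transition is still open it would be worth moving it to an `Authorization` header or the POST body at the same time. `pay_action()` starts in the previous hunk and continues past this one.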
diff --git a/includes/Templates/Payment.php b/includes/Templates/Payment.php
index 934bc740..542ffe64 100644
--- a/includes/Templates/Payment.php
+++ b/includes/Templates/Payment.php
@@ -153,6 +153,7 @@ public function get_template(): void {
* @TODO - is this the best way to do this?
*/
wp_set_current_user( $order->get_customer_id() );
+ add_filter( 'nonce_user_logged_out', array( $this, 'nonce_user_logged_out' ), 10, 2 );
// create nonce for customer
// $nonce_field = '';
@@ -249,6 +250,17 @@ private function check_troubleshooting_form_submission(): void {
}
}
+ /**
+ * Fix: when checking out as Guest on the desktop application, WordPress gets a $uid from the
+ * session, eg: 't_8b04f8283e7edc5aeee2867c89dd06'. This causes the nonce check to fail.
+ */
+ public function nonce_user_logged_out( $uid, $action ) {
+ if ( $action === 'woocommerce-pay' ) {
+ return 0;
+ }
+ return $uid;
+ }
+
/**
* Custom version of wp_create_nonce that uses the customer ID.
*/
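Review bot: Returning `0` for the `woocommerce-pay` action removes the session-derived `$uid` (the `t_…` value the docblock describes) from the guest nonce, so once this filter is in place every logged-out visitor computes the same `woocommerce-pay` nonce for a given tick window and the form's CSRF token protects nothing beyond what the order key in the URL already does. That trade-off belongs in the docblock, and the override should be narrowed to the case it was written for, e.g. `if ( 'woocommerce-pay' === $action && woocommerce_pos_request() ) {` (the helper already used in `Form_Handler::pay_action`), so ordinary storefront guest checkout keeps its session binding. The method also has no parameter or return documentation; add `@param int|string $uid    User id WordPress would otherwise use for a logged-out nonce.`, `@param string|int $action Nonce action name (WordPress passes -1 by default).` and `@return int|string`. This diff does not show where the submitted form's `wp_verify_nonce( …, 'woocommerce-pay' )` runs relative to `get_template()`, where the filter is registered; if verification happens earlier in the request the created and verified uids still differ, so that ordering is worth confirming against the handler path.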
diff --git a/package.json b/package.json
index 39c6b5e4..7e57e37a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "@wcpos/woocommerce-pos",
- "version": "1.4.15",
+ "version": "1.4.16",
"description": "A simple front-end for taking WooCommerce orders at the Point of Sale.",
"main": "index.js",
"workspaces": {
diff --git a/readme.txt b/readme.txt
index 30e0df68..30e96ab9 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: kilbot
Tags: ecommerce, point-of-sale, pos, inventory, woocommerce
Requires at least: 5.6
Tested up to: 6.5
-Stable tag: 1.4.15
+Stable tag: 1.4.16
License: GPL-3.0
License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -79,7 +79,7 @@ There is more information on our website at [https://wcpos.com](https://wcpos.co
== Changelog ==
= 1.4.16 - 2024/03/22 =
-* Fix: namespace checkout token, this may help some situations where checkout is not completing
+* Fix: nonce check failing for Guest orders when checking out with the desktop application
= 1.4.15 - 2024/03/20 =
* Fix: another potential error introduced to Pro updater in previous version 🤦♂️
diff --git a/woocommerce-pos.php b/woocommerce-pos.php
index 7e7915fc..e61b5758 100644
--- a/woocommerce-pos.php
+++ b/woocommerce-pos.php
@@ -3,7 +3,7 @@
* Plugin Name: WooCommerce POS
* Plugin URI: https://wordpress.org/plugins/woocommerce-pos/
* Description: A simple front-end for taking WooCommerce orders at the Point of Sale. Requires WooCommerce.
- * Version: 1.4.15
+ * Version: 1.4.16
* Author: kilbot
* Author URI: http://wcpos.com
* Text Domain: woocommerce-pos
@@ -11,10 +11,10 @@
* License URI: http://www.gnu.org/licenses/gpl-3.0.txt
* Domain Path: /languages
* Requires at least: 5.6
+ * Tested up to: 6.5
* Requires PHP: 7.4
* Requires Plugins: woocommerce
- * Tested up to: 6.5
- * WC tested up to: 8.6
+ * WC tested up to: 8.7
* WC requires at least: 5.3
*
* @author Paul Kilmurray
@@ -26,7 +26,7 @@
namespace WCPOS\WooCommercePOS;
// Define plugin constants.
-const VERSION = '1.4.15';
+const VERSION = '1.4.16';
const PLUGIN_NAME = 'woocommerce-pos';
const SHORT_NAME = 'wcpos';
\define( __NAMESPACE__ . '\PLUGIN_FILE', plugin_basename( __FILE__ ) ); // 'woocommerce-pos/woocommerce-pos.php'