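    /**
     * Builds the content of the app's config.js (a RequireJS module) from the app's settings.
     *
     * Every scalar value is emitted through json_encode() so it is always a valid JS string
     * literal: addslashes() only escapes quotes/backslashes, so a newline or control
     * character in e.g. the app title used to break the generated file. The values are
     * therefore now double-quoted literals instead of single-quoted ones.
     *
     * @param int $app_id App id
     * @param bool $echo True to print the content, false (default) to return it
     * @return string The config.js content when $echo is false, '' when it was echoed
     */
    public static function get_config_js($app_id, $echo = false)
    {
        $wp_ws_url = WpakWebServices::get_app_web_service_base_url($app_id);
        $theme = WpakThemesStorage::get_current_theme($app_id);
        $app_slug = WpakApps::get_app_slug($app_id);
        $app_main_infos = WpakApps::get_app_main_infos($app_id);
        $app_title = $app_main_infos['title'];
        $app_version = WpakApps::sanitize_app_version($app_main_infos['version']);
        $debug_mode = WpakBuild::get_app_debug_mode($app_id);
        //The auth key is written into a file shipped with the app, so it is only as
        //confidential as the app package itself.
        //TODO : options to choose if the auth key is displayed in config.js.
        $auth_key = WpakApps::get_app_is_secured($app_id) ? WpakToken::get_hash_key() : '';
        $options = WpakOptions::get_app_options($app_id);
        $addons = WpakAddons::get_app_addons_for_config($app_id);

        //Encodes a scalar as a JS string literal. json_encode() returns false on invalid
        //UTF-8: emit an empty literal in that case rather than broken JS.
        $js_string = function ($value) {
            $encoded = json_encode((string) $value);
            return $encoded === false ? '""' : $encoded;
        };

        if (!$echo) {
            ob_start();
        }
        //Indentation is a bit funky here so it appears ok in the config.js file source:
        ?>
define( function ( require ) {

	"use strict";

	return {
		app_slug : <?php echo $js_string($app_slug); ?>,
		wp_ws_url : <?php echo $js_string($wp_ws_url); ?>,
		theme : <?php echo $js_string($theme); ?>,
		version : <?php echo $js_string($app_version); ?>,
		app_title : <?php echo $js_string($app_title); ?>,
		debug_mode : <?php echo $js_string($debug_mode); ?><?php if (!empty($auth_key)) : ?>,
		auth_key : <?php echo $js_string($auth_key); ?><?php endif; ?>,
		options : <?php echo json_encode($options); ?>,
		addons : <?php echo json_encode($addons); ?>

	};

});
<?php
        if ($echo) {
            return '';
        }
        //Not echoing: hand the buffered content back to the caller.
        return ob_get_clean();
    }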
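 /**
  * Checks that control data sent is valid.
  * Use authentication.getActionAuthData() to generate $auth_data.
  *
  * The checks run in a fixed order and stop at the first failure: user given, user exists,
  * user not banned, user authenticated for the app, control + timestamp given, HMAC valid,
  * query time valid. Outside debug mode the last three failures all report the generic
  * 'auth-error' so a caller can't tell which control check rejected the request; the earlier
  * user-level errors ('wrong-user', 'user-banned', ...) are reported regardless of debug mode.
  *
  * @param int $app_id App id
  * @param string $action Authentication action name
  * @param array $auth_data Authentication data (user, control, timestamp)
  * @param array $to_check Data we have to check validity for
  * @return array{ok:bool, auth_error:string, user:string} 'ok' true with 'user' set on success, 'auth_error' set otherwise
  */
 public function check_authenticated_action($app_id, $action, $auth_data, $to_check)
 {
     $result = array('ok' => false, 'auth_error' => '', 'user' => '');
     $debug_mode = WpakBuild::get_app_debug_mode($app_id) === 'on';

     //First check user validity
     if (empty($auth_data['user'])) {
         $result['auth_error'] = 'no-user';
         return $result;
     }
     $user = $auth_data['user'];

     //Check user exists
     $user_wp = get_user_by('login', $user);
     if (!$user_wp) {
         $result['auth_error'] = 'wrong-user';
         return $result;
     }

     //Check the user is not banned :
     if (!$this->check_user_is_allowed_to_authenticate($user_wp->ID, $app_id)) {
         $result['auth_error'] = 'user-banned';
         return $result;
     }

     //Check if the user is authenticated for the given app :
     if (!$this->user_is_authenticated($user_wp->ID, $app_id)) {
         $connection_validity = $this->get_user_connection_validity($user_wp->ID, $app_id);
         $result['auth_error'] = $connection_validity === 0 ? 'user-not-authenticated' : 'user-connection-expired';
         return $result;
     }

     if (empty($auth_data['control']) || empty($auth_data['timestamp'])) {
         //If not in debug mode, don't give error details for security concern :
         $result['auth_error'] = $debug_mode ? 'wrong-auth-data' : 'auth-error';
         return $result;
     }

     //If the user is authenticated, he has a secret key
     $control_key = $this->get_user_secret($user_wp->ID, $app_id);
     $control = $auth_data['control'];
     $timestamp = $auth_data['timestamp'];

     //Build the string covered by the HMAC. Only scalars are included: nested arrays or
     //objects in $to_check are skipped and are therefore NOT integrity-protected. Values are
     //concatenated without a delimiter, so distinct inputs can canonicalise to the same
     //string; this format has to stay in sync with the code generating $auth_data, so it is
     //left unchanged here. A non-array $to_check is treated as no data (no foreach warning).
     $control_string = '';
     if (is_array($to_check)) {
         foreach ($to_check as $value) {
             if (is_string($value) || is_numeric($value)) {
                 $control_string .= $value;
             } elseif (is_bool($value)) {
                 $control_string .= $value ? '1' : '0';
             }
         }
     }

     //Check control data :
     if (!$this->check_hmac($action . $user . $timestamp . $control_string, $control_key, $control)) {
         //If not in debug mode, don't give error details for security concern :
         $result['auth_error'] = $debug_mode ? 'wrong-hmac' : 'auth-error';
         return $result;
     }

     //Timestamp check (presumably a staleness/replay window — see check_query_time), done only
     //once the HMAC is known to be valid.
     if (!$this->check_query_time($timestamp)) {
         //If not in debug mode, don't give error details for security concern :
         $result['auth_error'] = $debug_mode ? 'wrong-query-time' : 'auth-error';
         return $result;
     }

     $result['ok'] = true;
     $result['user'] = $user;
     return $result;
 }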