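/**
 * Validate the API request
 *
 * Checks the caller's public key and token against the user's stored secret
 * key. The expected token is md5( secret . public key ); the supplied token is
 * compared against it in constant time, and every failure path returns without
 * marking the request as valid.
 *
 * @access private
 * @global object $wp_query WordPress Query
 * @uses Inbound_API::get_user()
 * @uses Inbound_API::missing_auth()
 * @uses Inbound_API::invalid_key()
 * @uses Inbound_API::invalid_auth()
 * @return void
 */
private static function validate_request() {
    global $wp_query;

    self::$override = false;

    /*
     * Check for presence of keys and tokens. Request parameters can arrive as
     * arrays (token[]=...), which would make urldecode() below raise a
     * TypeError on PHP 8, so anything that is not a non-empty string is
     * treated as missing credentials.
     */
    if (
        empty($_REQUEST['token']) || empty($_REQUEST['key'])
        || !is_string($_REQUEST['token']) || !is_string($_REQUEST['key'])
    ) {
        self::missing_auth();
        /* Stop here in case missing_auth() does not end the request itself. */
        return;
    }

    /* Retrieve the user by public API key and ensure they exist */
    $user = self::get_user($_REQUEST['key']);
    if (!$user) {
        self::invalid_key();
        return;
    }

    /*
     * NOTE(review): PHP has already URL-decoded $_REQUEST, so these calls
     * decode a second time, and get_user() above receives the key without
     * that second pass. Kept as-is so existing clients keep working; confirm
     * whether the extra decode is still needed.
     */
    $token  = urldecode($_REQUEST['token']);
    $public = urldecode($_REQUEST['key']);
    $secret = get_user_meta($user, 'inbound_user_secret_key', true);

    /*
     * get_user_meta() returns an empty string when the meta key is absent.
     * Without a stored secret the expected token would be derived from the
     * public key alone, so refuse to authenticate in that case.
     */
    if (!is_string($secret) || $secret === '') {
        self::invalid_auth();
        return;
    }

    /*
     * NOTE(review): the token is an unkeyed MD5 over secret . public with no
     * nonce or timestamp in the input, so it is the same on every request and
     * works as a long-lived bearer credential. Moving to hash_hmac('sha256', ...)
     * with a per-request component needs a coordinated client change; until
     * then the endpoint should only be reachable over TLS.
     */
    $expected = hash('md5', $secret . $public);

    /* hash_equals() avoids leaking how many leading characters matched. */
    if (hash_equals($expected, $token)) {
        self::$is_valid_request = true;
    } else {
        self::invalid_auth();
    }
}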