Adding in the retry nonce.

krugazul · krugazul · commit c47286522a16 · 2024-10-04T15:26:37.000+02:00
diff --git a/assets/js/paystack-public.js b/assets/js/paystack-public.js
@@ -296,6 +296,8 @@ function PffPaystackFee()
                                     var firstName = names[0] || "";
                                     var lastName = names[1] || "";
                                     var quantity = data.quantity;
+
+									$("#pf-nonce").val(data.invoiceNonce);
                                     
                                     if (data.plan == "none" || data.plan == "" || data.plan == "no") {
                                         var handler = PaystackPop.setup(
@@ -316,9 +318,10 @@ function PffPaystackFee()
                                                     $.post(
                                                         $form.attr("action"),
                                                         {
-														action: "pff_paystack_confirm_payment",
-														code: response.trxref,
-														quantity: quantity
+															action: "pff_paystack_confirm_payment",
+															code: response.trxref,
+															quantity: quantity,
+															nonce: data.confirmNonce
 														},
                                                         function (newdata) {
 															data = JSON.parse(newdata);
@@ -378,7 +381,8 @@ function PffPaystackFee()
                                                         $form.attr("action"),
                                                         {
                                                             action: "pff_paystack_confirm_payment",
-                                                            code: response.trxref
+                                                            code: response.trxref,
+															nonce: data.confirmNonce
                                                           },
                                                         function (newdata) {
                                                             data = JSON.parse(newdata);
@@ -422,7 +426,7 @@ function PffPaystackFee()
 
                                     handler.openIframe();
                                 } else {
-                                    alert(data.message);
+                                    alert(data.error_message);
                                 }
 
                             },
diff --git a/includes/classes/class-confirm-payment.php b/includes/classes/class-confirm-payment.php
@@ -102,6 +102,18 @@ protected function setup_data( $payment ) {
 	 * Confirm Payment Functionality.
 	 */
 	public function confirm_payment() {
+
+		if ( ! isset( $_POST['nonce'] ) || false === wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'pff-paystack-confirm' ) ) {
+			$response = array(
+				'error' => true,
+				'error_message' => __( 'Nonce verification is required.', 'pff-paystack' ),
+			);
+	
+			exit( wp_json_encode( $response ) );	
+		}
+
+		// This is a false positive, we are using isset as WPCS suggest in the PCP plugin.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 		if ( ! isset( $_POST['code'] ) || '' === trim( wp_unslash( $_POST['code'] ) ) ) {
 			$response = array(
 				'error' => true,
@@ -202,7 +214,10 @@ protected function update_sold_inventory() {
 
 		if ( 'yes' === $usequantity ) {
 			$quantity = 1;
+			// Nonce is checked above in the parent function confirm_payment().
+			// phpcs:ignore WordPress.Security.NonceVerification
 			if ( isset( $_POST['quantity'] ) ) {
+				// phpcs:ignore WordPress.Security.NonceVerification
 				$quantity = (int) sanitize_text_field( wp_unslash( $_POST['quantity'] ) );
 			}
 			$sold     = $this->meta['sold'];
diff --git a/includes/classes/class-form-shortcode.php b/includes/classes/class-form-shortcode.php
@@ -499,7 +499,7 @@ public function get_retry_form( $code = '' ) {
 
 			$html[] = '<input type="hidden" name="action" value="pff_paystack_retry_action">';
 			$html[] = '<input type="hidden" name="code" value="' . esc_html( $code ) . '" />';
-
+			$html[] = wp_nonce_field( 'pff-paystack-retry', 'pf-nonce', true, false );
 
 			$html[] = '<div class="content">';
 			
diff --git a/includes/classes/class-form-submit.php b/includes/classes/class-form-submit.php
@@ -101,7 +101,6 @@ protected function valid_submission() {
 			return false;			
 		}
 
-
 		if ( ! isset( $_POST['pf-id'] ) || '' == trim( sanitize_text_field( wp_unslash( $_POST['pf-id'] ) ) ) ) {
 			$this->response['result']  = 'failed';
 			$this->response['message'] = __( 'A form ID is required', 'pff-paystack' );
@@ -249,9 +248,6 @@ public function process_images() {
 	}
 
 	public function submit_action() {
-		/**
-		 * TODO - Needs better security checks - NONCE
-		 */
 		if ( ! $this->valid_submission() ) {
 			// Exit here, for not processing further because of the error
 			exit( wp_json_encode( $this->response ) );
@@ -299,14 +295,10 @@ public function submit_action() {
 		 * This function will exit early if one of the images is too large to be uploaded.
 		 */
 		$this->process_images();
-
 		$this->process_recurring_plans( $amount );
-
 		$this->fixed_metadata = json_decode( wp_json_encode( $this->fixed_metadata, JSON_NUMERIC_CHECK ), true );
 		$this->fixed_metadata = array_merge( $this->untouched, $this->fixed_metadata );
 
-
-
 		$insert = array(
 			'post_id'  => $this->form_data['pf-id'],
 			'email'    => $this->form_data['pf-pemail'],
@@ -400,10 +392,11 @@ public function submit_action() {
 			'transaction_charge' => $transaction_charge,
 		);
 
-		//-------------------------------------------------------------------------------------------
-
-		// $pstk_logger = new paystack_plugin_tracker('pff-paystack', Kkd_Pff_Paystack_Public::fetchPublicKey());
-		// $pstk_logger->log_transaction_attempt($code);*/
+		// We create 2 nonces here
+		// 1 incase the payment fails, and the user needs to try again.
+		// 2 if the payment is successful and the confirmation ajax needs to run. 
+		$response['invoiceNonce'] = wp_create_nonce( 'pff-paystack-invoice' );
+		$response['confirmNonce'] = wp_create_nonce( 'pff-paystack-confirm' );
 
 		echo wp_json_encode( $response );
 		die();
diff --git a/includes/classes/class-retry-submit.php b/includes/classes/class-retry-submit.php
@@ -88,6 +88,15 @@ protected function setup_data() {
 	 * @return void
 	 */
 	public function retry_action() {
+		if ( ! isset( $_POST['pf-nonce'] ) || false === wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['pf-nonce'] ) ), 'pff-paystack-retry' ) ) {
+			$response = array(
+				'result'  => 'failed',
+				'message' => __( 'Nonce verification is required.', 'pff-paystack' ),
+			);
+			// Exit here, for not processing further because of the error.
+			exit( wp_json_encode( $response ) );	
+		}
+
 		if ( isset( $_POST['code'] ) && '' !== trim( wp_unslash( $_POST['code'] ) ) ) {
 			$this->code = sanitize_text_field( wp_unslash( $_POST['code'] ) );
 		} else {
