<?php

[0] Fix | Delete

/*

[1] Fix | Delete

* This file is part of the ManageWP Worker plugin.

[2] Fix | Delete

*

[3] Fix | Delete

* (c) ManageWP LLC <contact@managewp.com>

[4] Fix | Delete

*

[5] Fix | Delete

* For the full copyright and license information, please view the LICENSE

[6] Fix | Delete

* file that was distributed with this source code.

[7] Fix | Delete

*/

[8] Fix | Delete

[9] Fix | Delete

class MWP_Security_NonceManager

[10] Fix | Delete

{

[11] Fix | Delete

[12] Fix | Delete

private $context;

[13] Fix | Delete

[14] Fix | Delete

private $nonceValidFor;

[15] Fix | Delete

[16] Fix | Delete

private $nonceBlacklistedFor;

[17] Fix | Delete

[18] Fix | Delete

/**

[19] Fix | Delete

* @param MWP_WordPress_Context $context

[20] Fix | Delete

* @param int $nonceValidFor How long (in seconds) is the nonce valid since its issue time.

[21] Fix | Delete

* @param int $nonceBlacklistedFor How long (in seconds) to keep used nonce in storage.

[22] Fix | Delete

*/

[23] Fix | Delete

public function __construct(MWP_WordPress_Context $context, $nonceValidFor = 43200, $nonceBlacklistedFor = 86400)

[24] Fix | Delete

{

[25] Fix | Delete

if ($nonceBlacklistedFor < $nonceValidFor) {

[26] Fix | Delete

throw new LogicException('Nonce blacklist time must be higher than nonce lifetime.');

[27] Fix | Delete

}

[28] Fix | Delete

[29] Fix | Delete

$this->context = $context;

[30] Fix | Delete

$this->nonceValidFor = $nonceValidFor;

[31] Fix | Delete

$this->nonceBlacklistedFor = $nonceBlacklistedFor;

[32] Fix | Delete

}

[33] Fix | Delete

[34] Fix | Delete

/**

[35] Fix | Delete

* @param string $nonce

[36] Fix | Delete

*

[37] Fix | Delete

* @throws MWP_Security_Exception_NonceFormatInvalid

[38] Fix | Delete

* @throws MWP_Security_Exception_NonceExpired

[39] Fix | Delete

* @throws MWP_Security_Exception_NonceAlreadyUsed

[40] Fix | Delete

*/

[41] Fix | Delete

public function useNonce($nonce)

[42] Fix | Delete

{

[43] Fix | Delete

$parts = explode('_', $nonce);

[44] Fix | Delete

[45] Fix | Delete

if (count($parts) !== 2) {

[46] Fix | Delete

throw new MWP_Security_Exception_NonceFormatInvalid();

[47] Fix | Delete

}

[48] Fix | Delete

[49] Fix | Delete

list($nonceValue, $issuedAt) = $parts;

[50] Fix | Delete

$issuedAt = (int) $issuedAt;

[51] Fix | Delete

[52] Fix | Delete

if (!$nonceValue || !$issuedAt) {

[53] Fix | Delete

throw new MWP_Security_Exception_NonceFormatInvalid();

[54] Fix | Delete

}

[55] Fix | Delete

[56] Fix | Delete

if ($issuedAt + $this->nonceValidFor < time()) {

[57] Fix | Delete

throw new MWP_Security_Exception_NonceExpired();

[58] Fix | Delete

}

[59] Fix | Delete

[60] Fix | Delete

// There was a bug where the generated nonce was 42 characters long.

[61] Fix | Delete

$transientKey = substr('n_'.$nonceValue, 0, 40);

[62] Fix | Delete

$nonceUsed = $this->context->transientGet($transientKey);

[63] Fix | Delete

[64] Fix | Delete

if ($nonceUsed !== false) {

[65] Fix | Delete

throw new MWP_Security_Exception_NonceAlreadyUsed();

[66] Fix | Delete

}

[67] Fix | Delete

[68] Fix | Delete

$this->context->transientSet($transientKey, $issuedAt, $this->nonceBlacklistedFor);

[69] Fix | Delete

}

[70] Fix | Delete

}

[71] Fix | Delete

[72] Fix | Delete