-
Notifications
You must be signed in to change notification settings - Fork 5
/
VippsCallbackSessionHandler.class.php
134 lines (111 loc) · 5.3 KB
/
VippsCallbackSessionHandler.class.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
<?php
/*
This class implements a Woocommerce Session Handler that works with callbacks from Vipps to the store
so that the customers session will be in effect when calculating shipping, calculating VAT and so forth. IOK 2019-10-22
This file is part of the plugin Pay with Vipps and MobilePay for WooCommerce
Copyright (c) 2019 WP-Hosting AS
MIT License
Copyright (c) 2019 WP-Hosting AS
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
class VippsCallbackSessionHandler extends WC_Session_Handler {
protected $callbackorder = 0;
protected $sessiondata=null;
public function init() {
global $Vipps;
$this->callbackorder = $Vipps->callbackorder;
return parent::init();
}
// Unfortunately, we need to override all of this, because
// the is_session_cookie_valid() method is *private*. On the
// parent class, this checks whether or not the user is logged-in,
// and if so, if this session is for the same user. But these callbacks
// should not have any user privileges, so they are *not* logged in. Therefore we only
// check the expiry of the cookie. IOK 2022-03-14
public function init_session_cookie() {
$cookie = $this->get_session_cookie();
if ( $cookie ) {
// Customer ID will be an MD5 hash id this is a guest session.
$this->_customer_id = $cookie[0];
$this->_session_expiration = $cookie[1];
$this->_session_expiring = $cookie[2];
$this->_has_cookie = true;
$this->_data = $this->get_session_data();
if ( ! $this->is_session_cookie_valid_ignoring_loggedinness() ) {
$this->destroy_session();
$this->set_session_expiration();
}
// We also won't do the logged-in update check, because we aren't logged in.
// Update session if its close to expiring.
if ( time() > $this->_session_expiring ) {
$this->set_session_expiration();
$this->update_session_timestamp( $this->_customer_id, $this->_session_expiration );
}
} else {
$this->set_session_expiration();
$this->_customer_id = $this->generate_customer_id();
$this->_data = $this->get_session_data();
}
}
// We can't override is_session_cookie_valid, which checks whether or not we are logged in.
// Therefore, call this instead in init_session_cookie. IOK 2022-03-14
private function is_session_cookie_valid_ignoring_loggedinness() {
// If session is expired, session cookie is invalid.
if ( time() > $this->_session_expiration ) {
return false;
}
return true;
}
public function get_session_cookie() {
if (!$this->callbackorder) return false;
$order = wc_get_order($this->callbackorder);
if (empty($order) && is_wp_error($order)) {
return false;
}
$sessionjson = $order->get_meta('_vipps_sessiondata');
if (empty($sessionjson)) return false;
$sessiondata = @json_decode($sessionjson,true);
if (empty($sessiondata)) return false;
list($customer_id, $session_expiration, $session_expiring, $cookie_hash) = $sessiondata;
if (empty($customer_id)) return false;
// Validate hash.
$to_hash = $customer_id . '|' . $session_expiration;
$hash = hash_hmac( 'md5', $to_hash, wp_hash( $to_hash ) );
if ( empty( $cookie_hash ) || ! hash_equals( $hash, $cookie_hash ) ) {
return false;
}
$this->sessiondata = $sessiondata;
return array($customer_id, $session_expiration, $session_expiring, $cookie_hash);
}
public function has_session () {
return !empty($this->sessiondata);
}
public function forget_session() {
if (!$this->has_session()) return;
$order = wc_get_order($this->callbackorder);
if (empty($order) && is_wp_error($order)) return false;
$order->delete_meta_data('_vipps_sessiondata');
wc_empty_cart();
$this->_data = array();
$this->_dirty = false;
$this->_customer_id = $this->generate_customer_id();
}
// This is only used for callbacks, so *never* set cookies.
public function set_customer_session_cookie( $set ) {
return;
}
}