From 3dd59c757ffcfaa5368e4446afe7c8b2e7d61afe Mon Sep 17 00:00:00 2001 From: Rene Vergara Date: Mon, 26 Jun 2023 09:14:32 -0500 Subject: [PATCH] Implement new API callback --- CHANGELOG.md | 6 ++ zgopmtgwy.php | 188 +++++++++++++++++++++++++++++++++----------------- 2 files changed, 132 insertions(+), 62 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cc7452..29a1f6a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] + +- Security hardening changes to plugin queries. +- Re-design of ZGo API callback to support WooCommerce 7.8.0 + ## [1.0.0-beta.1] - 2023-01-11 - Adjust production server integration diff --git a/zgopmtgwy.php b/zgopmtgwy.php index 5db4282..34f4389 100644 --- a/zgopmtgwy.php +++ b/zgopmtgwy.php @@ -3,11 +3,11 @@ * Plugin Name: ZGo Payment Gateway * Plugin URI: https://vergara.tech' * Description: ZGo latest payment processing solution for Woocommerce. Accept payments using Zcash. - * Version: 1.0.0 beta + * Version: 1.0.0 * Requires at least: 5.2 * Requires PHP: 7.2 * Author: Vergara Tech LLC - * Author URI: https://vergara.tech + * Author URI: https://zgo.cash/ * License: GPL v2 or later * License URI: https://www.gnu.org/licenses/gpl-2.0.html **/ @@ -97,7 +97,13 @@ function zgopmt_init() { /** * Add the webhook for payment confirmation from ZGo */ - add_action( 'woocommerce_api_zpmtcallback', array($this,'zconfirm')); + //add_action( 'woocommerce_api_zpmtcallback', array($this,'zconfirm')); + } + + public function register_routes() { + register_rest_route( 'wc/v3', 'zgocallback', array( + 'methods' => 'GET', + 'callback' => array($this,'zgoapicallback'))); } public function init_form_fields() { 
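Review bot: The register_rest_route() call in register_routes() declares no `permission_callback`, so WordPress 5.5+ emits a `_doing_it_wrong` notice and the only gate on this endpoint is the token comparison inside zgoapicallback(); make that explicit with `'permission_callback' => '__return_true',` or, better, move the token check into a permission callback that returns a `WP_Error` with status 403. The handler completes orders and writes to zgo_payments, yet the route is registered with `'methods' => 'GET'`, which also puts the shared token into URLs, browser history and access logs — `'methods' => WP_REST_Server::CREATABLE,` is the fitting verb for a webhook that mutates state. Registering under WooCommerce's own `wc/v3` namespace is presumably deliberate, but a plugin-specific namespace such as `zgo/v1` would avoid any collision with WooCommerce's routes. The old `add_action( 'woocommerce_api_zpmtcallback', … )` line is only commented out here, and the entire zconfirm() body is commented out in the @@ -283 hunk; delete both rather than keep dead code that version control already preserves.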
@@ -283,58 +289,58 @@ function zgopmt_init() { /** * Confirm payment and complete order */ - public function zconfirm() { + //public function zconfirm() { - global $wpdb; + //global $wpdb; - $token = $_GET['token']; - $zgoOrderid = $_GET['orderid']; - $orderid = $_GET['wc_orderid']; - $totalzec = $_GET['totalzec']; - $rate = $_GET['rate']; - $order = wc_get_order( $orderid ); + //$token = $_GET['token']; + //$zgoOrderid = $_GET['orderid']; + //$orderid = $_GET['wc_orderid']; + //$totalzec = $_GET['totalzec']; + //$rate = $_GET['rate']; + //$order = wc_get_order( $orderid ); - $sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s ;', $orderid); - //$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';"; - $result = $wpdb->get_row($sql,OBJECT); - if ( ! is_null($result) ) { + //$sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s ;', $orderid); + ////$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';"; + //$result = $wpdb->get_row($sql,OBJECT); + //if ( ! is_null($result) ) { - if ( ($token == $this->zgotoken ) - && ( $result->pmt_orderid == $zgoOrderid ) - && ( $result->pmt_wc_paid == '0' ) ) { - switch ( $order->get_status() ) { - case 'pending': - case 'failed': - $order->payment_complete(); - $order->reduce_order_stock(); - // - // Mark order as completed in ZGo DB - // - //$sql = "update zgo_payments set " . - //"pmt_confirmed='" . date('Y-m-d H:i:s') . - //"', pmt_rate=" . $rate . - //", pmt_zec=" . $totalzec . - //", pmt_wc_paid=1 " . - //" where pmt_wc_order='" . $orderid . 
"';"; - $sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid ); - $wpdb->query($sql2); + //if ( ($token == $this->zgotoken ) + //&& ( $result->pmt_orderid == $zgoOrderid ) + //&& ( $result->pmt_wc_paid == '0' ) ) { + //switch ( $order->get_status() ) { + //case 'pending': + //case 'failed': + //$order->payment_complete(); + //$order->reduce_order_stock(); + //// + //// Mark order as completed in ZGo DB + //// + ////$sql = "update zgo_payments set " . + ////"pmt_confirmed='" . date('Y-m-d H:i:s') . + ////"', pmt_rate=" . $rate . + ////", pmt_zec=" . $totalzec . + ////", pmt_wc_paid=1 " . + ////" where pmt_wc_order='" . $orderid . "';"; + //$sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid ); + //$wpdb->query($sql2); - update_option('webhook_debug', $_GET); - break; - default: - //$this->console_log('Order ' . $orderid . ' already paid or cancelled...'); - return array("message" => 'Order ' . $orderid . ' already paid or cancelled...'); - break; - } - } else { - //$this->console_log('Invalid parameters...'); - return array("message" => 'Invalid parameters...'); - } - } else { - //$this->console_log('Database error...'); - return array("message" => 'Database error...'); - } - } + //update_option('webhook_debug', $_GET); + //break; + //default: + ////$this->console_log('Order ' . $orderid . ' already paid or cancelled...'); + //return array("message" => 'Order ' . $orderid . 
' already paid or cancelled...'); + //break; + //} + //} else { + ////$this->console_log('Invalid parameters...'); + //return array("message" => 'Invalid parameters...'); + //} + //} else { + ////$this->console_log('Database error...'); + //return array("message" => 'Database error...'); + //} + //} public function thankyou_page () { if ( $description = $this->get_description() ) { 
@@ -355,6 +361,64 @@ function zgopmt_init() { return $edata; } + public function zgoapicallback($request) { + global $wpdb; + + //$token = $_GET['token']; + //$zgoOrderid = $_GET['orderid']; + //$orderid = $_GET['wc_orderid']; + //$totalzec = $_GET['totalzec']; + //$rate = $_GET['rate']; + $token = $request->get_param('token'); + $zgoOrderid = $request->get_param('orderid'); + $orderid = $request->get_param('wc_orderid'); + $totalzec = $request->get_param('totalzec'); + $rate = $request->get_param('rate'); + $order = wc_get_order( $orderid ); + + $sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s ;', $orderid); + //$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';"; + $result = $wpdb->get_row($sql,OBJECT); + if ( ! is_null($result) ) { + + if ( (hash('sha256',$token) == hash('sha256',$this->zgotoken) ) + && ( $result->pmt_orderid == $zgoOrderid ) + && ( $result->pmt_wc_paid == '0' ) ) { + switch ( $order->get_status() ) { + case 'pending': + case 'failed': + $order->payment_complete(); + $order->reduce_order_stock(); + // + // Mark order as completed in ZGo DB + // + //$sql = "update zgo_payments set " . + //"pmt_confirmed='" . date('Y-m-d H:i:s') . + //"', pmt_rate=" . $rate . + //", pmt_zec=" . $totalzec . + //", pmt_wc_paid=1 " . + //" where pmt_wc_order='" . $orderid . "';"; + $sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid ); + $wpdb->query($sql2); + + //update_option('webhook_debug', $_GET); + return array('message' => 'Order '. $orderid . ' mark as paid correctly.'); + break; + default: + //$this->console_log('Order ' . $orderid . ' already paid or cancelled...'); + return array("message" => 'Order ' . $orderid . 
' already paid or cancelled...'); + break; + } + } else { + //$this->console_log('Invalid parameters...'); + return array("message" => 'Invalid parameters...'); + } + } else { + //$this->console_log('Database error...'); + return array("message" => 'Database error...'); + } + //return array( 'custom' => 'Data', "request" => $data->get_params() ); + } } @@ -391,15 +455,15 @@ function get_custom($data) { //$orderid = $_GET['wc_orderid']; //$totalzec = $_GET['totalzec']; //$rate = $_GET['rate']; - $token = $data->token; - $zgoOrderid = $data->orderid; - $orderid = $data->wc_orderid; - $totalzec = $data->totalzec; - $rate = $data->rate; + $token = $data->get_param('token'); + $zgoOrderid = $data->get_param('orderid'); + $orderid = $data->get_param('wc_orderid'); + $totalzec = $data->get_param('totalzec'); + $rate = $data->get_param('rate'); $order = wc_get_order( $orderid ); - //$sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s ;', $orderid); - $sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';"; + $sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s ;', $orderid); + //$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';"; $result = $wpdb->get_row($sql,OBJECT); if ( ! is_null($result) ) { @@ -441,8 +505,8 @@ function get_custom($data) { //return array( 'custom' => 'Data', "request" => $data->get_params() ); } -add_action( 'rest_api_init', function () { - register_rest_route( 'wc/v3', 'custom', array( - 'methods' => 'GET', - 'callback' => 'get_custom')); -}); +function plugin_register_rest_apis() { + $zgoPlugin = new WC_ZGopmt_Gateway(); + $zgoPlugin->register_routes(); +} +add_action( 'rest_api_init', 'plugin_register_rest_apis');
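Review bot: The token check `hash('sha256',$token) == hash('sha256',$this->zgotoken)` in zgoapicallback() is still a loose `==` between two strings (PHP compares numeric-looking strings numerically) and is not timing-safe; hashing both sides changes neither property. Use `hash_equals( (string) $this->zgotoken, (string) $token )`, which is a strict constant-time comparison, and run it before the zgo_payments query so unauthenticated requests never reach the database. `wc_get_order( $orderid )` returns false for an unknown id and `$order->get_status()` would then fatal inside the authenticated branch, so guard it right after the lookup; `$result->pmt_orderid == $zgoOrderid` should likewise be a strict comparison of strings. All three failure paths return a plain array, i.e. HTTP 200, so the ZGo side cannot distinguish success from rejection — a `WP_Error` carrying a `status` of 403/404 would, if the caller copes with non-200 responses. If I read WooCommerce correctly, `payment_complete()` already triggers stock reduction and `reduce_order_stock()` is a deprecated alias, so the extra call is at best redundant — worth confirming against the WooCommerce version targeted.
```php
    public function zgoapicallback($request) {
        global $wpdb;

        $token      = (string) $request->get_param('token');
        $zgoOrderid = (string) $request->get_param('orderid');
        $orderid    = $request->get_param('wc_orderid');
        $totalzec   = $request->get_param('totalzec');
        $rate       = $request->get_param('rate');

        // Strict, constant-time comparison; reject before touching the DB.
        if ( $token === '' || ! hash_equals( (string) $this->zgotoken, $token ) ) {
            return array("message" => 'Invalid parameters...');
        }

        $order = wc_get_order( $orderid );
        if ( ! $order ) {
            return array("message" => 'Order not found...');
        }

        $sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s ;', $orderid);
        $result = $wpdb->get_row($sql,OBJECT);
        if ( ! is_null($result) ) {
            if ( (string) $result->pmt_orderid === $zgoOrderid
                && ( $result->pmt_wc_paid == '0' ) ) {
                // … unchanged: status switch, payment_complete(), zgo_payments update …
```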
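Review bot: get_custom() is switched to get_param() and $wpdb->prepare() here, but the @@ -441 hunk removes the only registration of the `custom` route, which as far as the visible hunks show leaves get_custom() unreachable while it duplicates zgoapicallback() almost line for line. Either delete it together with the route or, if it is still invoked elsewhere, give it the same hash_equals() token comparison — its token check lies outside this hunk, as do the function's opening and closing lines.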
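Review bot: plugin_register_rest_apis() is an unprefixed function in WordPress's shared global namespace, where a second plugin declaring the same name is a fatal "Cannot redeclare" error; name it `zgopmt_register_rest_apis` in line with the rest of the plugin (zgopmt_init). The hunk headers show WC_ZGopmt_Gateway being declared inside zgopmt_init(), so on a site where that init has not run (WooCommerce inactive, or hook ordering) `new WC_ZGopmt_Gateway()` on rest_api_init fatals; guard with `if ( ! class_exists( 'WC_ZGopmt_Gateway' ) ) { return; }` before constructing. Constructing a fresh gateway just to register a route also re-runs its constructor on every REST request, which presumably reloads the gateway settings; tolerable, but a static registration method would avoid it.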